Controlling asset-access has traditionally been considered a matter for systems in which assets reside. Centralized approaches to access control are, however, problematic for the IoT. One reason for this is that devices may not be confined to a single system of control. In this abstract, we argue for a new paradigm in which assets are empowered to make their own access decisions. To facilitate this shift in perspective, we propose a policy-neutral framework based on principles adapted from object-oriented programming. This approach establishes assets as active, message-passing entities that store and determine their own access control. We describe initial work modelling the interaction of such assets and point to future formal work for reasoning about protocols and policy composition
