A policy generation agent automatically generates a security policy for an application and a specified custom security manager. The agent launches an application in a development environment. The agent instantiates a development security manager based on a custom security manager defined by the application. The agent runs the application in the development environment, causing the application to request permissions from the development security manager. The development security manager passes the permissions request to the custom security manager and approves the one or more permissions. The custom security manger determines whether to approve or deny the request based on a permissions policy. Responsive to a determination to deny the request, the agent updates the permissions policy to approve subsequent requests for the permissions. The agent also associates the updated permissions policy with the application. The agent may enable different sections of the policy based on performance, security, or application stakeholder preference.