An asset stored on a storage device of a computer system is detected to be omitted from an asset-specific access policy. Using a utilization history of the asset, a criticality of the asset is scored, generating a first criticality score for the asset. Using the first criticality score, the asset is classified into a policy category. A selected access policy selected from a set of access policies assigned to a set of assets in the policy category is applied to the asset, the selected access policy specifying an access restriction of the asset.