Consistency and/or completeness of access control policy sets may be validated and/or verified. An access control policy set may be received. The access control policy set may include access control policies that allow or disallow access to computing resources. Individual ones of the access control policies may include one or more attributes. The one or more attributes of a given access control policy may be ordered into a predetermined order responsive to the one or more attributes of the given access control policy lacking the predetermined order. A decision tree may be generated based on the access control policies. The decision tree may be analyzed to determine one or more of (1) whether one or more of the access control policies are incomplete, or (2) whether one or more of the access control policies are inconsistent with one or more other ones of the access control policies.