In our connected world, confidentiality is a central quality requirement. A commonly used mechanism to meet confidentiality requirements is access control. However, access control policies are usually not defined on the architectural abstraction level and are imprecise during design time due to the high degree of uncertainty. This impedes early considerations of confidentiality as implied by “Privacy by Design”. We propose an approach to refine and verify access control policies while handling uncertainty that fills the gap between high-level confidentiality requirements and low-level access control.