A method and system provides access control for sensitive data. An access control system defines a plurality of access policies for gaining access to the sensitive data. Each access policy includes a plurality of rules that indicate whether or not the client machine can gain access to an initial access secret under the policy. When the access control system receives access request data from a client machine requesting access to the access control system under one of the policies, the access control system compares characteristics of the client machine to the rules of the access policy. If the characteristics of the client machine satisfy the rules of the access policy in the access control system provides an initial access secret, such as an application key, to the client machine.