Anupam Datta of CMU gave a good lecture at Microsoft Research, available here. Healthcare privacy (HIPAA), financial regulations (Sarbox), and others are shifting to the use of audit and accountability rather than access control methodology. His lecture discusses this from the perspective of the external control system.
First, he agrees that this is the right way to handle the increasingly complex issues that must be accommodated. Access control methodologies will founder and flail, either not delivering the desired privacy or not delivering the desired services.
He then discusses the theoretical basis for analyzing and using audit as a control method. The really hard problem is dealing with real-world data gaps, and with the inherent uncertainty of interpreting events. In his terms, you need an "oracle" to take the ambiguous situations and decide whether these events did or did not meet the regulatory requirements. The dominant need for the "oracle" is to answer questions around purpose, intentions, and plans. He explains the semantic issues involved.
This need for an "oracle" to answer otherwise unanswerable questions is one reason that access control methods will fail, while audit control can succeed. In the post-facto audit analysis you can find ways to deal with the "oracle" problem. In the real time access control situation, the lack of an oracle results in failures.
Then he gives a high-level overview of how audit logs would be analyzed. This is at the level of first-order logic, not programming requirements. He's the first person I've heard complimenting HIPAA in a long time. He found the highly operational nature of HIPAA led to a clean analysis solution, other than the inherent need for an oracle. He also gives a high-level first-order logic equation describing HIPAA. It's just a short, simple equation. He's right: HIPAA is a clean set of requirements when viewed properly.
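To make the audit-versus-access-control point concrete, here is an added example (my own code, not from the lecture or any HIPAA tooling) of a post-facto checker over constructed disclosure log events: a simplified, constructed norm in the spirit of the first-order rendering, plus an explicit oracle that is consulted only when the log itself cannot answer the purpose question. The rule, the event fields and the reviewer oracle are all assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass
class Disclosure:
    """One constructed audit-log record of data leaving a covered entity."""
    event_id: str
    recipient_role: str       # e.g. "physician", "employer"
    data_type: str            # "phi" or something not covered
    purpose: Optional[str]    # real-world logs often lack this (the data gap)
    consent: bool             # patient authorization recorded?

# Constructed, simplified norm (assumption, not the actual HIPAA text):
# a PHI disclosure is permitted if the patient consented or the purpose is
# treatment, payment or health-care operations.
ALLOWED_PURPOSES = {"treatment", "payment", "operations"}

# The oracle answers the purpose question when the log cannot; it may itself
# decline (return None), which leaves the event undetermined.
Oracle = Callable[[Disclosure], Optional[str]]

def check(event: Disclosure, oracle: Oracle) -> str:
    """Classify one event as 'compliant', 'violation' or 'undetermined'."""
    if event.data_type != "phi" or event.consent:
        return "compliant"          # decidable from the log alone
    purpose = event.purpose
    if purpose is None:
        purpose = oracle(event)     # ambiguous: defer to the oracle
    if purpose is None:
        return "undetermined"       # the oracle could not decide either
    return "compliant" if purpose in ALLOWED_PURPOSES else "violation"

def audit(events: List[Disclosure], oracle: Oracle) -> Dict[str, str]:
    """Run the checker over a whole log, as a post-facto audit would."""
    return {e.event_id: check(e, oracle) for e in events}

def reviewer_oracle(event: Disclosure) -> Optional[str]:
    """Constructed stand-in for a human reviewer inferring purpose from context."""
    return {"physician": "treatment", "employer": "marketing"}.get(event.recipient_role)

# Constructed sample log: one clear case, three that need the oracle.
SAMPLE_EVENTS = [
    Disclosure("e1", "physician", "phi", "treatment", False),
    Disclosure("e2", "physician", "phi", None, False),
    Disclosure("e3", "employer", "phi", None, False),
    Disclosure("e4", "researcher", "phi", None, False),
    Disclosure("e5", "employer", "phi", "marketing", True),
]

if __name__ == "__main__":
    for event_id, verdict in audit(SAMPLE_EVENTS, reviewer_oracle).items():
        print(event_id, verdict)
```

The "undetermined" bucket is the practical difference: an after-the-fact audit can hold it for a reviewer, whereas a real-time access decision would have to guess.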