Context- & risk aware
Simply controlling who can access what is rarely sufficient. In most authorization scenarios you also need to consider aspects such as when, from where, how, why and under what special conditions. Extensible authorization solutions from Axiomatics make full use of the XACML standard. Authorization decisions are based on a "grammar" that in many ways matches the expressiveness of natural languages:
The expressiveness of XACML, combined with the fact that policy enforcement is fine-grained and dynamic, makes it possible to consider the risks that manifest themselves in the given context of an access request. "The opportunity makes the thief", as the saying goes. Risks vary with the situation. The nurse's curiosity may have triggered a violation of the patient's privacy, the bank withdrawal could be based on identity theft, goods receipting may be fraudulent, intended to trigger an invoice payment to the accounting officer's cousin. Hence, there are no "absolute" risks or risk levels. Risks need to be calculated in relation to probabilities, which in turn differ with the values at stake.

XACML-based authorization is context-aware, which means authorization decisions can adapt dynamically to varying conditions. The risk level may be considered low for average-sized bank account withdrawals if the ATM is located near the bank account holder's home address and the balance of the account well exceeds the amount withdrawn; normal user behavior patterns reduce the risk level. We may assume that goods receipt registrations carry a greater risk if the attesting user happens to be the individual who originally issued the purchase order, a situation in which one would ideally want to enforce segregation of duties but, due to circumstances, may not be able to. If the patient is not currently in treatment at the hospital, the probability of a privacy violation increases, and so on.

For examples such as these, XACML policy-based authorization offers risk adaptivity. A policy can state that access is permitted provided the "risk level <2", where the risk level is calculated dynamically in real time, taking aspects such as those mentioned above into account.
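
The risk-adaptive rule described above, as an added example written in Python rather than XACML (it is not Axiomatics code). Only the condition "risk level <2" comes from the text; the attribute names, weights, cut-offs and sample requests are assumptions made for illustration.

```python
# Added example: a small risk-adaptive decision point. Attribute names, weights
# and cut-offs are constructed; only the "risk level < 2" condition is the page's.
from dataclasses import dataclass, field

RISK_LIMIT = 2

@dataclass
class Request:
    action: str
    subject: dict = field(default_factory=dict)
    resource: dict = field(default_factory=dict)
    environment: dict = field(default_factory=dict)

def withdrawal_risk(q):
    amount = q.resource["amount"]
    return ((q.environment["atm_km_from_home"] > 50)      # ATM far from home address
            + (amount > 2 * q.subject["avg_withdrawal"])  # not an average-sized withdrawal
            + (2 * amount > q.resource["balance"]))       # balance does not well exceed amount

def goods_receipt_risk(q):
    # No segregation of duties: the attesting user also issued the purchase order.
    return 2 if q.subject["id"] == q.resource["po_issuer"] else 0

def record_read_risk(q):
    # A patient not currently in treatment raises the probability of a privacy violation.
    return 0 if q.resource["patient_in_treatment"] else 2

SCORERS = {"withdraw": withdrawal_risk, "goods_receipt": goods_receipt_risk,
           "read_record": record_read_risk}

def decide(q):
    """Return an XACML-style decision string for the request."""
    scorer = SCORERS.get(q.action)
    if scorer is None:
        return "NotApplicable"        # no policy targets this action
    try:
        risk = scorer(q)
    except KeyError:                  # a required context attribute is missing
        return "Indeterminate"
    return "Permit" if risk < RISK_LIMIT else "Deny"

def enforce(q):
    """Deny-biased enforcement point: anything but Permit blocks access."""
    return decide(q) == "Permit"

# Constructed sample requests: the same action, two different contexts.
NEAR_HOME = Request("withdraw", {"avg_withdrawal": 150},
                    {"amount": 200, "balance": 5000}, {"atm_km_from_home": 3})
FAR_LARGE = Request("withdraw", {"avg_withdrawal": 150},
                    {"amount": 900, "balance": 1000}, {"atm_km_from_home": 800})
```

A request with a missing context attribute yields `Indeterminate` rather than a low score, so incomplete context cannot lower the calculated risk.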