JBoss Community

Re: Get something started with XACML - Requirements Discussion

created by Christian QD93S7 in PicketBox Development - View the full discussion

The policy modeller as part of the info security team - interesting point. I thought the possible advantage of XACML - besides interop - is the ability to change and adapt existing access rules while the system is running, i.e. is already developed. So if we restrict the ability to change the rules to specialized people, it tends to get adjusted once or twice in the lifecycle of the software. That is not much different from hardcoding the rules in the software. If we really want to use the advantage, we need to enable the business guys to understand what happens.


But I haven't seen such a system working. So as you describe it - this organization has some procedure to work with "meta-rules" and then they give the order to change to the security team. The question is, how often do changes occur?


But even if you have specialized people - the policy sets get big and complex, and so the GUI should really be able to structure them according to different perspectives (like Eclipse perspectives). There might be an application perspective, an organization perspective, a dictionary. It is a special kind of rule management system. There have been various attempts to write good editors, see http://www.tfgordon.de/publications. But it is worth a try.
