Described embodiments provide systems, methods, computer readable media for determining risk metrics. A device may provide a risk model for a network environment. The risk model may include an input level and an output level. The input level may process first datasets each corresponding to a feature and a time window. The first datasets may include factors on access requests. The output level may generate a first aggregate risk metric of a first access request according to the datasets processed by the input level. The device may identify a second dataset corresponding to a second access request over the features and time windows. The device may determine a second aggregate risk metric by applying the second dataset to the risk model. The device may generate a response to the second access request according to an access control policy and the second aggregate risk metric.