Per NIST SP 800-53, “access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures.”
Specifically, Per AC-1 of NIST SP 800-53, organizations are to “...develop, document, and disseminate…” an access control policy and procedure. Additionally, within the AC family itself (i.e., AC-1 to AC-25) there are numerous controls that also require organizations to document how such controls are implemented.. The keyword here is “document”, which means you need a policy for AC-1.