Abstract:
In recent years, Internet of Things (IoT) security incidents have occurred frequently. Access control is an important security mechanism for IoT. However, existing Internet access control policies cannot be applied directly to IoT scenarios because of the differences between IoT and the Internet. At present, IoT access control schemes have not paid attention to their own security issues. Once IoT access control is broken, the consequences are serious, such as leakage of private data and abuse of authority. Thus, it is urgent to comprehensively study the security issues of IoT access control and their solutions. Taking into account the complex architecture, the variety of devices, and the low storage and computing performance of IoT, we sort out the protection surface and trust relationships in IoT access control, build the trust chain, and discuss the law of risk transmission in the trust chain. Around the protection surface and trust chain, we summarize the existing access control attack surface across the perception layer, network layer, and application layer, and analyze the existing security risks. In view of these security risks, we present the necessary access control security requirements, including mechanism improvement, attack surface response, multilevel authentication and authorization, and combination with specific scenarios. Based on these requirements, we summarize the existing security solutions and targeted access control frameworks. Finally, we discuss the challenges faced in IoT access control and point out future research directions: in-depth study of access control on IoT cloud platforms, standardization of IoT cloud docking, and introduction of the zero trust concept.