Authorization-First Retrieval: Enforcing Least Privilege in Multi-Agent RAG Systems
Summary
Authorization-First Retrieval (AFR) addresses a critical trustworthiness gap in multi-agent Retrieval-Augmented Generation (RAG) systems operating under role-based access control. Traditional retrieve-then-filter pipelines allow semantic retrieval to introduce unauthorized content into a model's context window before authorization checks, a problem formalized as a pipeline ordering issue. AFR proposes an architectural invariant where authorization must constrain the retrieval candidate set before any learned component processes content. Experiments on a corpus of 247 chunks across 232 documents, with 584 queries spanning 12 enterprise roles, show retrieve-then-filter pipelines expose unauthorized context in 86.1% of queries. AFR eliminates these structural leaks by design. Cross-model evaluations with Gemini 2.0 Flash and GPT-4o-mini reveal structural exposure is an architectural property, independent of the model, while behavioral defenses result in answer leakage rates of 41.3% and 29.5%. The study concludes behavioral guardrails and metadata tagging are insufficient for enforcing least privilege, advocating for authorization-first architectures for verifiable, model-independent security guarantees in RAG.
Key takeaway
For AI Security Engineers designing or auditing multi-agent RAG systems, you must prioritize architectural security over behavioral guardrails. Relying on retrieve-then-filter pipelines introduces structural vulnerabilities, exposing unauthorized content in over 86% of queries, regardless of the underlying LLM. Implement Authorization-First Retrieval (AFR) to enforce least privilege by design, ensuring authorization constrains retrieval before content reaches any learned component. This provides a verifiable, model-independent security guarantee for your RAG deployments.
Key insights
Authorization must constrain RAG retrieval before learned components consume content to prevent unauthorized data exposure.
Principles
- Authorization correctness reduces to noninterference.
- Structural exposure is an architectural property.
- Behavioral guardrails are unreliable for least privilege.
Method
Authorization-First Retrieval (AFR) mandates that authorization predicates filter the retrieval candidate set prior to any learned component processing the content.
In practice
- Integrate authorization before retrieval.
- Prioritize architectural security invariants.
- Do not solely depend on post-retrieval filters.
Topics
- Authorization-First Retrieval
- RAG Security
- Least Privilege
- Role-Based Access Control
- Noninterference
- LLM Data Leakage
Best for: AI Architect, CTO, VP of Engineering/Data, AI Scientist, AI Engineer, AI Security Engineer
Related on AIssential
Editorial summary, takeaway, and curation by AIssential. Original article published by Paper Index on ACL Anthology.