TL;DR: RAG systems can surface confidential documents to the wrong users because vector search ignores source-system permissions, while ReBAC preserves ownership, team membership, and sharing relationships during retrieval, according to Descope. Static roles and metadata filters do not scale once access becomes dynamic and document-level.
At a glance
What this is: This tutorial shows how relationship-based access control can preserve document permissions in a RAG pipeline by checking access between retrieval and generation.
Why it matters: IAM and security teams need this pattern because AI applications inherit the least-privilege problem immediately, and a single missed permission boundary can expose sensitive HR, finance, or executive content.
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope.
- 17 minutes.
👉 Read Descope's tutorial on adding ReBAC to a RAG pipeline
Context
Retrieval-augmented generation is only as safe as the authorization layer around it. Once source documents are converted into embeddings, the search layer may still find the right content semantically, but it no longer understands who should be allowed to see it.
That is the core governance gap this tutorial addresses for enterprise RAG: access decisions must be computed from relationships, not inferred from vector similarity or hardcoded metadata. In practice, that makes document ownership, team membership, and ad hoc sharing part of the identity model, not just the application model. This is the same boundary problem that shows up whenever identity-aware AI systems touch internal data, including the wider NHI governance problem described in the Ultimate Guide to NHIs.
Key questions
Q: How should security teams protect RAG pipelines from exposing restricted documents?
A: Security teams should insert an authorization check after retrieval and before generation, so the model only receives content the user is allowed to see. That means semantic search can still find candidate documents, but a separate policy layer must verify ownership, team membership, or share relationships before any text reaches the prompt.
Q: Why do static RBAC rules fail in enterprise AI document access?
A: Static RBAC fails when permissions depend on changing relationships such as project membership, document ownership, or ad hoc sharing. Those conditions shift too often for fixed roles to remain accurate, so AI retrieval systems need a relationship-driven model that can reflect current access without broad metadata rewrites.
Q: What breaks when RAG systems filter documents only by metadata?
A: Metadata-only filtering breaks when access rules are too dynamic to encode in every record. If a user joins a new team or receives a share, thousands of metadata entries may need updating, and any missed update can leak confidential content through a semantically relevant retrieval path.
Q: Who should be able to explain why a user saw a specific document in RAG?
A: The application and authorization layer should be able to explain the access path, not just the LLM. Auditors and security teams need a trace from user to relationship to document so they can prove the retrieval was authorised and identify which rule granted access.
Technical breakdown
Why metadata filtering breaks for RAG authorization
Metadata filtering works only when access rules are simple and mostly static. In RAG, the vector database retrieves documents by semantic relevance, but relevance is not authorization. If permission state lives in record-level metadata, every team change or share event forces broad updates across many chunks. That creates a brittle access model that cannot keep up with real organisational relationships. The correct design separates retrieval from authorization so each layer does one job well: search finds candidate content, and policy decides whether the user may see it. This matters because the security boundary is between retrieval and generation, not inside the LLM.
Practical implication: do not treat vector similarity as a permission signal; enforce authorization after retrieval but before prompt assembly.
How ReBAC models document-level access
Relationship-Based Access Control represents access as links between users, teams, and resources. A user can own a document, inherit access through team membership, or receive access through a share relationship. That model fits enterprise content because permissions are usually contextual and transitive rather than fixed to a single role. ReBAC also preserves explainability: the system can answer why access was granted by tracing the relationship path. In RAG, that means the authorization service can evaluate only the small set of retrieved documents, instead of scanning the entire corpus. The result is a scalable policy layer that matches organisational reality.
Practical implication: model ownership, team membership, and sharing as relationships that can be checked dynamically at query time.
Post-retrieval filtering and the access-denied fallback
Post-retrieval filtering keeps the vector index simple while preventing unauthorised context from reaching the model. After retrieval, the app asks the authorization service whether each candidate document is allowed for the current user. If enough authorised content exists, generation proceeds. If not, the system should return an access-denied response instead of letting the LLM answer from restricted context or improvise from missing data. This pattern is especially important in enterprise chatbots where the same retrieval pipeline may touch HR, finance, and executive material. The control point is narrow, but it is decisive.
Practical implication: build a hard deny path when no authorised context remains, rather than allowing the model to answer from partial retrievals.
NHI Mgmt Group analysis
ReBAC is a permission model, but not a substitute for identity governance. The tutorial shows the right control boundary for RAG, yet the broader lesson is that AI applications inherit identity complexity the moment they touch internal content. Ownership, team membership, and sharing are identity relationships, not application shortcuts, and they need lifecycle handling just like any other access path. Practitioners should treat RAG authorization as part of the wider access governance programme, not as a feature bolted onto search.
Static roles are the wrong abstraction for document access in AI systems. RBAC works when access groups are stable, but the article correctly shows that document permissions often change with team movement, project scope, and one-off sharing. That makes the real problem permission drift across a living graph of relationships. ReBAC fits because it expresses how access actually changes in organisations, which is why it is a better fit for AI retrieval pipelines that must stay aligned with current business structure.
The named concept here is the retrieval-authorisation boundary. That boundary is where semantic search stops and access control begins, and it is the point most AI deployments get wrong. If the pipeline retrieves first and authorises too late, the model may already have seen restricted content. Practitioners should think of this as a governance boundary, not an implementation detail, because once the wrong context enters the prompt, the exposure problem has already occurred.
This pattern also changes how auditors should evaluate AI systems. The relevant question is not whether the chatbot can answer accurately, but whether the system can prove why a specific user saw a specific document path. Auditability, denial logging, and relationship traceability become core controls for enterprise AI because they turn an opaque retrieval event into a reviewable access decision. Teams that cannot explain the path from user to document will struggle to defend the system in a compliance review.
ReBAC should be viewed as part of the emerging NHI governance stack around AI applications. As AI assistants increasingly mediate access to internal data, the access graph becomes a machine-enforced identity fabric for non-human workflows. That makes lifecycle, revocation, and delegated access traceability more important, not less. Practitioners should expect RAG security to converge with broader NHI governance rather than remain a separate engineering concern.
From our research:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so.
- That gap is why practitioners should review the OWASP Agentic Applications Top 10 alongside their own retrieval and authorization controls.
What this signals
Retrieval-authorisation boundary: once AI systems sit between employees and internal knowledge, the old separation between IAM and application design stops holding. Teams need to treat document access as an identity decision that happens at query time, not as a static property of the content store.
With 92% of organisations saying AI agent governance is critical but only 44% implementing policies, the pattern here is structural. ReBAC gives practitioners a way to express access in relationships, but programme owners still need lifecycle revocation, audit traceability, and denial handling to keep the graph current.
For teams maturing AI access controls, the next step is not a better vector index. It is aligning the application with the same identity and lifecycle discipline that governs human and machine access elsewhere in the stack, then testing whether authorised context can be proved end to end.
For practitioners
- Separate retrieval from authorization Keep the vector database focused on semantic retrieval and place a dedicated authorization decision immediately before context is passed to the LLM. This prevents unauthorized chunks from becoming prompt input even when they rank highly on similarity.
- Model access as relationships, not static metadata Represent document ownership, team membership, and sharing as first-class relationships so access updates follow the organisation instead of requiring bulk metadata rewrites across the corpus.
- Log the relationship path behind each decision Capture which relationship granted or denied access so compliance teams can answer who accessed what and why without reconstructing the decision manually from application logs.
- Add a hard deny path for empty authorised context If retrieval returns no documents the current user is allowed to see, stop the generation flow and return an access-denied message rather than asking the model to answer from restricted data.
Key takeaways
- RAG systems leak when semantic retrieval is allowed to outrun authorization, because the model can receive content the user never had permission to see.
- Relationship-based access control fits enterprise document access better than static roles, because ownership, sharing, and team membership change continuously.
- Practitioners should enforce authorization after retrieval, log the relationship path, and hard-stop generation when no authorised context remains.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | RAG authorization depends on controlling non-human access paths to internal content. |
| NIST CSF 2.0 | PR.AC-4 | The tutorial's core issue is access enforcement based on identity and relationships. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | The post uses an explicit authorize-before-use pattern aligned to zero trust. |
Map RAG document access to PR.AC-4 and verify entitlement before any content reaches the model.
Key terms
- Relationship-Based Access Control: A permission model that grants access through relationships between users, groups, and resources rather than only through static roles. In AI retrieval systems, ReBAC is useful because access often changes with ownership, sharing, and team structure, and those changes need to be evaluated at query time.
- Retrieval-Authorisation Boundary: The point in a RAG pipeline where semantically relevant content must be checked against policy before it becomes model input. This boundary matters because retrieval can surface sensitive text even when the requester is not entitled to see it, so authorization must happen before generation.
- Post-Retrieval Filtering: A design pattern where candidate documents are first found by search and then filtered by access policy before use. It is more reliable than metadata-only pre-filtering when permissions are dynamic, because it keeps search and authorization separate while still preventing unauthorized content from reaching the LLM.
- Document-Level Authorization: Access control that evaluates whether a specific user may view a specific document, rather than granting broad access to a collection or role. In enterprise AI, document-level authorization is essential because a chatbot can expose highly sensitive material even when the overall application appears benign.
What's in the full article
Descope's full tutorial covers the operational detail this post intentionally leaves for the source:
- Step-by-step Python code for wiring ReBAC checks into a live RAG query function.
- Concrete examples of how ownership, team, and sharing relations are created in the authorization graph.
- Sample audit logging behaviour that shows why a user was allowed or denied access.
- Implementation notes for ChromaDB retrieval, cache behaviour, and batch checks.
👉 The full Descope tutorial shows the sample code, relation setup, and verification checks in detail.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-04-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org