TL;DR: Agentic RAG systems need deterministic authorization in the retrieval flow, not prompt-level instructions, because AI agents can reason around access boundaries unless the check is enforced by the pipeline itself, according to AuthZed. That makes authorization architecture, not model quality, the decisive control for protecting sensitive documents.
NHIMG editorial — based on content published by AuthZed: building a production-grade agentic RAG system with deterministic authorization
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%).
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
Questions worth separating out
Q: How should security teams enforce authorization in agentic RAG systems?
A: Security teams should enforce authorization as a hard workflow step, a deterministic check run over the retrieved candidate set before any document content reaches the model, so the outcome does not depend on how the model interprets an instruction.
Q: Why do RBAC-only models struggle in enterprise retrieval workflows?
A: RBAC-only models struggle because enterprise document access is usually shaped by relationships, exceptions, and inheritance, not just static job roles.
Q: What breaks when authorization happens inside the LLM prompt instead of the workflow?
A: When authorization lives inside the prompt, it becomes advisory rather than enforceable: the model has already received the content, and an instruction about what it may use can be misread or reasoned around, with no audit trail of a decision being made.
Practitioner guidance
- Enforce authorization before retrieval reaches the model: place a deterministic authorization node between retrieval and generation so the LLM never sees content the subject cannot access.
- Model document access as relationships, not only roles: represent department membership, ownership, explicit viewers, and public documents in the permissions schema so the retrieval layer mirrors enterprise reality.
- Use bulk permission checks for candidate document sets: check all retrieved documents in one permission request, return only approved items, and treat an error or an incomplete response as a denial.
What's in the full article
AuthZed's full blog post covers the operational detail this post intentionally leaves for the source:
- The LangGraph node design that hardcodes authorization into the workflow instead of leaving it to the model.
- The full SpiceDB schema and the relationship model used to represent departments, owners, viewers, and public documents.
- The implementation detail for CheckBulkPermissions and fail-closed handling in the retrieval pipeline.
- The configuration steps for moving the demo from local containers to AuthZed Cloud and Weaviate Cloud.
👉 Read AuthZed's analysis of deterministic authorization for agentic RAG →
Agentic RAG authorization: where is the governance gap appearing?
Explore further
Authorization must be treated as a control plane, not a prompt hint: The article shows that retrieval in agentic RAG can only be safe when policy enforcement is deterministic and external to the model. Prompt instructions are advisory, while authorization is binary, auditable, and enforceable before content reaches the LLM. That distinction is now central to OWASP-NHI and Zero Trust thinking for AI workflows. Practitioners should design around a hard authorization boundary, not a soft behavioural instruction.
A few things that frame the scale:
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
- In the same research, 92% of respondents said governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so.
A question worth separating out:
Q: Should teams use bulk permission checks for AI retrieval pipelines?
A: Yes, when retrieval returns multiple candidate documents, bulk permission checks are the safer and more scalable choice. They let teams evaluate access in one request, reduce latency, and avoid the partial-result problem of per-document checks, where a failure midway can leave some candidates unchecked. They also make fail-closed behaviour simple to implement: if the single call errors or returns an incomplete response, the node passes no context to the model rather than continuing on an unverified set, which is essential for AI systems that can otherwise continue on unsafe inputs.
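The following is an added example, not AuthZed's code or the schema from the source post, illustrating both the practitioner guidance above (authorization node between retrieval and generation, relationship-based schema, bulk checks) and the fail-closed bulk check discussed in this Q&A. Everything in it is an assumption: the SpiceDB-style schema text, the document and user identifiers, and the in-memory `RelationStore` that stands in for a SpiceDB `CheckBulkPermissions` call so the script runs offline. The LangGraph node is reduced to a plain function over a state dictionary.

```python
from collections import defaultdict

# Hypothetical SpiceDB-style schema (an assumption, not AuthZed's published schema),
# covering the four relationships the editorial names: department membership,
# ownership, explicit viewers, and public documents (wildcard subject user:*).
SCHEMA = """
definition user {}

definition department {
    relation member: user
}

definition document {
    relation owner: user
    relation viewer: user | user:*
    relation department: department
    permission view = owner + viewer + department->member
}
"""


class AuthzUnavailable(Exception):
    """Raised when the permission service cannot answer (constructed failure)."""


class RelationStore:
    """In-memory stand-in for SpiceDB that evaluates the schema above."""

    def __init__(self):
        # (resource, relation) -> set of subjects, e.g. ("document:d1", "owner") -> {"user:alice"}
        self.rels = defaultdict(set)

    def write(self, resource, relation, subject):
        self.rels[(resource, relation)].add(subject)

    def can_view(self, doc, user):
        # permission view = owner + viewer + department->member
        if user in self.rels[(doc, "owner")]:
            return True
        viewers = self.rels[(doc, "viewer")]
        if user in viewers or "user:*" in viewers:  # user:* models a public document
            return True
        return any(user in self.rels[(dept, "member")]
                   for dept in self.rels[(doc, "department")])

    def check_bulk(self, items):
        """One request for the whole candidate set (stand-in for CheckBulkPermissions)."""
        return [(doc, user, self.can_view(doc, user)) for doc, user in items]


class FailingStore(RelationStore):
    """Simulates the permission service being unreachable."""

    def check_bulk(self, items):
        raise AuthzUnavailable("permission service unreachable")


def authorize_node(state, store):
    """Authorization step between retrieval and generation.

    state["candidates"] is whatever the retriever returned. Only documents the
    subject can view are copied into state["context"], the one field the
    generation step reads. Any error or incomplete answer from the permission
    check fails closed: context is empty and authz_error is set.
    """
    subject = state["subject"]
    candidates = state.get("candidates", [])
    try:
        results = store.check_bulk([(d["id"], subject) for d in candidates])
        if len(results) != len(candidates):
            raise AuthzUnavailable("incomplete bulk response")
    except Exception:
        return {**state, "context": [], "authz_error": True}
    allowed = {doc for doc, _, ok in results if ok}
    return {**state, "context": [d for d in candidates if d["id"] in allowed],
            "authz_error": False}


def build_demo_store():
    """Constructed relationships for the demo (assumed identifiers)."""
    s = RelationStore()
    for u in ("user:alice", "user:bob"):
        s.write("department:engineering", "member", u)
    s.write("department:finance", "member", "user:dave")
    s.write("document:d1", "owner", "user:alice")
    s.write("document:d2", "department", "department:engineering")
    s.write("document:d3", "viewer", "user:carol")
    s.write("document:d4", "viewer", "user:*")
    s.write("document:d5", "department", "department:finance")
    return s


def retrieval_state(subject):
    """Constructed retriever output: the same five candidates regardless of subject."""
    return {"subject": subject,
            "candidates": [{"id": f"document:d{i}", "text": f"body of d{i}"} for i in range(1, 6)]}


def allowed_ids(subject, store):
    return [d["id"] for d in authorize_node(retrieval_state(subject), store)["context"]]


if __name__ == "__main__":
    store = build_demo_store()
    print(allowed_ids("user:alice", store))   # ['document:d1', 'document:d2', 'document:d4']
    print(allowed_ids("user:carol", store))   # ['document:d3', 'document:d4']
    print(authorize_node(retrieval_state("user:alice"), FailingStore())["context"])  # []
```

The retriever deliberately returns the same five candidates for everyone; what differs per subject is only what survives `authorize_node`, and the generation step must read `context` rather than `candidates`. In a real deployment `check_bulk` would wrap the SpiceDB client's bulk check, and the `len(results) != len(candidates)` guard is what turns a truncated or partial response into a denial instead of a silent leak.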
👉 Read our full editorial: Agentic RAG needs deterministic authorization, not prompt instructions