RAG-based AI agents: where do access controls break first?

TL;DR: RAG-powered AI agents can surface sensitive internal data, leak confidential material, or be manipulated through prompt and context injection when permission checks are missing, according to Cerbos. The security problem is not the model alone but the trust boundary around retrieval, authorization, and downstream response generation.

NHIMG editorial — based on content published by Cerbos: authorization-aware data filtering for RAG-based AI agents

By the numbers:

• 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.

Questions worth separating out

Q: How should security teams implement access control for RAG-based AI agents?

A: They should enforce authorization before retrieval, not after generation.

Q: Why do RAG-based assistants create more risk than a normal search tool?

A: Because they do not just return matching records, they assemble those records into a generated answer that can expose sensitive context, merge fragments, or amplify poisoned data.

Q: What do security teams get wrong about prompt injection in AI assistants?

A: They often treat prompt injection as a model safety issue alone, when it is also a trust issue in the content pipeline.

Practitioner guidance

• Enforce retrieval-time authorization checks Apply policy before documents, rows, or API responses are injected into the prompt so the model never sees data the user cannot access.
• Classify the data sources behind every agent Inventory which repositories, APIs, and knowledge bases feed each AI assistant, then map those sources to the same access rules used elsewhere in the product.
• Filter retrieved content before prompt assembly Treat document fragments, search snippets, and vector results as untrusted input and remove content that could influence unsafe or out-of-scope responses.

What's in the full article

Cerbos' full article covers the implementation detail this post intentionally leaves at the strategy level:

• Step-by-step policy flow from user request to filtered retrieval to generated answer.
• Concrete examples of role, department, and region-based authorization filters for AI assistants.
• Architecture patterns for centralizing access control across apps, APIs, and AI agents.
• Operational discussion of auditability, compliance, and response logging in RAG workflows.

👉 Read Cerbos' analysis of authorization-aware access control for RAG AI agents →

RAG-based AI agents: where do access controls break first?

Explore further

View Full Forum →  |  NHI Foundation Course →