Tag: cyber-security

Implementing Granular Access Control in RAG Applications

A Guide to Implementing Granular Access Control in RAG Applications

Audience: Security Architects, AI/ML Engineers, Application Developers

Version: 1.0

Date: 11 September 2025

1. Overview

This document outlines the technical implementation for enforcing granular, “need-to-know” access controls within a Retrieval-Augmented Generation (RAG) application. The primary mechanism for achieving this is through metadata filtering at the vector database level, which allows for robust Attribute-Based Access Control (ABAC) or Role-Based Access Control (RBAC). This ensures that a user can only retrieve information they are explicitly authorised to access, even after the source documents have been chunked and embedded.

2. Core Architecture: Metadata-Driven Access Control

The solution architecture is based on attaching security attributes as metadata to every data chunk stored in the vector database. At query time, the system authenticates the user, retrieves their permissions, and constructs a filter to ensure that the vector search is performed only on the subset of data to which the user is permitted access.

3. Step-by-Step Implementation

3.1. Data Ingestion & Metadata Propagation

The integrity of the access control system is established during the data ingestion phase.

  1. Define a Metadata Schema: Standardise the security tags. This schema should be expressive enough to capture all required access controls.
  • Example Schema:
  • doc_id: (String) Unique identifier for the source document.
  • classification: (String) e.g., ‘SECRET’.
  • access_groups: (Array of Strings) e.g., [‘NTK_PROJECT_X’, ‘EYES_ONLY_LEADERSHIP’].
  • authorized_users: (Array of Strings) e.g., [‘user_id_1’, ‘user_id_2’].
  1. Ensure Metadata Inheritance: During the document chunking process, it is critical that every resulting chunk inherits the complete metadata object of its parent document. This ensures consistent policy enforcement across all fragments of a sensitive document.
    Conceptual Code:
    Python
    def process_document(doc_path, doc_metadata):
        chunks = chunker.split(doc_path)
        processed_chunks = []
        for i, chunk_text in enumerate(chunks):
            # Each chunk gets a copy of the parent metadata
            chunk_metadata = doc_metadata.copy()
            chunk_metadata[‘chunk_id’] = f”{doc_metadata[‘doc_id’]}-{i}”
            processed_chunks.append({
                “text”: chunk_text,
                “metadata”: chunk_metadata
            })
        return processed_chunks

3.2. Vector Storage

Modern vector databases natively support metadata storage. This feature must be utilised to store the security context alongside the vector embedding.

  1. Generate Embeddings: Create a vector embedding for each chunk’s text.
  2. Upsert with Metadata: When writing to the vector database, store the embedding, a unique chunk ID, and the whole metadata object together.
    Conceptual Code (using Pinecone SDK v3 syntax):
    Python
    # 'vectors' is a list of embedding arrays
    # 'processed_chunks' is from the previous step

    vectors_to_upsert = []
    for i, chunk in enumerate(processed_chunks):
        vectors_to_upsert.append({
            "id": chunk['metadata']['chunk_id'],
            "values": vectors[i],
            "metadata": chunk['metadata']
        })

    # Batch upsert for efficiency
    index.upsert(vectors=vectors_to_upsert)

3.3. Query-Time Enforcement

Access control is enforced dynamically with every user query.

  1. User Authentication & Authorisation: The RAG application backend must integrate with an identity provider (e.g., Active Directory, LDAP, or OAuth provider) to securely authenticate the user and retrieve their group memberships or security attributes.
  2. Dynamic Filter Construction: Based on the user’s attributes, the application constructs a metadata filter that reflects their access rights.
  3. Filtered Vector Search: Execute the similarity search query against the vector database, applying the constructed filter. This fundamentally restricts the search space to only authorised data before the similarity comparison occurs.
    Conceptual Code:
    Python
    def execute_secure_query(user_id, query_text):
        # Authenticate user and get their permissions
        user_permissions = identity_provider.get_user_groups(user_id)
        # Example: returns ['NTK_PROJECT_X', 'GENERAL_USER']

        query_embedding = embedding_model.embed(query_text)

        # Construct the filter
        # This query will only match chunks where 'access_groups' contains AT LEAST ONE of the user's permissions
        metadata_filter = {
            "access_groups": {"$in": user_permissions}
        }

        # Execute the filtered search
        search_results = index.query(
            vector=query_embedding,
            top_k=5,
            filter=metadata_filter
        )

        # Context is now securely retrieved for the LLM
        return build_context_for_llm(search_results)

4. Secondary Defence: LLM Guardrails

While metadata filtering is the primary control, output-level guardrails should be implemented as a defence-in-depth measure. These can be configured to:

  • Block Metaprompting: Detect and block queries attempting to discover the security structure (e.g., “List all access groups”).
  • Prevent Information Leakage: Scan the final LLM-generated response for sensitive keywords or patterns that may indicate a failure in the upstream filtering.

Understanding Air-Gapped IT Infrastructure: Security and Challenges

Intro

I will start with what I consider to be one of this year’s most obvious IT statements, yes, even this early on in the year, so much so that it sounds to me more like a marketing spiel (no offence to my marketing friends) than a technical blog article. However, this conversation comes up daily with colleagues and customers, so I’ll set the scene a little here.

In today’s digital landscape, cybersecurity threats are becoming increasingly sophisticated, putting sensitive data and critical infrastructure at constant risk. While firewalls, intrusion detection systems, and endpoint security solutions form a solid defence, some environments require an even more extreme measure. It is something that the most security-conscious folks have known…. forever, but one that is increasingly becoming an accepted standard way of designing enterprise IT infrastructures.

Air-Gapped Infrastructure.

But what exactly is an ‘air-gapped’ infrastructure, and how does it compare to other isolation and control methods like ‘air-locking’? 
As a side note, I probably didn’t invent the term ‘airlock ‘in the context of IT infrastructure, but I am vain enough to hope so. The nerd in me thinks of Sci-Fi films set in space, where an airlock exists to keep the bad out (vacuum of space) and the good (Air) in while providing a way to safely cross between the two environments.

More importantly, what are the challenges in building and maintaining such an infrastructure? Let’s dive in.

Well, to quote Spiderman’s nerdy, IT-admin best friend; “with great security (in terms of IT infrastructure) comes greatly constrained functionality and increased complexity” (he never said that)

What is Air-Gapped IT Infrastructure?

Air-gapping is the practice of physically isolating a computer system or network from all external, untrusted networks, including the Internet. It is one of the highest levels of security and is often deployed in military, intelligence, critical infrastructure, and high-security corporate environments.

The goal? To create a barrier that cyber threats simply cannot cross—at least not remotely. However, this presents significant challenges for IT administrators who must manage updates, data transfers, and operational continuity without direct online access.

Why Air-Gapping is So Challenging

While air-gapped systems offer unparalleled security, they are notoriously difficult to build and maintain due to:

  • Software and Patch Management: How do you keep systems updated without connecting to the internet?
  • Data Transfer and Integrity: Moving data in and out requires extreme caution—one mistake could compromise an entire network.
  • Operational Continuity: Without cloud services, online monitoring tools or connected networks, IT teams must rely on manual processes and offline backups.
  • Physical Security: Protecting air-gapped hardware from insider threats and supply chain attacks is just as critical as preventing remote exploits.

Air-Gapping vs. Air-Locking: What’s the Difference?

Not all isolation methods are created equal. Many organisations employ controlled air-gapped environments, also known as ‘air-locked’ systems, where temporary access to external networks is permitted through highly controlled gateways.

For example, software updates might be transferred through a designated firewall or proxy server, ensuring some level of connectivity under strict supervision. However, there’s a major caveat: air-locked systems are not truly air-gapped.

The Hidden Risk of Air-Locked Systems

While air-locking provides a practical compromise, it introduces a significant security risk: human error or insider threats could leave the ‘air-lock’ open. A misconfiguration, malicious insider, or even a moment of negligence could create a vulnerability that compromises the entire system.

This is why air-gapped environments remain the gold standard for maximum security—but at the cost of operational complexity.

Best Practices for Running Air-Gapped Environments

Successfully operating air-gapped infrastructure requires a combination of strict security policies and well-defined operational procedures. Here are some key best practices:

1. Secure Data Transfers

  • Use vetted USB drives, optical media, or one-way data diodes.
  • Ensure all transfers undergo forensic scanning and approval processes.
  • Keep an immutable log of all data movements.

2. Software and Patch Management

  • Maintain a trusted offline repository for updates.
  • Deploy patches only after extensive testing in an isolated environment.
  • Use cryptographic verification to prevent tampering.

3. Access Control and Monitoring

  • Implement strict physical access controls, such as biometric authentication.
  • Use multi-factor authentication for any system interactions.
  • Deploy host-based intrusion detection systems (HIDS) to monitor for anomalies.

4. Incident Response and Disaster Recovery

  • Maintain fully offline backups that are physically stored in a secure location.
  • Regularly test disaster recovery procedures to ensure they work without cloud dependencies.
  • Use isolated forensic workstations to investigate any suspected breaches.

Is Air-Gapping Right for Your Organisation?

If your organisation handles highly classified information, critical infrastructure, or intellectual property, air-gapped environments provide an unmatched level of security. However, if usability and efficiency are major concerns, an air-locked or hybrid approach may be a more practical choice.

Ultimately, the decision comes down to risk tolerance vs. operational feasibility—a balance that every security-conscious organisation must carefully consider.

Final Thoughts

Air-gapping remains one of the most effective cybersecurity measures available today, but it’s not without its trade-offs. While fully air-gapped environments offer unparalleled security, the operational challenges can be significant. Meanwhile, air-locked systems provide a compromise but introduce potential vulnerabilities if not carefully managed.

Whether you’re building an air-gapped infrastructure from scratch or refining your organisation’s security posture, one thing is clear: true cybersecurity requires a multi-layered approach that prioritises both protection and practicality.

The above steps are by no means all there is to designing and operating secure environments, obviously, but I felt the need to put down my thoughts based on conversations I often have about the definition of the term ‘air-gapped’ and just like other topics, such as ‘multi-tenancy’, and what they actually mean in the real world.

What are your thoughts on air-gapped vs. air-locked security? Let’s discuss in the comments! 👇