Authorization-First Retrieval: Enforcing Least Privilege in Multi-Agent RAG Systems
Abstract
Authorization-first retrieval enforces least privilege before semantic retrieval, ensuring that documents never enter a multi-agent RAG prompt unless the requesting user or agent is permitted to access them.
Generation-time authorization assumes the model can be trusted to refuse what it has already seen. Authorization-first retrieval inverts the contract: the document never enters the prompt unless the requesting agent has explicit permission for it.
The paper formalizes the threat model for multi-agent RAG, presents implementation patterns compatible with vector and hybrid retrieval, and argues that authorization must constrain the candidate set before ranking or synthesis.
Accepted at ACL TrustNLP 2026. Version 1 was also accepted at SAGAI 2026, colocated with IEEE Symposium on Security and Privacy 2026.