Position: Authorization Must Be an Architectural Primitive in Multi-Agent RAG Systems
Abstract
A position paper arguing that authorization must be treated as an architectural primitive in multi-agent RAG, enforced before sensitive data reaches retrieval or generation.
Retrieval-augmented generation and multi-agent AI systems now handle sensitive enterprise data, but vector search, agent delegation, and response synthesis can break conventional row-level and API authorization guarantees.
The paper argues that prompt restrictions, stale role-embedded vectors, and post-generation filtering are insufficient because the model may already have seen the data. Agents should inherit exactly the permissions of the calling user, nothing more.
Authorization belongs alongside retrieval and inference as a first-class architectural primitive, with its own contract, observability surface, and failure mode taxonomy.
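The enforcement order argued for above, as an added Python example that is not from the paper: each candidate is checked against a live ACL before it can enter the model context, a delegated agent carries the caller's identity unchanged, and a missing decision denies. The names (`Principal`, `retrieve`, `LIVE_ACL`, `orchestrator`) and the sample index are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data (assumption, not from the paper). LIVE_ACL is the
# source of truth; the role tags stored in INDEX went stale for "hr-7".
LIVE_ACL = {"fin-1": {"alice"}, "hr-7": {"bob"}, "pub-3": {"alice", "bob"}}
INDEX = [  # (doc_id, similarity, roles_embedded_at_index_time, text)
    ("hr-7", 0.93, {"alice", "bob"}, "salary bands"),
    ("fin-1", 0.88, {"alice"}, "Q3 forecast"),
    ("pub-3", 0.71, {"alice", "bob"}, "holiday calendar"),
]

@dataclass(frozen=True)
class Principal:
    user: str  # the calling user; agents carry this, never an identity of their own

class AuthzUnavailable(Exception):
    pass

def authorize(principal, doc_id, acl):
    """Query-time check against the live ACL; unknown documents are denied."""
    if acl is None:
        raise AuthzUnavailable("ACL store unreachable")
    return principal.user in acl.get(doc_id, set())

def retrieve(principal, k=2, acl=LIVE_ACL, audit=None):
    """Rank candidates, then authorize each one BEFORE it can enter the context."""
    context = []
    for doc_id, _score, _stale_roles, text in sorted(INDEX, key=lambda r: -r[1]):
        try:
            allowed = authorize(principal, doc_id, acl)
        except AuthzUnavailable:
            allowed = False  # fail closed: no decision means no data
        if audit is not None:  # observability: every decision is recorded
            audit.append((principal.user, doc_id, "allow" if allowed else "deny"))
        if allowed:
            context.append((doc_id, text))
        if len(context) == k:
            break
    return context  # only this list is ever passed to generation

def sub_agent(principal, audit=None):
    """Delegated agent: receives the caller's Principal unchanged."""
    return retrieve(principal, audit=audit)

def orchestrator(user, audit=None):
    return sub_agent(Principal(user), audit=audit)
```

The stale role tag on `hr-7` still lists `alice`, yet the document never reaches her context because the decision comes from the live ACL at query time.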