SoK: Authorization in Multi-Agent Retrieval-Augmented Generation Systems
Abstract
A systematization of authorization failure modes and mitigation families in agentic RAG, organized around the correctness property of Authorization-First Retrieval.
Retrieval-augmented generation and multi-agent LLM systems are moving into enterprise settings that handle sensitive data. This SoK defines threat models and correctness criteria for authorization in semantic retrieval pipelines.
It develops a taxonomy of failure modes including semantic overfetch, cross-domain synthesis leakage, and delegation escalation, then compares mitigation families such as role-partitioned indices, metadata filtering, post-generation redaction, and agent tool-scope controls.
The paper systematizes Authorization-First Retrieval as a unifying ordering property: authorization must be a precondition to defining the semantic retrieval candidate space.
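The ordering property can be seen in a few lines of code. The sketch below is an added illustration, not code from the paper: the corpus, role labels, embeddings, and function names are constructed assumptions. It contrasts ranking the whole index and filtering afterwards with restricting the candidate space to authorized documents before any similarity ranking.

```python
from math import sqrt

# Constructed corpus: (doc_id, roles allowed to read, toy embedding).
CORPUS = [
    ("hr-salary-bands",   {"hr"},        (0.9, 0.1, 0.0)),
    ("hr-severance-memo", {"hr"},        (0.8, 0.2, 0.1)),
    ("eng-pay-faq",       {"eng", "hr"}, (0.7, 0.3, 0.2)),
    ("eng-oncall-guide",  {"eng"},       (0.1, 0.9, 0.2)),
    ("public-handbook",   {"eng", "hr"}, (0.5, 0.5, 0.5)),
]
QUERY = (1.0, 0.1, 0.0)  # constructed embedding of a pay-related question

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (sqrt(sum(x * x for x in a)) * sqrt(sum(y * y for y in b)))

def rank(docs, query, k):
    """Top-k documents by cosine similarity to the query."""
    return sorted(docs, key=lambda d: cosine(d[2], query), reverse=True)[:k]

def retrieve_post_filter(query, roles, k):
    """Rank the whole corpus, then drop hits the caller may not read.
    Returns (candidate ids the ranker surfaced, ids actually returned)."""
    candidates = rank(CORPUS, query, k)
    results = [d[0] for d in candidates if d[1] & roles]
    return [d[0] for d in candidates], results

def retrieve_auth_first(query, roles, k):
    """Authorization defines the candidate space; ranking runs inside it.
    Returns (candidate ids, returned ids), which are identical by construction."""
    authorized = [d for d in CORPUS if d[1] & roles]
    ids = [d[0] for d in rank(authorized, query, k)]
    return ids, ids

if __name__ == "__main__":
    for fn in (retrieve_post_filter, retrieve_auth_first):
        cands, results = fn(QUERY, {"eng"}, 2)
        print(f"{fn.__name__}: candidates={cands} results={results}")
```

For an `eng` caller with k=2, the post-filter variant surfaces only HR documents as candidates and returns nothing, while the authorization-first variant never touches them and returns the two most relevant documents the caller may read.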