惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Threat Research - Cisco Blogs
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
The Register - Security
The Register - Security
A
About on SuperTechFans
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
L
LangChain Blog
N
Netflix TechBlog - Medium
量子位
博客园 - 三生石上(FineUI控件)
宝玉的分享
宝玉的分享
H
Help Net Security
D
Docker
D
DataBreaches.Net
T
Tailwind CSS Blog
阮一峰的网络日志
阮一峰的网络日志
B
Blog
博客园 - 聂微东
Apple Machine Learning Research
Apple Machine Learning Research
Google DeepMind News
Google DeepMind News
The Cloudflare Blog
F
Full Disclosure
GbyAI
GbyAI
F
Fortinet All Blogs
Last Week in AI
Last Week in AI
Y
Y Combinator Blog
人人都是产品经理
人人都是产品经理
Recent Announcements
Recent Announcements
博客园 - Franky
MongoDB | Blog
MongoDB | Blog
有赞技术团队
有赞技术团队
博客园 - 叶小钗
小众软件
小众软件
V
Visual Studio Blog
月光博客
月光博客
Stack Overflow Blog
Stack Overflow Blog
The GitHub Blog
The GitHub Blog
Recorded Future
Recorded Future
J
Java Code Geeks
雷峰网
雷峰网
P
Privacy & Cybersecurity Law Blog
C
Cisco Blogs
C
Cyber Attacks, Cyber Crime and Cyber Security
AWS News Blog
AWS News Blog
Webroot Blog
Webroot Blog
美团技术团队
N
News | PayPal Newsroom
G
Google Developers Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
博客园_首页
V
Vulnerabilities – Threatpost

Redis

Real-Time Fraud Detection: Latency, Features & Scale Context window in AI: why every token is a budget decision Redis Data Integration in Redis Cloud is now GA in AWS | Redis Why AI Misses Business Context & How Teams Fix It AI Reasoning Explained: Why Context Matters Semantic Layer vs Context Layer: Key Differences Redis array data type: How it works and when to use it Context Graphs vs. Vector Search: When RAG Falls Short What’s new in two – May 2026 edition Redis 8.8 performance improvements: Faster string, hash, streams, SCAN & more Redis 8.8: New array data structure & open source features How Conflict-free Replicated Data Types power active-active database replication Context Orchestration: What It Is & How It Works Context Compaction for AI Agents: A Complete Guide Prompt Bloat: Causes, Costs & Fixes for LLM Apps Agentic Retrieval Techniques: A Complete Guide Single-shot reliable consumers with XREADGROUP CLAIM in Redis 8.4 | Redis Long-Horizon AI Agents: Memory & State Infrastructure What is a context engine? What Is a Context Layer? AI Agent Infrastructure Context Retrieval for AI Agents: What It Is & Why It Matters Context Poisoning: How Bad Data Breaks Agent Reasoning Context is all you need: Introducing Redis Iris | Redis Context Engineering for AI: What It Is & How to Build It Dynamic endpoints: Migrate databases without changing your endpoint | Redis AI Shopping Assistants: How They Work & What to Build Endless Aisle Retail: Infrastructure & Real-Time Data LLM Speed Benchmarks: Metrics & Infrastructure Guide Context Pruning: Cut LLM Tokens Without Losing Quality What’s new in two – April 2026 edition Agentic AI Architecture: 5 Patterns Explained AI Agent vs Chatbot: Key Differences Explained Advantages of Building a Vector Search Solution API Latency in LLM Apps: Causes & How to Fix It Security advisory: [CVE‑2026‑23479] [CVE‑2026‑25243] [CVE-2026-25588] [CVE‑2026‑25589] [CVE-2026-23631] | Redis Edge Computing Latency: Causes & How to Reduce It AI Agents vs Workflows: When to Use Each Streaming LLM Responses: Make Your AI App Feel Fast Active-Active vs Active-Passive Database Architecture Prefill vs Decode: LLM Inference Phases Explained Long-Term Memory Architectures for AI Agents Time to First Byte Test: Tools, Causes & Fixes Speculative decoding: how it works & when to use it P95 Latency: What It Is & Why It Matters Why Multi-Agent LLM Systems Fail & How to Fix Them AI Human in the Loop: Production Oversight Patterns Native OpenTelemetry metrics for Redis client libraries | Redis Client-side geographic failover for Redis Active-Active | Redis Use Redis with SQL | Redis Introducing Redis Feature Form Build Google ADK Agents with persistent, real-time memory on Redis | Redis Startup Spotlight: Neuron Systems API Throttling: Algorithms, Patterns & Mistakes Agentic AI Examples Across 6 Industries Best Chunking Strategies for RAG Pipelines Agentic AI Guardrails: Controls That Work Redis joins AWS at GDC to support the next generation of gaming | Redis Designing a semantic routing system: From static rules to dynamic intelligence with Redis and Java | Redis Real-Time Dispatch System: A Complete Guide P99 Latency: What It Means & How to Fix It Tokenization in LLMs: What AI App Devs Need to Know TTFT Meaning: What is Time to First Token? Atomic slot migration with Redis 8.4 Hybrid search benefits: Why your RAG system needs both keyword & vector search What’s new in two: March 2026 edition Vector embedding generators: How they work & how to use them Throughput-optimizing Redis for L2 KV Cache Reuse What is a data pipeline? Building AI agent pipelines that don't forget, fail, or fall apart Redis achieves Google Cloud Ready, Distributed Cloud status ahead of Google Cloud Next ‘26 | Redis Real-time network monitoring: what your data platform needs to keep up AI agent API: How agents connect to the real world What is multicloud infrastructure? A guide for 2026 What is a transaction monitoring system & how does it work? Why your AI agent fails in production & how tracing helps AI agent benchmarks: Where they fall short & why your infrastructure matters What is a JSON database (and when should you use one)? Introducing the Redis Partner Network: A new foundation for real-time innovation How real-time customer segmentation works in retail Payment orchestration & vault architecture in retail Agentic systems vs. GenAI: when generation isn't enough What is fuzzy matching? Semantic caching & routing: two powerful patterns for vector classification Redis alternatives: Why there are no exact substitutes Connect to Azure Managed Redis with Redis Insight 3.2.0 How to tame the thundering herd problem Redis to Manage Storage Replication | Redis How hierarchical navigable small world (HNSW) algorithms can improve search | Redis How leading financial institutions use Redis to drive growth | Redis What’s new in two: May 2025 | Redis Introducing Model Context Protocol (MCP) for Redis | Redis Redis vs. Elasticsearch: What’s faster for GenAI & vector search? | Redis Build fast, production-worthy AI apps with Spring AI and Redis | Redis Azure Managed Redis is GA today | Redis Redis then & now: Adapting with developers through every era | Redis Supercharge Your AI with OpenShift AI and Redis: Unleash speed and scalability | Redis What’s new in two: April 2025 | Redis Redis 8 is now GA, loaded with new features and more than 30 performance improvements | Redis What is a data strategy? 6 key components explained Data replication explained: types, examples & use cases
AI agent access control: a practical guide
Redis · 2026-06-12 · via Redis

Picture a support agent that's authorized to read customer tickets, summarize them, and draft replies. A user asks it to "pull up everything related to account 4471's billing dispute." The agent authenticates fine, queries the vector store, and returns a clean summary, along with three chunks from an internal finance doc that mention account 4471 in a footnote. Nobody approved that. Nothing was hacked. The retrieval just didn't know it shouldn't surface those chunks for this user, on this task, right now.

That's the gap AI agent access control is meant to close. It defines what an authenticated agent can see and do for a specific user, task, and workflow. Without per-action scope, a legitimate agent can leak private data even when authentication, API access, and system approvals all work as designed.

The hard part: knowing who an agent is rarely tells you what it should be allowed to do right now, for this task, on this user's behalf. Treating agent authorization like old app authorization is where leaks start. This guide covers what AI agent access control means, why authentication only solves half the problem, where access leaks through retrieval, how entity- and field-level scoping works in the context layer, and why durable controls live at the data layer.

How agent authorization differs from traditional app authorization

Traditional app authorization assumes a predictable world. The principal is a human or stable service with a fixed identity and known role, and the system often checks permissions at login or session start. AI agents break those assumptions because access needs emerge during execution.

The deeper distinction is timing. Identity and access management (IAM) verifies identity and grants initial access, while AI authorization governs what a system does after access is granted, which is where the risk concentrates.

A few things make agent authorization harder than the app version:

  • Per-action, not per-session. An agent can make thousands of decisions inside a single session, each one potentially needing its own authorization check.
  • Scope emerges at runtime. Static delegation assumes you can predict access before execution, but agents reveal what they need as plans branch, tool calls depend on intermediate results, and cross-system access appears late.
  • Delegation gets recursive. A user delegates to an agent, which spawns a sub-agent, which calls a third that touches production data. OAuth agent flows don't fully address an agent acting as a distinct identity in that chain.

One principle holds across all of this: the model shouldn't be the security boundary. The LLM should not decide whether an action is permitted; an external policy engine makes that call. Controls written as system-prompt instructions can be bypassed by prompt injection, so enforcement has to sit upstream of the model.

Redis Iris

Redis Iris serves agent context in milliseconds

Redis Iris connects memory, live data, and retrieval in one place.

Why authentication isn't enough: three agent authorization failures

Authentication tells you which agent is calling. Authorization defines what it may access and whether a downstream action was legitimately derived from an upstream instruction, with a verifiable chain back to a human decision. Because authorization happens after access, authentication only solves half the problem.

That gap shows up in three recurring ways:

  • Permissions that are too broad. Excessive agency is overpowered agent behavior that often comes from three root causes: excessive functionality, excessive permissions, and excessive autonomy. An extension meant only to read data connects with an identity that also carries UPDATE, INSERT, and DELETE rights. The agent authenticated fine; the permissions behind it were too broad.
  • Checks at the wrong layer. Permission checks at the tool-call level miss what the agent intends to do. A skill permitted to run SELECT queries may be coerced by prompt injection to run DELETE, because the check happens at the call, not the intent.
  • Authority that leaks across hops. When one agent asks a more privileged agent to fetch data on its behalf, you get a permission mismatch pattern, a confused-deputy scenario where access controls can get bypassed entirely.

The common fix is to bind authority to the workflow rather than the identity. Secure delegation patterns shrink scope at each hop and keep a human in the loop for sensitive actions, so an agent's delegated permissions stay a subset of the workflow, not a direct inheritance of the owner's access.

Least privilege & the blast radius of an over-scoped agent

How much a single slip exposes comes down to one thing: how much the agent could reach in the first place. A tightly scoped agent that goes wrong might surface one customer's record; an agent with unrestricted access could surface the entire customer database. And the slip usually isn't a breach. It's the agent returning data to the user it's working for, like the support agent in the opening example handing over finance-doc chunks, often set off by prompt injection rather than a deliberate attack. Least privilege matters more for agents than for people here, because they act at machine speed and may never trip the anomaly detection a human attacker would.

Reach gets dangerous when an agent inherits credentials it shouldn't. In one documented incident, an agent inherited a domain token and its effective access jumped from domain management to the entire production infrastructure. Broad credentials turn a small mistake into a large one.

Retrieval then multiplies whatever the agent can reach, turning one over-scoped document into answer fragments across many responses.

How to enforce permissions in RAG retrieval pipelines

That multiplication has a straightforward mechanism. Vector search returns the top-k chunks by similarity score, and similarity has no idea who's allowed to see what. When permission checks live in the application layer instead of at the point where documents are selected, the engine can hand back chunks the user was never authorized to see, and the model treats them as fair game. The consequences scale with that gap: an overpowered agent can disclose personal data, and in multi-tenant setups, one group's embeddings can surface in another group's results.

The fix is to enforce permissions at retrieval itself, not after the fact. Three patterns do this, and they work best layered together:

  • Metadata filtering at retrieval. Attach permission metadata to documents at ingestion, then filter on it during the similarity search so only authorized chunks reach the model.
  • Permission-aware retrieval. Propagate user identity and permissions into the retrieval process, not just the application layer, with strict logical partitioning for multi-tenant isolation.
  • Layered policy enforcement. Apply input authorization on the query scope, retrieval-augmented generation (RAG) authorization on retrieval filtering, and output authorization that masks sensitive values.

Metadata filtering carries the most weight of the three, but two limits matter before you lean on it alone. Permission changes in the source data sync only periodically, so a revoked grant can linger in the index. And when a principal belongs to hundreds of groups, encoding all of it into accurate filters gets brittle. That's why the patterns layer: a separate policy decision outside the index covers what metadata filtering misses.

Redis Vector Database

Build agents that remember, not agents that guess

Redis Iris gives every agent fresh context and long-term memory.

Document-level & field-level access control for agents

Scoped retrieval works at two levels: the entity, such as a document or row, and the field, such as a column like Social Security number (SSN) or salary. Role-based access control (RBAC) alone tends to run out of room here, because it's tied to static roles rather than the task an agent is doing right now. Two models go finer: attribute-based access control (ABAC) evaluates attributes of the subject, object, operation, and environment against policy, and relationship-based access control (ReBAC) keys permissions to the relationship between user, data, and request context rather than role alone.

In practice, those models are enforced at three levels of granularity:

  • Document-level. Enforces permissions from ingestion through query, with the retrieval engine filtering results by the end user's identity.
  • Row-level. Works the same way at the table level. The safer pattern is to pass the user's own auth token so every query carries the human user's context, instead of relying on an over-privileged service account.
  • Field-level. Hides sensitive columns even when surrounding data is accessible, and values like personally identifiable information (PII) can be masked or redacted before data reaches the model.

Done well, this layering gives an agent effective permissions based on the current task rather than a static role that accrues privileges over time.

Why a governed data model beats raw database access

Entity and field scoping need structure underneath them, and that's where a defined data model does heavy lifting. The tempting shortcut is text-to-SQL: handing the model raw schema and letting it write queries. The problem is there's no policy guardrail between the user's question and the SQL that runs.

Direct database access carries risks beyond inconsistency. Agentic systems with direct database access introduce unauthorized retrieval of sensitive information and potential exploitation of system vulnerabilities. Text-to-SQL specifically opens you up to SQL injection via prompt injection, credentials sitting in LLM context, schema exposure, and no identity passthrough for end-user tracking. A governed data model flips the failure mode by shifting trust from model output to infrastructure. The pattern is to define metrics, dimensions, and access policies once, then let the agent select from that governed set with row-level and role-based rules applied before any query runs. Raw database access gets replaced with bounded operations like get_customer_by_id(id) and list_recent_orders(limit=50), each with input validation, row caps, IAM enforcement, and audit logging baked in.

Auto-converting OpenAPI specs into Model Context Protocol (MCP) tools is a common reaction with its own failure modes. Large enterprise APIs can expose dozens of endpoints, and when too many similar tools are available the model may pick the wrong one or stall loading large schemas. Defining structured tools against a governed model sidesteps the sprawl.

Enforcing agent access control at the data layer

Controls belong upstream of the model and close to the data when the agent can't be trusted as the policy engine. MCP gives agents a standard way to reach tools and data, and the protocol provides transport-level authorization so clients can make scoped requests on behalf of resource owners. Broad scopes invite lateral data access and privilege chaining that's hard to revoke, so fine-grained, per-tool scopes are the safer pattern.

The data platform itself becomes part of that story. Redis stores data in memory, with sub-millisecond latency reported for core operations, alongside vector search and semantic caching. Because retrieval, memory, and policy checks all sit in the hot path of every agent loop, doing that enforcement server-side only works if the data layer is fast.

Redis Iris builds the governed pattern into the platform. Its Context Retriever lets you define business entities, fields, relationships, and access rules, then expose them to agents through governed schemas rather than direct queries or text-to-SQL, with row-level filters enforced server-side. RedisVL MCP does the same for existing Redis Search indexes, exposing them as governed retrieval surfaces with predictable tool contracts: schema-aware filters, controlled return fields, runtime limits, and an optional read-only mode. That's the structured-tool pattern enforced at the data layer rather than written into a prompt.

Agent Memory adds the governance primitives agents need for state, including configurable time-to-live settings so stale memories expire automatically. Together, Context Retriever and Agent Memory treat context engineering as a data-layer concern, governing retrieval and memory in one place across agents.

Redis Cloud

Fresh context, every call

Redis Iris keeps agent data current so answers stay accurate.

Scoped retrieval is both a security control & a quality control

Authenticating an agent is the easy part. The hard work is enforcing what it can reach per action, scoping retrieval at the document and field level, and replacing raw database access with a governed data model the agent selects from rather than writes against. Unscoped retrieval leaks data, and it also degrades agent accuracy by stuffing context with information the model shouldn't have, so the same control that protects you also makes agents work better.

The durable place to enforce this is the data layer, upstream of the model and close to where the data already lives. Redis Iris brings governed retrieval, agent memory, semantic caching, and data integration into one real-time context engine, so scoping stays fast and consolidated instead of spread across separate systems. If your app team already runs Redis for cache invalidation or sessions, your AI stack may be closer to this than you think. To see how governed, low-latency retrieval works with your data, try Redis Iris or talk to our team about your context layer.