惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Google DeepMind News
Google DeepMind News
F
Fortinet All Blogs
阮一峰的网络日志
阮一峰的网络日志
Apple Machine Learning Research
Apple Machine Learning Research
爱范儿
爱范儿
WordPress大学
WordPress大学
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
J
Java Code Geeks
罗磊的独立博客
S
SegmentFault 最新的问题
V
V2EX
V
Visual Studio Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
美团技术团队
博客园 - 三生石上(FineUI控件)
Stack Overflow Blog
Stack Overflow Blog
Y
Y Combinator Blog
MyScale Blog
MyScale Blog
D
Docker
Google DeepMind News
Google DeepMind News
Blog — PlanetScale
Blog — PlanetScale
M
Microsoft Research Blog - Microsoft Research
Martin Fowler
Martin Fowler
S
Secure Thoughts
B
Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Recent Announcements
Recent Announcements
MongoDB | Blog
MongoDB | Blog
C
Cisco Blogs
C
CERT Recently Published Vulnerability Notes
T
True Tiger Recordings
GbyAI
GbyAI
P
Proofpoint News Feed
P
Privacy International News Feed
Jina AI
Jina AI
The Cloudflare Blog
I
Intezer
AWS News Blog
AWS News Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
S
Security Archives - TechRepublic
NISL@THU
NISL@THU
The Register - Security
The Register - Security
Recent Commits to openclaw:main
Recent Commits to openclaw:main
P
Palo Alto Networks Blog
S
Schneier on Security
L
LINUX DO - 热门话题
C
CXSECURITY Database RSS Feed - CXSecurity.com
Security Latest
Security Latest
C
Cybersecurity and Infrastructure Security Agency CISA

DEV Community

n8n for Airtable Power Users: 5 Automations That Take Your Base to the Next Level Validating Gemma 4 for Industrial IoT: A Governance Pattern VS Code Now Credits Copilot on Every Commit by Default Astro and Islands Architecture: Why Your Portfolio Doesn't Need React for Everything Booting from FAT12: How I added file reading to my x86 kernel Unity’s AI agent went public: the developers of a static analysis tool on what that means for code quality Anna's Archive publica un llms.txt para los LLMs que rastrean su catálogo CRDTs for Offline-First Mobile Sync Why I Built Mneme HQ: Preventing AI Agent Architectural Drift Google Antigravity 2.0 Is the I/O 2026 Announcement You Should Actually Care About I Built a Pay-Per-Call Crypto Signal API with x402 — Heres the Architecture JWT Token Refresh Patterns in React 19: Avoiding the Silent Auth Death Spiral 🚀 “From Prompts to Autonomous Agents: What Google I/O 2026 Changed” The Power of Distributed Consensus in Autonomous SOCs Sixteen TUI components, copy-paste, no dependency The Boring Reliability Layer Every Autonomous Agent Needs Nven - Secret manager Building Multi-Tenant Row-Level Security in PostgreSQL: A Production Pattern The Hardest Part of Being a Developer Isn't Coding Building Vylo — Looking for Collaborators, Partners & Early Support I Thought Memory Fades With Time. It Actually Fades With Information. ORA-00064 오류 원인과 해결 방법 완벽 가이드 I registered an AI agent at 1 AM and something cracked open in my head Pitch: Nven - Sync secrets. Ship faster. Why y=mx+b is the heart of AI From Routines to a Crew — Building a System That Plans Its Own Work & executes it 25 React Interview Questions 2026 (With Answers) — Hooks, React 19, Concurrent Mode An open source LLM eval tool with two independent quality signals Using Dashboard Filtering to Get Customer Usage in Seconds from TBs of Data Skills, Java 17, And Theme Accents 4 Hard Lessons on Optimizing AI Coding Agents Arctype: Cross-Platform Database GUI for LLM Artifacts Your robots.txt says GPTBot is welcome. Your server says 403. Organizing How to Use AWS Glue Workflow 5 n8n Automations Every Digital Agency Should Be Running (Bill More, Work Less) Getting Started with TorchGeo — Remote Sensing with PyTorch Designing a Scalable Cross-Platform Appium Framework Google Antigravity 2.0 & Slash Commands Building a Unified Adaptive Learning Intelligence with Gemma 4, Flutter, and Multi-Model Orchestration Looking for beta testers for a £60 server management application The Disk-Pressure Incident That Taught Me to Always Set LimitRanges and Other Lessons from Mirroring EKS Locally. Why AI Should Not Write SQL Against ERP Databases Vibe coding works until it doesn't. The debt is real. Shipping at the Edge: Migrating a Coffee Subscription Platform to Cloudflare Workers Stop Tab-Switching: A Developer's Guide to Color Tools That Actually Fit the Workflow DevOps vs MLOps vs AIOps: What Changes, What Stays, and a Simple Roadmap to Get Started Run Powerful AI Coding Locally on a Normal Laptop 5 n8n Automations Every WooCommerce Store Needs (Save 10+ Hours/Week) What I Learned Building My Own AI Harness Hytale Servers Will Fail Treasure Hunts Until We Fix Our Event Handling Redux in React: Managing Global State Like a Pro Unfreezing Your GitHub Actions: Troubleshooting Stuck Deployments and Protecting Your Git Repo Statistics Unlocking Project Discoverability on GHES: A Key to Software Engineering Productivity When the Cleanup Code Becomes the Project Rockpack 8.0 - A React Scaffolder Built for the Age of AI-Assisted Development Mismanaging the Treasure Hunt Engine in Hytale Servers Will Get You Killed Stop Calling It an AI Assistant. It’s Already Managing Your Company Why Hardcoded Automations Fail AI Agents Why I built a post-quantum signing API (and why JWT is on borrowed time) Weekend Thought: Frontend Build Tools Suffer From Work Amnesia A 10-Line Playwright Trick That Saved Me Hours on Every Sephora Run AI Is Changing Engineering Culture More Than We Realize Everyone Was Focused on Gemini, But Infinite Scaler Was the Real Twister "Gemma 4 Analyzed My Bank Statements – Apparently I 'Have a Problem' with Coffee and Late-Night Apps" #css #webdev #beginners #codenewbie The Hidden Layer Every AI Developer Must Learn AlphaEvolve: Google DeepMind's Gemini-Powered Evolutionary Coding Agent RDS Reserved Instance Pricing: Every Engine, Every Rule, Real Dollar Savings How To Build An AI-Powered MVP Without Burning Your Startup Budget In 2026 Reading a Psychrometric Chart Without Getting Lost LMR-BENCH: Can LLM Agents Reproduce NLP Research Code? (EMNLP 2025) How to turn text into colors (without AI) Building Real-Time Apps in Node.js with Rivalis: WebSockets, Rooms, Actors, and a Binary Wire This Week In React #282 : Security, Fate, TanStack, Redux, Jotai | Hermes-node, Expo, Rozenite, Harness | TC39, Bun, pnpm, npm, Yarn, Node AI Copilot vs AI Agent Architecture - What's Actually Different (And Why It Matters) Smart Contract Security: NEAR's Futures Surge and AI Token Risks Database Maintenance: Tracing Production Incidents to Their Root Cause Stop juggling AI SDKs in PHP — meet Prisma Google Quietly Changed What “Apps” Mean at I/O 2026 The Infrastructure Team Is the Real Single Point of Failure Building SQLite from Scratch: 740 Lines of C++23 to Understand Every Byte of a .db File The 4 Levels of Hermes Agent Scaling Framework: From One Hermes Agent to a Fully Automated Team Your AI Has a Memory. It Just Doesn’t Know What to Remember. Claprec: Engineering Tradeoffs - Limited time vs. Perfection (6/6) Building a Daily Google News API Monitor in Python Building RookDuel Avikal: From Chess Steganography to Post-Quantum Archival Security Google I/O e IA: o que realmente muda na vida do dev? Color Contrast Failures: The Number One Accessibility Issue and How to Fix It # I Watched 15 Hours of Hermes Agent Videos So You Don't Have To Cómo solucionar el bucle infinito en useEffect con objetos y arrays en React The First Agent-Centric Cloud Security Platform — And Why We Didn't Build It That Way On Purpose Most Treasure Hunts Engines on Hytale Servers Are Built to Fail - Lessons from a Burned Database GhostScan v3.0 — From Closed-Source EXE to Open-Source Pentest Framework De hojas de cálculo a IA: construyendo una plataforma SRM moderna When is AI fine in education? Python Tools for Managing API Rate Limits in Data Pipelines How to Implement Exponential Backoff for Rate-Limited APIs in Python "My Web Chat Wasn't a Real Channel. That Broke My Agent Pipeline" next-advanced-sitemap v1.0.7 — safer URL ingestion & automatic trimming for Next.js sitemap generation I keep seeing people build an AI lead processing agent when they really need a 6-step rules engine
The Model Answered. Nobody Asked Who Authorized That.
NTCTech · 2026-05-16 · via DEV Community

NTCTech

Field Notes — Engineering Notes from the Complexity Gap | Rack2Cloud
The ticket came in on a Tuesday. The AI assistant connected to Jira, Confluence, and Slack — the standard enterprise productivity stack. A product manager asked it for "incident history on the payment service." The model returned a thorough summary: timeline, root cause, contributing factors, and a section pulled from a postmortem written by a different business unit that had never been shared with the product team.

Every API call succeeded. Every permission check passed. The model had access to Confluence. The postmortem was in Confluence. The user had a valid session. Nobody had defined what "incident history for this user in this workflow context" was actually supposed to mean.

Nobody noticed until the summary was pasted into an executive slide deck and someone in the room recognized content they hadn't intended to share.

This is the llm authorization problem — and it isn't solved by tightening API permissions.

llm authorization boundary collapse — api authorization vs workflow authorization gap in enterprise ai

The Failure Was Correct Behavior

The model didn't malfunction. It did exactly what it was designed to do: aggregate relevant information across connected systems and synthesize a useful response. The Jira integration returned relevant tickets. The Confluence integration returned relevant documents. The Slack integration returned relevant thread context. The model assembled them into a coherent answer.

The failure was that nobody had defined the authorization boundary for the workflow — only for the individual API calls within it.

This distinction matters architecturally. In traditional enterprise systems, when a user requests data, the request is scoped at the API level: this user can read these records, these documents, these messages. The system enforces that scope at every call. The scope boundary is explicit, enforced, and auditable.

In an AI workflow connected to multiple enterprise systems, the scope question shifts. The user has permissions. The model has connections. But the model doesn't ask "what was this user intended to retrieve?" — it asks "what is relevant to answering this question?" Those two questions return different result sets, and the gap between them is where authorization boundary collapse lives.

APIs Validate Identity. LLMs Aggregate Context.

Traditional enterprise authorization operates on a three-layer model that most architects understand implicitly:

Authentication — who are you? Validate identity, confirm session, check credentials.

Authorization — what are you allowed to do? RBAC, ACLs, policy enforcement. This is where most enterprise security investment lives.

Contextual authorization — what were you intended to do in this specific workflow? This layer doesn't exist in most enterprise auth architectures because traditional systems didn't need it. A database query returns exactly what you asked for. A REST endpoint returns a defined resource. The scope of the response is determined by the request.

LLMs break the third layer open. A model connected to ten enterprise systems doesn't retrieve one resource — it aggregates context across all systems it has access to, ranked by relevance to the prompt. The user's intent ("tell me about incident history") becomes the model's retrieval scope, and that scope is bounded only by what the model can access, not by what the user was supposed to see.

The result: an AI workflow can satisfy every individual authorization check at the API layer while returning a response that violates the organizational intent behind those policies. Every call was authorized. The aggregation was not.

llm authorization three layers — authentication authorization contextual authorization gap

Authorization Boundary Collapse

This failure pattern has a name: Authorization Boundary Collapse — the moment an AI workflow inherits access scopes broader than the user intent it is acting on.

It's distinct from a permissions failure. The permissions were correct. The boundary between "what this user is allowed to access" and "what this user was intended to access in this context" simply wasn't defined — because enterprise authentication infrastructure was built for intentional, scoped requests, not for AI systems that aggregate laterally across everything they can reach.

Authorization Boundary Collapse shows up in predictable patterns in enterprise AI deployments:

An enterprise copilot connected to HR, finance, and engineering systems returns salary information when asked about headcount planning — because the model's connections include the HR system and "headcount planning" is semantically adjacent to compensation data.

A support AI with Slack and ticketing access surfaces internal escalation discussion when summarizing a customer issue — because the internal thread about that customer is in scope for the model's Slack integration.

A developer assistant with repository and documentation access returns security architecture details when asked about a service's error handling — because the threat model document lives in the same Confluence space as the engineering runbooks.

None of these are bugs. None of them would have been caught by an access review. Every individual permission was valid. The workflow authorization was never defined.

The Hidden Assumption in Enterprise Auth

The architecture assumed every request was intentional. This assumption is embedded in how enterprise auth is designed and enforced, and it held up well for decades because traditional systems don't generate lateral context — they respond to explicit requests.

A user queries a database: the query defines the scope. A user calls an API: the endpoint defines the resource. The request and the response have a direct, bounded relationship that authorization policy can govern.

An AI assistant processing "give me context on this customer issue" doesn't have a bounded request. It has a semantic goal that it will satisfy by traversing every connected system it has access to. The model doesn't know that the Slack integration wasn't supposed to surface the internal escalation thread. It knows that the thread is relevant. Relevance and authorization are different properties — and most enterprise auth infrastructure only enforces one of them.

Architect's Verdict

If the model can aggregate across systems, authorization must exist at the workflow layer — not only at the API layer.

This means defining, for each AI workflow: what data sources are in scope, what retrieval intent is authorized, and what response content is acceptable for this user in this context. That definition needs to exist as an explicit policy, enforced before the model aggregates — not inferred from the permissions of the connected systems.

For agentic deployments — AI systems that don't just retrieve but take action — the surface area expands from retrieval to execution. Authorization Boundary Collapse in a retrieval workflow is embarrassing. In an agentic workflow with write access, it's an incident.

The model answered. The architecture assumed that was the same as the model being authorized.

Additional Resources

Originally published at rack2cloud.com

此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。