Salvato in:
Dettagli Bibliografici
Autori principali: Bhatt, Shashank Shreedhar, Rajore, Tanmay, Aggarwal, Khushboo, Ananthanarayanan, Ganesh, Chandra, Ranveer, Chandran, Nishanth, Choudhury, Suyash, Gupta, Divya, Kiciman, Emre, Pandey, Sumit Kumar, Setty, Srinath, Sharma, Rahul, Zhao, Teijia
Natura: Preprint
Pubblicazione: 2025
Soggetti:
Accesso online:https://arxiv.org/abs/2509.14608
Tags: Aggiungi Tag
Nessun Tag, puoi essere il primo ad aggiungerne!!
_version_ 1866909794881765376
author Bhatt, Shashank Shreedhar
Rajore, Tanmay
Aggarwal, Khushboo
Ananthanarayanan, Ganesh
Chandra, Ranveer
Chandran, Nishanth
Choudhury, Suyash
Gupta, Divya
Kiciman, Emre
Pandey, Sumit Kumar
Setty, Srinath
Sharma, Rahul
Zhao, Teijia
author_facet Bhatt, Shashank Shreedhar
Rajore, Tanmay
Aggarwal, Khushboo
Ananthanarayanan, Ganesh
Chandra, Ranveer
Chandran, Nishanth
Choudhury, Suyash
Gupta, Divya
Kiciman, Emre
Pandey, Sumit Kumar
Setty, Srinath
Sharma, Rahul
Zhao, Teijia
contents Large language models (LLMs) are increasingly deployed in enterprise settings where they interact with multiple users and are trained or fine-tuned on sensitive internal data. While fine-tuning enhances performance by internalizing domain knowledge, it also introduces a critical security risk: leakage of confidential training data to unauthorized users. These risks are exacerbated when LLMs are combined with Retrieval-Augmented Generation (RAG) pipelines that dynamically fetch contextual documents at inference time. We demonstrate data exfiltration attacks on AI assistants where adversaries can exploit current fine-tuning and RAG architectures to leak sensitive information by leveraging the lack of access control enforcement. We show that existing defenses, including prompt sanitization, output filtering, system isolation, and training-level privacy mechanisms, are fundamentally probabilistic and fail to offer robust protection against such attacks. We take the position that only a deterministic and rigorous enforcement of fine-grained access control during both fine-tuning and RAG-based inference can reliably prevent the leakage of sensitive data to unauthorized recipients. We introduce a framework centered on the principle that any content used in training, retrieval, or generation by an LLM is explicitly authorized for \emph{all users involved in the interaction}. Our approach offers a simple yet powerful paradigm shift for building secure multi-user LLM systems that are grounded in classical access control but adapted to the unique challenges of modern AI workflows. Our solution has been deployed in Microsoft Copilot Tuning, a product offering that enables organizations to fine-tune models using their own enterprise-specific data.
format Preprint
id arxiv_https___arxiv_org_abs_2509_14608
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Enterprise AI Must Enforce Participant-Aware Access Control
Bhatt, Shashank Shreedhar
Rajore, Tanmay
Aggarwal, Khushboo
Ananthanarayanan, Ganesh
Chandra, Ranveer
Chandran, Nishanth
Choudhury, Suyash
Gupta, Divya
Kiciman, Emre
Pandey, Sumit Kumar
Setty, Srinath
Sharma, Rahul
Zhao, Teijia
Cryptography and Security
Artificial Intelligence
Large language models (LLMs) are increasingly deployed in enterprise settings where they interact with multiple users and are trained or fine-tuned on sensitive internal data. While fine-tuning enhances performance by internalizing domain knowledge, it also introduces a critical security risk: leakage of confidential training data to unauthorized users. These risks are exacerbated when LLMs are combined with Retrieval-Augmented Generation (RAG) pipelines that dynamically fetch contextual documents at inference time. We demonstrate data exfiltration attacks on AI assistants where adversaries can exploit current fine-tuning and RAG architectures to leak sensitive information by leveraging the lack of access control enforcement. We show that existing defenses, including prompt sanitization, output filtering, system isolation, and training-level privacy mechanisms, are fundamentally probabilistic and fail to offer robust protection against such attacks. We take the position that only a deterministic and rigorous enforcement of fine-grained access control during both fine-tuning and RAG-based inference can reliably prevent the leakage of sensitive data to unauthorized recipients. We introduce a framework centered on the principle that any content used in training, retrieval, or generation by an LLM is explicitly authorized for \emph{all users involved in the interaction}. Our approach offers a simple yet powerful paradigm shift for building secure multi-user LLM systems that are grounded in classical access control but adapted to the unique challenges of modern AI workflows. Our solution has been deployed in Microsoft Copilot Tuning, a product offering that enables organizations to fine-tune models using their own enterprise-specific data.
title Enterprise AI Must Enforce Participant-Aware Access Control
topic Cryptography and Security
Artificial Intelligence
url https://arxiv.org/abs/2509.14608