Traditional access controls — RBAC, ABAC, ACLs — are essential but insufficient for AI systems. AI architectures introduce new dimensions of access that must be controlled: who can query a model, who can modify its training data, what tools an AI agent can use, and how API endpoints are secured. This lesson covers CY0-001 Objective 2.3 and teaches you to implement access controls across four critical dimensions.
Model access governs who can interact with the AI model and at what level of privilege. There are several tiers of model access that require different controls.
Query access is the most basic — the ability to send prompts and receive responses. Even query-only access must be controlled because unlimited querying enables model extraction attacks. Every query leaks information about the model's behavior and capabilities.
Fine-tuning access allows users to modify the model's behavior by training it on additional data. This is a high-privilege operation because it permanently alters the model. Fine-tuning access should be restricted to authorized ML engineers with approval workflows.
Configuration access governs who can modify guardrails, system prompts, prompt templates, and safety settings. Changing a model's system prompt is equivalent to changing its security policy — it should require the same level of authorization.
Evaluation access allows users to view model performance metrics, accuracy scores, and test results. While less dangerous than fine-tuning, evaluation data can reveal model weaknesses that an attacker could exploit.
The exam expects you to recognize that these access tiers require separate permissions. A developer who needs query access for testing should not automatically receive fine-tuning or configuration access.
AI systems interact with data at multiple stages, and each stage requires its own access controls.
Training data access governs who can view, modify, or add to the datasets used to train the model. This is one of the most sensitive access levels because compromised training data leads to compromised models. Access to training data should be tightly restricted, audited, and version-controlled.
Inference data access controls who can view the inputs sent to the model during production use. In many deployments, user prompts contain sensitive information — business strategies, personal details, confidential questions. Logging and accessing these prompts requires appropriate authorization.
Output data access determines who can view model responses. In some systems, model outputs are classified — for example, a model that processes intelligence reports might generate classified summaries. Output access controls must match the classification level of the data the model processes.
Feedback data access governs who can submit corrections, ratings, or annotations to the model's feedback loop. Unrestricted feedback access enables an attacker to gradually shift model behavior through coordinated false feedback submissions.
AI agents are autonomous systems that can take actions — calling APIs, modifying files, sending messages, executing code. Agent access controls are fundamentally different from model access controls because agents act on behalf of users in the real world.
Tool access defines which tools an agent can use. An agent might have access to a web search tool, a code execution environment, and a file system. Each tool should be individually authorized. An agent that only needs to search the web should not have file system access.
API access controls which external services an agent can call. An agent integrating with internal systems might need access to the ticketing system but not the HR database. Each API endpoint should be individually authorized, not granted blanket access.
File system access restricts which directories and files an agent can read, write, or execute. Agents should operate in sandboxed environments with access only to their designated working directories.
Scope limitations define the boundaries of an agent's autonomous action. Can the agent send emails? Can it approve transactions? Can it deploy code? Each capability should be explicitly authorized and bounded. For example, an agent might be authorized to create incident tickets but not to escalate them without human approval.
The key exam concept: excessive agency occurs when an agent has more capabilities than it needs. This is listed as OWASP LLM08 and represents one of the most dangerous AI risks because a compromised agent with excessive permissions can cause widespread damage.
The network layer provides fundamental security controls for AI systems.
Network segmentation isolates AI infrastructure from general corporate networks. Model training environments, inference servers, and data storage should reside in dedicated network segments with controlled ingress and egress.
API authentication verifies the identity of every API caller. For AI systems, this includes not just human users but also other services, agents, and automated pipelines. Mutual TLS provides strong authentication for service-to-service communication.
API authorization enforces per-endpoint permissions. Different API endpoints serve different functions — model query, model management, data upload, metrics retrieval — and each should have its own authorization requirements.
Rate limiting at the network layer provides a second line of defense behind application-level rate limiting. Network-level rate limiting catches abuse that application-level controls miss, including distributed attacks from multiple source IPs.
Egress controls are particularly important for AI systems. An AI agent that can make outbound network connections can exfiltrate data. Egress controls restrict which external hosts the AI system can contact, preventing data exfiltration through model outputs or agent actions.
Traditional Role-Based Access Control (RBAC) assigns permissions based on job roles. While RBAC is a foundation, AI systems require additional access control dimensions.
Dynamic context. An AI agent's required permissions may change based on what it is processing. A support agent handling a routine question needs fewer permissions than one handling a security incident. RBAC assigns static permissions; AI systems need context-aware access.
Temporal boundaries. Some AI operations should only be permitted during specific time windows. Model retraining might only be allowed during maintenance windows. Fine-tuning might require approval workflows with time-limited authorization.
Behavioral boundaries. AI systems should have controls based on what they are doing, not just who is using them. An agent that suddenly starts accessing unusual data patterns should trigger an alert, regardless of whether the requesting user has the right role.
Attribute-Based Access Control (ABAC) provides more granularity by considering user attributes, resource attributes, environmental conditions, and the action being requested. ABAC is better suited to AI systems because it can incorporate contextual factors like data classification, model sensitivity, and request patterns.