{"ID":2869141,"CreatedAt":"2026-06-01T04:54:23.091178241Z","UpdatedAt":"2026-06-01T04:54:23.091178241Z","DeletedAt":null,"paper_url":"https://arxiv.org/abs/2509.14608","arxiv_id":"2509.14608","title":"Enterprise AI Must Enforce Participant-Aware Access Control","abstract":"Large language models (LLMs) are increasingly deployed in enterprise settings where they interact with multiple users and are trained or fine-tuned on sensitive internal data. While fine-tuning enhances performance by internalizing domain knowledge, it also introduces a critical security risk: leakage of confidential training data to unauthorized users. These risks are exacerbated when LLMs are combined with Retrieval-Augmented Generation (RAG) pipelines that dynamically fetch contextual documents at inference time. We demonstrate data exfiltration attacks on AI assistants where adversaries can exploit current fine-tuning and RAG architectures to leak sensitive information by leveraging the lack of access control enforcement. We show that existing defenses, including prompt sanitization, output filtering, system isolation, and training-level privacy mechanisms, are fundamentally probabilistic and fail to offer robust protection against such attacks. We take the position that only a deterministic and rigorous enforcement of fine-grained access control during both fine-tuning and RAG-based inference can reliably prevent the leakage of sensitive data to unauthorized recipients. We introduce a framework centered on the principle that any content used in training, retrieval, or generation by an LLM is explicitly authorized for all users involved in the interaction. Our approach offers a simple yet powerful paradigm shift for building secure multi-user LLM systems that are grounded in classical access control but adapted to the unique challenges of modern AI workflows. Our solution has been deployed in Microsoft Copilot Tuning, a product offering that enables organizations to fine-tune models using their own enterprise-specific data.","short_abstract":"Large language models (LLMs) are increasingly deployed in enterprise settings where they interact with multiple users and are trained or fine-tuned on sensitive internal data. While fine-tuning enhances performance by internalizing domain knowledge, it also introduces a critical security risk: leakage of confidential t...","url_abs":"https://arxiv.org/abs/2509.14608","url_pdf":"https://arxiv.org/pdf/2509.14608v1","authors":"[\"Shashank Shreedhar Bhatt\",\"Tanmay Rajore\",\"Khushboo Aggarwal\",\"Ganesh Ananthanarayanan\",\"Ranveer Chandra\",\"Nishanth Chandran\",\"Suyash Choudhury\",\"Divya Gupta\",\"Emre Kiciman\",\"Sumit Kumar Pandey\",\"Srinath Setty\",\"Rahul Sharma\",\"Teijia Zhao\"]","published":"2025-09-18T04:30:49Z","proceeding":"cs.CR","tasks":"[\"cs.CR\",\"cs.AI\"]","methods":"[\"RAG\",\"Large Language Model\",\"Language Model\",\"Generative Adversarial Network\"]","has_code":false}
