InclementSec Research
Data Authorization Controls for
Securing Agentic AI Systems
A framework that extends authorization enforcement beyond the action boundary to the data layer — because in agentic AI, controlling what a system can do is no longer sufficient to control the risk it poses.
Authorization models — RBAC, ABAC, Zero Trust — share a common assumption: constraining actions constrains risk. For decades, this worked. Behavior was deterministic, bounded, and auditable.
Agentic AI systems break this assumption. An agent that can dynamically compose tool chains, transform data across contexts, and pursue goals through non-deterministic paths makes action-based authorization structurally insufficient.
The evidence is accumulating: EchoLeak, Log-To-Leak, Claudy Day — in every case, each action was authorized. The data exposure was not.
DACSA operates on four pillars that together provide data-layer enforcement for agentic systems.
A graduated lattice structure that classifies data by sensitivity level, enabling policy decisions based on what the data is, not just who requested it.
Directed acyclic provenance graphs that track how data flows through the system, maintaining a complete audit trail of transformations.
Detection of inference-based disclosure and aggregation attacks — catching the subtle accumulation of individually harmless data points into sensitive composites.
Constraints on what the system can emit regardless of the path it took to get there — the last line of defense at the output boundary.
Apr 1, 2026
The full model — four pillars, architecture, real-world case studies, and an honest look at limitations. This is what data-layer enforcement for agentic AI actually looks like.
Mar 26, 2026
The security community is overwhelmingly focused on applying current solutions to a novel problem. After RSAC, I'm convinced that adaptation alone isn't going to work this time.
DACSA: Data Authorization Controls for Securing Agentic AI Systems
View Publications