AI Access Controls
Control Core applies Policy-Based Access Control (PBAC) to AI systems: governing who can use which AI capabilities, what data can be sent to models, how AI agent tooling is constrained, and how usage is audited and cost-governed. This page covers generative AI, RAG, agent tooling, agentic workflows, and AI cost governance.
How it works
Every AI request — from a user, a service, or an autonomous agent — passes through a Bouncer (Policy Enforcement Point). The Bouncer evaluates the active controls using real-time context from connected data sources (PIPs), then allows or denies the request before it reaches the model, tool, or retrieval system.
Click to enlarge
The Control Plane supplies controls and receives audit logs. Governance teams author controls once and enforce them across every AI-enabled service behind a Bouncer — no changes to the AI application are required.
Generative AI guardrails
Challenge: Organizations adopting generative AI need to control which users and services can call which models, prevent sensitive data from entering prompts, and maintain a clear audit trail.
What Control Core provides:
- Controls define which identities (users, roles, AI agents, or service accounts) can access which model endpoints
- Data masking controls prevent sensitive fields from reaching the model — applied at the Bouncer before the request is forwarded
- Prompt-level controls restrict what content can be included in a request
- Decision logs capture who called which model, with what context, and what the outcome was
Compliance relevance: Aligns with SOC 2, ISO 27001, GDPR/UK GDPR, and HIPAA where AI processes personal or sensitive data. See Regulatory Compliance.
RAG (Retrieval-Augmented Generation)
Challenge: Organizations deploying RAG over internal knowledge bases need real-time permission on what can be retrieved and included in a prompt, without over-exposing confidential documents.
What Control Core provides:
- Controls restrict which documents or data sources a user or session can retrieve based on role, classification, purpose of use, and other real-time context from PIPs
- The Bouncer enforces these rules at the retrieval edge — only permitted content reaches the model
- Data classification controls (e.g.
internalvscustomer-facing) prevent cross-boundary leakage - Tenant isolation controls keep data scoped per user or organization in shared RAG deployments
MCP (Model Context Protocol) and agent tooling
Challenge: AI agents that call external tools and data sources must be constrained so they cannot access out-of-scope resources or cause unintended data leakage.
What Control Core provides:
- Controls define which tools and data sources an agent identity can invoke
- The Bouncer intercepts MCP and A2A traffic before it reaches tool endpoints
- Tenant and user isolation controls prevent cross-user context bleed in multi-user agent deployments
- Audit logs capture every tool call decision for governance and incident review
Enterprise AI applications (chatbots, copilots, analytics)
Challenge: Internal AI applications need consistent access governance, data protection, and an audit trail that satisfies security and compliance teams.
What Control Core provides:
- A single control layer governs who can use which AI applications and what data they can send or receive
- PIPs supply real-time context (employment status, training completion, risk flags, clearance level) so controls adapt dynamically to the current state of the user or the organization
- Audit trails and SIEM integration capture all decisions for compliance review and incident investigation
AI cost governance and optimization
Challenge: AI model usage at scale is expensive and hard to attribute. Organizations need visibility into who is consuming which models, the ability to enforce fair-use and budget policies, and tools to route traffic cost-effectively.
What Control Core provides:
- Usage visibility: Every model request is logged with subject identity, model endpoint, and context — giving teams full visibility into AI consumption by user, team, or service
- Policy-driven routing: Controls can direct requests to less expensive model variants based on the request context, time of day, or user tier — for example, routing exploratory queries to a smaller model while reserving premium models for high-value workflows
- Token budget enforcement: Rate and budget controls limit token consumption per user, service, or organizational unit — preventing runaway costs from unconstrained AI usage
- Tier-based access: Different user groups get access to different model tiers based on their role or approved use case, managed through a single control without modifying application code
- Cost allocation: Audit logs include the metadata needed to attribute AI spending to teams, projects, or cost centres — enabling accurate FinOps reporting
Managing the Agentic AI Workforce
Challenge: Agentic AI — autonomous agents that plan, execute multi-step tasks, and call external services — introduces a new class of digital worker that needs to be governed like any other identity in your organization.
What Control Core provides:
Control Core treats AI agents as first-class identities with their own subject attributes, roles, and trust levels. The same PBAC model that governs human users governs AI agents — consistently, in real time, without separate access control systems.
Key capabilities for agentic governance:
- Agent identity propagation: Require verifiable agent identity on every request — including tool calls made by agents on behalf of human users. Controls can enforce that the end-user identity is always present, preventing privilege escalation through AI intermediaries.
- Tool and server allowlisting: Define which MCP servers, APIs, and external data sources a specific agent or agent class is permitted to call. New tools require explicit policy approval before an agent can access them.
- Scope containment: Controls bind agents to specific resource scopes — an agent deployed for finance workflows cannot access HR data, even if the underlying model would technically permit it.
- Risk-aware escalation: Controls can evaluate agent risk signals (unusual tool call patterns, anomalous data volume) and trigger approval gates or human-in-the-loop workflows before allowing sensitive operations to proceed.
- Auditability: Every agent action — every tool call, retrieval, or API request — produces a decision record that attributes the action to both the agent identity and the human principal on whose behalf it acted.
- Drift prevention: As agent capabilities evolve and new tools become available, controls remain the stable governance layer. Teams can update what agents are permitted to do without touching the agent application itself.
Business outcome: Organizations adopting agentic AI can scale their AI workforce confidently — knowing that every agent operates within defined, auditable boundaries, and that governance keeps pace with the speed of AI capability expansion.
Real-world AI governance frameworks
AI governance is becoming a regulated discipline. Every major framework below introduces obligations around human oversight, access control, data protection in AI workflows, and audit trails — all of which are authorization and enforcement problems. Control Core provides the enforcement layer that turns these policy obligations into runtime decisions.
Note: The sections below describe how Control Core's capabilities align with framework requirements. They do not constitute certification or legal compliance claims. Consult your legal and compliance advisors.
EU AI Act
The EU AI Act (in force from 2024, phased obligations through 2026–2027) is the world's first comprehensive AI regulation. It classifies AI systems by risk level and imposes strict obligations on high-risk AI — systems used in critical infrastructure, employment, education, law enforcement, financial services, healthcare, and fundamental rights decisions.
Key obligations and how Control Core addresses them:
| EU AI Act Obligation | Control Core capability |
|---|---|
| Human oversight (Art. 14): High-risk AI must allow humans to intervene, override, or halt the system | Approval gate actions require human authorization before the AI proceeds; break-glass overrides are logged |
| Access controls (Art. 15 + Annex IV): Only authorized persons can access high-risk AI systems | Controls restrict model endpoint access by identity, role, and clearance — enforced at the Bouncer before any model is called |
| Logging and auditability (Art. 12): High-risk AI must maintain detailed logs of every operation | Every AI request decision — allow, deny, gate — is logged with subject identity, model endpoint, context, and outcome |
| Purpose limitation: AI must be used only for the disclosed purpose | Purpose-of-use attribute checks on every model request; deny use outside declared scope |
| Fundamental rights impact: Actions affecting individuals require audit-ready evidence | Per-decision audit records capture which model was used, what data was provided, and under what authorization |
| Prohibited AI (Art. 5): Certain AI applications are prohibited (e.g., real-time biometric surveillance in public spaces) | Controls can enforce a hard deny for prohibited AI use case identifiers — preventing any call to those workflows |
Example — financial institution operating credit-decisioning AI: A bank uses an AI model that automatically assesses creditworthiness. Under the EU AI Act, this is a high-risk AI application (Annex III, point 5b). A Control Core control governs every call to the credit model: it checks that the requesting system is an authorized credit decisioning workflow, that a human reviewer flag is present for decisions above a threshold, and that the request falls within the declared use case scope. Every decision is logged for the technical documentation required under Article 11. When regulators request evidence of human oversight, the audit log shows every instance where an approval gate was triggered and who reviewed it.
Example — HR platform using AI for recruitment screening: An HR technology company operates an AI-assisted CV screening service (high-risk under Annex III, point 4). Controls restrict which HR systems can call the screening model, enforce that job category attributes are present in every request (preventing scope drift), and log every decision for the technical documentation obligation. When a candidate exercises their right to meaningful information about an automated decision under GDPR Article 22, the audit log provides the per-decision record needed to construct a human-readable explanation.
NIST AI Risk Management Framework (AI RMF 1.0)
The NIST AI RMF (published January 2023) provides a voluntary framework for managing AI risks across four core functions: Govern, Map, Measure, and Manage. It is widely referenced in US federal procurement, financial services guidance, and enterprise AI governance programs. The Govern function — establishing policies, accountability structures, and oversight mechanisms for AI — maps most directly to what Control Core provides.
Key AI RMF functions and how Control Core addresses them:
| AI RMF Function | Control Core capability |
|---|---|
| GOVERN 1.1: Policies for AI risk management are established | Controls encode AI access and usage policies — who can call which model, for what purpose, with what data |
| GOVERN 1.2: Accountability for AI risks is defined | Every AI request is logged with the subject identity and the control version that evaluated it — accountability is traceable |
| GOVERN 2.2: Organizational teams with AI responsibilities have established policies | Controls can be scoped to specific AI applications and governed by specific teams in the Control Plane — separate from general IT policy |
| MAP 5.1: AI system scope is clearly defined | Controls enforce declared scope — agents and applications that drift outside their defined scope are denied at the Bouncer |
| MEASURE 2.6: AI risk measurement includes impacts on individuals | Audit logs provide per-individual, per-decision records for impact assessment |
| MANAGE 2.2: AI risk response includes escalation procedures | Approval gate and break-glass actions implement escalation workflows for high-risk AI decisions |
| MANAGE 4.1: Residual risks from AI are monitored post-deployment | Real-time audit logs and SIEM integration enable ongoing monitoring of AI access patterns and anomaly detection |
Example — enterprise AI governance program: A large enterprise adopts the NIST AI RMF as their internal AI governance standard. Every AI service in their estate is deployed behind a Bouncer. The Control Plane serves as the Govern layer — policy owners author controls, define scope, and assign accountability. The Bouncer provides the Measure and Manage layer — logging every AI interaction, detecting access outside scope, and escalating high-risk decisions. When the AI governance team produces their quarterly AI risk review, they export the audit log per AI service and present decision counts, deny rates, and escalations as evidence of active management.
OWASP Top 10 for LLM Applications
The OWASP Top 10 for Large Language Model Applications (v1.1, 2023 / updated 2024) identifies the most critical security risks in LLM deployments. Three risks are directly addressable through access controls enforced at the Bouncer.
LLM01 — Prompt Injection
Attackers craft inputs that override system instructions, exfiltrate data, or cause the model to perform unauthorized actions. Controls can detect and block requests containing known injection patterns or that attempt to override declared system context.
Example: A customer-facing AI assistant accepts freeform user input. A control at the Bouncer scans the request for prompt injection markers (override instructions, jailbreak phrases, encoded payloads) before forwarding to the model. Requests matching injection patterns are denied with a logged event — preventing the model from ever processing the malicious input.
LLM06 — Sensitive Information Disclosure
LLMs may reveal sensitive data present in training or retrieval context. Controls can enforce that requests to RAG pipelines only retrieve documents within the user's clearance level, preventing sensitive data from entering the prompt.
Example: A legal research platform uses a RAG pipeline over a corpus containing confidential client documents alongside public materials. A control checks user.clearance against document.classification on every retrieval request. Documents classified above the user's clearance are filtered out before they are included in the model's context — preventing inadvertent disclosure through the model's response.
LLM08 — Excessive Agency
AI agents granted too many permissions can cause unintended data modification, exfiltration, or system changes when manipulated or when reasoning goes wrong. Controls enforce explicit allowlists of which tools and data sources each agent can invoke.
Example: An AI agent assisting with contract management is authorized to read contract records and draft amendment text. It is not authorized to write to the contract database or send emails. Controls at the Bouncer allow GET requests to the contracts API but deny POST, PUT, or DELETE requests regardless of what the model instructs. When the model reasons toward an unexpected write (triggered by a manipulated contract), the Bouncer denies the action and logs the event before it can cause data modification.
OWASP LLM Top 10 alignment summary:
| OWASP LLM Risk | Control Core mitigation |
|---|---|
| LLM01 Prompt Injection | Input inspection controls at the Bouncer; deny on injection pattern detection |
| LLM02 Insecure Output Handling | Output masking controls; prevent PII or classified data from returning to unauthorized callers |
| LLM06 Sensitive Information Disclosure | RAG retrieval controls; clearance-based document filtering before prompt construction |
| LLM08 Excessive Agency | Explicit tool and API allowlisting per agent identity; deny out-of-scope tool calls |
| LLM09 Overreliance | Approval gate actions for high-stakes AI decisions; human-in-the-loop enforcement |
| LLM10 Model Theft | Model endpoint access controls; only authorized applications can call the model API |
ISO/IEC 42001 — AI Management System
ISO/IEC 42001 (published December 2023) is the first international standard for AI management systems. It establishes requirements for organizations developing or using AI responsibly, covering risk management, impact assessment, operational controls, and continual improvement. It follows the same high-level structure as ISO 27001.
Key clauses and how Control Core addresses them:
| ISO/IEC 42001 Clause | Control Core capability |
|---|---|
| 6.1 — Risk treatment: Implement controls to address AI risks | Controls are the operational implementation of AI risk treatment — access restriction, data minimization, oversight gates |
| 8.4 — AI system impact assessment: Document the intended use and assess impacts | Controls encode intended use scope — access outside the declared use case is denied and logged |
| 8.6 — Data management: Restrict access to AI training and inference data | Data access controls on training pipelines and inference endpoints; field-level masking for sensitive input data |
| 9.1 — Monitoring and measurement: Monitor AI system performance and compliance | Audit logs provide per-request decision records for compliance measurement |
| Annex A — AI-specific controls: Controls for proper use, explainability, and oversight | Approval gates (human oversight), audit trails (explainability evidence), scope containment (proper use enforcement) |
Financial services AI governance: SR 11-7, MAS, and FCA
Financial regulators have extended model risk management frameworks to cover AI and machine learning systems used in lending, trading, fraud detection, and customer interactions.
US — SR 11-7 (Model Risk Management, Federal Reserve / OCC):
The SR 11-7 guidance on model risk management requires that models used for financial decisions have appropriate access controls, validation processes, and ongoing monitoring. AI/ML models are subject to the same validation and governance requirements as traditional statistical models.
| SR 11-7 Requirement | Control Core capability |
|---|---|
| Model access restricted to authorized users and processes | Controls restrict which applications and identities can call each AI model endpoint |
| Model usage monitored and logged | Every model call is logged with identity, purpose, and outcome |
| Development and production model environments separated | Controls enforce environment-based access — staging models cannot be called from production workflows and vice versa |
| Model changes require authorization | Approval gate controls gate model version promotions to production |
Example — US bank credit model governance: A regional bank uses an ML model for commercial credit decisioning. SR 11-7 requires that access to the production model is restricted to the credit origination workflow and that all model invocations are logged. A Control Core Bouncer in front of the model API enforces: (1) only the authorized credit origination service account can call the production model, (2) development and test credentials are denied on the production endpoint, (3) every call is logged with the requestor, the model version, and the input data classification. Model risk management reviews pull directly from the audit log.
Singapore — MAS Principles for Responsible Use of AI in Financial Services:
The Monetary Authority of Singapore (MAS) published fairness, ethics, accountability, and transparency (FEAT) principles for AI in financial services, and its FEAT Assessment Framework provides a methodology for assessing AI governance.
| MAS FEAT Requirement | Control Core capability |
|---|---|
| Accountability: Clear responsibility for AI outcomes | Controls enforce which identities are authorized to operate each AI system; decisions are attributed to subject and control version |
| Fairness: AI must not produce discriminatory outcomes | Controls can enforce that certain sensitive attributes (e.g., protected characteristics) are not present in model input |
| Transparency: Decisions must be explainable | Per-decision audit logs record input context, control evaluated, and outcome — supporting explanation generation |
| Ethics: AI use must be within declared ethical scope | Purpose-of-use controls deny AI calls outside declared use categories |
UK — FCA Guidance on AI in Financial Services:
The UK FCA has published discussion papers and guidance on AI governance in financial services, emphasizing the need for model explainability, human oversight of high-impact decisions, and robust controls over AI systems that interact with consumers.
| FCA Expectation | Control Core capability |
|---|---|
| Senior Manager accountability for AI systems | Controls scoped to specific AI applications; policy owners named in the Control Plane audit trail |
| Consumer Duty — foreseeable harm from AI | Approval gate actions enforce human review for decisions that could cause consumer harm |
| Operational resilience for AI systems | Controls failsafe to deny when PIP data is unavailable — fail-closed by default |
| Audit trail for supervisory review | Full per-request decision logs available for FCA examination |
US Executive Order on AI Safety (AI Safety EO)
US federal agencies and federal contractors operating AI systems face mandates flowing from executive orders and agency guidance requiring mandatory access controls, safety testing, and reporting for AI systems above capability thresholds. Control Core's audit and enforcement capabilities support compliance for:
- Mandatory incident reporting when AI systems operate outside authorized scope
- Access controls limiting AI capability access to cleared personnel
- Red-teaming support: audit logs from adversarial testing sessions provide evidence of scope containment testing
Compliance alignment
| Framework | How Control Core helps |
|---|---|
| EU AI Act | Human oversight gates, access restriction to high-risk AI, purpose-limitation enforcement, mandatory audit trail |
| NIST AI RMF | Govern layer — policy encoding; Manage layer — scope enforcement and escalation |
| OWASP LLM Top 10 | Prompt injection detection, RAG retrieval controls, agent tool allowlisting, output masking |
| ISO/IEC 42001 | Operational controls for AI risk treatment, data access controls, monitoring evidence |
| SR 11-7 (US Fed/OCC) | Model access restriction, environment separation, usage logging for model risk reviews |
| MAS FEAT (Singapore) | Accountability, fairness input controls, transparency via audit log |
| FCA AI guidance (UK) | Senior Manager accountability trail, Consumer Duty oversight gates |
| SOC 2 | Security, availability, and processing integrity for AI-enabled services |
| GDPR / UK GDPR | Purpose limitation, data minimisation, and consent for AI processing |
| HIPAA | Minimum necessary access and audit trails where AI processes health data |
See Regulatory Compliance for regional and jurisdiction-specific details.
Next steps
- AI Governance overview — governance capabilities and configuration
- Regulatory Compliance — compliance use cases by region
- Dynamic Context Management — real-time context for controls
- PBAC Best Practices — control design patterns