By Guillaume Girard

Software Engineer

Views: 2

Artificial intelligence

Partager l’article

More and more organizations aim to provide their teams with an AI assistant capable of querying CRM, ERP, databases, internal files or support tickets in natural language. The benefits are concrete: time savings, reduced manual searches, improved answer quality, and workflow automation.

However, connecting ChatGPT, Claude or an in-house AI agent to information systems is not just a technical project. It’s an architecture, security, and governance challenge, where the AI agent must never have higher privileges than the user. Without a rigorous framework, AI can become a cross-system gateway to sensitive data, exposing the company to leaks, access errors, and compliance violations.

Understanding the Risks of Naïve Integration

Poorly designed AI integration can lead to massive leaks and permission breaches. Companies often underestimate the complexity of access rights in their internal tools.

Confidential Data Leakage

When the AI assistant receives enriched context, it may include sensitive document excerpts in its response. A simple query about the production pipeline or HR files can reveal information the user shouldn’t see. Without strict filtering, AI becomes a data-leakage vector, capable of summarizing confidential contracts or extracting financial figures.

Imagine a Swiss SME in industrial equipment that connected its AI assistant to SharePoint using a global account. A marketing team member requested a product report, and the AI included confidential R&D pricing data in its summary. The leak was only discovered after internal distribution, highlighting the critical need to rigorously separate contexts.

Without masking mechanisms and automatic keyword-based refusals, every AI response represents a potential risk. Leakage is not only technical: it undermines trust and can create legal and contractual liabilities for the company.

Over-Permissioning the AI Agent

Many projects start with a global token or administrator account to speed up deployment. Unfortunately, this privileged access grants the AI agent far broader scope than a typical employee. A single prompt can expose HR databases, customer lists, or incident logs.

Over-permissioning creates a silent vulnerability: a hacker or malicious insider can hijack the assistant to reach protected segments of the information system. Authentication and authorization mechanisms designed for human users are effectively bypassed.

The golden rule remains the principle of least privilege: the AI agent must never have more rights than the user it serves. Any unnecessary access must be formally restricted and audited.

Poor Reproduction of Business Permissions

Permissions in Google Drive, SharePoint, Salesforce, or Jira are often granular, dynamic, and hard to translate into a vector index or a retrieval-augmented generation (RAG) engine. A document shared “view-only” with a group can become editable when stored in an alternate repository if permissions aren’t mapped precisely.

Without dynamic rights reconciliation, AI may return outdated results or misjudge a file’s confidentiality. It can then offer suggestions that conflict with internal policies.

Edana: strategic digital partner in Switzerland

We support companies and organizations in their digital transformation

Let's talk about you

Permission Architectures for Secure Access

Choosing the right authentication scheme determines the reliability of your enterprise AI assistant. Each connection method has governance and user-experience trade-offs.

User-Scoped Authentication (OAuth User-Scoped)

In this approach, each employee authorizes the AI to act on their behalf via single sign-on. The agent then queries internal APIs using the user’s specific tokens. Rights are strictly aligned with those of the employee, ensuring real-time adherence to business permissions.

The main challenge is onboarding: every user must complete an authentication flow. Depending on connector maturity, token renewal and expiration handling can affect the experience. However, delegated-access flows often mitigate this friction.

This architecture is especially recommended when handling sensitive or highly regulated data, such as in finance, healthcare, or public services.

Global Connection with Permission Synchronization

The company uses an admin account to bulk-import data into an internal index. A synchronization module attempts to replicate each user’s access rights on the imported segments. This method simplifies initial setup and delivers high search performance.

However, it poses risks if access logic changes frequently or business rules are complex. Mismatches between production permissions and those in the index can lead to security gaps.

A Swiss financial institution under strict regulatory scrutiny adopted this architecture. The case study showed that any role update must trigger a full resynchronization; otherwise, the AI occasionally surfaced outdated or unauthorized documents.

Delegated Access for Security-Usability Balance

Delegated access allows the system to obtain a user-scoped token on demand without a full OAuth flow for each employee. The application holds an admin token that exchanges a limited-scope access ticket for a given user. The workflow stays smooth while preserving precise permission alignment.

This option often offers the best compromise between security and usability, provided the generated tokens are short-lived and can be revoked immediately if needed. It does require connectors that support this flow.

For highly sensitive or structured data, a simplified internal permission layer is discouraged, even if it may suffice for a non-critical document repository.

Securing Indexing and Retrieval-Augmented Generation

Retrieval-augmented generation enhances AI relevance but can also duplicate sensitive data out of control. The vector index must include permission metadata and query-time filtering.

RAG Architecture and Its Limits

Retrieval-augmented generation involves indexing relevant documents or excerpts, then enriching the model’s output with these sources. This approach reduces hallucinations and improves context. However, if the index contains confidential content without permission metadata, it becomes an improper copy of your information system.

Every vector must carry its access rules: group, role, and classification level. At query time, a filter should automatically exclude unauthorized results before calling the AI model.

Dynamic Indexing and Data Freshness

AI assistants often need the latest data: open tickets, CRM opportunities, order statuses, inventory levels, or IT incidents. Periodic indexing may not suffice. You must implement incremental updates or direct API calls to guarantee freshness.

An intelligent, permission-scoped cache helps reduce latency while maintaining security. Monitoring synchronization lag alerts teams to critical delays.

Preventing Prompt Injection

Prompt injection occurs when malicious instructions are embedded in a document or query to hijack the AI. Without lock-down mechanisms, the assistant may ignore its security constraints and disclose prohibited information.

Best practices include sandboxing prompts, systematically cleaning inputs, and implementing refusal rules based on regular expressions or ML models that detect manipulation attempts.

Governance, Compliance, and Approval Workflows

Reading data carries different risks than writing or modifying it. Any action must follow a clear workflow with human validation for sensitive operations.

Action Levels: Read, Prepare, Execute

Distinguishing between simple reading, action suggestion, and actual execution is fundamental. AI can draft an email or prepare a CRM update, but final sending often requires human oversight to avoid incidents.

It’s recommended to restrict write permissions to approved workflows only, with an approval log that records the validator’s identity and action timestamp.

Logging, Traceability, and Auditability

To meet security and compliance requirements, every query, response, and action by the AI agent must be logged. Logs should capture the initiating user, request content, data accessed, and executed action.

Integrating with a security information and event management (SIEM) system allows correlating these events with the wider IT environment and quickly detecting any anomalous access or usage. Shift-left security enhances early detection.

Without fine-grained traceability, reconstructing the sequence of events after an incident or responding to a regulatory audit becomes impossible.

Governance Best Practices

Apply the principle of least privilege, segment connectors by business domain, and rotate tokens regularly. Also establish an emergency revocation plan in case an account or token is compromised.

Prompt-injection testing, periodic permission audits, and preventive refusal engines complete these measures.

Aligning with Swiss data protection, trade-secret, and cybersecurity requirements ensures a responsible, compliant integration of enterprise AI assistants.

Transform Your AI Assistant into a Secure Co-Pilot

Poorly integrated enterprise AI can become the most dangerous entry point to your internal data. Risks of leaks, over-permissioning, prompt injection, and uncontrolled actions are real without proper architecture, security, and governance. Conversely, a rigorous strategy—user-scoped authentication or delegated access, secure RAG indexing, dynamic permission filters, and approval workflows—turns AI into a reliable, context-aware co-pilot.

Organizations that master every integration step—from rights mapping to traceability and adherence to Swiss and international standards—will succeed. Our Edana experts support this journey with open-source architectures, secure API integration, tailored UX, approval workflows, and proactive monitoring.

Discuss your challenges with an Edana expert