Hey folks! Or Weis here with another digest 💌
Everyone is talking about AI, and I think Asimov is a great place to start.
Isaac Asimov’s Three Laws of Robotics envisioned a future where strict, embedded rules would prevent robots from causing harm. But in today's world, embedding hard limits into AI systems remains quite a distant challenge.
Unlike Asimov's fictional robots, which were imagined to have intrinsic, hardcoded rules embedded directly into their "positronic brains" or operating systems, actual modern AI systems operate quite differently.
The AI we know and use today, particularly LLMs, is based on probabilistic reasoning and pattern recognition. These systems are trained on vast amounts of data to predict outcomes or generate responses, and their behavior emerges from patterns in data, not from hard-coded directives or physical constraints. While their networks can be fine-tuned and guided by prompts, there’s currently no good way to embed unbreakable "laws" into the AI's architecture.
That doesn’t mean AI agents are, or should be, completely limitless, or that we cannot set boundaries on how they operate. But how do we set those boundaries? Let’s talk about that.
The Existing Reality of AI Limitations
Today, as you are probably aware, AI systems like ChatGPT are subject to some limits that prevent them from generating certain types of content.
These limits are typically enforced through a combination of explicit external mechanisms. Multi-agent RAG (Retrieval Augmented Generation), for example, enables an AI to interact with its memory to answer queries. At the same time, other agents monitor these interactions, deciding what the AI can or cannot access.
AI systems also rely on deterministic code to constrain their behavior and system-level instructions to guide them. Every AI agent operates with a layered prompt system:
There’s the user’s prompt, but there’s also a baseline system prompt set by engineers.
A system prompt can define the AI’s role and tasks—like, “You’re a support agent,” or “You pass butter.” Then, for specific cases, additional prompts can be included as part of the input to tailor the AI’s behavior further.
The AI takes all these inputs, reads them, and combines them to predict the most appropriate response based on the combined context.
However, how these prompts interact can significantly alter the AI’s behavior.
Even with instructions like, “Don’t listen to later prompts,” clever prompt engineering can often find ways to bypass these constraints. It’s practically impossible to enforce an unbreachable boundary solely through prompt design because the input space is too vast, and language model behavior is too diverse.
AI models today are excellent at extrapolating based on a wide variety of options. You feed a large language model a lot of data, and it becomes very versatile. It can discuss different topics, interact with various services, and perform numerous tasks.
However, this versatility is a double-edged sword. While it allows the AI to handle a broad range of tasks, it also introduces challenges in control.
That’s why relying solely on prompts for strict enforcement is insufficient. We need external deterministic controls layered around the AI system.
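Here is what such an external deterministic control can look like in practice, as an added example rather than code from this newsletter or from Permit.io. The gate sits between the model's proposed tool call and its execution: it never reads the prompts at all, only the structured action, so nothing a user writes can widen the allowlist or raise the refund cap. The tool names, the support-agent policy and the refund ledger are all constructed for illustration.

```python
"""Added example: a deterministic gate between an agent's proposed tool call and
its execution. Tool names, limits and the refund ledger are constructed for
illustration; this is not Permit.io code or the newsletter's own."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ToolCall:
    """A structured action the model proposes (tool name plus arguments)."""
    tool: str
    args: dict


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Hypothetical tool implementations. The ledger lets us verify what actually ran.
REFUND_LEDGER: list = []


def lookup_order(order_id: str) -> dict:
    return {"order_id": order_id, "status": "shipped"}  # constructed record


def issue_refund(order_id: str, amount: float) -> dict:
    REFUND_LEDGER.append((order_id, amount))
    return {"order_id": order_id, "refunded": amount}


TOOLS: dict = {"lookup_order": lookup_order, "issue_refund": issue_refund}

# Hypothetical policy for a "support agent" role: an allowlist of tools plus hard
# argument limits. These live in code, outside the model, so no wording in the
# user prompt or the system prompt can loosen them.
SUPPORT_AGENT_POLICY: dict = {
    "lookup_order": {},
    "issue_refund": {"max_amount": 50.0},
}


def check_tool_call(call: ToolCall, policy: dict = SUPPORT_AGENT_POLICY) -> Decision:
    """Deterministic check of a proposed action against the policy."""
    if call.tool not in policy:
        return Decision(False, f"tool {call.tool!r} is not in the allowlist")
    limits = policy[call.tool]
    if "max_amount" in limits:
        amount = call.args.get("amount")
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(amount, bool) or not isinstance(amount, (int, float)) or amount <= 0:
            return Decision(False, "amount must be a positive number")
        if amount > limits["max_amount"]:
            return Decision(False, f"amount {amount} exceeds cap {limits['max_amount']}")
    return Decision(True, "within policy")


def run_agent_turn(proposal: ToolCall, policy: dict = SUPPORT_AGENT_POLICY):
    """Execute a proposed call only if the gate allows it.

    The model (not simulated here) would have produced `proposal` from the layered
    prompts; the gate ignores the prompts and judges only the structured action.
    """
    decision = check_tool_call(proposal, policy)
    if not decision.allowed:
        return decision, None
    result = TOOLS[proposal.tool](**proposal.args)
    return decision, result


if __name__ == "__main__":
    for call in (ToolCall("issue_refund", {"order_id": "A1", "amount": 20.0}),
                 ToolCall("issue_refund", {"order_id": "A1", "amount": 500.0}),
                 ToolCall("delete_account", {"user": "alice"})):
        decision, result = run_agent_turn(call)
        print(call.tool, decision.allowed, decision.reason, result)
```

The design point is that the policy is keyed on the action, not on the conversation: a proposal for an unlisted tool or an over-cap refund is refused the same way whether it came from a well-behaved model or from one that was talked into it.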
A New Type of User and the Challenge of Cascading Permissions
Let’s zoom out for a moment and look at this issue from a broader perspective.
Currently, the majority of your application users are human - but this is set to change very soon. Within the next one to three years, I believe AI agents are likely to overtake humans as the primary users of applications.
This shift will be fueled by the rise of AI-native applications as a new standard for software development, as well as increased interconnectivity. We’re bound to see more AI agents operate on behalf of humans and other AI agents across various platforms, creating a cascading network of machine identities interacting with one another. Since most of us will likely rely on multiple AI agents, their numbers are expected to surpass the number of human users in the near future.
Let’s look at a simple example:
You’re going to a theme park with your friends. Your AI agent will talk to the agents of your friends and also to the theme park’s application to get tickets. You might also want snacks, so it will coordinate with your supermarket’s application to have something delivered to your home before the trip. It might arrange for a rental car. The possibilities are endless. Meanwhile, the AI agents for your friends will also be working—they’ll be scheduling appointments on their behalf, perhaps checking their calendar applications to confirm availability.
Even in this simple scenario, your AI agent is interacting with at least five other agents, each of which is likely cascading communications with other AI agents. The more options you add, the more convoluted this structure becomes.
This scenario poses a really important question: How do we audit these decisions?
If a mistake happens, you’ll need the ability to understand which agent made which decision, and based on which policies.
Remember, we're talking about a very simple, low-risk scenario here. Now, think about applying this in professional or corporate settings, in environments requiring strict compliance or security. Consider factories, critical infra, military sites, or similar high-stakes settings - you see where I’m going with this.
There’s no doubt the ability to audit these interactions will become security priority number one soon enough.
A Problem for the Near Future
As we see, this boundless connectivity introduces endless friction for auditing and managing access. It’s bound to be a challenge for us humans to keep track of everything happening in these interconnected systems.
This will become a critical aspect of each application, each agent, and every interface used to interact with these agents. Understanding and controlling these connection points will be vital to keep everything running smoothly.
I think most people likely don’t fully grasp how dramatically different the world will look once we reach that level of interconnectivity. This shift is bound to be as transformative as the shift from a world without cell phones or the internet to one where they are ubiquitous. The impact on daily life will be on that scale - and that’s definitely something to think about.
The Challenge of AI Access Control Today
If we look at the position of this technology right now, we’re just one step behind this vision: we’re in the phase of adding the first AI agents to our applications and developing more AI-native applications.
When you add an AI agent to your application, you’re essentially connecting that agent to the external world. You’re providing it with initial connectivity to human users, your existing API services, tools, and various third-party solutions. However, when integrating an AI agent into your application, you can’t just do it willy-nilly.
You need to decide what your AI agent is allowed to do with your API. The naive approach of saying, "Oh, my API already has access control, so that’s fine," won’t work.
Why? Because traditional access control is designed to ensure that a human using your service can only access the appropriate APIs based on their quota, plan, pricing, billing, and so on. It might also enforce role-based policies, but that’s all centered around human users.
When you add an AI agent, you can’t automatically assume it’s allowed to do everything the human user is allowed to do. There are two key points to consider:
AI agents acting on behalf of your customers
AI agents acting as part of your service
Assuming AI agents are allowed to use everything within your service can also lead to numerous vulnerabilities. The agent might do things the user doesn’t expect, leading to friction, damage, or even business problems for your end customer.
If these issues arise and you realize after the fact that you didn’t plan for them, it will already be too late. By then, the cost—whether financial, reputational, or operational—will have been incurred.
As you build applications and start connecting AI agents, it’s crucial to implement policies that treat AI agents with the same rigor as human users, in the same enforcement layer rather than a separate one. These policies should account for an AI agent's level of agency but must not automatically give it the same permissions or privileges as a human user.
How do you do that? You need to be able to do two things:
First, you need to identify the different points the AI will interact with and decide on the policy for each point, considering whether the agent is acting as part of the service or on behalf of a customer.
Second, you need to address the "on behalf of" aspect at each of those points: understanding on whose behalf the agent is acting and incorporating that into the policy.
This will be very similar to what we see with observability for microservices, where there’s a cascade of requests between services. In this context, however, the actors in the chain are far less deterministic.
This brings us back to Asimov -
Asimov’s Three Laws of Robotics paint a picture of rules that robots simply cannot violate, ensuring a safety net for humanity. While we’re far from embedding unbreakable “laws” into AI, there are practical steps we can take to manage this new reality:
Deterministic Policies: AI systems should operate within systems that enforce clearly defined, non-negotiable rules that leave no room for interpretation.
Layered Enforcement: Combining deterministic systems with AI-generated insights provides flexibility while maintaining control.
Auditable Cascades: Build systems that can trace and document every decision made by AI agents, from initiation to execution.
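The two requirements above (policy per interaction point, with "on behalf of" built in) and the three measures just listed can be shown together in one small authorization check. This is an added example, not code from this newsletter or from Permit.io: the principals, the user permissions and the delegation scopes are constructed for the theme-park scenario, and the names `effective_permissions`, `authorize` and `AUDIT_LOG` are mine. Each hop in the cascade can only narrow what the previous hop held, and every decision is recorded with the full chain so the question "which agent decided what, under which policy" has an answer.

```python
"""Added example: authorization with "on behalf of" scoping and an audit trail for a
cascade of agents. Principals, permissions and delegation scopes are constructed for
illustration; this is not Permit.io code or the newsletter's own."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    id: str
    kind: str                    # "human" or "agent"


@dataclass(frozen=True)
class Request:
    actor: Principal             # the principal calling the API right now
    on_behalf_of: tuple          # upstream principals, outermost (human) first
    action: str
    resource: str


# Constructed data: what a human user may do directly.
USER_PERMISSIONS = {
    "alice": {("read", "calendar"), ("write", "calendar"), ("purchase", "tickets")},
}

# Constructed data: what each principal has delegated to the next one in the cascade.
DELEGATIONS = {
    ("alice", "alice-agent"): {("read", "calendar"), ("purchase", "tickets")},
    ("alice-agent", "park-agent"): {("purchase", "tickets")},
}

AUDIT_LOG: list = []


def effective_permissions(chain: tuple) -> set:
    """Permissions at the end of a delegation chain.

    Each hop intersects with the delegated scope, so an agent can only ever hold a
    subset of what the human at the root of the chain holds."""
    perms = set(USER_PERMISSIONS.get(chain[0].id, set()))
    for upstream, downstream in zip(chain, chain[1:]):
        scope = DELEGATIONS.get((upstream.id, downstream.id))
        if scope is None:
            return set()         # a missing delegation link voids the whole chain
        perms &= scope
    return perms


def authorize(req: Request) -> bool:
    """Deterministic policy decision; every decision is recorded with its full chain."""
    chain = req.on_behalf_of + (req.actor,)
    if chain[0].kind != "human":
        allowed, reason = False, "chain must originate from a human principal"
    else:
        allowed = (req.action, req.resource) in effective_permissions(chain)
        reason = "within delegated scope" if allowed else "outside delegated scope"
    AUDIT_LOG.append({
        "actor": req.actor.id,
        "chain": [p.id for p in chain],
        "action": req.action,
        "resource": req.resource,
        "allowed": allowed,
        "reason": reason,
    })
    return allowed


def decisions_by_actor(actor_id: str) -> list:
    """Answer the audit question: which decisions did this agent trigger, and why."""
    return [entry for entry in AUDIT_LOG if entry["actor"] == actor_id]


ALICE = Principal("alice", "human")
ALICE_AGENT = Principal("alice-agent", "agent")
PARK_AGENT = Principal("park-agent", "agent")

if __name__ == "__main__":
    print(authorize(Request(ALICE_AGENT, (ALICE,), "purchase", "tickets")))              # True
    print(authorize(Request(PARK_AGENT, (ALICE, ALICE_AGENT), "purchase", "tickets")))   # True
    print(authorize(Request(PARK_AGENT, (ALICE, ALICE_AGENT), "write", "calendar")))     # False
    print(authorize(Request(PARK_AGENT, (), "purchase", "tickets")))                     # False
    for entry in AUDIT_LOG:
        print(entry)
```

Two choices carry the security weight here: the intersection in `effective_permissions`, which makes it structurally impossible for a downstream agent to end up with more than the user delegated, and the requirement that every chain start at a human, so an agent with no "on behalf of" context is denied rather than granted some default.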
These measures won’t solve every problem, but they offer a foundation for managing the growing complexity of AI interactions. As AI becomes more integrated into our systems, these solutions will help ensure the balance between flexibility and security is maintained.
By addressing these challenges today, we can prepare for the rise of AI agents as the dominant users of applications and ensure their interactions are both secure and manageable.
If you want to learn more on this topic, here are a few reading suggestions:
The Challenges of Generative AI in Identity and Access Management (IAM) by Gabriel Manor
Building AI Applications with Enterprise-Grade Security Using RAG and FGA by Bartosz Pietrucha
And, if you haven’t read it, here’s a PDF of I, Robot by Isaac Asimov!
Like what you read? Hated it? Felt absolutely neutral about it?
Leave a like, share it with others, or let me know in the comments ❤️
You're also always welcome to contact me directly on LinkedIn or in the Permit.io community!