AI Authentication and Authorization | FusionAuth Docs/Articles
By Dan Moore
Human identity is the source of AI authority.
I know what you're thinking: another article about AI security? Stick with me. This one is different because it's grounded in a simple, almost obvious truth that the industry keeps forgetting in its rush to ship agents: the same identity and authorization patterns that secured the API boom of the 2010s are exactly what you need to secure AI systems today.
If you've built OAuth integrations, managed API keys, or set up role-based access control, you already have most of the knowledge you need. AI auth is not a new discipline. It's an extension of existing best practices.
"Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin."
— John von Neumann
"Anyone who lets AI access resources without deterministic safeguards is, of course, in a state of folly."
— The Author
The von Neumann quote is a classic warning against expecting a deterministic process to produce truly random output. The inverse principle applies here. AI systems are probabilistic: they reason, hallucinate, and improvise. But the identity layer that governs who they act for and what they're allowed to do must be deterministic. Identity is not something to "vibe."
This article walks through three AI use cases:
- retrieval-augmented generation (RAG)
- tool use (MCP and APIs)
- agentic systems
It examines them through the lens of authentication, authorization, and identity management. It uses FusionAuth examples, but also notes where there are standards-based solutions.
We'll use a single running example throughout: you are an engineering manager at a bank, looking to use AI to improve support desk operations for both employees and customers.
A Quick Overview of the Use Cases
Before we dive in, let's define what we're working with.
Retrieval-augmented generation (RAG) augments the data available to an AI model by feeding it documents at query time. Your bank employees or customers ask a question, and the RAG system retrieves relevant internal documents and then provides them to an LLM to ground the LLM's answer. The key auth concern: not every user should see every document. A customer is going to see different documents from a teller, who will see different ones from a VP.
Tool use (MCP and APIs) allows AI systems to take actions like reading from a database, updating a customer record, or calling an external service. The Model Context Protocol (MCP) is an emerging standard for connecting AI tools to services, but plain APIs with rich documentation work too. The key auth concern: controlling what each tool can do, and on whose behalf.
Agentic systems are semi-autonomous, task-oriented workflows that can read data, take action across multiple systems, and ask for human input when needed. They are non-deterministic software components that chain together reasoning steps. The key auth concern: maintaining a chain of identity from the human who authorized the workflow all the way through to every action taken, as well as limiting agents' access.
Here's how these map to what an identity provider can help with:
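| Scenario | Authorization | Authentication | Identity Management |
|----------|---------------|----------------|---------------------|
| RAG | Yes | Yes (framework-specific) | Yes (framework-specific) |
| Tool Use | Yes | Yes | Yes |
| AI Agents | Yes | Yes | Yes |

Now let's dig into each of these use cases.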
RAG: Making Sure the Model Never Sees What It Shouldn't
Here's the scenario.
You have bank documents related to customer support tasks, such as loan agreements, customer agreements, compliance policies, wealth management playbooks, and fraud investigation procedures. You want to make them available for customers and employees to query through an AI interface. But not all documents should be available to every user. Customer support, fraud and security, disputes and chargebacks, and loan servicing teams each need access to different document sets. And don't forget customers themselves.
Companies like LinkedIn, DoorDash, and Vimeo already use RAG in production. The pattern is well-established.
Why Identity Matters for RAG
When answering a query, the LLM should never even see documents the user shouldn't have access to. You don't have to craft some clever prompt. You're not relying on the model to keep secrets. With the right authorization framework, you're filtering documents before they reach the model.
This is primarily an authorization problem. You authenticate the user (prove they are who they claim to be), process their query, pull documents from the vector datastore, then filter the documents based on which documents the user is allowed to query.
The model only receives documents that pass the authorization check.
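The filter step described above, as an added example (not FusionAuth's code or an API from this article). The chunk fields, role names, and claim layout are assumptions, and the claims are assumed to come from an access token whose signature has already been verified. Chunks without ACL metadata are denied, and filtering happens before the top-k cut.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Chunk:
    doc_id: str
    text: str
    score: float                           # similarity score from the vector search
    allowed_roles: frozenset = frozenset() # ACL metadata stored with the chunk
    owner_id: Optional[str] = None         # set when a document belongs to one customer

def is_authorized(claims: dict, chunk: Chunk) -> bool:
    """Deterministic allow/deny; `claims` come from an already-verified token."""
    matched = set(claims.get("roles", [])) & chunk.allowed_roles
    if not matched:                        # no role match or no ACL metadata: fail closed
        return False
    if matched == {"customer"} and chunk.owner_id is not None:
        return chunk.owner_id == claims.get("sub")  # customers see only their own
    return True

def build_context(claims: dict, retrieved: list, top_k: int = 3) -> list:
    # Filter BEFORE truncating to top_k, so denied chunks never crowd out allowed ones.
    allowed = [c for c in retrieved if is_authorized(claims, c)]
    return sorted(allowed, key=lambda c: c.score, reverse=True)[:top_k]

def build_prompt(question: str, context: list) -> str:
    docs = "\n\n".join(f"[{c.doc_id}] {c.text}" for c in context)
    return f"Answer using only these documents:\n{docs}\n\nQuestion: {question}"

# Constructed sample data: vector-search results for "what fees apply to my loan?"
SHARED = frozenset({"customer", "loan_servicing"})
RETRIEVED = [
    Chunk("untagged-memo", "Internal draft, no ACL recorded.", 0.99),
    Chunk("fraud-playbook", "Escalation steps for suspected fraud.", 0.93,
          frozenset({"fraud_analyst"})),
    Chunk("loan-1001", "Loan terms for customer 1001.", 0.90, SHARED, "cust-1001"),
    Chunk("loan-2002", "Loan terms for customer 2002.", 0.88, SHARED, "cust-2002"),
    Chunk("fee-schedule", "Published fee schedule.", 0.75,
          frozenset({"customer", "teller", "fraud_analyst"})),
]
CUSTOMER = {"sub": "cust-1001", "roles": ["customer"]}
ANALYST = {"sub": "emp-7", "roles": ["fraud_analyst"]}

if __name__ == "__main__":
    for who in (CUSTOMER, ANALYST):
        ctx = build_context(who, RETRIEVED)
        print(who["sub"], "->", [c.doc_id for c in ctx])
```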
Implementation
The implementation follows a straightforward pipeline:
Chunk your documents into segments suitable for vector search.
Build an authorization...