The Biggest Access Control Challenge In AI: Multisource Data

Forbes

07-07-2025

Suman Sharma is the cofounder and CTO of Procyon Inc.
Imagine a retail firm's AI spitting out a sales forecast for a regional manager, merging public market trends, open to all, with sensitive customer purchase histories, restricted to top execs. The result—a sleek projection—hides a messy problem: How does access control ensure users see only what they're allowed to when AI blends data from multiple sources?
As AI fuels enterprise decisions in retail, finance and tech, this issue towers over security efforts. Access control, the practice of restricting data and systems to authorized users, buckles under AI's dynamic, data-hungry nature. I'll unpack the challenge, its stakes and solutions, urging action to secure enterprises without curbing innovation.
The Challenge: Multisource Data And Access Control
Access control shines in traditional setups: Managers view reports, developers tweak code and each is gated by defined permissions. AI disrupts this. Machine learning, generative models and real-time analytics pull from diverse enterprise sources: internal databases (sales logs, staff records), external feeds (market APIs, vendor stats) and live streams (web clicks, Internet of Things (IoT) sensors). An AI's output, like a forecast or risk score, fuses these, blurring their origins.
Here's the snag: Enterprise users—analysts, managers, contractors—hold varied rights. A retail analyst can see market trends but not customer data. When AI mixes both into a prediction, how does access control block unauthorized bits? This multisource data clash, critical today, tests the limits of securing AI in enterprises.
Why It's A Big Deal
• Security Risk: AI outputs leaking restricted data—customer profiles, trade secrets—can spark breaches. A 2025 report found that 68% of firms faced AI-related data leaks, often due to weak access controls allowing unauthorized exposure of sensitive data blended with public sources.
• Compliance Pressure: Rules like GDPR and CCPA demand data isolation. An AI blending open and restricted sources for an unprivileged user risks violations and hefty fines.
• Trust Erosion: If staff or partners fear AI exposes sensitive info, confidence in systems—and the enterprise—tanks.
Root Causes
Several drivers make this tough:
• Data Entanglement: AI, especially complex models, melds inputs inseparably. A risk score's roots—public stats or private logs—defy easy tracing.
• Static Limits: Traditional access control often uses fixed rules, yet AI data shifts, such as new APIs or fresh streams, can outrun updates.
• Coarse Scope: Permissions like 'view all forecasts' lack precision, missing fine control over specific data or AI outputs.
• User Diversity: Thousands of users across roles query one AI, each with unique rights, defying tidy enforcement.
Implications
The fallout is real. A retail manager, seeing a forecast tied to restricted customer data, gains improper insight, even indirectly. Auditing this is brutal: how do you pinpoint an AI output's sources? In finance, a risk score mixing public trends and private accounts, shown to a junior analyst without full rights, could breach GDPR, costing millions. Worse, if employees or clients doubt access control's grip, trust fades, slowing AI adoption and enterprise growth.
Consider a tech firm: An AI predicts server downtime using public usage stats (open to engineers) and proprietary code metrics (viewable by executives only). If access control slips, an engineer gets a tainted result, risking a leak. Across vast users and fluid data, this spirals.
Solutions To Bridge The Gap
Tackling this demands evolving access control for AI. Here are enterprise-ready fixes:
Tag sources (e.g., "market: open," "customer: restricted") and track them through the AI pipeline. Systems flag or block outputs if restricted data is involved.
• Pros: It catches unauthorized leaks and aids audits.
• Cons: It needs metadata tools and could add processing load.
• Example: In retail, an AI skips customer-based forecasts for an analyst without rights.
Use flexible models like attribute-based access control (ABAC), adjusting permissions by context, such as user role, data sensitivity, query type and time. A manager gets predictions from approved sources only.
• Pros: It adapts to AI's fluidity.
• Cons: The setup can be complex, and a policy shift is needed.
• Example: A finance AI gives a clerk market-based risk scores while blocking account-derived ones.
Build AI to filter responses live, suppressing insights from unauthorized sources. Algorithms can mask restricted elements.
• Pros: This is a direct, user-specific shield.
• Cons: It can be hard to isolate in complex models.
• Example: A tech firm's downtime prediction for an engineer omits proprietary metrics.
Train separate AI models per user group, each fed only accessible data (e.g., an analyst's model uses public stats, not customer records).
• Pros: This ensures a clean split with no leak risk.
• Cons: It can be costly and high maintenance.
• Example: A retail firm runs a 'manager' model and an 'analyst' model, siloed by rights.
Log AI inputs and user outputs for compliance checks. Anomaly detection, perhaps AI-driven, flags odd access.
• Pros: It builds trust.
• Cons: The storage and analysis burden grows.
• Example: Anomaly detection could catch a finance AI leaking private data to a clerk.
Future Outlook
Multisource AI data will surge with generative models, real-time feeds and cloud systems. The challenge swells—think merging web clicks and private profiles or fusing market data and client accounts. Enterprises need AI-savvy solutions, blending traditional methods, dynamic approaches and new tech.
The clock's ticking. AI's reach grows, and so does this access control challenge.
Enterprises, don't wait for a breach. Security teams, audit AI pipelines now: map data sources, test permissions, spot leaks. Developers, build lineage tracking and filters into models; start with pilot projects in retail or finance. Leaders, invest in dynamic access control like attribute-based access control (ABAC) and rethink policies to match AI's pace. Regulators and industry groups, unite to craft AI-specific standards by launching forums or task forces this year. Together, secure AI's potential: act boldly, and act now.
Conclusion
The biggest access control challenge in AI—managing outputs that blend multiple sources, some allowed, some not—dogs enterprises daily. Through data lineage, dynamic controls, output filters, tailored models and audits, we can adapt. Take action to close the gap. Can access control keep up with AI's surge? Your move ensures it will.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?