Many AI incidents are identity incidents. An assistant answers using the wrong tenant context, calls a tool without correct entitlements, or leaks data through cached results. Identity and session security is the discipline of making "who is asking" and "what are they allowed to do" explicit across the entire AI request path.
Propagate identity through every layer
Identity must flow through:
- Retrieval. Apply ACL filters and tenant boundaries to every query (see RAG permissions).
- Tools. Tools should execute with user-scoped or narrowly delegated credentials (see tool authorisation).
- Logging. Every request and tool action should be tied to user, session and trace IDs (see telemetry schema).
If identity is not explicit, it becomes implicit prompt text - and that is not a reliable control.
Design tool authorisation like a security system
Tool use is where assistants can cause real-world side effects. Apply patterns that reduce risk:
- Least privilege. Only register tools that the current user/session is entitled to use (see safe tooling).
- Step-up controls. Require approvals for high-risk actions (see approvals).
- Idempotency and retries. Ensure retries do not duplicate actions (see tool reliability).
Handle multi-tenancy explicitly
Multi-tenant assistants fail when caches, indexes, and routing rules are not tenant-aware. Use explicit tenant identifiers in cache keys and retrieval filters, and test for boundary leaks (see multi-tenancy design).
Protect secrets and tokens
Assistants often introduce new secrets: provider keys, tool credentials, and access tokens. Apply secrets management practices and test rotation with game days (see secrets management and chaos game days).
Make sessions auditable without storing sensitive content
Audit-friendly does not mean storing raw prompts forever. Prefer structured records that capture:
- Identity, tenant, environment, workflow and policy version.
- Routing decisions and reason codes (see decision logging).
- Tool calls and authorisation decisions.
- Retrieval source identifiers and citation usage.
Apply classification and retention rules to any content-bearing fields (see data classification and retention and deletion).
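The propagation, least-privilege tool registration, tenant-scoped caching and structured audit records described above, pulled together in one added Python example (not code from the original page; the documents, tools and entitlement names are constructed placeholders):

```python
from dataclasses import dataclass
from hashlib import sha256

@dataclass(frozen=True)
class RequestContext:
    # Explicit identity carried through retrieval, tools and logging.
    user_id: str
    tenant_id: str
    session_id: str
    trace_id: str
    entitlements: frozenset = frozenset()

# Constructed sample corpus: each document carries its tenant and an ACL of user ids.
DOCS = [
    {"id": "doc-1", "tenant": "acme", "acl": {"alice", "bob"}, "text": "Acme Q3 plan"},
    {"id": "doc-2", "tenant": "acme", "acl": {"bob"}, "text": "Acme payroll"},
    {"id": "doc-3", "tenant": "globex", "acl": {"carol"}, "text": "Globex roadmap"},
]
# Constructed tool registry: each tool names the entitlement it requires.
TOOLS = {"search_docs": "docs:read", "send_email": "email:send", "refund": "billing:refund"}
_cache: dict = {}

def cache_key(ctx, query):
    # Tenant and user are part of the key, so a cached result is never served across a boundary.
    return sha256(f"{ctx.tenant_id}|{ctx.user_id}|{query}".encode()).hexdigest()

def retrieve(ctx, query):
    key = cache_key(ctx, query)
    if key in _cache:
        return _cache[key]
    # Tenant boundary and ACL filter applied to every query, not left to prompt text.
    hits = [d["id"] for d in DOCS
            if d["tenant"] == ctx.tenant_id and ctx.user_id in d["acl"]
            and query.lower() in d["text"].lower()]
    _cache[key] = hits
    return hits

def visible_tools(ctx):
    # Least privilege: only tools the caller is entitled to use are registered.
    return sorted(t for t, need in TOOLS.items() if need in ctx.entitlements)

def audit_record(ctx, tool, allowed, sources):
    # Structured, content-free record: identity, tenant, trace, decision and source ids only.
    return {"user": ctx.user_id, "tenant": ctx.tenant_id, "session": ctx.session_id,
            "trace": ctx.trace_id, "tool": tool, "allowed": allowed, "sources": sources}

def call_tool(ctx, tool, query):
    allowed = tool in visible_tools(ctx)
    sources = retrieve(ctx, query) if allowed and tool == "search_docs" else []
    return audit_record(ctx, tool, allowed, sources)
```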
Strong identity design turns AI assistants into a controlled system instead of an unpredictable side channel.