Inferensys

Glossary

Model Access Control List (ACL)

A granular permission set attached directly to a specific model artifact or version, defining which users, groups, or service accounts are authorized to invoke it for inference.
ML engineer managing model versions on laptop, version history visible, technical Git-like workflow.
Authorization

What is a Model Access Control List (ACL)?

A granular permission set attached directly to a specific model artifact or version, defining which users, groups, or service accounts are authorized to invoke it for inference.

A Model Access Control List (ACL) is a granular permission set attached directly to a specific model artifact or version, defining which users, groups, or service accounts are authorized to invoke it for inference. Unlike broad Role-Based Access Control (RBAC) policies, a model ACL enforces the Least Privilege Principle at the individual resource level, ensuring that a downstream application can only query the exact model version it requires and nothing else.

In a Zero Trust Architecture, the model ACL is evaluated by a Policy Enforcement Point (PEP) during every inference request, often in conjunction with a JSON Web Token (JWT) or OAuth 2.0 Client Credentials Flow token. This mechanism provides a critical defense-in-depth layer against Model Stealing Detection evasion and unauthorized data exfiltration by strictly controlling which identities can interact with proprietary model weights.

GRANULAR MODEL PERMISSIONS

Key Characteristics of Model ACLs

Model ACLs provide fine-grained, artifact-level authorization that decouples access policy from application code, enabling zero-trust inference serving.

01

Artifact-Level Binding

Permissions are attached directly to a specific model version or artifact, not to an API endpoint. This means authorization travels with the model through staging, production, and rollback scenarios.

  • Access is evaluated against the model's unique identifier (e.g., model:v2.3-prod)
  • Revoking access to a deprecated version does not affect the new one
  • Enables immutable audit trails tied to specific model artifacts
02

Principal Types

ACLs define who can invoke a model by binding permissions to distinct principal types:

  • User Accounts: Individual data scientists or engineers performing ad-hoc inference
  • Service Accounts: Machine identities for automated pipelines or microservices
  • Group Claims: RBAC groups or OIDC claim-based groupings for team-level access
  • Anonymous Principals: Explicitly denied by default; public access must be explicitly granted
03

Action Granularity

Model ACLs support more than a binary allow/deny. They define specific verbs that map to inference operations:

  • invoke: Permission to submit data and receive predictions
  • read_metadata: Permission to view model card, version history, and performance metrics
  • manage_acl: Permission to modify the ACL itself (typically restricted to model owners)
  • export: Permission to download model weights or artifacts (often disabled in production)
04

Policy Evaluation Order

When a request arrives, the ACL engine evaluates permissions in a deterministic order to resolve conflicts:

  1. Explicit Deny: If any rule explicitly denies the principal, access is blocked immediately
  2. Explicit Allow: If a rule explicitly grants the required action, access proceeds
  3. Group Inheritance: Principal inherits permissions from group memberships
  4. Default Deny: If no rule matches, the request is rejected (fail-secure posture)

This mirrors AWS IAM policy evaluation logic, ensuring predictable security outcomes.

05

Integration with External Policy Engines

Model ACLs rarely operate in isolation. They integrate with centralized authorization systems for unified governance:

  • Open Policy Agent (OPA): ACL decisions can be delegated to OPA using Rego policies for complex, cross-service rules
  • Policy Enforcement Points (PEP): Sidecar proxies or API gateways enforce ACL decisions at the network layer
  • Token Introspection: OAuth 2.0 tokens are validated and mapped to ACL principals via RFC 7662-compliant introspection endpoints
  • SPIFFE: Workload identities from SPIFFE are resolved to ACL service accounts in Kubernetes-native deployments
06

Immutable Audit Logging

Every ACL evaluation generates a cryptographically signed audit event, stored in append-only storage for non-repudiation:

  • What was logged: Principal ID, model version, action requested, timestamp, decision (allow/deny), and the specific rule that matched
  • Compliance use cases: SOC 2 evidence, GDPR access reporting, and forensic investigation of model extraction attempts
  • Tamper-proofing: Logs are written to WORM-compliant storage with HMAC integrity checks
MODEL ACL

Frequently Asked Questions

Essential questions about implementing and managing granular access control for machine learning model inference endpoints.

A Model Access Control List (ACL) is a granular permission set attached directly to a specific model artifact or version that defines which users, groups, or service accounts are authorized to invoke it for inference. Unlike broad API gateway rules, a Model ACL operates at the model layer, evaluating each inference request against a stored policy. When a client presents an authenticated identity—typically via a JSON Web Token (JWT) or SPIFFE-based credential—the model serving runtime queries the ACL to determine if that principal has the invoke permission for the requested model version. This mechanism enforces the Least Privilege Principle by ensuring a downstream application authorized to call Model A cannot automatically call Model B. Implementations often integrate with Open Policy Agent (OPA) or cloud-native IAM systems to externalize authorization logic, allowing security teams to manage permissions as code without modifying model serving containers.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.