Field-Level Security (FLS) is a fine-grained authorization mechanism that masks or redacts specific sensitive fields within a retrieved document before it is passed to the large language model for generation. Unlike document-level security, which controls entire file access, FLS operates at the attribute level, ensuring that a user may see a record but not its confidential columns, such as salary or social security numbers.
Glossary
Field-Level Security

What is Field-Level Security?
A data protection mechanism that restricts access to specific data fields within a document, ensuring that sensitive information is masked or redacted before retrieval-augmented generation.
In a RAG architecture, FLS is typically enforced during post-retrieval filtering by a Policy Enforcement Point (PEP) that evaluates the user's attributes against a Policy Decision Point (PDP). This process dynamically strips or tokenizes restricted fields like credit_card_number from the text chunk, preventing exposure to the model while preserving the utility of the remaining context for accurate answer generation.
Key Characteristics of Field-Level Security
Field-Level Security (FLS) is a fine-grained authorization mechanism that masks or redacts specific sensitive fields within a retrieved document before it is passed to the large language model for generation. Unlike document-level controls, FLS operates at the attribute level, ensuring that even if a document is retrieved, only authorized fields are visible to the model.
Attribute-Based Masking
FLS dynamically evaluates a user's security context against field-level metadata to determine visibility. Instead of blocking an entire document, the system selectively redacts or tokenizes specific fields like Social Security Numbers, salaries, or internal project codes.
- Dynamic Evaluation: Policies are evaluated at query time, not index time.
- Conditional Logic: Access can depend on user role, location, and device posture.
- Partial Exposure: A manager might see a salary field, while a peer sees a
[REDACTED]placeholder.
Pre-Generation Sanitization
The critical architectural placement of FLS is in the post-retrieval, pre-generation phase. After the vector store returns relevant chunks, a Policy Enforcement Point (PEP) strips unauthorized fields before the text is injected into the LLM's context window.
- Zero-Trust Context: The LLM never receives the raw sensitive data.
- Irreversible Redaction: Text is physically removed, not just hidden via CSS.
- Schema-Aware: The system understands JSON paths and XML tags to target nested fields precisely.
Structured vs. Unstructured Data
FLS implementation differs significantly based on the data format. For structured data (JSON, databases), field paths are explicit. For unstructured text (PDFs, Word docs), the system relies on Named Entity Recognition (NER) to identify sensitive spans.
- Structured: Uses JSONPath or XPath to target
$.employee.salary. - Unstructured: Uses regex patterns and machine learning classifiers to find PII.
- Hybrid: Combines metadata filtering with in-text redaction for maximum coverage.
Format-Preserving Encryption (FPE)
In scenarios where data utility must be preserved for the LLM's reasoning, FLS can use Format-Preserving Encryption instead of simple redaction. This replaces a sensitive value with a ciphertext that maintains the original data type and length.
- Schema Integrity: A 16-digit credit card number is replaced with a 16-digit token.
- Referential Integrity: The same plaintext always maps to the same ciphertext, allowing the LLM to perform joins.
- Downstream Decryption: Authorized systems can reverse the tokenization post-generation.
Integration with Identity Propagation
FLS relies on Identity Propagation to function correctly. The end-user's authenticated context must be securely transmitted from the application layer through the retrieval pipeline to the field-level authorization engine without degradation.
- Header Forwarding: User JWTs or SAML assertions are passed to the retrieval service.
- Impersonation Prevention: The retrieval service verifies the token's integrity before applying policies.
- Contextual Attributes: Beyond identity, signals like geolocation and device risk score inform field-level decisions.
Audit and Compliance Logging
Every field-level access decision must be logged for forensic analysis. The audit trail captures not just which document was retrieved, but precisely which fields were exposed or masked for a specific user session.
- Granular Logs: Records include
field_path,action(masked/revealed), andpolicy_id. - Immutable Storage: Logs are written to append-only storage to prevent tampering.
- Compliance Mapping: Directly supports GDPR 'data minimization' and PCI DSS 'masking' requirements.
Field-Level Security vs. Other Access Control Granularities
A comparison of authorization granularities within a RAG pipeline, from coarse document-level controls to fine-grained field-level redaction.
| Feature | Document-Level Security | Chunk-Level Authorization | Field-Level Security |
|---|---|---|---|
Granularity Unit | Entire document | Individual text chunk | Specific field or text span |
Authorization Point | Pre-retrieval | Pre-retrieval or post-retrieval | Post-retrieval |
Prevents Unauthorized Retrieval | |||
Masks Sensitive Data in Authorized Docs | |||
Preserves Non-Sensitive Context | |||
Typical Mechanism | Access Control Lists (ACLs) | Metadata Filtering | Named Entity Recognition & Redaction |
Computational Overhead | Low | Medium | High |
Risk of Data Leakage via Inference | Low | Medium | Lowest |
Frequently Asked Questions
Explore the critical mechanisms of Field-Level Security (FLS) in RAG architectures. These FAQs detail how to mask, redact, and control specific data fields within retrieved documents to prevent sensitive information leakage to large language models.
Field-Level Security (FLS) is a fine-grained authorization mechanism that masks or redacts specific sensitive fields within a retrieved document before it is passed to the large language model for generation. Unlike Document-Level Security, which controls access to entire files, FLS operates at the attribute level. For example, a RAG system retrieving a customer record for a support agent might display the customer's name and purchase history but automatically redact the Social Security Number and credit card fields. This is enforced during the Post-Retrieval Filtering stage, ensuring that the LLM never ingests the sensitive data, thereby preventing accidental exposure in generated summaries or answers.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Field-Level Security is one component of a comprehensive RAG authorization architecture. These related concepts define the broader ecosystem of controls that govern what data reaches the language model.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us