Inferensys

Glossary

Field-Level Security

A fine-grained authorization mechanism that masks or redacts specific sensitive fields within a retrieved document before it is passed to the large language model for generation.
ML engineer running AI model benchmarks, performance charts on multiple screens, late night home office setup.
FINE-GRAINED AUTHORIZATION

What is Field-Level Security?

A data protection mechanism that restricts access to specific data fields within a document, ensuring that sensitive information is masked or redacted before retrieval-augmented generation.

Field-Level Security (FLS) is a fine-grained authorization mechanism that masks or redacts specific sensitive fields within a retrieved document before it is passed to the large language model for generation. Unlike document-level security, which controls entire file access, FLS operates at the attribute level, ensuring that a user may see a record but not its confidential columns, such as salary or social security numbers.

In a RAG architecture, FLS is typically enforced during post-retrieval filtering by a Policy Enforcement Point (PEP) that evaluates the user's attributes against a Policy Decision Point (PDP). This process dynamically strips or tokenizes restricted fields like credit_card_number from the text chunk, preventing exposure to the model while preserving the utility of the remaining context for accurate answer generation.

GRANULAR DATA PROTECTION

Key Characteristics of Field-Level Security

Field-Level Security (FLS) is a fine-grained authorization mechanism that masks or redacts specific sensitive fields within a retrieved document before it is passed to the large language model for generation. Unlike document-level controls, FLS operates at the attribute level, ensuring that even if a document is retrieved, only authorized fields are visible to the model.

01

Attribute-Based Masking

FLS dynamically evaluates a user's security context against field-level metadata to determine visibility. Instead of blocking an entire document, the system selectively redacts or tokenizes specific fields like Social Security Numbers, salaries, or internal project codes.

  • Dynamic Evaluation: Policies are evaluated at query time, not index time.
  • Conditional Logic: Access can depend on user role, location, and device posture.
  • Partial Exposure: A manager might see a salary field, while a peer sees a [REDACTED] placeholder.
02

Pre-Generation Sanitization

The critical architectural placement of FLS is in the post-retrieval, pre-generation phase. After the vector store returns relevant chunks, a Policy Enforcement Point (PEP) strips unauthorized fields before the text is injected into the LLM's context window.

  • Zero-Trust Context: The LLM never receives the raw sensitive data.
  • Irreversible Redaction: Text is physically removed, not just hidden via CSS.
  • Schema-Aware: The system understands JSON paths and XML tags to target nested fields precisely.
03

Structured vs. Unstructured Data

FLS implementation differs significantly based on the data format. For structured data (JSON, databases), field paths are explicit. For unstructured text (PDFs, Word docs), the system relies on Named Entity Recognition (NER) to identify sensitive spans.

  • Structured: Uses JSONPath or XPath to target $.employee.salary.
  • Unstructured: Uses regex patterns and machine learning classifiers to find PII.
  • Hybrid: Combines metadata filtering with in-text redaction for maximum coverage.
04

Format-Preserving Encryption (FPE)

In scenarios where data utility must be preserved for the LLM's reasoning, FLS can use Format-Preserving Encryption instead of simple redaction. This replaces a sensitive value with a ciphertext that maintains the original data type and length.

  • Schema Integrity: A 16-digit credit card number is replaced with a 16-digit token.
  • Referential Integrity: The same plaintext always maps to the same ciphertext, allowing the LLM to perform joins.
  • Downstream Decryption: Authorized systems can reverse the tokenization post-generation.
05

Integration with Identity Propagation

FLS relies on Identity Propagation to function correctly. The end-user's authenticated context must be securely transmitted from the application layer through the retrieval pipeline to the field-level authorization engine without degradation.

  • Header Forwarding: User JWTs or SAML assertions are passed to the retrieval service.
  • Impersonation Prevention: The retrieval service verifies the token's integrity before applying policies.
  • Contextual Attributes: Beyond identity, signals like geolocation and device risk score inform field-level decisions.
06

Audit and Compliance Logging

Every field-level access decision must be logged for forensic analysis. The audit trail captures not just which document was retrieved, but precisely which fields were exposed or masked for a specific user session.

  • Granular Logs: Records include field_path, action (masked/revealed), and policy_id.
  • Immutable Storage: Logs are written to append-only storage to prevent tampering.
  • Compliance Mapping: Directly supports GDPR 'data minimization' and PCI DSS 'masking' requirements.
ACCESS CONTROL GRANULARITY COMPARISON

Field-Level Security vs. Other Access Control Granularities

A comparison of authorization granularities within a RAG pipeline, from coarse document-level controls to fine-grained field-level redaction.

FeatureDocument-Level SecurityChunk-Level AuthorizationField-Level Security

Granularity Unit

Entire document

Individual text chunk

Specific field or text span

Authorization Point

Pre-retrieval

Pre-retrieval or post-retrieval

Post-retrieval

Prevents Unauthorized Retrieval

Masks Sensitive Data in Authorized Docs

Preserves Non-Sensitive Context

Typical Mechanism

Access Control Lists (ACLs)

Metadata Filtering

Named Entity Recognition & Redaction

Computational Overhead

Low

Medium

High

Risk of Data Leakage via Inference

Low

Medium

Lowest

FIELD-LEVEL SECURITY

Frequently Asked Questions

Explore the critical mechanisms of Field-Level Security (FLS) in RAG architectures. These FAQs detail how to mask, redact, and control specific data fields within retrieved documents to prevent sensitive information leakage to large language models.

Field-Level Security (FLS) is a fine-grained authorization mechanism that masks or redacts specific sensitive fields within a retrieved document before it is passed to the large language model for generation. Unlike Document-Level Security, which controls access to entire files, FLS operates at the attribute level. For example, a RAG system retrieving a customer record for a support agent might display the customer's name and purchase history but automatically redact the Social Security Number and credit card fields. This is enforced during the Post-Retrieval Filtering stage, ensuring that the LLM never ingests the sensitive data, thereby preventing accidental exposure in generated summaries or answers.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.