Retrieval-augmented generation (RAG) can make private knowledge easier to use, but it also creates a new access-control surface. A search result that leaks a restricted document is not a small ranking bug. It is a security incident.
Testing RAG permissions requires more than checking whether filters exist in the query. Teams need repeatable fixtures that prove users only retrieve what they are allowed to see.
Start with permission fixtures
Create a small controlled corpus that represents your real permission model. Include public documents, team-only documents, manager-only documents, customer-specific records and revoked access cases.
Each fixture should define the expected result set for named test users. This makes access control testable before the full corpus is indexed.
Test negative cases first
Positive tests prove that authorised users can retrieve relevant content. Negative tests prove that unauthorised users cannot retrieve restricted content through direct queries, semantic paraphrases, metadata searches or citation follow-ups.
Useful negative tests include:
- Asking for a restricted document by title.
- Asking for a summary of a team the user is not part of.
- Using terms that appear only in restricted documents.
- Requesting citations that should not be visible.
- Trying cross-tenant or cross-customer phrasing.
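A permission fixture and negative-test harness along the lines of the two sections above, as an added example that is not from the original article. The corpus, users, group names, queries and the toy keyword retriever are all constructed assumptions; in practice `leaks` would be pointed at the real retrieval pipeline.

```python
# Added example: constructed fixture; every name and document here is hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Doc:
    doc_id: str
    title: str
    text: str
    allowed_groups: frozenset  # groups permitted to read this document
    tenant: str = "acme"

CORPUS = [
    Doc("pub-1", "Holiday calendar", "office closed on public holidays", frozenset({"public"})),
    Doc("team-1", "Payments roadmap", "payments team plans ledger migration", frozenset({"payments"})),
    Doc("mgr-1", "Compensation bands", "salary bands for managers only", frozenset({"managers"})),
    Doc("cust-1", "Globex contract", "globex renewal pricing terms", frozenset({"sales"}), "globex"),
]

# Named test users. carol was removed from "payments": the revoked-access case.
USERS = {
    "alice": {"groups": {"public", "payments"}, "tenants": {"acme"}},
    "bob": {"groups": {"public", "managers", "sales"}, "tenants": {"acme", "globex"}},
    "carol": {"groups": {"public"}, "tenants": {"acme"}},
}

# Fixture: the complete set of doc ids each user may ever retrieve.
EXPECTED_VISIBLE = {
    "alice": {"pub-1", "team-1"},
    "bob": {"pub-1", "mgr-1", "cust-1"},
    "carol": {"pub-1"},
}

# Negative probes: title, team summary, restricted-only terms, cross-customer phrasing.
NEGATIVE_QUERIES = ["payments roadmap", "summary of payments team plans",
                    "ledger migration", "salary bands", "globex renewal pricing"]

def retrieve(user, query):
    """Toy keyword retriever standing in for the real pipeline; filters before scoring."""
    u, terms, hits = USERS[user], set(query.lower().split()), []
    for d in CORPUS:
        if d.tenant not in u["tenants"] or not (d.allowed_groups & u["groups"]):
            continue  # permission filter: tenant and group must both match
        score = len(terms & set(f"{d.title} {d.text}".lower().split()))
        if score:
            hits.append((score, d.doc_id))
    return [doc_id for _, doc_id in sorted(hits, reverse=True)]

def leaks(user, retriever=retrieve):
    """Return (query, doc_id) pairs where the user got a doc outside the fixture."""
    return [(q, d) for q in NEGATIVE_QUERIES for d in retriever(user, q)
            if d not in EXPECTED_VISIBLE[user]]
```

A regression gate can fail the build whenever `leaks(user)` is non-empty for any fixture user.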
Watch for permission drift
Permission drift happens when the index no longer reflects source-system access. Causes include delayed syncs, group membership changes, archived documents and ownership transfers.
Strong RAG platforms include regular permission reconciliation and deletion workflows. See RAG permissions design, RAG deletion workflows and tenant isolation.
Audit both retrieval and generation
Audit trails should show the user, query, permission filters, retrieved chunks, source documents and answer citations. If the answer includes a claim from a restricted source, the trace should make that visible.
Do not rely only on final answers. A model may refuse to cite a source while still using the source content in the generated response.
Include access controls in regression gates
Every retrieval change should run permission tests. This includes chunking changes, embedding model changes, reranker updates, metadata schema changes and connector upgrades.
Access control is not separate from retrieval quality. It is one of the core quality dimensions for enterprise RAG.