Why RAG Systems Failed
Key Takeaways
The video discusses the failure patterns of RAG systems in terms of agent authorization, highlighting the issues with giving agents their own identity or using user credentials, and introduces the concept of delegated authorization as a solution.
Full Transcript
And so we see two common failure patterns on agent authorization. Pattern number one is what we've all saw with rag systems which is you give the agent its own identity. Uh vendors will call this nonhuman identity, right? It's an identity. It's like a human but it's different. So we need to treat it like a new person. It's a new worker. It's a new knowledge worker. It's just automated. It's intelligent. That didn't work. That's it's never worked. This is why rag systems really struggled. What's the level of permission you give the rag system? Any level of permission above zero, then you run into a second problem is, oh, who do we give access to the agent? So, let's say that we give we create an agent that's doing compensation management at an organization. Does it get access to the CEO's compensation? Does it get access to the intern's compensation? What level of the organization can it see? We define whatever that's going to be. Now, the intern comes in to work for HR and he has access to the agent. What can the what can the intern see? If the intern's access is lower than the agent, you've just created what's called an authorization bypass vulnerability. The CISO will freak out. And so when you look at rag systems, the mass majority of them are working on public information. They're getting the lowest level of permission possible to avoid this problem. This is why all those really smart support apps that you interact with on the websites, you can ask all the questions that it regurgitates the public knowledge base, but the moment you ask it where your order is, it cannot answer the question. It's because they can't figure out how to authenticate and authorize as you and pull your information and prove that it's you asking for it and not you asking for his information. Huge problem. The other failure pattern we see is what is common in most MCP servers, which is you use the user's credentials. I put in my own credentials and the and the MCP server is acting as me and that is secure. That is legitimately secure, but it's very unsafe. I have seen cursor try and delete my root directory. It couldn't because it doesn't have pseudo access. Got blocked. It apologized profusely. It was very kind. Uh but thankfully it didn't have access. That's why giving it your credentials is a terrible idea because you have the ability to delete directories and drive. You have the ability to delete emails. You have the ability to do all kinds of different things that you may or may not want the agent to also be able to do. The right way to do this is what's called delegated authorization. It is to take the intersection of what the agents register to do not as an identity but as an application and then take the user's identity and what they're allowed to do and then take the intersection if the agents authorized to do it because they pre-registered as an as an OOTH application on the downstream service and requested scopes and claims as part of their registration process and the user is also permissioned to do it then the agent should be allowed to do it and if one of those two statements is not correct, the agent should not be allowed to do it. This is very difficult to do. So far as I know, I think we might be the only service that can do it, but that's going to change. Um, in the MCP specification, this has just been accepted. We were the authors of that contribution. Um, so my hope is it'll be merged into the spec by the end of the year. And so regardless of which vendor you use, this should be possible soon.
Original Description
Join our next Virtual conference Agents in Production November 18th: https://home.mlops.community/home/events/agentsinproduction2025-mlops-prosus @TryArcade CEO Alex snippet of his talk during our agent builders summit in SF September 4th
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from MLOps.community · MLOps.community · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Our 1st MLOps Meetup // Luke Marsden // MLOps Meetup #1
MLOps.community
Remote Collaboration as a Data Scientist
MLOps.community
MLOps Manifesto with Luke Marsden from Dotscience
MLOps.community
MLOps lifecycle description
MLOps.community
What Does Best in Class AI/ML Governance Look Like in Fin Services? // Charles Radclyffe // MLOps #2
MLOps.community
Life purpose and too many spreadsheets
MLOps.community
Explainability, Black boxes and EU white paper on reproducibility
MLOps.community
Hierarchy of Machine Learning Needs // Phil Winder // MLOps Meetup #3
MLOps.community
Automatically Retrain Machine Learning Models? Are best practices worth it?
MLOps.community
Building an MLOps Team? Key ideas to keep in mind
MLOps.community
Hierarchy of MLOps Needs
MLOps.community
Bare necessities for getting an ML model into production
MLOps.community
MLOps and Monitoring
MLOps.community
How Phil Winder got into Data Science and Software Engineering
MLOps.community
Provenance and Reproducibility in Machine Learning; what is it and why you need it?
MLOps.community
Friction Between Data Scientists and Software Engineers
MLOps.community
MLOps Problems in different size companies
MLOps.community
ML tooling in large companies
MLOps.community
ML Platforms - The build vs buy question
MLOps.community
ML Services Gateway at SurveyMonkey
MLOps.community
Message buses, Async and sync architecture
MLOps.community
MLOps #4: Shubhi Jain - Building an ML Platform @SurveyMonkey
MLOps.community
Hybrid Data Science Teams @SurveyMonkey
MLOps.community
How do you handle ML version control at SurveyMonkey
MLOps.community
Doing ML with Personal Information
MLOps.community
Evolution of the ML feature store @SurveyMonkey
MLOps.community
Developing a Machine Learning Feature Store
MLOps.community
Auto retrain ML models is not the question
MLOps.community
3 key parts to Machine Learning monitoring
MLOps.community
MLOps Meetup #6: Mid-Scale Production Feature Engineering with Dr. Venkata Pingali
MLOps.community
MLOps meetup #5 High Stakes ML: Active Failures, Latent Factors with Flavio Clesio
MLOps.community
MLOps: Airflow Pros and Cons
MLOps.community
Specific challenges in Machine Learning
MLOps.community
Current State Of Machine Learning
MLOps.community
Humans in the Loop are a defining factor in Machine Learning
MLOps.community
Learning from real life Machine Learning failures
MLOps.community
Survivorship Bias in machine learning tutorials
MLOps.community
Swiss Cheese model in Machine Learning
MLOps.community
Resume driven development in Machine learning & software engineering
MLOps.community
Who has the highest standards in ML?
MLOps.community
Venkata Pingali of Scribble Data Thoughts on the Current State of Machine Learning
MLOps.community
Dependable data and being able to Trust in your Data with Venkata Pengali of Scribble Data
MLOps.community
Speed, Trust, Evolution and Scale in MLOps
MLOps.community
More difficult transition for data scientists to become ML engineers
MLOps.community
How many models in prod til I need a dedicated ML platform?
MLOps.community
Deeper thinking from data scientists around platform blackholes
MLOps.community
Checkpointing, metadata, and confidence in your data
MLOps.community
Adjacent usecases and multistep feature engineering
MLOps.community
Standardization of Machine Learning tools like in Software Engineering with Venkata Pingali
MLOps.community
Reproducability flaws in end to end Machine Learning debugging
MLOps.community
3rd wave of data scientists
MLOps.community
MLOps meetup #7 Alex Spanos // TrueLayer 's MLOps Pipeline
MLOps.community
MLOps Meetup #8 Optimizing Your ML Workflow with Kubeflow 1.0
MLOps.community
Are Kubeflow and Airflow complementary?
MLOps.community
Why Kubeflow gained so much traction=open community
MLOps.community
Who decides the dirrection of Kubeflow
MLOps.community
What do Kubeflow and Arrikto do and how do they work together?
MLOps.community
Versioning your ML steps with Kubeflow
MLOps.community
Machine Learning Lifecycles//Perception vs Reality
MLOps.community
Kubeflow vs SageMaker in Machine Learning
MLOps.community
More on: Agent Foundations
View skill →Related Reads
📰
📰
📰
📰
Agent Telemetry Is Not Agent Control
Dev.to · Assili Salim
I Built an Agentic AI SOC Analyst — Then Spent Most of the Project Teaching It When *Not* to Act
Medium · Cybersecurity
I Ran US vs Chinese AI Models Through Production Workloads at p99
Dev.to · fiercedash
A Living, Breathing MCP Server
Medium · AI
🎓
Tutor Explanation
DeepCamp AI