Why RAG Systems Failed

MLOps.community · Intermediate ·🤖 AI Agents & Automation ·8mo ago

Key Takeaways

The video discusses the failure patterns of RAG systems in terms of agent authorization, highlighting the issues with giving agents their own identity or using user credentials, and introduces the concept of delegated authorization as a solution.

Full Transcript

And so we see two common failure patterns on agent authorization. Pattern number one is what we've all saw with rag systems which is you give the agent its own identity. Uh vendors will call this nonhuman identity, right? It's an identity. It's like a human but it's different. So we need to treat it like a new person. It's a new worker. It's a new knowledge worker. It's just automated. It's intelligent. That didn't work. That's it's never worked. This is why rag systems really struggled. What's the level of permission you give the rag system? Any level of permission above zero, then you run into a second problem is, oh, who do we give access to the agent? So, let's say that we give we create an agent that's doing compensation management at an organization. Does it get access to the CEO's compensation? Does it get access to the intern's compensation? What level of the organization can it see? We define whatever that's going to be. Now, the intern comes in to work for HR and he has access to the agent. What can the what can the intern see? If the intern's access is lower than the agent, you've just created what's called an authorization bypass vulnerability. The CISO will freak out. And so when you look at rag systems, the mass majority of them are working on public information. They're getting the lowest level of permission possible to avoid this problem. This is why all those really smart support apps that you interact with on the websites, you can ask all the questions that it regurgitates the public knowledge base, but the moment you ask it where your order is, it cannot answer the question. It's because they can't figure out how to authenticate and authorize as you and pull your information and prove that it's you asking for it and not you asking for his information. Huge problem. The other failure pattern we see is what is common in most MCP servers, which is you use the user's credentials. I put in my own credentials and the and the MCP server is acting as me and that is secure. That is legitimately secure, but it's very unsafe. I have seen cursor try and delete my root directory. It couldn't because it doesn't have pseudo access. Got blocked. It apologized profusely. It was very kind. Uh but thankfully it didn't have access. That's why giving it your credentials is a terrible idea because you have the ability to delete directories and drive. You have the ability to delete emails. You have the ability to do all kinds of different things that you may or may not want the agent to also be able to do. The right way to do this is what's called delegated authorization. It is to take the intersection of what the agents register to do not as an identity but as an application and then take the user's identity and what they're allowed to do and then take the intersection if the agents authorized to do it because they pre-registered as an as an OOTH application on the downstream service and requested scopes and claims as part of their registration process and the user is also permissioned to do it then the agent should be allowed to do it and if one of those two statements is not correct, the agent should not be allowed to do it. This is very difficult to do. So far as I know, I think we might be the only service that can do it, but that's going to change. Um, in the MCP specification, this has just been accepted. We were the authors of that contribution. Um, so my hope is it'll be merged into the spec by the end of the year. And so regardless of which vendor you use, this should be possible soon.

Original Description

Join our next Virtual conference Agents in Production November 18th: https://home.mlops.community/home/events/agentsinproduction2025-mlops-prosus @TryArcade CEO Alex snippet of his talk during our agent builders summit in SF September 4th
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from MLOps.community · MLOps.community · 0 of 60

← Previous Next →
1 Our 1st MLOps Meetup // Luke Marsden // MLOps Meetup #1
Our 1st MLOps Meetup // Luke Marsden // MLOps Meetup #1
MLOps.community
2 Remote Collaboration as a Data Scientist
Remote Collaboration as a Data Scientist
MLOps.community
3 MLOps Manifesto with Luke Marsden from Dotscience
MLOps Manifesto with Luke Marsden from Dotscience
MLOps.community
4 MLOps lifecycle description
MLOps lifecycle description
MLOps.community
5 What Does Best in Class AI/ML Governance Look Like in Fin Services? // Charles Radclyffe // MLOps #2
What Does Best in Class AI/ML Governance Look Like in Fin Services? // Charles Radclyffe // MLOps #2
MLOps.community
6 Life purpose and too many spreadsheets
Life purpose and too many spreadsheets
MLOps.community
7 Explainability, Black boxes and EU white paper on reproducibility
Explainability, Black boxes and EU white paper on reproducibility
MLOps.community
8 Hierarchy of Machine Learning Needs // Phil Winder // MLOps Meetup #3
Hierarchy of Machine Learning Needs // Phil Winder // MLOps Meetup #3
MLOps.community
9 Automatically Retrain Machine Learning Models? Are best practices worth it?
Automatically Retrain Machine Learning Models? Are best practices worth it?
MLOps.community
10 Building an MLOps Team? Key ideas to keep in mind
Building an MLOps Team? Key ideas to keep in mind
MLOps.community
11 Hierarchy of MLOps Needs
Hierarchy of MLOps Needs
MLOps.community
12 Bare necessities for getting an ML model into production
Bare necessities for getting an ML model into production
MLOps.community
13 MLOps and Monitoring
MLOps and Monitoring
MLOps.community
14 How Phil Winder got into Data Science and Software Engineering
How Phil Winder got into Data Science and Software Engineering
MLOps.community
15 Provenance and Reproducibility in Machine Learning; what is it and why you need it?
Provenance and Reproducibility in Machine Learning; what is it and why you need it?
MLOps.community
16 Friction Between Data Scientists and Software Engineers
Friction Between Data Scientists and Software Engineers
MLOps.community
17 MLOps Problems in different size companies
MLOps Problems in different size companies
MLOps.community
18 ML tooling in large companies
ML tooling in large companies
MLOps.community
19 ML Platforms - The build vs buy question
ML Platforms - The build vs buy question
MLOps.community
20 ML Services Gateway at SurveyMonkey
ML Services Gateway at SurveyMonkey
MLOps.community
21 Message buses, Async and sync architecture
Message buses, Async and sync architecture
MLOps.community
22 MLOps #4: Shubhi Jain - Building an ML Platform @SurveyMonkey
MLOps #4: Shubhi Jain - Building an ML Platform @SurveyMonkey
MLOps.community
23 Hybrid Data Science Teams @SurveyMonkey
Hybrid Data Science Teams @SurveyMonkey
MLOps.community
24 How do you handle ML version control at SurveyMonkey
How do you handle ML version control at SurveyMonkey
MLOps.community
25 Doing ML with Personal Information
Doing ML with Personal Information
MLOps.community
26 Evolution of the ML feature store @SurveyMonkey
Evolution of the ML feature store @SurveyMonkey
MLOps.community
27 Developing a Machine Learning Feature Store
Developing a Machine Learning Feature Store
MLOps.community
28 Auto retrain ML models is not the question
Auto retrain ML models is not the question
MLOps.community
29 3 key parts to Machine Learning monitoring
3 key parts to Machine Learning monitoring
MLOps.community
30 MLOps Meetup #6: Mid-Scale Production Feature Engineering with Dr. Venkata Pingali
MLOps Meetup #6: Mid-Scale Production Feature Engineering with Dr. Venkata Pingali
MLOps.community
31 MLOps meetup #5 High Stakes ML: Active Failures, Latent Factors with Flavio Clesio
MLOps meetup #5 High Stakes ML: Active Failures, Latent Factors with Flavio Clesio
MLOps.community
32 MLOps: Airflow Pros and Cons
MLOps: Airflow Pros and Cons
MLOps.community
33 Specific challenges in Machine Learning
Specific challenges in Machine Learning
MLOps.community
34 Current State Of Machine Learning
Current State Of Machine Learning
MLOps.community
35 Humans in the Loop are a defining factor in Machine Learning
Humans in the Loop are a defining factor in Machine Learning
MLOps.community
36 Learning from real life Machine Learning failures
Learning from real life Machine Learning failures
MLOps.community
37 Survivorship Bias in machine learning tutorials
Survivorship Bias in machine learning tutorials
MLOps.community
38 Swiss Cheese model in Machine Learning
Swiss Cheese model in Machine Learning
MLOps.community
39 Resume driven development in Machine learning & software engineering
Resume driven development in Machine learning & software engineering
MLOps.community
40 Who has the highest standards in ML?
Who has the highest standards in ML?
MLOps.community
41 Venkata Pingali of Scribble Data Thoughts on the Current State of Machine Learning
Venkata Pingali of Scribble Data Thoughts on the Current State of Machine Learning
MLOps.community
42 Dependable data and being able to Trust in your Data with Venkata Pengali of Scribble Data
Dependable data and being able to Trust in your Data with Venkata Pengali of Scribble Data
MLOps.community
43 Speed, Trust, Evolution and Scale in MLOps
Speed, Trust, Evolution and Scale in MLOps
MLOps.community
44 More difficult transition for data scientists to become ML engineers
More difficult transition for data scientists to become ML engineers
MLOps.community
45 How many models in prod til I need a dedicated ML platform?
How many models in prod til I need a dedicated ML platform?
MLOps.community
46 Deeper thinking from data scientists around platform blackholes
Deeper thinking from data scientists around platform blackholes
MLOps.community
47 Checkpointing, metadata, and confidence in your data
Checkpointing, metadata, and confidence in your data
MLOps.community
48 Adjacent usecases and multistep feature engineering
Adjacent usecases and multistep feature engineering
MLOps.community
49 Standardization of Machine Learning tools like in Software Engineering with Venkata Pingali
Standardization of Machine Learning tools like in Software Engineering with Venkata Pingali
MLOps.community
50 Reproducability flaws in end to end Machine Learning debugging
Reproducability flaws in end to end Machine Learning debugging
MLOps.community
51 3rd wave of data scientists
3rd wave of data scientists
MLOps.community
52 MLOps meetup #7 Alex Spanos // TrueLayer 's MLOps Pipeline
MLOps meetup #7 Alex Spanos // TrueLayer 's MLOps Pipeline
MLOps.community
53 MLOps Meetup #8 Optimizing Your ML Workflow with Kubeflow 1.0
MLOps Meetup #8 Optimizing Your ML Workflow with Kubeflow 1.0
MLOps.community
54 Are Kubeflow and Airflow complementary?
Are Kubeflow and Airflow complementary?
MLOps.community
55 Why Kubeflow gained so much traction=open community
Why Kubeflow gained so much traction=open community
MLOps.community
56 Who decides the dirrection of Kubeflow
Who decides the dirrection of Kubeflow
MLOps.community
57 What do Kubeflow and Arrikto do and how do they work together?
What do Kubeflow and Arrikto do and how do they work together?
MLOps.community
58 Versioning your ML steps with Kubeflow
Versioning your ML steps with Kubeflow
MLOps.community
59 Machine Learning Lifecycles//Perception vs Reality
Machine Learning Lifecycles//Perception vs Reality
MLOps.community
60 Kubeflow vs SageMaker in Machine Learning
Kubeflow vs SageMaker in Machine Learning
MLOps.community

The video explains why RAG systems failed due to authorization issues and introduces delegated authorization as a solution, highlighting its importance for secure AI systems.

Key Takeaways
  1. Understand the failure patterns of RAG systems
  2. Identify the risks of giving agents their own identity or using user credentials
  3. Implement delegated authorization to ensure secure agent authorization
  4. Register agents as applications on downstream services and request scopes and claims
  5. Take the intersection of agent and user permissions to determine authorized actions
💡 Delegated authorization is a crucial concept for secure AI systems, allowing agents to perform actions only when both the agent and user are authorized to do so.

Related Reads

Up next
Types of AI Agents explained in Tamil | AI Agent Types | Beginner-Friendly AI Guide | Karthik's Show
Karthik's Show
Watch →