
Scott Kriz
CEO, SGNL
06.05.2025

Chatbots, AI, and the identity crisis we didn't see coming (or did we?)

Scott Kriz breaks down how today’s AI-powered chatbots, equipped with advanced language models, RAG, and MCP, are reshaping identity security – and why rethinking access controls is now mission-critical

Alright, let’s talk about the shiny new toys everyone’s playing with: chatbots. You know, the ones that can write you an email, summarize a document, or argue about pineapple on pizza with surprising conviction. They’re powered by some genuinely cool tech, but like any powerful tool, they introduce a fresh set of challenges, especially when it comes to who and what they can see and do.

We’ve got a few key players in this AI-powered drama:

  • LLMs (Large Language Models): Think of these as the brain of the operation. Trained on truly massive amounts of text data, LLMs are incredibly good at understanding and generating human-like language. They can predict the next word in a sentence with uncanny accuracy, which is why they can write coherent paragraphs, translate languages, and generally sound quite knowledgeable. But, bless their silicon hearts, they can also sometimes just… make stuff up. We call that “hallucination,” which is a rather polite term for confidently presenting fiction as fact. Their knowledge is also inherently limited to the data they were trained on, which is a static snapshot of the world up to a certain point. Not great if you need up-to-the-minute info.
  • RAG (Retrieval Augmented Generation): This is where RAG steps in to give the LLM a reality check and access to information it was never trained on. RAG is a technique that supplies the LLM with a set of relevant documents or records before it generates a response. When you ask a question, a retrieval system first finds pertinent information in a defined knowledge base (your company’s internal documents, a live database, the latest news feeds). That retrieved text is then fed to the LLM along with your query, and the model uses this supplied context, in addition to its training data, to produce a more accurate, more relevant and less hallucination-prone answer. It’s like handing that incredibly smart but occasionally forgetful friend the specific notes they need before they give you advice. One thing to keep in mind: the retrieval step runs with whatever credentials the retriever holds, so whatever it can reach, the chatbot can surface.
  • MCP (Model Context Protocol): Now, how do you connect that LLM, empowered by RAG, to all those diverse sources of information and even to actions in other systems? That’s where something like the Model Context Protocol comes into play. Think of MCP as a standardized way for AI applications (the host running the model) to talk to the outside world: an MCP server sits in front of a database, an API or a file system and exposes it as resources the model can read and tools the model can invoke. Instead of building a custom connector for every single data source or tool, MCP aims to be a universal connector, a bit like the USB-C of AI interactions. The host discovers what each server offers at runtime and lets the model use those resources and tools to fulfill a request, moving beyond just generating text to potentially taking actions based on the information it finds.

So, a sophisticated chatbot often brings these together: an LLM for language understanding and generation, RAG to pull in relevant and current information from specific sources, and potentially MCP to standardize how the AI interacts with those sources and performs actions. It’s a powerful combination that makes these bots incredibly capable.

The identity elephant in the room

Here’s the rub, and where my world really collides with this brave new AI one. These chatbots, now equipped to access internal documents, query databases, and potentially trigger workflows, aren’t just static programs anymore. They are, in a sense, becoming users of your systems. And just like any other user, their access needs to be managed.

This isn’t just about the end-user asking the chatbot a question. That’s one layer. The deeper, more critical layer is the access the chatbot itself, or more accurately, the underlying AI components, have to your sensitive information and systems.

Think about it:

  • What data can the RAG system retrieve? Is it just public documents, or does it have access to confidential customer records, internal financial data, or proprietary code?
  • What permissions does the MCP connection grant? Can the AI trigger actions in your CRM, access your cloud storage, or interact with HR systems?
  • Who is actually using the chatbot, and are its responses being tailored based on their identity and permissions? You don’t want a junior intern getting access to executive-level insights just because the chatbot can retrieve them.

Traditional identity and access management (IAM) was built for humans logging into applications with static permissions. It wasn’t really designed for a world where AI agents dynamically access a myriad of resources based on a user’s natural language query. Granting broad, static permissions to the AI system because “it needs to access X, Y, and Z” is a fast track to a security nightmare: the service account behind the chatbot ends up holding the union of every user’s access, and the only thing standing between a user and that access is the model’s behaviour. If you think UARs (user access reviews) are painful today, just wait until your auditors start asking you to verify the entitlements of your chatbots and agents.

This is where the principles of least privilege and continuous access governance become not just important, but absolutely critical.

We need to move beyond simply authenticating the user of the chatbot. We need to authenticate and authorize the AI’s access to specific data sources and tools in the context of the user’s request.

This means:

  • Knowing the identity of the requestor: Who is the human asking the question? Their identity and role are the starting point.
  • Understanding the context of the request: What information is being sought? What action is being requested?
  • Evaluating permissions in real-time: Based on the user’s identity and the specific data or tool the AI needs to access to fulfill the request, is this access permitted right now? Static entitlements just don’t cut it when the access patterns are so dynamic.
  • Governing the AI’s actions: If the AI is using MCP to interact with other systems, are those actions authorized for the human user who initiated the request? The AI shouldn’t be able to do something the user couldn’t do themselves, and the decision should be made and logged against that user, not against a shared service account the assistant uses for everything.

Simply put, securing these powerful AI systems requires extending your identity fabric to understand and govern the relationships between users, the AI model, the data it can access via RAG, and the systems it can interact with via protocols like MCP. It’s about ensuring that access decisions are made continuously, in real-time, based on who is asking, what they are asking for, and the context of the request.
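To make this concrete, here is an added example of the pattern described above; it is not SGNL’s code, and the knowledge base, roles, classifications, policies and tool names in it are all constructed for illustration. It wires together the pieces from the LLM/RAG/MCP overview (a keyword retriever, prompt assembly, a tool-call path) and applies the four requirements just listed: the retriever runs under a service identity that can read everything, but every document it returns and every tool it invokes is re-authorized against the human who asked, at request time, and the decision is recorded against that human. `retrieve_unfiltered` shows the standing-access failure mode for contrast.

```python
"""Per-request authorization for a RAG + tool-calling assistant.

Added example, not SGNL's code. The retriever's service account can read the
whole knowledge base, but each document and each tool call is re-checked
against the human requestor. All data, roles, policies and tool names below
are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset


@dataclass(frozen=True)
class Document:
    doc_id: str
    text: str
    classification: str  # "public", "internal" or "confidential"


# Constructed knowledge base. The retrieval service can read all of it, which is
# exactly the "broad standing access" problem: the filter has to happen per request.
KNOWLEDGE_BASE = [
    Document("kb-1", "Holiday policy: 25 days per year", "public"),
    Document("kb-2", "Q3 revenue forecast shows 12% growth", "confidential"),
    Document("kb-3", "Build pipeline runs nightly at 02:00 UTC", "internal"),
]

# Constructed policy: which roles may read each classification ...
READ_POLICY = {
    "public": {"intern", "employee", "executive"},
    "internal": {"employee", "executive"},
    "confidential": {"executive"},
}
# ... and which roles may invoke each (hypothetical) tool.
TOOL_POLICY = {
    "crm.lookup_account": {"employee", "executive"},
    "hr.update_salary": {"hr_admin"},
}


class ToolDenied(PermissionError):
    """Raised when the human behind the request may not invoke the tool."""


def is_allowed(principal: Principal, allowed_roles: set) -> bool:
    return bool(principal.roles & allowed_roles)


def _tokens(text: str) -> set:
    return set(re.findall(r"\w+", text.lower()))


def retrieve_unfiltered(query: str) -> list:
    """What a naive RAG retriever returns: everything its service account can read."""
    terms = _tokens(query)
    return [d for d in KNOWLEDGE_BASE if terms & _tokens(d.text)]


def retrieve(query: str, principal: Principal) -> list:
    """RAG retrieval filtered on the requestor's entitlements, evaluated now,
    not on a permission granted to the chatbot at deployment time."""
    return [
        d for d in retrieve_unfiltered(query)
        if is_allowed(principal, READ_POLICY[d.classification])
    ]


def build_prompt(query: str, docs: list) -> str:
    """Assemble the context the LLM will see; only authorized documents get here."""
    context = "\n".join(f"[{d.doc_id}] {d.text}" for d in docs)
    return f"Context:\n{context}\n\nQuestion: {query}"


def call_tool(tool_name: str, args: dict, principal: Principal, audit: list) -> dict:
    """Gate an MCP-style tool invocation on the human's entitlement and record the
    decision against that human, not the assistant's service identity.
    Unknown tools are denied by default."""
    allowed = TOOL_POLICY.get(tool_name, set())
    decision = "allow" if is_allowed(principal, allowed) else "deny"
    audit.append((principal.user_id, tool_name, decision))
    if decision == "deny":
        raise ToolDenied(f"{principal.user_id} may not invoke {tool_name}")
    # A real implementation would forward the call to the MCP server here.
    return {"tool": tool_name, "args": args, "status": "ok"}


if __name__ == "__main__":
    intern = Principal("intern-1", frozenset({"intern"}))
    cfo = Principal("cfo", frozenset({"executive"}))
    query = "revenue forecast"
    print("unfiltered:", [d.doc_id for d in retrieve_unfiltered(query)])
    print("intern sees:", [d.doc_id for d in retrieve(query, intern)])
    print("cfo sees:   ", [d.doc_id for d in retrieve(query, cfo)])
    audit = []
    try:
        call_tool("hr.update_salary", {"employee": "intern-1"}, cfo, audit)
    except ToolDenied as exc:
        print("denied:", exc)
    print("audit:", audit)
```

The point of the split between `retrieve_unfiltered` and `retrieve` is that the retriever’s own credentials never decide what a user sees; they only decide what is available to be filtered. The same holds on the action path: `call_tool` does not ask whether the assistant may call the tool (it can reach every tool its MCP servers expose) but whether the initiating user may, and it writes the audit record under that user’s identity so a later access review has something meaningful to review.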

Giving an AI model broad, standing access is like giving a universal skeleton key to a potentially unpredictable intern. It might be convenient in the short term, but the risk is enormous. As we deploy these increasingly capable AI tools, our focus must shift to implementing granular, context-aware access controls that keep our sensitive data and systems secure. The future of safe and responsible AI hinges on getting identity security right at this foundational level.

After all, you wouldn’t give just anyone the keys to the kingdom, even if they are really good at writing emails.
