indiekitai 6 hours ago

This highlights a fundamental challenge with AI assistants: they need broad access to be useful, but that access is hard to scope correctly.

The bug is fixable, but the underlying tension—giving AI tools enough permissions to help while respecting confidentiality boundaries—will keep surfacing in different forms as these tools become more capable.

We're essentially retrofitting permission models designed for human users onto AI agents that operate very differently.

pjc50 4 hours ago | parent | next [-]

Crucially, this wouldn't be an issue if the AI ran locally, but "sending all your internal email in cleartext to the cloud" is a potentially serious problem for organizations with real confidentiality requirements.

SignalStackDev 2 hours ago | parent | prev | next [-]

The retrofitting problem is real, but there's a more specific design failure worth naming: the data flows in the wrong direction.

In traditional access control, the pattern is: user requests data -> permissions checked -> data returned or denied. The model never sees unauthorized data.

With Copilot and most LLM agents today, the pattern is: user asks question -> model retrieves broadly -> sensitivity label checked as a filter -> model generates answer. The label-checking happens after the data is already in the model's context.

That's the bug waiting to happen, label system or not. You can't reliably instruct a model to 'ignore what you just read.'

The pattern that actually works - and I've had to build this explicitly for agent pipelines - is pre-retrieval filtering. The model emits a structured query (what it needs), that query gets evaluated against a permission layer before anything comes back, and only permitted content enters the context window. The model architecturally can't see what it's not allowed to see.

The DLP label approach is trying to solve a retrieval problem with a generation-time filter. It's a category error, and it'll keep producing bugs like this one regardless of how good the label detection gets.
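
Added illustration of the two patterns described above (this is example code, not anything from the commenter, Copilot or any vendor). The corpus, the labels, the ACL groups, the principal and the stand-in "model" are all constructed; one document is deliberately mislabeled to show why a generation-time label filter is the wrong layer. The pipeline returns the set of document ids that entered the model's context, which is the quantity the comment cares about, alongside the answer.

```python
"""Post-retrieval label filtering vs. pre-retrieval permission filtering.

Everything here is constructed for the example: documents, labels, ACL
groups and the 'model' (which simply concatenates whatever is in context).
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Document:
    doc_id: str
    body: str
    label: str          # DLP sensitivity label attached to the document
    readers: frozenset  # ACL: groups allowed to read the document


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset     # directory groups the user belongs to
    clearance: frozenset  # labels the user is cleared for (used by the label filter)


# Constructed corpus. m4 is the realistic failure: a forwarded mail that
# never got a label, so it defaults to "General" although only execs may read it.
CORPUS = (
    Document("m1", "Q3 roadmap: ship feature X in October.", "General", frozenset({"eng", "pm"})),
    Document("m2", "Board memo: acquisition of Acme closes Friday.", "Highly Confidential", frozenset({"exec"})),
    Document("m3", "Roadmap review notes: acquisition timing affects feature X.", "Confidential", frozenset({"exec", "pm"})),
    Document("m4", "Fwd: acquisition term sheet attached.", "General", frozenset({"exec"})),
)


def keyword_search(corpus, terms):
    """Broad retrieval: every document mentioning any of the query terms."""
    pattern = re.compile("|".join(re.escape(t) for t in terms), re.IGNORECASE)
    return [d for d in corpus if pattern.search(d.body)]


def fake_model_answer(context):
    """Stand-in for the LLM: the answer is a function of everything in context."""
    return " ".join(d.body for d in context)


def post_retrieval_pipeline(user, terms):
    """Pattern 1 (the one the comment criticises): retrieve broadly, then apply
    the sensitivity-label filter before generation.
    Returns (ids that entered the model's context, answer)."""
    context = keyword_search(CORPUS, terms)           # unauthorized docs land here
    seen = {d.doc_id for d in context}
    permitted = [d for d in context if d.label in user.clearance]
    return seen, fake_model_answer(permitted)


def permission_layer(user, structured_query):
    """Pre-retrieval filter: evaluate the model's structured query against the
    ACL so only documents the user may read are ever returned."""
    readable = [d for d in CORPUS if user.groups & d.readers]
    return keyword_search(readable, structured_query["terms"])


def pre_retrieval_pipeline(user, terms):
    """Pattern 2: the model emits a structured query describing what it needs;
    the permission layer answers it; only permitted content enters context."""
    structured_query = {"terms": list(terms)}
    context = permission_layer(user, structured_query)
    seen = {d.doc_id for d in context}
    return seen, fake_model_answer(context)


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"eng"}), frozenset({"General"}))
    for name, pipeline in (("post", post_retrieval_pipeline), ("pre", pre_retrieval_pipeline)):
        seen, answer = pipeline(alice, ["acquisition", "roadmap"])
        print(f"{name}-retrieval: context={sorted(seen)} answer={answer!r}")
```

Run against an engineer cleared only for "General": the post-retrieval pipeline puts all four mails into context and, because m4 carries the wrong label, the term sheet also reaches the answer. The pre-retrieval pipeline never fetches m2, m3 or m4, so the label on m4 is irrelevant; the ACL decision happens before the data exists in the model's world.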

hippo22 6 hours ago | parent | prev | next [-]

How is this different than any other access control system?

ses1984 5 hours ago | parent | next [-]

When you frame it that way, it's really not that different. The issue isn't the access control system itself; it's more that it's really asking too much of people who don't have the skills or understanding to manage it. Teams of trained professionals get it wrong when the scope is limited to a single application or suite of applications, and you think grandma is going to properly manage access control over her entire digital footprint?

kakacik 5 hours ago | parent | prev [-]

Well, it's maintained by humans to start with, peer reviewed by humans. They fuck up from time to time in extremely limited scope, depending on how much a given company is willing to invest into getting quality work, but nothing like this. Humans are clearly not the weak link to be automated away; on the contrary.

I work in one of the special legal jurisdictions; such a fubar would normally mean banning such a product from the company for good. It's micro$oft, so unfortunately not possible yet, but oh boy are they digging their grave with such public incompetence, with horrible handling of the situation on top of that. For many companies, this is top priority right behind assuring enough cash flow, not some marginal regulatory topic. Dumb greedy amateurs.

jrjeksjd8d 5 hours ago | parent | prev [-]

I think the fundamental tension is that AI produces a high volume of low quality output, and the human in the loop hates reviewing all the slop. So people want to just let the AI interface directly, but when you let slop into the real world there are consequences.