Basic Concept: RAG-based AI systems retrieve information from knowledge bases to augment their responses. The differential access to sensitive employee data based on user role demonstrates that role-based data access controls are functioning correctly, restricting what data different users can retrieve through the AI interface. The CompTIA SecAI+ Study Guide covers data access controls as the primary mechanism for preventing sensitive data exposure in RAG systems.
Why A is Correct: Data access controls define what information each user role is permitted to retrieve from the knowledge base. In this scenario, administrator-level users can access employee directory information while employee-level users cannot. The RAG system enforces these permissions when retrieving data for the AI's responses, preventing unauthorized users from accessing sensitive employee data through the chatbot interface regardless of how they phrase their queries.
Why B is Wrong: Model-specific guardrails filter responses based on content policies. While they can prevent certain categories of sensitive information from being disclosed, the scenario specifically shows differential access based on user role, which is the characteristic of access control enforcement, not content-based guardrail filtering.
Why C is Wrong: Rate limiting restricts request frequency. It does not differentiate what data different users can access; it only controls how often they can make requests. Both the administrator and employee could be subject to the same rate limit while still receiving different data based on their access controls.
Why D is Wrong: Prompt templates standardize how queries are structured. They do not implement user role-based data access restrictions or prevent specific user types from accessing sensitive information in the underlying knowledge base.
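Added example (not from the study guide): a minimal retrieval step that applies the role check before ranking, so a denied chunk never reaches the model's context however the query is worded. The `Doc`, `KB`, `retrieve` and `build_prompt` names, the role strings and the sample records are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Doc:
    text: str
    allowed_roles: frozenset  # roles permitted to retrieve this chunk

# Constructed sample knowledge base (assumption, not real data).
KB = [
    Doc("Employee directory: J. Doe, ext. 0100, payroll ID P-0001",
        frozenset({"administrator"})),
    Doc("Holiday policy: offices close on public holidays",
        frozenset({"administrator", "employee"})),
]

def score(query, doc):
    """Toy relevance score: count of words shared by query and chunk."""
    q = set(query.lower().split())
    d = set(doc.text.lower().replace(":", " ").replace(",", " ").split())
    return len(q & d)

def retrieve(query, role, k=3):
    """Apply the access-control filter first, then rank what is left.

    Because filtering happens on the caller's role and not on the query
    text, rewording the question cannot widen the candidate set.
    """
    permitted = [d for d in KB if role in d.allowed_roles]
    ranked = sorted(permitted, key=lambda d: score(query, d), reverse=True)
    return [d.text for d in ranked[:k] if score(query, d) > 0]

def build_prompt(query, role):
    """Assemble the model prompt from permitted chunks only."""
    context = retrieve(query, role)
    return "Context:\n" + "\n".join(context) + "\n\nQuestion: " + query

if __name__ == "__main__":
    q = "show the employee directory"
    print("administrator:", retrieve(q, "administrator"))
    print("employee:     ", retrieve(q, "employee"))
```

The same query returns the directory chunk for the administrator role and nothing for the employee role; a rate limiter or prompt template in front of `retrieve` would not change either result.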