- An AI brain enforces access at the moment it retrieves knowledge to answer, per identity and per request, in real time.
- It keeps each source's existing permissions instead of copying data into a new index that loses them.
- Field-level redaction lets it withhold one sensitive part of a document, like a salary column, while the rest stays useful.
- Every access is recorded in a content-blind, tamper-evident audit you can verify independently, with an optional on-chain anchor.
- AI agents are governed the same way as people: identity checks, limits, human-in-the-loop, and a kill switch, with agents connecting over MCP.
An AI brain controls who sees what by checking permissions before it answers, not after. For every request it confirms who is asking through your existing login, evaluates that identity against each connected source's real access rules, retrieves only what the person or agent is cleared to see, hides sensitive fields inside allowed documents, and writes the access to a tamper-evident log you can verify.
How does a company AI brain decide who sees what?
A company AI brain decides who sees what by running an access check on every request before it answers. It identifies the person or agent asking, looks up their real permissions on each connected source, and limits retrieval to what they are cleared to read. Relevance still ranks results, but only inside that allowed set, so the brain never grounds an answer in something the requester should not see.
The order is the whole point. Most systems retrieve first and consider access later, if at all. An AI brain reverses that: identity and permissions come before retrieval, which is what stops a well-phrased question from surfacing a document the asker was never meant to reach.
Step one: confirm who is asking
Access control starts with identity, so an AI brain first confirms who, or what, is behind a request. It uses your existing single sign-on rather than a separate login, so the brain knows the same things about a person your other systems do: their team, their role, their groups. No confirmed identity means no answer.
Agents get a verifiable identity too. AIVM Brain authenticates people through WorkOS single sign-on and can give AI agents a verifiable identity using the ERC-8004 standard for trustless agents, so the brain always knows which agent is asking, not just that some agent is.
Step two: permission-aware retrieval with RBAC and ABAC
Permission-aware retrieval is the core of how an AI brain controls access. Before it fetches anything, it evaluates the requester's identity against each source's rules, using role-based access control (RBAC) and attribute-based access control (ABAC), and retrieves only from documents that identity is cleared to see. That is the difference between governed retrieval and plain RAG, which ranks by relevance and ignores who is asking.
It also keeps permissions where they belong. Rather than bulk-copying everything into one shared index that strips the original access rules, an AI brain reads each connected source's live permissions, so a change in your access controls is reflected the next time the brain answers.
Step three: field-level redaction inside allowed documents
Access is rarely all-or-nothing, so an AI brain can hide a single sensitive field inside a document the requester is otherwise allowed to read. A salesperson might see a customer record but not its contract value. An employee might read a team plan but not the compensation column. Redacting the field, rather than refusing the whole file, keeps answers useful while keeping the secret part secret.
This matters because blocking entire documents makes AI frustrating and trains people to route around it. Field-level redaction is what lets a governed brain stay genuinely helpful without becoming the thing that leaks.
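Steps two and three can be shown together in a short sketch. This is an added example, not AIVM Brain's code; the `Identity` and `Doc` shapes, the role names and the sample corpus are assumptions made for illustration. Scoring runs on the redacted view, a design choice of this example, so a hidden field cannot be probed through ranking.

```python
from dataclasses import dataclass, field

@dataclass
class Identity:            # who is asking, as confirmed by SSO (hypothetical shape)
    subject: str
    roles: set
    attrs: dict = field(default_factory=dict)

@dataclass
class Doc:                 # a source document plus the access rules read from its source
    doc_id: str
    fields: dict                                          # field name -> text
    allowed_roles: set                                    # RBAC: roles that may read it
    required_attrs: dict = field(default_factory=dict)    # ABAC: attributes that must match
    field_roles: dict = field(default_factory=dict)       # field -> roles allowed to see it

def can_read(who, doc):
    if who is None:                                       # no confirmed identity, no answer
        return False
    rbac = bool(who.roles & doc.allowed_roles)
    abac = all(who.attrs.get(k) == v for k, v in doc.required_attrs.items())
    return rbac and abac

def redact(who, doc):
    # Keep the document, withhold only fields this identity is not cleared for.
    return {name: value if name not in doc.field_roles or who.roles & doc.field_roles[name]
            else "[REDACTED]" for name, value in doc.fields.items()}

def score(query, view):
    text = " ".join(view.values()).lower()
    return sum(text.count(term) for term in set(query.lower().split()))

def retrieve(who, query, corpus, k=3):
    allowed = [d for d in corpus if can_read(who, d)]          # access check first
    views = [(d.doc_id, redact(who, d)) for d in allowed]      # then redaction
    scored = [(score(query, view), doc_id, view) for doc_id, view in views]
    hits = sorted((s for s in scored if s[0] > 0), key=lambda s: -s[0])
    return [(doc_id, view) for _, doc_id, view in hits[:k]]    # ranking last

# Constructed sample data, not taken from any real system.
CORPUS = [
    Doc("acme-account", {"summary": "Acme renewal notes", "contract_value": "480000 USD"},
        {"sales", "finance"}, field_roles={"contract_value": {"finance"}}),
    Doc("board-minutes", {"body": "Acme acquisition discussion"}, {"exec"}, {"region": "EU"}),
]
SALES = Identity("alice", {"sales"})
FINANCE = Identity("bob", {"finance"})
```

With this data, `retrieve(SALES, "480000", CORPUS)` returns nothing, while the same query from `FINANCE` returns the account record with the contract value visible.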
Step four: record every access in a verifiable audit
An AI brain records every access in a tamper-evident, content-blind log: what was asked, what was retrieved, and which person or agent was involved, without storing the content itself. Content-blind matters because the record is then safe to share with auditors, and the vendor cannot read your data through it. The log is independently verifiable, with an optional cryptographic anchor on-chain so no party can alter it after the fact.
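One common way to build a log with these properties is a hash chain over entries that hold keyed digests and document IDs instead of content. The sketch below is an added example, not AIVM Brain's implementation; the entry layout, the HMAC key held by the data owner, and the `anchored_head` parameter (standing in for a head hash published somewhere the log keeper cannot rewrite) are assumptions.

```python
import hashlib, hmac, json

GENESIS = "0" * 64

def digest(key, text):
    # Keyed digest: the key holder can match a known query, the log reveals no content.
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()

def entry_hash(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    def __init__(self, key):
        self.key, self.entries = key, []

    def record(self, subject, query, doc_ids, ts):
        body = {"ts": ts, "subject": subject,
                "query_digest": digest(self.key, query),   # what was asked, content-blind
                "docs": sorted(doc_ids),                   # what was retrieved, by ID only
                "prev": self.entries[-1]["hash"] if self.entries else GENESIS}
        self.entries.append({**body, "hash": entry_hash(body)})
        return self.entries[-1]["hash"]                    # head hash, suitable for anchoring

def verify(entries, anchored_head=None):
    # Recompute the chain; any edited, reordered or removed entry breaks a link.
    prev = GENESIS
    for e in entries:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or entry_hash(body) != e["hash"]:
            return False
        prev = e["hash"]
    # Without an external anchor, dropping the newest entries would go unnoticed.
    return anchored_head is None or prev == anchored_head

if __name__ == "__main__":
    log = AuditLog(b"constructed-demo-key")                # constructed sample values
    log.record("alice", "what is the salary band for L5", ["doc-17"], 1700000000)
    head = log.record("agent:reporter", "acme renewal status", ["doc-3", "doc-9"], 1700000060)
    print(verify(log.entries, head), verify(log.entries[:1], head))
```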
The same layer makes erasure tractable. Because knowledge sits at a governed layer rather than baked into a trained model, AIVM Brain can support a provable right to be forgotten: delete a record, propagate the removal, and produce proof it is gone, which is the realistic answer to GDPR Article 17 for company knowledge. Document provenance can also be tracked with the C2PA standard.
How an AI brain governs AI agents, not just people
An AI brain governs AI agents with the same controls it applies to people, because an autonomous agent acting at scale is a bigger risk than any single employee. Agents connect over the Model Context Protocol (MCP) and are subject to the same identity check, permission-aware retrieval, and audit, plus explicit limits, human-in-the-loop on sensitive actions, and a kill switch.
This is the part personal tools and most knowledge bases skip. Giving an agent a governed endpoint, rather than a copy of the data or an admin key, means the agent can be useful across company knowledge while every read it makes stays inside the same rules and the same audit a person would face.
How AIVM Brain implements access control
AIVM Brain applies all of this out of the box. It connects to sources like Slack, GitHub, Google Drive, Notion, Box, Confluence, Salesforce, and Telegram with their permissions intact, authenticates people through WorkOS single sign-on, isolates each tenant in its own database, and uses your own model key without training on your data. Every access lands in a content-blind audit you can verify, with an optional on-chain anchor.
The result is an AI brain you can turn on without a multi-month security review, because the controls security asks about (identity, permission-aware retrieval, redaction, audit, and agent governance) are built in rather than bolted on. It is free to start with npx @aivm/brain init.