Activation-Space Anchored Access Control for Multi-Class Permission Reasoning in Large Language Models
Zhaopeng Zhang, Pengcheng Sun, Lan Zhang, Chen Tang, Jiewei Lai, Yunhao Wang, Hui Jin
TL;DR
This work tackles the challenge of enforcing fine-grained, multi-class permission constraints in LLM-powered QA over knowledge bases. It introduces Activation-space Anchored Access Control (AAAC), a training-free framework that detects permission signals in mid-to-late activation layers and steers risky activations toward permission-specific anchors, thereby suppressing unauthorized content while preserving authorized utility. The method constructs per-permission anchors offline from small labeled samples and applies a risk-aware, multi-anchor steering mechanism online, guided by an Activation-Space Informativeness score and a two-threshold policy. Empirical results on three diverse LLMs and the new MultiPER-Enterprise benchmark show substantial reductions in permission violations (up to 86.5%) and prompt-based attack success (up to 90.7%), with modest inference overhead and robust performance across configurations. The work also provides analyses of layer selection, steering strength, and robustness, and discusses deployment considerations, limitations, and societal impact.
Abstract
Large language models (LLMs) are increasingly deployed over knowledge bases for efficient knowledge retrieval and question answering. However, LLMs can inadvertently answer beyond a user's permission scope, leaking sensitive content, thus making it difficult to deploy knowledge-base QA under fine-grained access control requirements. In this work, we identify a geometric regularity in intermediate activations: for the same query, representations induced by different permission scopes cluster distinctly and are readily separable. Building on this separability, we propose Activation-space Anchored Access Control (AAAC), a training-free framework for multi-class permission control. AAAC constructs an anchor bank, with one permission anchor per class, from a small offline sample set and requires no fine-tuning. At inference time, a multi-anchor steering mechanism redirects each query's activations toward the anchor-defined authorized region associated with the current user, thereby suppressing over-privileged generations by design. Finally, extensive experiments across three LLM families demonstrate that AAAC reduces permission violation rates by up to 86.5% and prompt-based attack success rates by 90.7%, while improving response usability with minor inference overhead compared to baselines.
