Permissioned LLMs: Enforcing Access Control in Large Language Models

TL;DR

This paper introduces Permissioned LLMs (PermLLMs), a novel approach to enforce organizational access control in large language models by formalizing mechanisms and metrics to ensure correct access restrictions in query responses.

Contribution

The paper proposes a new class of LLMs called PermLLMs that incorporate access control structures, introduces formal abstractions and metrics for enforcement, and develops three novel mechanisms based on Parameter Efficient Fine-Tuning.

Findings

PermLLMs effectively enforce access control in LLMs across multiple datasets.

The access advantage metrics (DDI and UGI) reliably quantify access control efficacy.

Experimental results demonstrate the superiority of PermLLMs in maintaining data privacy.

Abstract

In enterprise settings, organizational data is segregated, siloed and carefully protected by elaborate access control frameworks. These access control structures can completely break down if an LLM fine-tuned on the siloed data serves requests, for downstream tasks, from individuals with disparate access privileges. We propose Permissioned LLMs (PermLLM), a new class of LLMs that superimpose the organizational data access control structures on query responses they generate. We formalize abstractions underpinning the means to determine whether access control enforcement happens correctly over LLM query responses. Our formalism introduces the notion of a relevant response that can be used to prove whether a PermLLM mechanism has been implemented correctly. We also introduce a novel metric, called access advantage, to empirically evaluate the efficacy of a PermLLM mechanism. We introduce three novel PermLLM mechanisms that build on Parameter Efficient Fine-Tuning to achieve the desired access control. We furthermore present two instantiations of access advantage--(i) Domain Distinguishability Index (DDI) based on Membership Inference Attacks, and (ii) Utility Gap Index (UGI) based on LLM utility evaluation. We demonstrate the efficacy of our PermLLM mechanisms through extensive experiments on five public datasets (GPQA, RCV1, SimpleQA, WMDP, and PubMedQA), in addition to evaluating the validity of DDI and UGI metrics themselves for quantifying access control in LLMs.