
Technical

Why Your AI Platform Needs Per-User Credentials (And Most Don't Have Them)

CompleteFlow

When an AI agent queries your document management system, whose permissions does it use?

For most AI platforms, the answer is a shared service account. One set of credentials, used by every user, with access to everything. The agent sees all documents, all folders, all client data, regardless of who asked the question.

This is how most integrations work today. It is also a serious problem for any organisation where not everyone should see everything.

The shared credential problem

Consider a law firm with ethical walls between practice groups. Partner A works on the Acme acquisition. Associate B works on a dispute involving Acme’s competitor. If both use an AI agent that connects to the firm’s document management system via a shared service account, the ethical wall is gone. The AI has access to both matters. The only thing preventing a breach is the AI not volunteering information it shouldn’t, which is not a security control.

The same problem exists in financial services (Chinese walls between advisory and trading), in healthcare (patient data segregation), and in any organisation with role-based access to sensitive information.

Shared credentials turn your AI platform into a data access escalation tool.

How it should work

When User A asks the AI agent to search for documents, the search should execute with User A’s own credentials. The agent returns only what User A is authorised to see. When User B asks the same question, they get a different set of results, because their credentials grant access to different documents.

This sounds obvious. It is surprisingly rare.

Most AI integration tools, including popular automation platforms, connect to external services using credentials that are configured once and shared across all users. Some platforms allow you to configure multiple credential sets, but the mapping from user to credential is manual and brittle. Very few enforce per-user credential isolation at the architectural level.

What CompleteFlow does differently

CompleteFlow treats external service credentials as per-user secrets. Each user authenticates once with each external service (NetDocuments, SharePoint, Salesforce, etc.) through a standard OAuth consent flow. Their tokens are stored in Azure Key Vault, which provides hardware-backed encryption, access logging, and purge protection. Only the credential broker service can access the vault. No other part of the system can read the tokens.

When a workflow or AI agent needs to call an external service, the platform retrieves the correct user’s token at execution time. The external service sees a request from that specific user and applies its own access controls. Ethical walls, folder permissions, client matter restrictions: all enforced by the upstream system, using the authenticated user’s own permissions.

A few things that matter about this approach:

Tokens never enter the AI context. The AI agent decides what tool to call and with what parameters. The credential broker handles authentication separately. The token is never included in a prompt, never logged in a conversation, never visible to the LLM.

Each user’s access is independently auditable. The platform logs every credential retrieval: which user, which service, when, and in what context (chat session or workflow run). If a compliance team needs to know what data User A’s agent accessed last Tuesday, that information exists.

Expired or revoked access fails visibly. If a user’s token expires or is revoked, the workflow fails with a clear error rather than silently falling back to a shared account. There is no degraded mode where the system quietly uses someone else’s credentials.

Offboarding is clean. When a user leaves the organisation, an administrator revokes all their external connections. Tokens are deleted from the vault and revoked with the upstream services. There is nothing to forget or miss.
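The pattern described above, as an added example that is not CompleteFlow's code: a minimal credential broker that resolves the calling user's own token at execution time, records every retrieval, and fails closed when a token is missing or revoked instead of falling back to a shared account. The vault, the service name "dms", the token-to-user mapping and the document ACLs are constructed stand-ins, and the agent only ever passes a user id and query, never the token.

```python
# Added example (not CompleteFlow's code): per-user credential brokering with
# audit logging and fail-closed behaviour on revoked tokens. The vault,
# service name and upstream document store are constructed stand-ins.
from dataclasses import dataclass, field
from datetime import datetime, timezone

class CredentialError(Exception):
    """Raised instead of silently falling back to a shared account."""

@dataclass
class Broker:
    vault: dict                      # (user, service) -> token record; stand-in for Key Vault
    audit: list = field(default_factory=list)

    def token_for(self, user, service, context):
        entry = self.vault.get((user, service))
        # Fail visibly: no degraded mode that uses someone else's credential.
        if entry is None or entry.get("revoked"):
            raise CredentialError(f"no valid {service} token for {user}")
        self.audit.append({"user": user, "service": service,
                           "context": context,
                           "at": datetime.now(timezone.utc).isoformat()})
        return entry["token"]

# Constructed upstream DMS: the token identifies the caller, the ACL is the DMS's own.
DMS_TOKEN_OWNER = {"tok-A": "partnerA", "tok-B": "associateB"}
DMS_DOCS = {"acme-acquisition.docx": {"partnerA"},
            "competitor-dispute.docx": {"associateB"},
            "firm-handbook.pdf": {"partnerA", "associateB"}}

def dms_search(token, query):
    """The upstream system enforces its own permissions for the authenticated user."""
    caller = DMS_TOKEN_OWNER[token]
    return sorted(d for d, acl in DMS_DOCS.items() if caller in acl and query in d)

def agent_search(broker, user, query, context="chat"):
    """The agent supplies only the user id and parameters; the token never reaches the LLM."""
    token = broker.token_for(user, "dms", context)
    return dms_search(token, query)

VAULT = {("partnerA", "dms"): {"token": "tok-A", "revoked": False},
         ("associateB", "dms"): {"token": "tok-B", "revoked": False},
         ("leaver", "dms"): {"token": "tok-L", "revoked": True}}   # offboarded user
if __name__ == "__main__":
    b = Broker(VAULT)
    print(agent_search(b, "partnerA", ""))    # partnerA's documents only
    print(agent_search(b, "associateB", ""))  # a different result set for the same query
    print(b.audit)                            # who retrieved which credential, and when
```

Running the same query as the offboarded user raises `CredentialError` and leaves no audit entry, which is the visible failure the text describes.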

Why this matters for your organisation

If you are evaluating AI platforms that integrate with your document management system, email, or other sensitive business systems, ask this question: when the AI accesses our data, whose permissions does it use?

If the answer is “a service account” or “the admin who set up the integration,” you have a gap. Every user who talks to the AI effectively has the same data access, regardless of their actual role or clearance.

Per-user credential delegation is not a feature. It is a prerequisite for deploying AI in any environment where access controls exist for a reason.


CompleteFlow connects to external systems through the Model Context Protocol with per-user credential isolation. For a deeper look at MCP security in regulated environments, see our technical analysis.
