As companies increasingly develop Retrieval-Augmented Generation (RAG)-based Large Language Model (LLM) applications, such as chatbots accessing third-party data like Google Drive, a key challenge arises: preventing unauthorized data access. This issue involves ensuring that the information retrieved by the LLM is aligned with user permissions, which can be tackled through several architectural patterns. One approach is query-time filtering using third-party APIs, advantageous for its simplicity but prone to latency issues. Another involves syncing access control lists (ACLs) into a local vector database, enabling fast queries but demanding high maintenance and scalability challenges. A third option is replicating third-party permissions logic within a custom policy engine, offering robust control but requiring significant effort to maintain. The complexity is further heightened by the need for identity resolution in systems relying on diverse data sources. As the field evolves, teams are exploring various strategies to strike a balance between security, performance, and scalability, with future developments likely to focus on enabling LLMs not only to access data but also to act upon it safely.