Large language models lack intrinsic awareness of data ownership and access boundaries, posing risks of sensitive information leakage and unauthorized access. To address this, this work proposes the Chain-of-Authorization framework, which for the first time integrates dynamic authorization mechanisms directly into the model’s inference process. By injecting permission context into the input and guiding the model to generate explicit authorization reasoning traces—encompassing resource validation, identity resolution, and access decisions—the framework establishes authorization as a causal prerequisite for response generation. Leveraging supervised fine-tuning and multi-stage reasoning modeling, the approach significantly improves rejection rates for unauthorized and adversarial queries while preserving task performance, thereby enabling fine-grained access control and overcoming the limitations of conventional static defense mechanisms.

Large Language Models (LLMs) have become core cognitive components in modern artificial intelligence (AI) systems, combining internal knowledge with external context to perform complex tasks. However, LLMs typically treat all accessible data indiscriminately, lacking inherent awareness of knowledge ownership and access boundaries. This deficiency heightens risks of sensitive data leakage and adversarial manipulation, potentially enabling unauthorized system access and severe security crises. Existing protection strategies rely on rigid, uniform defense that prevent dynamic authorization. Structural isolation methods faces scalability bottlenecks, while prompt guidance methods struggle with fine-grained permissions distinctions. Here, we propose the Chain-of-Authorization (CoA) framework, a secure training and reasoning paradigm that internalizes authorization logic into LLMs' core capabilities. Unlike passive external defneses, CoA restructures the model's information flow: it embeds permission context at input and requires generating explicit authorization reasoning trajectory that includes resource review, identity resolution, and decision-making stages before final response. Through supervised fine-tuning on data covering various authorization status, CoA integrates policy execution with task responses, making authorization a causal prerequisite for substantive responses. Extensive evaluations show that CoA not only maintains comparable utility in authorized scenarios but also overcomes the cognitive confusion when permissions mismatches. It exhibits high rejection rates against various unauthorized and adversarial access. This mechanism leverages LLMs' reasoning capability to perform dynamic authorization, using natural language understanding as a proactive security mechanism for deploying reliable LLMs in modern AI systems.