Final Thesis: A Multi-Agent LLM Assistant for IAM: Design, Implementation, and Evaluation

Abstract: Identity and Access Management (IAM) is one of the cornerstone disciplines of enterprise security. As organizations grow, their policies, entitlement catalogs and process documentation grow with them, and IAM specialists find themselves fielding the same questions over and over instead of working on access reviews or incident response. This thesis introduces a multi-agent knowledge assistant based on Large Language Models (LLMs) and Retrieval-Augmented Generation (RAG), designed according to enterprise Generative AI standards and internal solution design guidelines. Following a Design Science Research approach, the work answers four research questions: how multi-agent and single-agent architectures compare, how hybrid retrieval compares with vector-only retrieval, whether RAG can generate correct and well-cited answers, and how robust the system is against Role-Based Access Control (RBAC) violations and prompt injection. Five agents (Router, Retrieval, Reasoning, Guardrail and Generator) are orchestrated through LangGraph. The retrieval stage merges dense and sparse search with Reciprocal Rank Fusion (RRF) and reranking across heterogeneous IAM sources, and each response carries explicit citations. Input validation, output guardrails and observability are integral parts of the design. The technology stack is built on openly licensed models and open source frameworks to ensure transparency, reproducibility and data sovereignty. The evaluation confirms statistically significant improvements: the multi-agent architecture increases correctness and reduces hallucinations compared with a single-agent baseline, and hybrid retrieval consistently outperforms vector-only search. Layered security mechanisms fully enforce RBAC and substantially reduce the success rate of prompt injection attacks, in line with the Open Worldwide Application Security Project (OWASP) LLM Top 10 and regulatory expectations such as the Versicherungsaufsichtliche Anforderungen an die IT (VAIT) and the Digital Operational Resilience Act (DORA).
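As an added illustration (not code from the thesis), the hybrid fusion step named above combined with an RBAC filter on the fused result, so that chunks a caller may not read never reach the reasoning or generator agent. RRF is the standard formula; the document names, role sets and the two rankings are constructed sample data.

```python
"""Hybrid retrieval fusion (RRF) followed by an RBAC filter on retrieved chunks.
Illustrative example, not the thesis code: dense and sparse rankings are
simulated as constructed ranked lists of document ids."""
from collections import defaultdict

# Constructed corpus metadata: which roles may read each IAM document.
DOC_ACL = {
    "joiner-process.md": {"helpdesk", "iam-admin"},
    "privileged-access-policy.pdf": {"iam-admin"},
    "entitlement-catalog.csv": {"helpdesk", "iam-admin"},
    "sod-rules.xlsx": {"iam-admin"},
}

def rrf_fuse(rankings, k=60):
    """Reciprocal Rank Fusion: score(d) = sum over rankings of 1 / (k + rank(d)),
    with 1-based ranks. Returns (doc, score) pairs sorted by descending score."""
    scores = defaultdict(float)
    for ranked in rankings:
        for rank, doc in enumerate(ranked, start=1):
            scores[doc] += 1.0 / (k + rank)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

def authorized_docs(fused, user_roles):
    """Keep only documents whose ACL intersects the caller's roles.
    Documents without ACL metadata are denied by default."""
    roles = set(user_roles)
    return [doc for doc, _ in fused if DOC_ACL.get(doc, set()) & roles]

def hybrid_retrieve(dense, sparse, user_roles, top_n=3, k=60):
    """Fuse dense and sparse rankings, then apply RBAC before truncating,
    so the filter cannot be bypassed by a small top_n."""
    fused = rrf_fuse([dense, sparse], k=k)
    return authorized_docs(fused, user_roles)[:top_n]

# Constructed rankings for the query "who approves privileged access?"
DENSE = ["privileged-access-policy.pdf", "joiner-process.md",
         "sod-rules.xlsx", "entitlement-catalog.csv"]
SPARSE = ["sod-rules.xlsx", "privileged-access-policy.pdf",
          "entitlement-catalog.csv"]

if __name__ == "__main__":
    # Documents present in both rankings outrank a doc found by one retriever only.
    print(hybrid_retrieve(DENSE, SPARSE, {"iam-admin"}))
    print(hybrid_retrieve(DENSE, SPARSE, {"helpdesk"}))
```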

Keywords: IAM, LLM, Security, AI, Agents, Agentic Software Development

PDF: Master Thesis

Reference: Mina Moshfegh. A Multi-Agent LLM Assistant for IAM: Design, Implementation, and Evaluation. Master Thesis. Friedrich-Alexander-Universität Erlangen-Nürnberg: 2026.

