The Folder as a Permission Boundary
Folders aren't just for finding things. They're one of the oldest security primitives in computing, and the right unit of control for AI access to your knowledge.
Most people organize files so they can find them later. That's the obvious reason: reduce the cost of retrieval, give things a home, keep the desktop from becoming chaos. But the Unix filesystem was designed around a different idea from the start. The directory hierarchy was always an access control boundary. When you put something in /etc, you were saying something about who should be able to touch it. When you chmod a file, you were drawing a line between owners and outsiders. The folder was always a security primitive. We just stopped thinking of it that way.
That gap in thinking matters now, because AI agents need a permission model, and they need one that humans can actually reason about.
The 1973 idea that keeps getting rediscovered
David Bell and Leonard LaPadula built their security model at MITRE Corporation in 1973, under contract for the US Department of Defense. The Air Force was trying to figure out how to run classified and unclassified workloads on the same time-sharing system without information leaking upward through clearance levels. Bell and LaPadula's answer was compartmentalization: divide information by sensitivity, and enforce that subjects can only access material at or below their clearance.
The insight wasn't the formal math. It was the recognition that organizing information into separate containers, by sensitivity and by need-to-know, makes access control tractable. You don't need to think about every file individually. You think about which container it's in, and the policy follows from that.
Fifty-two years later, AI tools are fumbling toward the same realization.
The current default model for AI agent permissions is roughly: everything, or a granular whitelist you'll never maintain. Give an agent access to your filesystem and it can read your medical notes alongside your grocery lists. Build a whitelist and you'll spend an afternoon enumerating file paths, then forget about it when you create new folders next month. Neither option is good. One is reckless; the other is theater.
The folder as policy
The better answer is what Unix figured out in the 1970s: use the hierarchy you already have.
If something is in Sensitive/, the AI needs explicit approval before touching it. If something is in Work/, the agent can read freely but proposes patches you review. If something is in Inbox/, it can write there without asking. The folder becomes the policy.
This isn't complicated. Most people already have an intuition for what should be walled off. Medical records, financial documents, private messages feel like they belong somewhere different from your notes on a book or your half-finished to-do list. The problem with most tools is that they don't let you act on that intuition. The permission model lives in a settings panel somewhere, disconnected from where you actually store things.
Connecting the two, folder location and permission tier, makes the model visible and maintainable. You move a file, the permissions follow. You understand the policy by looking at where things are. You can audit it in thirty seconds.
Sensitivity as geography
There's a deeper point here. The way we think about physical documents maps naturally onto folder-as-boundary. You wouldn't leave a signed legal contract on the kitchen counter. You'd put it somewhere more deliberate, a filing cabinet, a lockbox, somewhere the location itself signals importance. Physical filing isn't just organization. It's a statement about access.
Digital tools severed that connection. Everything lives in the same flat namespace of a cloud app, behind the same login screen, accessible by default to every integration you've ever authorized. Placing something somewhere stopped meaning anything.
File hierarchies restore that signal. Not perfectly. A folder structure is not a lockbox, and anyone who needs real security needs real security tooling. But for the threat model most people actually face, which is AI agents with overly broad permissions doing things they didn't intend, the folder is the right primitive. Legible to humans. Actionable for software. Easy to maintain as the knowledge base grows and changes shape over time.
The thing I keep coming back to is that most people don't need a formal access control language. They don't need policy files or role definitions. They need to be able to put something in a folder called Private and trust that the AI won't touch it without asking. That's it. The hard part is building software that honors that expectation consistently rather than making it your problem to configure.
The question of how to give AI appropriate access to personal knowledge is going to matter a lot over the next few years. The answer most products will reach for is some version of elaborate permission dashboards with toggles and checkboxes, the same solution that made enterprise software feel like enterprise software. There's a simpler option already sitting in front of us. Put the sensitive stuff in one folder. Tell the AI what the folders mean. Let geography do the work.
Bell and LaPadula figured this out when machines cost more than houses. It still holds.
Asgeir Albretsen is the founder of Harbor.