After a user reports the assistant quoting another company's internal doc, run the postmortem
A customer reports that your multi-tenant RAG assistant answered their question using content from a different company's internal document. Run the postmortem: what most likely went wrong at retrieval time, and what immediate and structural fixes do you put in place?
A cross-tenant leak means retrieval wasn't scoped to the tenant's ACL. Fix it with a mandatory pre-filter at search time from authenticated identity, ideally per-tenant isolation. The prompt is never the boundary.
Imagine a shared filing cabinet for many companies, where a clerk fetches papers for whoever asks. The right design is: before the clerk even opens a drawer, the building checks your badge and only unlocks your company's drawer. The leak happened because the clerk was allowed to pull papers from every drawer and was merely asked, politely, to ignore the ones that weren't yours — and one slipped through. Telling the clerk 'please don't read other companies' files' is not security; it's a suggestion. The fix is to lock the other drawers at the door, based on who you actually are (your badge, not a name you typed in). The strongest version gives each company its own locked cabinet entirely, so there is nothing to mix up.
Detailed answer & concept explanation~7 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
Open by naming it a cross-tenant data leak and the governing principle: the boundary must be enforced at retrieval, before any chunk can enter context. Walk the three root-cause shapes — shared index with no pre-filter, filter applied post-generation or in the UI, and missing or stale ACL metadata. Hammer that the prompt is not a security boundary. Cover incident response: scope via logs, contain, notify. Then the structural fixes: mandatory pre-filter from authenticated identity, hard per-tenant isolation over a trusted filter, deny by default metadata, and continuous authorization tests. Close by rejecting the prompt-instruction control outright.
Real products, models, and research that use this idea.
- Pinecone and Qdrant support per-tenant namespaces precisely so cross-tenant retrieval is physically impossible rather than filter-dependent
- SaaS RAG products derive the tenant ID from the authenticated JWT or session, never from a request body field the client controls
- Mature teams run an automated authorization test that queries as tenant A and asserts zero chunks tagged tenant B ever return
- Incident runbooks for these leaks scope exposure from per-query retrieval logs that record requesting tenant versus returned chunk tenants
What an interviewer would ask next. Try answering before peeking at the approach.
QWhy is deriving the tenant ID from a user-supplied request field a vulnerability even with a correct pre-filter?
QWhen does a shared index with a filter become acceptable, and what extra controls does it need?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Trying to fix a cross-tenant leak with a prompt instruction telling the model to ignore other tenants' data — the prompt is not a security boundary, and once a foreign chunk is in context the model can quote it.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.