After a user reports the assistant quoting another company's internal doc, run the postmortem
Same topic, related formats. Practice these next.
Same topic, related formats. Practice these next.
A customer reports that your multi-tenant RAG assistant answered their question using content from a different company's internal document. Run the postmortem: what most likely went wrong at retrieval time, and what immediate and structural fixes do you put in place?
A cross-tenant leak means retrieval wasn't scoped to the tenant's ACL. Fix it with a mandatory pre-filter at search time from authenticated identity, ideally per-tenant isolation. The prompt is never the boundary.
Imagine a shared filing cabinet for many companies, where a clerk fetches papers for whoever asks. The right design is: before the clerk even opens a drawer, the building checks your badge and only unlocks your company's drawer. The leak happened because the clerk was allowed to pull papers from every drawer and was merely asked, politely, to ignore the ones that weren't yours — and one slipped through. Telling the clerk 'please don't read other companies' files' is not security; it's a suggestion. The fix is to lock the other drawers at the door, based on who you actually are (your badge, not a name you typed in). The strongest version gives each company its own locked cabinet entirely, so there is nothing to mix up.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
Open by naming it a cross-tenant data leak and the governing principle: the boundary must be enforced at retrieval, before any chunk can enter context. Walk the three root-cause shapes — shared index with no pre-filter, filter applied post-generation or in the UI, and missing or stale ACL metadata. Hammer that the prompt is not a security boundary. Cover incident response: scope via logs, contain, notify. Then the structural fixes: mandatory pre-filter from authenticated identity, hard per-tenant isolation over a trusted filter, deny by default metadata, and continuous authorization tests. Close by rejecting the prompt-instruction control outright.
Real products, models, and research that use this idea.
What an interviewer would ask next. Try answering before peeking at the approach.
Red flags and common mistakes that signal junior thinking. Click to expand.
Trying to fix a cross-tenant leak with a prompt instruction telling the model to ignore other tenants' data — the prompt is not a security boundary, and once a foreign chunk is in context the model can quote it.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.