What is tenant isolation in RAG systems?

Each customer receives a dedicated vector store and retrieval pipeline. Embeddings and queries never cross tenant boundaries, enforced with separate namespaces, encryption keys, and routing logic.

Is application-level isolation enough?

Application-enforced workspaceId predicates are primary. PostgreSQL row-level security and dedicated infrastructure per enterprise customer add defense in depth.

All articles

Security12 min readJune 20, 2026

RAG Tenant Isolation: A CTO Guide to Safe Executive AI Deployments

Shared vector stores are a liability for executive AI. Here is the architecture CTOs should require before connecting finance and hiring data.

RAGTenant isolationSecurityCTO

By AethelLayer Editorial · Executive Layer Insights

Multi-tenant RAG isolation architecture with dedicated vector stores per customer

Your CEO will ask one question before you connect Xero and Greenhouse to an AI layer: can another customer's data ever appear in our retrieval results? If the answer involves "shared index with logical separation," schedule a longer security review.

Architecture diagram of per-tenant RAG instances with encryption boundaries

Architecture layers you should verify

Dedicated vector namespace per workspace
No shared embedding index across customers.
Separate encryption keys per tenant
AES-256 at rest, TLS 1.3 in transit.
Query routing enforced at infrastructure layer
Not only ORM filters in application code.
Zero cross-tenant training on proprietary data
Subprocessor list and DPA available pre-pilot

What gets embedded (and what does not)

AethelLayer compiles operational snapshots: finance metrics, pipeline stage durations, compliance task severity, and policy rules. Raw vendor JSON dumps and source code are not ingested by default. Scope is documented in the integration map during onboarding.

Data type	Stored	Embedded for RAG
Burn and runway metrics	Yes	Yes, workspace-scoped
Greenhouse candidate PII	Minimal fields	Policy-controlled
OAuth tokens	Encrypted secrets vault	Never
Audit logs	PostgreSQL	Searchable, not in shared index

Question for vendors

Ask to see a diagram of physical or logical separation at the vector store layer, not just the application API.

Read the full security architecture at /security for implementation detail on containerized deploys, CI gates, and workspace-scoped audit logs.

FAQ

What is tenant isolation in RAG systems?: Each customer receives a dedicated vector store and retrieval pipeline. Embeddings and queries never cross tenant boundaries, enforced with separate namespaces, encryption keys, and routing logic.
Is application-level isolation enough?: Application-enforced workspaceId predicates are primary. PostgreSQL row-level security and dedicated infrastructure per enterprise customer add defense in depth.

Private Pilot