Securing the Agent: Why RAG Leaks Cross-Tenant Data 98% of the Time
Picture the query. An employee at one company types a question into their AI assistant. The retrieval system underneath does exactly what it was built to do: it converts the question into a vector, searches the shared index, and ranks every document by how closely it matches. The closest match is a confidential memo belonging to a different company on the same infrastructure. The system serves it up, because at no point in that pipeline did anything ask whether it should.
This is not a hypothetical. Two engineers at Red Hat AI, Francisco Javier Arceo and Varsha Prasad Narsing, published a paper in May 2026 called "Securing the Agent: Vendor-Neutral, Multitenant Enterprise Retrieval and Tool Use," and they ran the probe. Ungated retrieval leaked cross-tenant data in 98 to 100 percent of their attempts. Not occasionally, not under adversarial pressure. Nearly every time, under ordinary use.
The uncomfortable part is that nothing malfunctioned. The retrieval system succeeded, completely, at the objective it was given. As the authors put it, retrieval systems "rank documents by relevance, whether through semantic similarity, keyword matching, or hybrid approaches, not by authorization." Every search method the field has built optimizes for the same thing: find the closest match. Dense vectors, keyword matching, hybrid rerankers, all of them. None of them natively enforce who is allowed to see it. Relevance and authorization are different questions, and the entire stack only ever asks the first one.
Academic prototypes and consumer chatbots never surface this, because they quietly assume one user, one corpus, uniform access. Real enterprises look nothing like that. Multiple business units, customers, and partners share infrastructure because cost demands it. Data varies in sensitivity. Regulators require auditable access. The naive fix is to copy the whole stack for every tenant: separate vector stores, dedicated endpoints. But then infrastructure scales with the number of tenants instead of actual usage, which is exactly the economics shared infrastructure exists to escape.
And the problem compounds as systems become agentic. The paper catalogs the ways: a tool call can reach resources outside the user's scope. Conversation history accumulates context across turns, so the agent's memory itself becomes a leak, carrying one boundary's information into the next exchange. And when the application client manages the reasoning loop, security-critical logic ends up distributed to machines nobody should trust. Each generation of the technology, from simple completions to retrieval to tool-using agents, added capability while inheriting every security gap of the phase before it.
The fix the authors propose is almost anticlimactic. Tag documents with policy at ingestion. Gate retrieval with attribute-based access control, a deterministic check of user attributes against document attributes before anything reaches the model. Move the orchestration loop server-side, where tool authorization and state isolation have a natural enforcement point. They built it into an open-source framework called OGX and measured the result: leakage eliminated, overhead negligible. No new model. No clever prompt. A boolean, checked in the right place.
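The pattern described above, as an added illustration rather than code from the paper or from OGX: a toy multitenant retriever over one shared index, run three ways. Documents carry policy attributes (tenant, classification) assigned at ingestion; the gate is a plain boolean over the caller's attributes and the document's attributes, evaluated before ranked results reach the model. The tenants, attribute names, clearance ordering and three-dimensional embeddings are all constructed for the example, and the principal's attributes are assumed to come from the authenticated session rather than from the prompt.

```python
"""Added example, not code from the paper or from OGX: a toy multitenant RAG
retriever with and without an attribute-based access-control (ABAC) gate.
Documents carry policy attributes assigned at ingestion; the gate compares the
caller's attributes against each document's attributes before ranking results
reach the model. Tenants, attribute names and embeddings are constructed."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Doc:
    doc_id: str
    text: str
    embedding: tuple          # toy 3-dimensional vector
    tenant: str               # policy attribute tagged at ingestion
    classification: str       # "public" < "internal" < "confidential"


@dataclass(frozen=True)
class Principal:
    user: str
    tenant: str               # from the authenticated session, never from the prompt
    clearance: str            # highest classification the user may read


CLEARANCE_RANK = {"public": 0, "internal": 1, "confidential": 2}


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(x * x for x in b))
    return dot / norm if norm else 0.0


def rank_by_relevance(query_vec, docs, k):
    """What every retriever does: order by similarity and truncate to top-k."""
    return sorted(docs, key=lambda d: cosine(query_vec, d.embedding), reverse=True)[:k]


def authorized(principal, doc):
    """The deterministic ABAC check: a boolean over attributes, no model involved."""
    return (doc.tenant == principal.tenant
            and CLEARANCE_RANK[doc.classification] <= CLEARANCE_RANK[principal.clearance])


def ungated_retrieve(principal, query_vec, docs, k=3):
    """Relevance only; the principal is ignored, which is the leak."""
    return rank_by_relevance(query_vec, docs, k)


def post_filtered_retrieve(principal, query_vec, docs, k=3):
    """Common mistake: rank and truncate first, then drop unauthorized hits.
    Nothing leaks, but foreign documents consume the top-k slots."""
    return [d for d in rank_by_relevance(query_vec, docs, k) if authorized(principal, d)]


def gated_retrieve(principal, query_vec, docs, k=3):
    """Pre-filter: evaluate policy over the whole index, then rank only what is allowed."""
    return rank_by_relevance(query_vec, [d for d in docs if authorized(principal, d)], k)


def leaked_doc_ids(principal, results):
    """Probe helper: which returned documents fail the policy check?"""
    return [d.doc_id for d in results if not authorized(principal, d)]


# Constructed sample index: two tenants sharing one vector store.
INDEX = [
    Doc("globex-memo", "Globex board memo on the pending merger", (0.98, 0.10, 0.0), "globex", "confidential"),
    Doc("globex-faq", "Globex public FAQ on merger rumours", (0.90, 0.30, 0.2), "globex", "public"),
    Doc("acme-memo", "Acme internal note on merger due diligence", (0.80, 0.50, 0.0), "acme", "internal"),
    Doc("acme-deal", "Acme confidential term sheet", (0.70, 0.70, 0.0), "acme", "confidential"),
    Doc("acme-faq", "Acme internal FAQ on acquisitions", (0.60, 0.60, 0.5), "acme", "internal"),
    Doc("acme-holiday", "Acme public holiday schedule", (0.0, 1.0, 0.0), "acme", "public"),
]

ALICE = Principal(user="alice", tenant="acme", clearance="internal")
QUERY = (1.0, 0.0, 0.0)     # constructed embedding of a question about "the merger memo"


if __name__ == "__main__":
    for name, fn in [("ungated", ungated_retrieve),
                     ("post-filtered", post_filtered_retrieve),
                     ("gated", gated_retrieve)]:
        hits = fn(ALICE, QUERY, INDEX)
        print(f"{name:14s} -> {[d.doc_id for d in hits]} leaked={leaked_doc_ids(ALICE, hits)}")
```

Two practitioner points the toy makes visible. First, the gate has to run before truncation: filtering the top-k after the fact stops the leak but lets another tenant's documents crowd out the caller's own, so the gated variant applies the policy over the whole index (in a real vector store, as a metadata filter pushed into the query) and only then ranks. Second, the principal's attributes must be bound to the authenticated identity; if the tenant or clearance can be influenced by anything the user types, the boolean is checking attacker-supplied facts.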
That anticlimax is the actual lesson, and it reaches well past multitenant retrieval. Relevance is a judgment; authorization is a fact. Judgment is what you want from a probabilistic system, and facts are what you must never delegate to one. A model asked to respect a boundary will respect it most of the time, and "most of the time", measured over enough requests, is what a leakage rate of 98 to 100 percent looks like from the outside. The rule that cannot be broken has to live in code, where it is checked deterministically, on every request, at zero marginal cost in inference. Never spend inference on what can be codified. The gate costs nothing precisely because it does not think.
There is a sharper edge underneath. Making the model smarter makes ungated retrieval worse, not better. A stronger ranker finds the forbidden document more reliably, summarizes it more fluently, weaves it more seamlessly into an answer. Intelligence amplifies whatever the architecture permits. Which means the security of an agentic system is not a property of the model at all. It is a property of the cage around the model. Cage quality dominates model quality, and most teams have the priority exactly backwards. The industry debates which frontier model to deploy while the load-bearing decision goes unexamined: where does judgment end and enforcement begin? That one gets made by default, by whoever wired the retrieval pipeline without asking the second question.
Every organization connecting an agent to its data is drawing that line right now, mostly without knowing it. The ones that draw it in architecture get shared infrastructure, full model capability, and boundaries that hold at 3 a.m. under loads nobody anticipated. The ones that draw it in prompts get a system that behaves until the day the most relevant document is the one thing it should never have touched.
So what stops your agent from serving a document it was never allowed to see? Inside the model, nothing. Nothing in the weights, nothing in the prompt, nothing in the ranking math, because every one of those layers is built to answer a different question. The stop has to be structural, a deterministic check standing between relevance and response. The model decides what is relevant. The architecture decides what is possible. Only one of them is allowed to be wrong.