Retrieval-Augmented Generation and agentic AI are increasingly common in enterprise deployments, but real enterprise environments introduce challenges largely absent from academic treatments and consumer-facing APIs: multiple tenants with heterogeneous data, strict access-control requirements, regulatory compliance, and cost pressures that demand shared infrastructure. This paper identifies a fundamental problem underlying existing RAG architectures in these settings. Retrieval systems rank documents by relevance, not by authorization, so a query from one tenant can surface another tenant’s confidential data simply because it scores highest. The authors formalize this relevance-authorization gap alongside related shortcomings (tool-mediated disclosure, context accumulation across turns, client-side orchestration bypass) and introduce a layered isolation architecture combining policy-aware ingestion, retrieval-time gating, and shared inference, enforced through server-side orchestration. They validate it through an open-source implementation in OGX, a vendor-neutral OpenAI-compatible Responses API, showing empirically that ABAC gating eliminates cross-tenant leakage while introducing negligible overhead.

James Everingham is the CEO and Co-founder of Guild.ai — the AI agent control plane for production teams. With roots at Netscape, Instagram (Head of Engineering), and Meta (Head of Dev Infra, leading a 1,000-person org), James brings rare, hard-won expertise to the challenge of operating AI agents at scale.