How do I prevent cross-tenant data leakage in a multi-tenant RAG system?

To prevent cross-tenant data leakage in a multi-tenant RAG system, implement strict data isolation and access controls across all data lifecycle stages, including memory, derived data, and storage.

Concrete controls include:

• Strict per-tenant memory scoping and explicit access control on memory retrieval to prevent memory contamination across sessions or tenants (OWASP LLM Top 10: L2 Memory Contamination).
• Utilize separate physical or logical vector indexes for confidential data to ensure tenant data isolation.
• Implement classification inheritance so that any data derived from classified inputs inherits at least the classification of its inputs, addressing PII leakage through derived data (OWASP LLM Top 10: L2 Sensitive Information Disclosure, L5 Supply Chain Vulnerabilities).
• Treat vector databases as containing the original text for access control purposes and encrypt embeddings at rest where warranted to mitigate embedding inversion attacks (OWASP LLM Top 10: L2 Sensitive Information Disclosure).
• Establish a data classification service that all data-producing and data-consuming components consult, ensuring source data is classified at ingestion and derived data inherits classifications.
• Maintain a per-user data inventory across all stores and implement deletion workflows that propagate to derived data to prevent right-to-erasure failures (OWASP LLM Top 10: L2 Sensitive Information Disclosure, L6 Insecure Output Handling).