The latest articles on DEV Community by Arthit P. (@arthit_p_ee593ec801bb01a). https://dev.to/arthit_p_ee593ec801bb01a https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3796912%2Fb6ee609a-b024-42e4-89e9-ca01cc1b8153.png https://dev.to/arthit_p_ee593ec801bb01a en Arthit P. Sat, 25 Apr 2026 22:06:17 +0000 https://dev.to/arthit_p_ee593ec801bb01a/governance-first-rag-58ek https://dev.to/arthit_p_ee593ec801bb01a/governance-first-rag-58ek <p><a href="https://dev.tourl"></a>Governance‑First! Before Retrieval? Most RAG pipelines are still built the old way: retrieve broadly → filter → hope nothing leaks</p> <p>That pattern is convenient, but in multi‑tenant or regulated workloads it’s structurally unsafe. Once the model has already seen unauthorised embeddings, you’ve lost the guarantee.</p> <p>TenantSage flips the pattern: , tenant scope, and legal‑hold rules are applied before retrieval, so restricted content never reaches the ranking step — and never touches the model.</p> <p>Why Post‑Filtering Fails in Multi‑Tenant RAG<br> When filtering only happens after semantic retrieval, several predictable risks emerge:<br> • Permission drift<br> Embedding chunks don’t automatically update when source permissions change.<br> • Cross‑tenant leakage<br> Similarity search doesn’t respect tenant boundaries unless enforced upfront.<br> • Legal‑hold exposure<br> Restricted documents can still enter the candidate set before filtering removes them.<br> • Weak auditability<br> You can’t reliably prove why the model was allowed to see a given document.<br> If you can’t prove it, you can’t certify it — which is a nonstarter for regulated workloads.</p> <p>The Shift: The Database Enforces Governance (Not the LLM)<br> TenantSage pushes governance into the retrieval layer itself:<br> • Identity‑derived scoping<br> Tenant + role pulled directly from the auth token.<br> • Policy predicates applied before ranking<br> Only authorized content is even considered during retrieval.<br> • Deterministic audit logs<br> Every retrieval decision becomes explainable and reproducible.<br> This moves safety from “application‑layer hopes and prayers” to data‑layer guarantees.</p> <p>Real-Time Inheritance: No More Chunk-Level Permissions<br> A key design choice: chunks don’t carry their own authorization state.<br> Instead:<br> • Each chunk inherits visibility from its parent document at query time.<br> • When the document’s policy changes, the retrieval view updates instantly.<br> • No re‑indexing and no permission drift.<br> This eliminates the classic “embedding index is out of sync with ACLs” problem.</p> <p>High‑Level Retrieval Path</p> <ol> <li>Authenticate Derive tenant, role, and policy context from the identity token.</li> <li>Governed retrieval Similarity search + policy rules execute in a single governed path: • tenant scoping • role‑based access • retention and legal‑hold predicates all applied before ranking</li> <li>Generate The LLM only receives prompts assembled from the authorized set.</li> </ol> <p>What This Enables<br> • Pre‑retrieval policy enforcement<br> No more “retrieve then panic‑filter.”<br> • Strong family tenant isolation<br> Cross‑tenant retrieval returns zero results by design.<br> • Legal‑hold quarantine<br> Held documents stay stored but never retrievable.<br> • No permission drift<br> Authorization always reflects source‑of‑truth policies.<br> • Audit‑ready behavior<br> Deterministic logs ensure compliance and traceability.</p> <p>Family‑Tenant is TenantSage’s canonical multi‑tenant architecture pattern (Family → Child).</p> <p>Related repositories</p> <p>TenantSage core: <a href="https://github.com/arty-hospitality/TenantSag_Canonical" rel="noopener noreferrer">https://github.com/arty-hospitality/TenantSag_Canonical</a></p> ai architecture rag governance