Enforce tenant isolation by ensuring the model cannot retrieve or see data across tenants, even if prompted to do so. The model itself is not your security boundary—your retrieval layer and data access layer are. In a multi-tenant app, tenant isolation means every tool call (retrieval, file access, database queries) must be scoped by tenant_id and authorization checks, and the prompt must never include raw data that the user isn’t allowed to access.
A robust isolation design has three layers:
Data partitioning
Store embeddings with
tenant_idand enforce filters on every query.Consider separate collections per tenant for stricter isolation.
Access-controlled retrieval
Your
search_docstool must requiretenant_idand apply it as a mandatory filter.Never allow “no filter” queries in production.
Prompt hygiene and logging controls
Don’t log raw prompts/outputs by default; log references (chunk IDs).
Redact secrets and PII before anything reaches the model or logs.
You should also include an explicit policy in the system prompt: “Never reveal information from other tenants; if asked, refuse.” That helps behavior, but it’s not sufficient alone.
Vector databases are ideal for enforcing retrieval-time isolation. With Milvus or Zilliz Cloud, store tenant_id, visibility, and doc_acl metadata fields and apply strict filters. Then Opus 4.6 only ever sees retrieved chunks that passed authorization checks. This is the strongest isolation model: even if the user attempts prompt injection (“ignore rules”), the system physically cannot retrieve disallowed content. Treat tenant isolation as a database and tooling problem first; treat model prompting as the last layer.