Skip to main content

Volume 4 · RAG and agents

Data boundaries in the retrieval-and-agent era: cross-tenant / cross-user retrieval leakage from vector stores, cross-session memory bleed, tool calls sending private data outward, and data boundaries in multi-agent collaboration.

RAG retrieval leakage

In multi-tenant RAG, two intuitions both fail — "vectorized means anonymized" and "filtered by user means isolated." In some studied embedding settings a vector can be inverted back to approximate original text (including PII), so don't treat it as anonymization; retrieval ranks by similarity, not permission, so if the ACL runs after retrieval instead of before it, the most relevant private chunk may come from another tenant; and a single boundary bug in a shared cache / long-term memory can carry one user's private context into another's session.

HighExperimental

Cross-session memory bleed

In one sentence in March 2023 a redis-py concurrency race in ChatGPT let some users see others' chat titles and the first message of a new conversation, and about 1.2% of active Plus users had their name / email / billing address / last-four card digits exposed in a roughly 9-hour window (OpenAI's official postmortem). Conclusion first: cross-session isolation is the system's responsibility, not "I'll be careful not to mix things up" — scope every cache / memory / session by user, with concurrency safety + ownership checks + auditing.

HighProduction

MCP data flow & least collection

In one sentence the MCP spec states plainly that "hosts must obtain explicit user consent before exposing user data to servers," and Anthropic's software directory policy goes further — software "must only collect data from the user's context that is necessary to perform their function" and "must not collect extraneous conversation data, even for logging purposes." Yet in practice a server is routinely granted far more scope than it needs (the entire home directory to serve one folder), credentials concentrate into a single high-value target across servers, and data detours through someone else's infra on a third-party-hosted server. Conclusion first: map which context fields each server actually receives, and whether those fields are what it needs, before you decide to connect it. Treating "only connect official servers" or "one consent prompt is enough" as the whole boundary is the most common operational false security at this layer.

MediumProduction

Computer-use screen-capture privacy

In one sentence other open apps, pop-up notifications, background documents, other browser tabs, other people's data on a shared / screen-shared display, even a password manager that happens to be visible. All of it rides the screenshot into the model — ambient private data far beyond what the task needs. This isn't injection (that goes to Agent tool exfiltration) and it isn't MCP data flow (MCP data flow & least collection); it's input-surface over-capture Anthropic's computer use tool and OpenAI's Operator have both shipped, and both flag this surface in their own docs (keep sensitive data off-screen, isolate in a dedicated VM, hand sensitive input to a human, supervise on sensitive sites). The real boundary isn't "the model looks at less on its own" — it's the capture surface: get the unrelated and sensitive stuff off the screen before you screenshot it.

HighProduction