How does governed retrieval prevent data leakage?

Each caller has an authorization boundary (REBAC). Before retrieval, only evidence the caller is authorized to access goes into the retrieval pool. The model cannot retrieve what it's not allowed to see. Evidence boundary becomes data boundary.

Can governed retrieval prevent prompt injection attacks?

Not directly. Governed retrieval controls what evidence is available. Prompt injection attacks manipulate the model's reasoning. The two are separate. But governed retrieval makes injection attacks less harmful — the model can only claim things that are in the bounded evidence.

What's the difference between governed retrieval and simple access control?

Simple access control prevents a user from accessing a database. Governed retrieval prevents a model from retrieving unauthorized evidence for a specific query. It's granular (per-query, per-caller-role) rather than blanket (you have access or you don't).

Does governed retrieval work with semantic search?

Yes. The search happens in the authorized evidence pool. Vector similarity is calculated only across evidence the caller can access. REBAC filtering happens before the semantic search, not after.

Can I audit what evidence each model retrieval had access to?

Yes. The Claim Ledger records which evidence was in scope for each retrieval, which chunks were actually retrieved, and which were excluded and why (out of scope, rate-limited, coverage budget). Full auditability.

How does governed retrieval handle evidence that's sensitive but relevant?

The system distinguishes between evidence the caller can retrieve for reasoning (policy-bearing, must-ground claims in this) and evidence that informs the system but stays hidden (advisory, for internal gates only). A claim might require grounding in policy evidence, but not in advisory evidence.

Does governed retrieval add latency?

Minimally. REBAC filtering (checking authorization) is a database query — typically single-digit milliseconds. Semantic search on a filtered pool is the same speed as search on the full pool. Negligible latency cost.

Can an attacker bypass governed retrieval by manipulating the model?

No. The boundary is enforced in software, before the model even gets the data. An attacker would need to compromise the retrieval system itself, not just the model. The attack surface is smaller.

AI Security

What is governed retrieval security?

Last updated April 16, 2026

Governed retrieval security is the practice of enforcing access control, evidence integrity, and policy compliance at the moment an AI system retrieves information — not after generation, not at output filtering, but at the retrieval boundary itself. It prevents unauthorized data access (the model never sees evidence the principal isn't authorized to retrieve), guarantees evidence integrity (the chunks reaching the model are byte-identical to authoritative source versions), and enforces policy compliance per query (each retrieval scope is computed deterministically from the SIRE-tagged corpus and the principal's authorization).

Why this matters

Traditional RAG systems treat retrieval as invisible. The model asks for information, the system returns it, and nobody audits who accessed what. In regulated industries, that’s a data-governance violation.

Governed retrieval means:

Every retrieval request is authenticated and authorized (REBAC).
Only documents matching the requester’s clearance are returned.
The retrieval is logged with cryptographic proof.
An auditor can later verify what was accessed and by whom.

How it works

When a model requests information from the knowledge base:

Authentication: Verify the caller’s identity.
Authorization: Check their REBAC profile against the document’s access tags.
Retrieval: Return only documents they’re authorized to access.
Integrity: Sign the retrieval response with a tamper-evident hash.
Logging: Record the retrieval in the Claim Ledger — integrity-protected audit trail for every AI inference with the caller’s identity and clearance.

If a caller lacks authorization, they get nothing — not a redacted version, not an inference, nothing. The boundary is enforced before data leaves the database.

How Kenshiki Labs, the runtime AI governance control plane implements this

Kenshiki Labs’ Kura retrieval engine provides:

REBAC integration: Caller identity and clearances are checked against evidence access tags.
Evidence scoping: The retrieval pool is filtered based on authorization.
Tamper-evident responses: Retrieval results are cryptographically signed.
Claim Ledger integration: Every retrieval is logged with caller identity, authorization decision, and data returned.

This means cardholder data in your knowledge base stays protected even when the model has access to the knowledge base. The boundary is enforced at the retrieval layer, not the model layer.

Related concepts

REBAC (relationship-based access control) — How retrieval boundaries are enforced
What is runtime AI governance? — The architecture that enables governed retrieval