Part 4 · Prevention
Slide 20 of 27 · Mitigation Category 2 of 6
Enforce access controls when documents are retrieved, not just when they’re uploaded.
📄 OWASP LLM Top 10:2025 · LLM08 Prevention — Access Controls
M2 — Permission-Aware Vector Stores
Fine-Grained Access Controls Enforced at Retrieval Time

“Implement fine-grained access controls and permission-aware vector stores.” Tag every document with owner, group, and sensitivity level at ingest. Enforce those tags at retrieval: a query should only return documents the requesting user is authorized to see, regardless of cosine similarity score.

The cross-tenant leakage scenario (Slide 12, Scenario 2): HR queries surfaced clinical documents because the retrieval system ranked by similarity without checking authorization tags. A permission-aware query that pre-filters on "authorized_groups includes HR" before ranking would have returned only HR-accessible documents.

→ Tag every document at ingest with owner, department, sensitivity tier, and access group
→ Apply authorization filters as a pre-filter on the vector query — before similarity ranking, not after
→ Consider separate vector indexes per sensitivity tier for high-sensitivity environments — physically isolating embeddings is stronger than metadata-based filtering alone

Query as a low-privilege test user for content belonging to a high-privilege group. If restricted documents surface in results, retrieval-time ACLs are not enforced.
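
Added example (not part of the OWASP text or this deck): similarity-only retrieval beside a pre-filtered query over a constructed in-memory corpus, followed by the low-privilege test described above. The document names, 3-dimensional vectors, the max_sensitivity clearance parameter and all function names are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Doc:
    doc_id: str
    embedding: tuple              # constructed 3-d vector standing in for a real embedding
    owner: str
    department: str
    sensitivity: int              # assumed tiers: 0 = public ... 3 = restricted
    authorized_groups: frozenset

# Constructed sample corpus, tagged at ingest as the slide recommends.
CORPUS = [
    Doc("hr-leave-policy", (0.9, 0.1, 0.0), "alice", "hr", 1, frozenset({"hr"})),
    Doc("hr-benefits-faq", (0.6, 0.4, 0.1), "alice", "hr", 0, frozenset({"hr", "all-staff"})),
    Doc("clinical-patient-notes", (0.7, 0.7, 0.0), "dr-bob", "clinical", 3, frozenset({"clinical"})),
    Doc("clinical-leave-records", (0.95, 0.2, 0.0), "dr-bob", "clinical", 3, frozenset({"clinical"})),
]
QUERY = (1.0, 0.2, 0.0)           # constructed embedding of an HR user's question about leave

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

def rank(query, docs, k):
    return sorted(docs, key=lambda d: cosine(query, d.embedding), reverse=True)[:k]

def search_similarity_only(query, k=2):
    """Weak form: ranks the whole index and never consults authorization tags."""
    return [d.doc_id for d in rank(query, CORPUS, k)]

def search_permission_aware(query, user_groups, max_sensitivity, k=2):
    """Pre-filter on tags first, so unauthorized documents never enter ranking."""
    groups = frozenset(user_groups)
    allowed = [d for d in CORPUS
               if d.authorized_groups & groups and d.sensitivity <= max_sensitivity]
    return [d.doc_id for d in rank(query, allowed, k)]

def leaked(result_ids, user_groups):
    """Retrieval-time ACL test: returned ids the requesting user is not authorized to see."""
    by_id = {d.doc_id: d for d in CORPUS}
    return [i for i in result_ids if not by_id[i].authorized_groups & frozenset(user_groups)]

if __name__ == "__main__":
    print("similarity only :", search_similarity_only(QUERY))
    print("permission-aware:", search_permission_aware(QUERY, {"hr"}, 1))
```

With the weak search, the clinical record outranks the HR policy for the HR user's query; with the pre-filter it is never a ranking candidate, so no top-k or score threshold can bring it back.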
