Agents & Retrieval
PlannedEnterprise Agentic RAG Copilot + Incident Commander
A permission-aware agentic copilot that assists incident response.
This system is planned. The case study describes the intended design; metrics are targets or planned, not measured results.
Problem
Naive RAG agents retrieve across everything and execute tools directly, leaking documents across tenants and taking risky actions with no audit trail or approval step.
Why this matters
Enterprises adopting agents need permissioned retrieval, guarded tools, and audit. That governance layer is what decides whether agentic products are actually shippable for AI platform vendors and their enterprise customers.
Constraints
- Retrieval must enforce per-document and per-tenant permissions.
- Risky tools require explicit human approval.
- Every tool call and decision is logged for audit.
- Prompt-injection is treated as an expected attack, not an edge case.
Architecture
Interface
- Copilot UI
- Approval queue
Agent
- Planner
- Guarded tools
- Injection defenses
Retrieval
- Permission filter
- Vector + keyword search
Audit
- Decision log
- Trace by incident ID
Data flow
A query is planned, retrieval is filtered by permissions, tools run (risky ones pause for approval), and every step is written to an incident-correlated audit log.
Control plane vs data plane
Control: Approval queue, policy for which tools are risky, and the audit log.
Data: The agent loop: planning, permission-filtered retrieval, and tool execution.
Core capabilities
- Permission-aware retrieval evaluated at query time.
- A tool layer with an approval gate for high-risk actions.
- Incident workflows: triage, summarize, propose mitigations.
- Full auditability of what the agent saw and did.
Staff-level tradeoffs
Human approval for risky tools instead of full autonomy.
Auditable, safe-by-default behavior matters more than a flashy fully-autonomous demo.
Permissions enforced at retrieval, not just in the UI.
Tenant isolation has to hold at the data boundary; UI checks are not security.
Tech stack
Frontend
- Next.js
- React
- TypeScript
Backend
- Python
- LLM tool layer
ML / Data
- Vector search
- hybrid ranking
Infrastructure
- Kubernetes
Observability
- structured audit logs
- traces
Metrics
- Cross-tenant retrieval leakage Target
- 0 (permission-filtered)
- Risky actions without approval Planned
- 0 (approval-gated)
- Prompt-injection test suite Planned
- Baseline + regression cases
- Retrieval p95 latency Target
- Bounded for interactive use
Metrics are labeled measured, target, or planned. Nothing here is an achieved result unless it is marked measured.
Failure modes
Prompt-injection attempt
Blocked by injection defenses and recorded in the audit log.
Over-broad retrieval request
Permission filter denies out-of-scope documents before the model sees them.
Risky tool invoked
Held in the approval queue until a human approves; nothing executes silently.
What's next
- Stand up permission-filtered retrieval with a small governed corpus.
- Add the approval queue and injection test suite.