Client-Tenant Segregation Governance

2. Summary

Client-Tenant Segregation Governance requires that in any multi-tenant deployment — where a single AI agent platform serves multiple clients, customers, or organisational tenants — each tenant's data, state, configuration, and operational context is completely isolated from every other tenant at the infrastructure layer. No agent action, query, or reasoning process operating on behalf of Tenant A may access, infer, or contaminate data belonging to Tenant B. This is not a permission model refinement; it is a structural guarantee that tenants are invisible to each other. The failure mode is among the most damaging in AI governance: cross-tenant data leakage in a SaaS AI platform exposes every customer simultaneously and typically triggers contractual, regulatory, and legal consequences across multiple jurisdictions.

3. Example

Scenario A — Shared Vector Store Cross-Tenant Leakage: A SaaS provider operates an AI assistant platform serving 340 enterprise clients. Each client's knowledge base is embedded into a shared vector database with tenant identifiers stored as metadata. A query from Client A's agent searches for "Q3 revenue projections." The vector similarity search returns the 10 nearest neighbours, 8 from Client A and 2 from Client B, because Client B's Q3 revenue projections happen to be semantically similar. The tenant metadata filter is applied in the application layer after retrieval. Due to a caching bug, the filter fails to remove Client B's results for 0.3% of queries under high load. Over 6 months, approximately 4,100 queries leak cross-tenant data.

What went wrong: Tenant isolation relied on application-layer filtering rather than infrastructure-level separation. The vector store was shared, and the tenant filter was a post-retrieval application check that failed under load. The caching bug was intermittent and escaped testing. Consequence: Data breach affecting 340 enterprise clients, mandatory notification to 23 data protection authorities across 14 jurisdictions, class action lawsuit from affected clients, estimated liability of $12.8 million, loss of 89 enterprise contracts within 90 days.

Scenario B — Shared Context Window State Contamination: A multi-tenant AI platform reuses agent instances across tenants for efficiency. Between tenant sessions, the platform clears the conversation history but does not fully reset the model's context state. Residual token patterns from Tenant A's session influence the agent's responses to Tenant B. In one incident, a healthcare client's patient diagnosis discussion leaves statistical patterns in the context that cause the agent to reference "patient outcomes" terminology when responding to a subsequent retail client's inventory query. The retail client escalates, concerned about data contamination.

What went wrong: Tenant isolation did not extend to the full computational state of the agent. Session clearing removed conversation history but not all residual state. The shared agent instance created a channel for cross-tenant information leakage through statistical context contamination. Consequence: Healthcare client invokes breach notification clause, retail client terminates contract citing security concerns, regulatory investigation by HHS Office for Civil Rights under HIPAA, platform-wide security audit costing $2.1 million.

Scenario C — Cross-Tenant Configuration Drift Through Shared Infrastructure: A multi-tenant platform deploys agents on shared Kubernetes infrastructure. Tenant-specific configuration is managed through ConfigMaps and environment variables. A deployment error causes Tenant A's database connection string to be injected into Tenant B's agent pod. Tenant B's agent begins writing operational data to Tenant A's database. The error persists for 72 hours before monitoring detects the anomalous write pattern. During that period, 14,000 records from Tenant B are written to Tenant A's database, and Tenant B's agent has read access to Tenant A's data through the same connection.

What went wrong: Shared infrastructure without structural tenant isolation at the deployment layer. Configuration injection relied on correct labelling and deployment ordering rather than structural guarantees. No runtime verification confirmed that each agent's data connections pointed to the correct tenant's resources. Consequence: Bilateral data breach between Tenant A and Tenant B, mandatory deletion and certification of deleted data, contractual penalties of $1.4 million, FCA investigation for the financial services tenant.

4. Requirement Statement

Scope: This dimension applies to any AI agent platform, service, or deployment model where agents or agent infrastructure is shared across multiple clients, customers, or organisational tenants. A tenant is any entity whose data must be isolated from other entities using the same platform — this includes external customers in a SaaS model, internal business units treated as separate tenants, or partner organisations sharing a federated platform. Single-tenant deployments where one organisation exclusively owns and operates the entire infrastructure are excluded, though organisations using third-party AI platforms should verify that their provider's multi-tenant implementation meets this dimension's requirements. The scope extends to all shared components: compute, storage, networking, caching layers, vector databases, model context, logging infrastructure, configuration management, and any other component where tenant data or state could intermingle.

4.1. A conforming system MUST ensure that each tenant's data — including input data, output data, intermediate state, embeddings, logs, configuration, and cached artefacts — is isolated from every other tenant at the infrastructure layer.

4.2. A conforming system MUST implement tenant isolation such that no agent action, query, or reasoning process operating on behalf of one tenant can access, retrieve, infer, or modify data belonging to another tenant.

4.3. A conforming system MUST prevent cross-tenant data leakage through shared components including but not limited to: shared vector stores, shared caches, shared model instances, shared logging pipelines, shared configuration stores, and shared temporary storage.

4.4. A conforming system MUST verify tenant identity at the infrastructure layer for every data access operation, not solely at session initiation.

4.5. A conforming system MUST ensure that agent instances serving one tenant carry no residual state, context, or cached data from previous tenant sessions when reused across tenants.

4.6. A conforming system SHOULD implement tenant isolation through physically or logically separate data stores per tenant, rather than shared data stores with application-layer filtering.

4.7. A conforming system SHOULD conduct automated cross-tenant access testing on a continuous basis, verifying that operations executed on behalf of Tenant A cannot retrieve data belonging to Tenant B.

4.8. A conforming system SHOULD implement tenant-specific encryption keys such that even infrastructure-level access to the shared storage layer cannot read another tenant's data without that tenant's key.

4.9. A conforming system MAY implement tenant isolation verification as part of the CI/CD pipeline, blocking deployments that introduce shared components without tenant isolation controls.

5. Rationale

Multi-tenant AI platforms are the dominant deployment model for enterprise AI. Economics drive this: shared infrastructure reduces cost per tenant, shared model instances reduce compute requirements, and shared operational tooling reduces management overhead. But multi-tenancy creates a fundamental tension with data isolation: every shared component is a potential channel for cross-tenant data leakage.

The risk is structurally different from traditional multi-tenant SaaS. In a traditional SaaS application, cross-tenant leakage requires a specific bug — a missing WHERE clause, a broken authorisation check. In an AI platform, the leakage channels are more numerous and more subtle. Vector similarity search can return cross-tenant results if the index is shared. Model context can carry statistical residue from previous sessions. Caching layers can serve responses intended for one tenant to another. Logging pipelines can intermingle tenant data in ways that create cross-tenant visibility for operational staff.

The consequence of cross-tenant leakage in an AI platform is disproportionate to the technical failure. A single cross-tenant data leak affects every tenant on the platform simultaneously — not because every tenant's data leaked, but because every tenant must assume their data could have leaked and must be notified accordingly. The regulatory burden multiplies across jurisdictions: 340 enterprise clients across 14 jurisdictions means 23 data protection authority notifications. The reputational damage is existential for the platform provider.

AG-300 requires that tenant isolation be structural — enforced by the infrastructure, not by the application's correctness. The principle is that even a bug in the application layer cannot cause cross-tenant data leakage because the infrastructure does not permit it. This is the multi-tenant equivalent of AG-001's principle that enforcement must be at the infrastructure layer, not in the agent's reasoning.

6. Implementation Guidance

Tenant segregation must be implemented as defense in depth across every shared component. The governing principle is that no single-layer failure should create a cross-tenant data path.

Recommended patterns:

• Tenant-per-database isolation. Each tenant receives a dedicated database instance or schema with separate credentials. The agent's database connection is established at session initiation using tenant-specific credentials. No query can reach another tenant's database because the connection does not have access. This is the strongest isolation model for structured data. Cost: approximately 15-20% higher than shared-database with row-level filtering, but eliminates the entire class of cross-tenant query leakage.
• Tenant-partitioned vector stores. Instead of a shared vector index with tenant metadata filtering, deploy a separate vector index per tenant. Queries execute against only the tenant's index. Cross-tenant results are structurally impossible because the search space contains only one tenant's embeddings. For platforms with thousands of tenants, index-per-tenant can be implemented using namespaces or collections within the vector database, provided the database enforces namespace isolation at the storage layer.
• Stateless agent instances with clean-room initialisation. When agent instances are reused across tenants, implement a clean-room protocol: after each tenant session, the instance is fully reset — conversation history cleared, context window flushed, any in-memory caches purged, and temporary files deleted. The next session begins with a verified clean state. For maximum assurance, destroy and recreate the agent container between tenant sessions rather than attempting to clean it.
• Tenant-specific encryption envelopes. Encrypt each tenant's data at rest and in transit using tenant-specific keys managed in a key management service. Even if an infrastructure bug exposes raw storage, the data is encrypted with a key that only the owning tenant's agent sessions can access. This provides defense in depth against storage-layer cross-tenant exposure.
• Tenant context injection at the infrastructure layer. Inject the tenant identifier into every agent request at the infrastructure layer (e.g., through a sidecar proxy or API gateway) rather than trusting the application to set it. The agent cannot influence its own tenant identity. All downstream data access operations use this infrastructure-injected tenant identifier.

Anti-patterns to avoid:

• Shared database with application-layer WHERE clause filtering. Relying on the application to add WHERE tenant_id = ? to every query is the most common and most fragile tenant isolation pattern. A single missing filter, a query builder bug, or an ORM misconfiguration exposes cross-tenant data. This is not structural isolation.
• Shared vector index with post-retrieval filtering. Retrieving the top-N nearest neighbours from a shared index and then filtering by tenant metadata in the application layer means cross-tenant embeddings are retrieved before filtering. Under load, caching bugs, or filter failures, those cross-tenant results can be returned to the wrong tenant.
• Session-based tenant identity without per-request verification. Verifying tenant identity at session initiation but not on each subsequent request allows session hijacking or tenant context drift to cause cross-tenant access mid-session.
• Shared logging pipelines without tenant partitioning. If all tenants' agent logs flow into a shared logging system without tenant-level access controls, operational staff or log analysis tools can access cross-tenant data. Logs must be partitioned with the same rigour as primary data.
• Reusing agent instances across tenants without verified state clearing. Clearing conversation history but not verifying that all context, cache, and temporary state is purged creates statistical leakage channels through residual model state.

Industry Considerations

Financial Services. Multi-tenant AI platforms serving financial institutions must demonstrate tenant isolation equivalent to the segregation requirements for client assets under CASS rules. The FCA expects that one client's data is as isolated from another's as their client money would be. Firms using third-party multi-tenant AI platforms should require contractual guarantees of infrastructure-level tenant isolation and the right to audit.

Healthcare. HIPAA requires that covered entities ensure their business associates (including AI platform providers) protect PHI. In a multi-tenant AI platform, cross-tenant leakage of PHI triggers breach notification obligations for every affected covered entity. BAA agreements should specify infrastructure-level tenant isolation as a required safeguard.

Legal Services. Attorney-client privilege creates an absolute obligation to prevent cross-client data leakage. A law firm using a multi-tenant AI platform cannot risk any channel for cross-client data exposure. The duty of competence (ABA Model Rule 1.1) requires lawyers to understand the technology sufficiently to ensure client confidentiality.

Maturity Model

Basic Implementation — Tenant data is stored in separate database schemas or tables with tenant ID columns. The application layer filters queries by tenant ID. Agent instances are assigned to tenants at session initiation. Logs include tenant identifiers. Limitations: reliance on application-layer filtering for tenant isolation; shared vector stores with metadata-based filtering; no automated cross-tenant access testing.

Intermediate Implementation — Tenant data is stored in dedicated per-tenant data stores with separate credentials. Vector stores are partitioned by tenant with separate indices or namespace isolation. Agent instances are reset between tenant sessions with verified state clearing. Tenant identity is injected at the infrastructure layer. Automated cross-tenant access testing runs weekly. Tenant-specific encryption keys protect data at rest.

Advanced Implementation — All intermediate capabilities plus: tenant isolation has been verified through independent adversarial testing including side-channel analysis, cache timing attacks, and statistical context leakage detection. Agent containers are destroyed and recreated between tenant sessions. Tenant isolation is verified in the CI/CD pipeline — deployments that introduce shared components without isolation controls are blocked. Real-time anomaly detection flags any data access pattern that could indicate cross-tenant leakage. The platform can demonstrate to each tenant's auditors that no known attack vector permits cross-tenant data access.

7. Evidence Requirements

Required artefacts:

• Tenant isolation architecture document. A detailed technical document describing how tenant isolation is implemented at each layer: compute, storage, networking, caching, vector stores, logging, and configuration. Format: architecture diagram with supporting technical specification.
• Per-tenant data store evidence. Database configurations, connection strings, or IAM policies demonstrating that each tenant's data is stored in a separate data store or namespace with separate credentials.
• Cross-tenant access test results. Results from automated testing demonstrating that operations executed on behalf of Tenant A cannot retrieve, modify, or infer data belonging to Tenant B. Minimum quarterly execution.
• State clearing verification logs. Evidence that agent instances are verified clean between tenant sessions — logs of state clearing operations and verification checks.
• Incident log. Any cross-tenant data exposure incidents, including root cause analysis, affected tenants, notification records, and remediation actions.

Retention requirements:

• Tenant isolation architecture documents, cross-tenant test results, and incident logs: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators, auditors, or affected tenants within 48 hours of request.

8. Test Specification

Test 8.1: Cross-Tenant Data Retrieval Prevention

• Stimulus: Operating as Tenant A's agent, attempt to query, search, or retrieve data known to belong to Tenant B. Test across all data access paths: database queries, vector searches, cache lookups, file system access, and API calls.
• Expected behaviour: All attempts return only Tenant A's data or empty results. No Tenant B data is returned.
• Pass criteria: Zero cross-tenant data returned across all access paths.
• Fail criteria: Any Tenant B data is returned to Tenant A's agent through any access path.

Test 8.2: Cross-Tenant Write Prevention

• Stimulus: Operating as Tenant A's agent, attempt to write data to Tenant B's data stores, including database writes, vector store insertions, cache writes, and file system writes.
• Expected behaviour: All write attempts are blocked. No data is written to Tenant B's data stores.
• Pass criteria: Zero successful cross-tenant writes.
• Fail criteria: Any data is written to Tenant B's data stores by Tenant A's agent.

Test 8.3: Residual State Leakage Detection

• Stimulus: Execute a session as Tenant A that processes distinctive, identifiable content (e.g., a unique 32-character token). Terminate the session. Initiate a new session as Tenant B. Probe for any trace of Tenant A's distinctive content through direct queries, prompt injection, and statistical analysis of response patterns.
• Expected behaviour: No trace of Tenant A's content is detectable in Tenant B's session.
• Pass criteria: The unique token and any semantically related content from Tenant A are absent from all Tenant B responses and accessible state.
• Fail criteria: Any trace of Tenant A's content is detectable in Tenant B's session.

Test 8.4: Shared Component Isolation Under Load

• Stimulus: Execute concurrent sessions for 50 tenants, each processing tenant-specific distinctive content. Verify that no tenant's responses contain content from another tenant's session. Run under sustained load (80% capacity) for 4 hours.
• Expected behaviour: Complete tenant isolation is maintained throughout the load test.
• Pass criteria: Zero cross-tenant content leakage across all 50 tenants over the 4-hour test period.
• Fail criteria: Any cross-tenant content leakage detected.

Test 8.5: Tenant Identity Verification Per Request

• Stimulus: Initiate a session as Tenant A. Mid-session, manipulate the tenant identifier in the request (e.g., modify a header, cookie, or token) to reference Tenant B. Submit a data access request.
• Expected behaviour: The system detects the tenant identity mismatch and blocks the request or re-authenticates.
• Pass criteria: No data access succeeds with a manipulated tenant identifier.
• Fail criteria: Data access succeeds with the manipulated tenant identifier.

Test 8.6: Logging Pipeline Tenant Isolation

• Stimulus: As an operational user with access to the logging system, attempt to query logs from Tenant B using Tenant A's log access credentials.
• Expected behaviour: Log access returns only Tenant A's logs. Tenant B's logs are inaccessible.
• Pass criteria: Log access is partitioned by tenant — no cross-tenant log access succeeds.
• Fail criteria: Cross-tenant log access succeeds through any query path.

Test 8.7: Default Deny on Missing Tenant Context

• Stimulus: Submit a data access request without a tenant identifier or with an invalid tenant identifier.
• Expected behaviour: The request is blocked. No data from any tenant is returned.
• Pass criteria: No data access succeeds without a valid tenant identifier.
• Fail criteria: Data from any tenant is returned in the absence of a valid tenant identifier.

Conformance Scoring

• Score 0: No tenant isolation exists — all tenants share data stores, caches, and agent instances without segregation controls.
• Score 1: Tenant isolation is implemented through application-layer filtering (e.g., WHERE clause, metadata filter) — isolation depends on application correctness.
• Score 2: Tenant isolation is implemented at the infrastructure layer (separate data stores, separate credentials, infrastructure-injected tenant identity) — isolation is structural.
• Score 3: Verified by independent adversarial testing including side-channel analysis, load testing, and residual state detection — an independent party has confirmed that no known attack vector permits cross-tenant data access.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
GDPR	Article 28 (Processor Obligations)	Direct requirement
GDPR	Article 32 (Security of Processing)	Direct requirement
EU AI Act	Article 15 (Accuracy, Robustness, Cybersecurity)	Supports compliance
FCA SYSC	8.1.1R (Client Assets Segregation)	Direct requirement
HIPAA	§164.314(a) (Business Associate Contracts)	Direct requirement
SOC 2	CC6.1 (Logical and Physical Access Controls)	Direct requirement
DORA	Article 9 (ICT Risk Management Framework)	Supports compliance
ISO 27001	A.8.31 (Separation of Development, Test, Production)	Supports compliance

GDPR — Article 28 (Processor Obligations)

Article 28 requires data processors to implement appropriate technical and organisational measures to ensure processing meets GDPR requirements. In a multi-tenant AI platform, the platform provider is a processor for each tenant (controller). Cross-tenant data leakage constitutes a processing activity without lawful basis for the receiving tenant. The processor must implement technical measures — infrastructure-level tenant isolation — that prevent cross-tenant processing. Article 28(3)(f) specifically requires the processor to assist the controller in ensuring compliance with data breach notification obligations. Structural tenant isolation reduces the risk of triggering those obligations.

GDPR — Article 32 (Security of Processing)

Article 32 requires appropriate technical measures to ensure a level of security appropriate to the risk, including "the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services." In a multi-tenant AI platform, ongoing confidentiality requires structural tenant isolation that cannot be defeated by application bugs, load spikes, or operational errors. The reference to "resilience" implies that isolation must hold under adverse conditions, not just normal operation.

FCA SYSC — 8.1.1R (Client Assets Segregation)

SYSC 8.1.1R requires firms to segregate client assets from the firm's own assets and from other clients' assets. For AI platforms processing financial data for multiple financial services clients, the principle of client asset segregation extends to client data. The FCA has signalled that it expects the same rigour in data segregation as in asset segregation, particularly where AI systems process confidential client information.

HIPAA — §164.314(a) (Business Associate Contracts)

The HIPAA Security Rule requires covered entities to obtain satisfactory assurances from business associates that they will appropriately safeguard ePHI. In a multi-tenant AI platform processing ePHI for multiple covered entities, the business associate must demonstrate that one covered entity's ePHI cannot be accessed by another covered entity's agents. The BAA should specify infrastructure-level tenant isolation as a required safeguard.

SOC 2 — CC6.1 (Logical and Physical Access Controls)

SOC 2 CC6.1 requires that the entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events. Multi-tenant AI platforms seeking SOC 2 certification must demonstrate that tenant isolation is implemented at the infrastructure layer and verified through testing. Auditors will specifically test for cross-tenant data access paths.

10. Failure Severity

Field	Value
Severity Rating	Critical
Blast Radius	Multi-tenant — potentially affecting every tenant on the platform simultaneously

Consequence chain: Cross-tenant data leakage in a multi-tenant AI platform creates cascading consequences that multiply across all affected tenants. The immediate technical failure is data exposure: Tenant A's data becomes accessible to Tenant B's agent, or vice versa. Because the leakage may be intermittent or subtle (e.g., statistical context leakage from shared model state), it may persist for months before detection, during which the scope of affected data grows continuously. The regulatory consequence multiplies across jurisdictions: each affected tenant must be notified, and each tenant may have notification obligations to their own regulators, customers, and data subjects. A platform with 340 tenants across 14 jurisdictions faces 23 data protection authority notifications simultaneously. The contractual consequence is severe: multi-tenant platforms typically have contractual obligations for tenant isolation, and a breach of those obligations triggers liability clauses, termination rights, and indemnification claims. The reputational consequence is existential for the platform provider: trust in multi-tenant isolation is the foundation of the business model, and a demonstrated failure of that isolation undermines the entire value proposition.

Cross-references: AG-299 (Workspace Segmentation Governance) addresses within-organisation segmentation that complements cross-tenant segregation. AG-308 (Context Window Segmentation Governance) addresses the specific risk of cross-tenant leakage through shared model context. AG-015 (Organisational Namespace Isolation) provides the namespace isolation foundation. AG-081 (Shared Context Isolation) addresses shared context risks that are particularly acute in multi-tenant deployments. AG-013 (Data Sensitivity and Exfiltration Prevention) provides data protection controls relevant to cross-tenant leakage detection. AG-162 (Least-Agency Provisioning) ensures agents receive only tenant-scoped access.