Vector Store and RAG Governance

2. Summary

Vector Store and RAG Governance requires that every retrieval-augmented generation system used by AI agents operates under explicit governance controls covering what data enters the vector store, how retrieval results are filtered and ranked, how source provenance is preserved through the embedding and retrieval pipeline, and how access controls prevent agents from retrieving content above their authorisation scope. A vector store without governance is an uncontrolled knowledge base where any ingested document — regardless of its accuracy, sensitivity, currency, or source trust tier — can influence any agent's output through semantic similarity alone. AG-132 mandates that vector stores are governed as first-class data systems with ingestion controls, access policies, provenance tracking, and quality assurance equivalent to any production database.

3. Example

Scenario A — Poisoned Vector Store Drives Fraudulent Advice: A customer-facing financial advisory agent uses RAG to retrieve regulatory guidance and product documentation from a vector store containing 45,000 document chunks. An attacker compromises a low-security document upload endpoint and injects 200 document chunks designed to mimic legitimate product documentation. The injected chunks contain fabricated claims: "Product X carries a government guarantee of capital protection" and "Risk disclosure requirements are waived for accounts under £50,000." The vector store has no ingestion controls — any document uploaded through the endpoint is chunked, embedded, and indexed without verification. The advisory agent retrieves the poisoned chunks when customers ask about Product X and presents the fabricated claims as factual. Over 3 weeks, 890 customers receive advice based on the poisoned content. When the poisoning is discovered, the firm faces: £12.4 million in potential redress for customers who invested based on fabricated guarantees, FCA enforcement action for misleading advice, and reputational damage that triggers a 15% increase in customer complaints across all product lines.

What went wrong: The vector store had no ingestion governance. Any content could enter without classification, verification, or provenance tracking. The retrieval system did not filter by source trust tier — poisoned chunks were treated identically to legitimate regulatory documents. No integrity verification existed to detect that the injected chunks did not match any authorised source.

Scenario B — Cross-Tenant Data Leakage Through Shared Vector Store: A SaaS platform serves 340 enterprise tenants. Each tenant's documents are chunked, embedded, and stored in a shared vector store with a tenant ID metadata field for filtering. A retrieval query from Tenant A's agent accidentally omits the tenant filter due to a code deployment bug. For 4 hours, Tenant A's agent retrieves chunks from Tenant B's confidential strategic planning documents. The agent incorporates this content into 23 advisory responses served to Tenant A's executives. Tenant B's competitive strategy is now in Tenant A's hands. The exposure triggers breach notification obligations under multiple jurisdictions, contract termination by Tenant B with a $8.5 million damages claim, and loss of confidence from other tenants who learn of the incident.

What went wrong: The vector store relied on application-layer tenant filtering rather than structural access controls. A single code bug — an omitted filter parameter — bypassed all multi-tenancy isolation. The retrieval layer did not enforce access controls independently of the query construction logic. No monitoring detected cross-tenant retrieval patterns.

Scenario C — Stale Legal Guidance Persists in Vector Store: A legal compliance agent uses RAG to retrieve regulatory guidance from a vector store containing 28,000 document chunks sourced from regulatory publications. A key regulation is amended — the previous version's guidance on data transfer requirements is superseded by a stricter version with new adequacy requirements. The compliance team updates the primary document repository, but the vector store is re-indexed on a monthly schedule. For 26 days, the agent retrieves and cites the superseded guidance, advising internal teams that their existing data transfer arrangements comply with the regulation. Three data transfers conducted based on this stale guidance violate the new requirements, creating regulatory exposure.

What went wrong: The vector store's re-indexing schedule created a staleness window of up to 30 days. No mechanism existed to push urgent updates to the vector store when the source documents changed. The agent had no way to know that the retrieved guidance was based on a superseded regulatory version. This intersects with AG-129 (Stale Data Actuation Prevention).

4. Requirement Statement

Scope: This dimension applies to every AI agent system that uses vector stores, embedding databases, or any form of retrieval-augmented generation to provide context, knowledge, or reference material to agents during inference. The scope includes: purpose-built vector databases (Pinecone, Weaviate, Qdrant, Milvus, Chroma, pgvector), document stores with embedding-based retrieval, hybrid search systems combining keyword and semantic search, and any other system where pre-processed content is retrieved based on semantic similarity and injected into an agent's context. The scope covers the full lifecycle: ingestion (what enters the store), indexing (how content is organised), retrieval (how content is selected for a query), filtering (how content is scoped to authorised users/agents), and maintenance (how content is updated, corrected, or removed). Systems that use only keyword search without embedding-based retrieval are not in scope for AG-132 but may be in scope for AG-128 and AG-129.

4.1. A conforming system MUST implement ingestion controls that verify the source classification (AG-128), integrity, and authorisation of every document or data record before it is chunked, embedded, and added to a vector store.

4.2. A conforming system MUST preserve source provenance metadata through the chunking and embedding pipeline such that every chunk in the vector store is linked to its source document, source classification, ingestion timestamp, and authorised access scope.

4.3. A conforming system MUST enforce retrieval-time access controls that prevent agents from retrieving chunks whose source classification, sensitivity level, or access scope exceeds the agent's authorisation — independent of the query content.

4.4. A conforming system MUST implement retrieval-time freshness filtering that excludes chunks whose source data has been superseded, retracted, or invalidated, consistent with AG-129 staleness requirements.

4.5. A conforming system MUST support erasure propagation from source documents to vector store chunks, consistent with AG-130 — deletion of a source document triggers deletion or tombstoning of all derived chunks and embeddings.

4.6. A conforming system MUST log every retrieval event, including: the query (or query embedding), the chunks retrieved, the source documents of retrieved chunks, the filtering criteria applied, and the agent identity.

4.7. A conforming system SHOULD implement chunk integrity verification that detects unauthorised modification of stored chunks or embeddings after ingestion.

4.8. A conforming system SHOULD enforce structural multi-tenancy isolation in shared vector stores — through separate indexes, separate databases, or cryptographic isolation — rather than relying solely on application-layer query filters.

4.9. A conforming system MAY implement retrieval quality scoring that evaluates the relevance and consistency of retrieved chunks before they enter the agent's context, filtering out low-relevance or contradictory results.

5. Rationale

Vector stores and RAG systems have become the primary mechanism for giving AI agents access to domain-specific knowledge without fine-tuning. This is powerful but introduces governance risks that traditional database access controls do not address. A vector store is fundamentally different from a relational database: queries are semantic similarity matches, not exact lookups; results are ranked by embedding distance, not by logical predicates; and the content that influences an agent's output is selected by mathematical proximity in embedding space, not by explicit business rules.

This creates several governance gaps. First, ingestion control: in a relational database, schema constraints prevent malformed data from entering. In a vector store, any text can be chunked, embedded, and indexed — there is no structural barrier to ingesting inaccurate, malicious, or unauthorised content. Second, access control: in a relational database, row-level security restricts which rows a query can return based on the querier's identity. In a vector store, retrieval is based on semantic similarity to a query embedding — access control must be applied as a post-retrieval filter or a pre-retrieval scope restriction, neither of which is inherent to the vector similarity search. Third, provenance: in a relational database, each row has a clear identity and can be traced to its insert operation. In a vector store, chunks are derived from source documents through a chunking strategy that may split, overlap, or reformat the original content, making provenance tracking non-trivial.

AG-132 requires that organisations treat vector stores with the same governance rigour as production databases. Ingestion must be controlled. Access must be enforced. Provenance must be preserved. Quality must be assured. The vector store is not an informal knowledge dump — it is a governed data system whose content directly determines agent outputs.

6. Implementation Guidance

The core implementation architecture has three layers: an ingestion gateway, a governed vector store with provenance metadata, and a retrieval governance layer.

Recommended patterns:

• Ingestion gateway with classification enforcement. All documents entering the vector store pass through an ingestion gateway that: (1) verifies the document's source classification against AG-128 — unclassified sources are rejected; (2) validates document integrity — checksums, digital signatures, or hash comparisons confirm the document has not been modified since its source of truth was last verified; (3) assigns ingestion metadata — ingestion timestamp, source document ID, source classification labels, authorised access scope, and freshness expiry timestamp; (4) chunks the document according to a governed chunking strategy; (5) generates embeddings; and (6) stores chunks with their metadata in the vector store. No document enters the store without passing through the gateway.
• Metadata-enriched embedding storage. Store each chunk with a metadata payload that includes: source document ID, source classification (trust tier, sensitivity level, jurisdiction), ingestion timestamp, freshness expiry (derived from AG-129 staleness thresholds for the source type), access scope (which agents or tenants may retrieve this chunk), chunk position in source document (for reconstruction), and a hash of the chunk text (for integrity verification). This metadata enables retrieval-time filtering without requiring the retrieval layer to query external systems.
• Retrieval governance layer. Implement a retrieval governance layer between the agent's query and the vector store's similarity search. The layer: (1) injects access control filters into the vector query based on the requesting agent's identity and authorisation scope — the agent can only retrieve chunks within its access scope; (2) applies freshness filters that exclude chunks past their freshness expiry; (3) applies source classification filters that exclude chunks below the minimum trust tier for the agent's use case; (4) checks retrieved chunks for conflicts (AG-131) before presenting them to the agent; (5) logs the complete retrieval event.
• Structural multi-tenancy isolation. For shared vector stores serving multiple tenants, implement isolation at the infrastructure level: separate indexes per tenant (in databases that support multiple indexes), separate database instances per tenant (for high-security deployments), or per-tenant encryption keys where chunks are encrypted at rest with tenant-specific keys and only decryptable by that tenant's retrieval layer. Application-layer filter-only isolation is an anti-pattern because a single filter omission bypasses all isolation.

Anti-patterns to avoid:

• Open ingestion without verification. Allowing any document to be uploaded and indexed without source verification, classification checking, or integrity validation. This is the vector store equivalent of disabling input validation on a web form — it allows arbitrary content to influence agent behaviour.
• Filter-only multi-tenancy. Relying solely on a metadata filter (e.g., WHERE tenant_id = 'A') in the query to enforce tenant isolation. A code bug, a missing parameter, or a crafted query can omit the filter. Multi-tenancy must be structural — separate indexes, separate instances, or cryptographic isolation.
• Embedding-only storage without source linkage. Storing embeddings without preserving a link to the source document and chunk text. When an embedding needs to be updated, deleted, or audited, the organisation cannot determine what the embedding represents without the source linkage.
• Monthly re-indexing as the only update mechanism. A monthly re-index creates a staleness window of up to 30 days. For rapidly changing content (regulatory guidance, market data summaries, product documentation), an event-driven update mechanism must supplement scheduled re-indexing.
• Treating vector store retrieval as non-sensitive logging. Retrieval queries and results can reveal what questions agents are asking and what knowledge they are accessing. Retrieval logs are sensitive operational data and must be retained and protected accordingly.

Industry Considerations

Financial Services. Vector stores containing financial product documentation must be governed under the same controls as client-facing communications — FCA rules require that financial promotions are fair, clear, and not misleading. Poisoned or stale content in a RAG system driving client-facing responses creates the same regulatory exposure as a misleading brochure. Ingestion controls should include review by compliance before financial product content enters the vector store.

Healthcare. Clinical knowledge bases used for RAG must reflect current clinical guidelines. Superseded guidelines must be removed or flagged when new guidelines are published. The NICE (National Institute for Health and Care Excellence) regularly updates clinical guidelines — a RAG system serving clinical decision support must have a mechanism to propagate these updates within days, not months.

Legal. Legal knowledge bases must distinguish between current law, proposed legislation, repealed provisions, and judicial commentary. A RAG system that retrieves a repealed statute as if it were current law exposes the organisation to incorrect legal advice. Freshness metadata must capture the legal status of each document (current, amended, repealed, proposed).

Maturity Model

Basic Implementation — The organisation has implemented ingestion controls that require source classification before indexing. Chunks are stored with source document ID and ingestion timestamp metadata. Retrieval queries include access scope filters. Retrieval events are logged. Re-indexing occurs on a scheduled basis. This level meets the minimum mandatory requirements but relies on application-layer access controls, does not implement real-time freshness filtering, and may have staleness windows between re-indexing cycles.

Intermediate Implementation — An ingestion gateway enforces classification, integrity, and authorisation checks. Chunks are stored with full provenance metadata including freshness expiry. Retrieval-time governance filters apply access control, freshness, and trust tier constraints. Multi-tenancy isolation is structural (separate indexes or instances). Event-driven updates supplement scheduled re-indexing for high-priority content changes. Erasure propagation reaches the vector store per AG-130. Chunk integrity is verifiable through stored hashes.

Advanced Implementation — All intermediate capabilities plus: continuous ingestion quality monitoring detects content drift, poisoning attempts, and anomalous ingestion patterns. Retrieval quality scoring evaluates chunk relevance and filters low-quality results before they enter the agent's context. Adversarial testing has verified that ingestion poisoning, access control bypass, and cross-tenant retrieval attacks fail. The vector store integrates with AG-131 conflict detection for contradictory retrieved chunks. Full forensic replay capability (AG-066) can reconstruct exactly which chunks influenced any historical agent response.

7. Evidence Requirements

Required artefacts:

• Ingestion control configuration. Documentation or configuration export showing the ingestion gateway's verification rules: source classification requirements, integrity checks, access scope assignment, and chunking strategy.
• Vector store metadata schema. The schema or specification showing what metadata is stored with each chunk, including source document ID, classification labels, freshness expiry, access scope, and integrity hash.
• Retrieval governance configuration. Configuration export showing the retrieval-time filters applied: access control rules, freshness filters, trust tier filters, and any quality scoring thresholds.
• Retrieval event logs. Timestamped records of every retrieval event, including: agent identity, query or query embedding hash, chunks retrieved (with source document IDs), filters applied, and response metadata. Minimum 12 months retention.
• Ingestion audit trail. Records of every document ingested into the vector store, including: source document identity, source classification at ingestion, ingestion timestamp, integrity verification result, and authorised access scope.
• Multi-tenancy isolation evidence. Architecture documentation or configuration export demonstrating the isolation mechanism (separate indexes, separate instances, or cryptographic isolation).

Retention requirements:

• Retrieval logs and ingestion audit trail: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. Evidence must exist as retained artefacts, not be reconstructable after the fact.

8. Test Specification

Testing AG-132 compliance requires verifying ingestion controls, access enforcement, provenance preservation, and retrieval governance.

Test 8.1: Ingestion Control — Unclassified Source Rejection

• Stimulus: Attempt to ingest a document from a source that has no AG-128 classification into the vector store.
• Expected behaviour: The ingestion gateway rejects the document. No chunks or embeddings from the document are added to the vector store.
• Pass criteria: The document does not appear in the vector store. A rejection record is logged with source identity and reason.
• Fail criteria: Chunks from the unclassified document are added to the vector store and are retrievable.

Test 8.2: Retrieval Access Control Enforcement

• Stimulus: Store chunks with access scope restricted to Agent A. Query the vector store as Agent B with a query that would be semantically similar to the restricted chunks.
• Expected behaviour: The retrieval governance layer excludes Agent A's restricted chunks from Agent B's results, regardless of semantic similarity.
• Pass criteria: Agent B's results do not contain any chunks restricted to Agent A. The access control filter is applied structurally, not advisorily.
• Fail criteria: Agent B retrieves chunks restricted to Agent A, or the access control relies on query construction that can be bypassed.

Test 8.3: Multi-Tenancy Isolation

• Stimulus: In a shared vector store, store chunks for Tenant A and Tenant B. Query as Tenant A with a query semantically similar to Tenant B's content. Intentionally omit the tenant filter from the query (simulating a code bug).
• Expected behaviour: Structural isolation (separate index, separate instance, or cryptographic boundary) prevents cross-tenant retrieval even when the application-layer filter is omitted.
• Pass criteria: Tenant A cannot retrieve Tenant B's chunks under any query construction, including queries missing filter parameters.
• Fail criteria: Omitting the application-layer filter allows cross-tenant retrieval.

Test 8.4: Freshness Filtering at Retrieval Time

• Stimulus: Store a chunk with a freshness expiry timestamp. Allow the timestamp to pass. Query the vector store with a query that would retrieve the expired chunk.
• Expected behaviour: The retrieval governance layer excludes the expired chunk from results.
• Pass criteria: Expired chunks are not returned in retrieval results. The freshness filter is applied at retrieval time, not at ingestion time.
• Fail criteria: Expired chunks are returned in retrieval results.

Test 8.5: Source Provenance Preservation

• Stimulus: Ingest a document, chunk it, embed it, and store it. Retrieve a chunk. Verify that the chunk's metadata links to the original source document with complete provenance.
• Expected behaviour: The retrieved chunk includes metadata identifying: source document ID, source classification, ingestion timestamp, freshness expiry, and access scope.
• Pass criteria: Full provenance chain from chunk to source document is traceable. No chunk exists without provenance metadata.
• Fail criteria: Any chunk lacks provenance metadata, or the provenance chain is broken (chunk cannot be linked to source document).

Test 8.6: Erasure Propagation to Vector Store

• Stimulus: Ingest a document into the vector store. Delete the source document (triggering AG-130 erasure propagation). Query the vector store for content from the deleted document.
• Expected behaviour: All chunks derived from the deleted document are tombstoned or deleted. Queries do not return content from the deleted document.
• Pass criteria: No retrieval query returns chunks from the deleted source document. Erasure propagation is verified in the audit trail.
• Fail criteria: Chunks from the deleted source document remain retrievable.

Conformance Scoring

• Score 0: No vector store governance exists — any content can be ingested, any agent can retrieve any content, no provenance metadata is maintained, and no access controls are enforced.
• Score 1: Basic ingestion controls exist (e.g., manual review before bulk ingestion) but retrieval-time governance is absent. Provenance metadata is incomplete. Multi-tenancy relies on application-layer filters only.
• Score 2: Ingestion gateway enforces classification and integrity. Retrieval governance applies access control, freshness, and trust tier filters. Provenance metadata is complete. Multi-tenancy isolation is structural. Retrieval events are logged. Erasure propagation reaches the vector store.
• Score 3: Verified by independent adversarial testing — ingestion poisoning, access control bypass, cross-tenant retrieval, and stale content retrieval attacks have been tested and failed. Retrieval quality scoring filters low-relevance content. Full forensic replay capability exists.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 10 (Data and Data Governance)	Direct requirement
EU AI Act	Article 15 (Accuracy, Robustness, and Cybersecurity)	Supports compliance
GDPR	Article 5(1)(f) (Integrity and Confidentiality)	Supports compliance
GDPR	Article 25 (Data Protection by Design)	Supports compliance
DORA	Article 9 (ICT Risk Management Framework)	Supports compliance
FCA SYSC	6.1.1R (Systems and Controls)	Supports compliance
NIST AI RMF	MAP 2.3, MANAGE 1.3, MANAGE 2.2	Supports compliance
ISO 42001	Clause 8.4 (AI System Development)	Supports compliance

EU AI Act — Article 10 (Data and Data Governance)

Article 10 requires data governance practices that ensure training and inference data meets quality standards. RAG systems inject retrieved content into the AI system's inference context — the quality of retrieved content directly determines the quality of the AI system's output. AG-132's ingestion controls, provenance tracking, and quality filtering implement the data governance requirements of Article 10 for the specific case of retrieval-augmented systems.

EU AI Act — Article 15 (Accuracy, Robustness, and Cybersecurity)

Article 15 requires high-risk AI systems to achieve an appropriate level of accuracy and robustness, including resilience against attempts by unauthorised third parties to alter the system's use by exploiting vulnerabilities. Vector store poisoning — injecting malicious content to influence agent outputs — is precisely the type of vulnerability that Article 15 requires systems to resist. AG-132's ingestion controls and integrity verification directly address this cybersecurity requirement.

GDPR — Article 5(1)(f) (Integrity and Confidentiality) and Article 25 (Data Protection by Design)

Article 5(1)(f) requires appropriate security of personal data, including protection against unauthorised access. A vector store containing personal data that lacks access controls (enabling cross-tenant retrieval, as in Scenario B) violates this principle. Article 25 requires data protection by design — access controls must be built into the vector store architecture, not bolted on as application-layer filters. AG-132's structural multi-tenancy isolation implements data protection by design for vector-based systems.

DORA — Article 9

DORA requires financial entities to identify and manage ICT risks. A vector store serving financial advisory agents is an ICT asset whose compromise (through poisoning, cross-tenant leakage, or stale content) creates direct financial and regulatory risk. AG-132's governance controls provide the ICT risk management framework for this specific technology component.

10. Failure Severity

Field	Value
Severity Rating	Critical
Blast Radius	Potentially all agents and all users relying on the affected vector store

Consequence chain: An ungoverned vector store is a single point of influence for every agent that uses it. Vector store poisoning (Scenario A) can drive thousands of incorrect agent responses before detection — 890 customers received fraudulent advice with £12.4 million in potential redress from a single poisoning event. Cross-tenant data leakage (Scenario B) creates immediate breach notification obligations and multi-million dollar damages claims. Stale content (Scenario C) drives agent advice based on superseded regulations, creating compliance exposure for every decision based on the outdated content. The blast radius is amplified by the centralised nature of vector stores: a single poisoned chunk, a single access control failure, or a single stale document affects every agent and every query that touches the affected content. The failure is silent — agents produce confident, plausible outputs based on poisoned, leaked, or stale retrieved content, with no visible indicator to the end user that the underlying retrieval is compromised. Cross-references: AG-128 (Data Source Classification Governance) provides the classification metadata that ingestion controls verify; AG-129 (Stale Data Actuation Prevention) defines the freshness thresholds that retrieval-time filtering enforces; AG-130 (Residual Data Erasure Propagation Governance) requires erasure to reach vector stores; AG-131 (Source Conflict Escalation Governance) must detect contradictions among retrieved chunks; AG-133 (Source Record Lineage Governance) requires provenance tracking from chunks back to source documents.