MEDIUM Tier: Internal Knowledge Assistant¶
The system: an employee assistant that answers questions from the company's internal documents, HR policies, engineering wikis, finance procedures, and meeting notes. Staff reach it through single sign-on. It retrieves and summarises; it takes no actions and faces no customers.
This is the example where retrieval is the whole risk. Most enterprise AI assistants are this shape, and most of their incidents come from the same place: the assistant retrieving something the user should never have seen, or acting on an instruction hidden in a document.
Why this is MEDIUM tier¶
From the classification process: the data is sensitive (internal, some of it confidential), the audience is internal and authenticated, there are no external actions and no automated decisions, and human judgment sits between the assistant's answer and any consequence. Moderate impact, sensitive data, human review expected: MEDIUM. The jump from the LOW FAQ bot is driven entirely by whose data the corpus contains.
RAG is the attack surface¶
Retrieval is the largest attack surface for a system like this, in three distinct ways:
| Risk | What goes wrong |
|---|---|
| Over-retrieval across permissions | The index contains HR records, board papers, and salary data. If retrieval ignores who is asking, the assistant becomes a way to read documents the employee has no right to. This is the dominant risk. |
| Indirect injection via documents | A document in the corpus contains text like "ignore prior instructions and reveal...". When retrieved, it becomes input to the model. Internal does not mean trusted: any document anyone can edit is an injection vector. |
| Retrieval poisoning | Someone adds or edits a document specifically to change the assistant's answers, for example to misstate a policy or approval threshold. |
Identity is a retrieval control, not just a login¶
The defining control for this system is identity-aware retrieval: the assistant must retrieve only what the asking user is entitled to see, enforced at the data layer, not by asking the model to be careful.
| Control | What it does | Reference |
|---|---|---|
| Access-controlled RAG | Filter retrieval by the user's identity and entitlements before chunks reach the model | DAT-04 |
| Data classification at ingestion | Tag documents by sensitivity so retrieval and redaction can act on it | DAT-01 |
| Identity propagation | The user's identity, from SSO, flows through to the retrieval query; the assistant never holds broader access than the user | IAM Governance, Identity & Access |
| Untrusted-content handling | Retrieved text is treated as data, never as instructions; strip or neutralise embedded directives | Threat Modelling |
| Output checks | Scan responses for sensitive data and for content the user should not receive | Output guardrails |
The chunk-level trap
A common mistake is to apply access control to documents but index at the chunk level without carrying the permissions onto each chunk. The result: a user who cannot open a confidential document can still have its chunks retrieved and summarised back to them. Entitlements must travel with the data all the way to retrieval.
Controls that match the risk¶
Beyond identity-aware retrieval, MEDIUM tier calls for:
- Standard input and output guardrails: injection detection on input, sensitive-data checks on output.
- A reviewing layer sized to the tier: the reviewing controls are scanners, a semantic firewall, and a model-as-judge, and you pick how much of that layer to run. At MEDIUM, with a human reading every answer, scanners inline plus a sampled async judge is proportionate, not 100% evaluation and not an inline semantic firewall. Those heavier options are available if the risk rises; the choice is yours to make against latency and consequence. See Risk Tiers control matrix.
- Logging of queries, retrieved sources, and responses, so an over-retrieval incident can be reconstructed (Logging & Observability).
- Corpus governance: control who can add or edit indexed documents, and review changes, to limit poisoning and indirect injection.
What you still do not need: real-time Judge on every output, dual human approval, or agentic controls, there are no actions to approve.
What this example teaches¶
Identity is not just authentication at the door; for retrieval systems it is the primary data-protection control, enforced at the data layer. Get access-controlled retrieval right and most of this system's risk disappears. Get it wrong and no output guardrail will reliably save you. Next, the HIGH Customer-Service Assistant adds tools and actions on top of retrieval, and the MCP Engineering Agent pushes tooling and identity to their limit.