Multi-Tenant Isolation for AI Agents: Preventing Cross-User Data Leaks
Written by Rafter Team
February 7, 2026
In March 2023, a ChatGPT bug exposed active users' chat history titles and payment information to other users. The root cause: a caching vulnerability in the Redis cluster that served conversation data. For several hours, users could see others' private conversations—a catastrophic multi-tenant isolation failure.
This isn't theoretical. When AI agents serve multiple users through a shared infrastructure, tenant isolation becomes critical. A single bug in session management, caching, or database queries can leak User A's sensitive data to User B. Traditional web application isolation techniques are necessary but insufficient—AI agents introduce new isolation challenges through shared models, vector databases, and persistent memory.
Multi-tenant data leaks combine confidentiality breaches with compliance violations. A single isolation failure can expose thousands of users' PII, triggering GDPR fines and class-action lawsuits.
Multi-Tenant Isolation Challenges
AI agent systems have unique isolation requirements beyond traditional SaaS applications:
Shared Model Context
Multiple users often share the same LLM instance. Without proper boundaries, one user's conversation could "bleed" into another's context:
- Cache pollution: User A's prompt cached, accidentally served to User B
- Context window contamination: Batched inference mixes users' contexts
- Fine-tuning data leaks: Model fine-tuned on one tenant's data, memorizes and leaks to others
Vector Database Cross-Contamination
AI agents use vector databases (Pinecone, Weaviate, Chroma) for semantic search and long-term memory. Without strict partitioning:
- User A's documents retrieved in User B's search results
- Similarity search returns nearest neighbors across tenant boundaries
- Metadata leaks expose other tenants' existence and document titles
Persistent Memory Isolation
Agent memory stores (conversation history, learned facts, user preferences) must be strictly partitioned:
- Session state isolated per user
- Long-term memory namespaced by tenant
- Caching layers tenant-aware
- Background processing (embeddings, indexing) doesn't mix tenant data
Isolation Failure Scenarios
Scenario 1: Database Query Missing Tenant Filter
The most common mistake—forgetting the tenant check:
# ✗ Vulnerable: Missing tenant_id filter
def get_user_conversations(user_id: str):
return db.query(
"SELECT * FROM conversations WHERE user_id = ?",
user_id
)
If user_id isn't globally unique (e.g., "user-123" exists in multiple tenants), this query returns conversations from ALL tenants with that ID.
Impact: User sees others' private conversations. In production, this happened to a major AI startup—users reported seeing strangers' chats.
Scenario 2: Cache Key Collision
Caching improves performance but introduces isolation risks:
# ✗ Vulnerable: Cache key doesn't include tenant_id
def get_user_data(user_id: str):
cache_key = f"user:{user_id}"
if cached := cache.get(cache_key):
return cached
data = db.query_with_tenant_filter(user_id, tenant_id)
cache.set(cache_key, data, ttl=3600)
return data
If user_id isn't unique across tenants, Tenant A's cache entry overwrites Tenant B's. Later requests for the same user_id get wrong tenant's data.
The ChatGPT incident: Redis cache keys didn't properly isolate tenant data. When one user's conversation was cached, another user with overlapping session timing saw it.
Scenario 3: Vector Search Across Tenants
Vector databases enable semantic search, but most don't enforce tenant boundaries automatically:
# ✗ Vulnerable: Search across all embeddings
def semantic_search(query: str, user_id: str):
query_embedding = embed(query)
# This searches ENTIRE vector DB, not just user's data
results = vector_db.search(
embedding=query_embedding,
top_k=10
)
return results
Without metadata filters, search returns most similar vectors from ANY tenant. User A searching "confidential project" might get User B's confidential documents.
Scenario 4: Shared Model Fine-Tuning
One tenant's data used to fine-tune a shared model:
# ✗ Vulnerable: Fine-tuning on one tenant, serving to all
def fine_tune_model(tenant_id: str):
tenant_data = get_tenant_conversations(tenant_id)
# Fine-tune shared model
model.fine_tune(tenant_data)
# Deploy fine-tuned model for ALL tenants
deploy_model(model)
The fine-tuned model memorizes Tenant A's data. When Tenant B uses it, the model can leak Tenant A's information through completions.
Defense Architecture
Isolation must be enforced at every layer.
Layer 1: Database-Level Isolation
Always include tenant_id in queries:
# ✓ Secure: Tenant filter on every query
def get_user_conversations(user_id: str, tenant_id: str):
return db.query(
"SELECT * FROM conversations WHERE user_id = ? AND tenant_id = ?",
user_id,
tenant_id
)
Use composite primary keys:
-- ✓ Secure: Primary key includes tenant
CREATE TABLE conversations (
id UUID,
tenant_id UUID NOT NULL,
user_id UUID NOT NULL,
content TEXT,
PRIMARY KEY (tenant_id, id)
);
CREATE INDEX ON conversations(tenant_id, user_id);
Makes it impossible to query without tenant context.
Row-level security (RLS):
-- PostgreSQL RLS policy
ALTER TABLE conversations ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON conversations
USING (tenant_id = current_setting('app.current_tenant_id')::uuid);
Database enforces isolation even if application code fails.
Layer 2: Cache Isolation
Include tenant_id in all cache keys:
# ✓ Secure: Tenant-aware caching
def get_user_data(user_id: str, tenant_id: str):
cache_key = f"tenant:{tenant_id}:user:{user_id}"
if cached := cache.get(cache_key):
return cached
data = db.query_with_tenant(user_id, tenant_id)
cache.set(cache_key, data, ttl=3600)
return data
Namespace cache per tenant:
# ✓ Secure: Separate cache instance per tenant
class TenantCacheManager:
def get_cache(self, tenant_id: str):
return Redis(db=hash(tenant_id) % 16) # Separate Redis DB per tenant
Layer 3: Vector Database Isolation
Metadata filters on all searches:
# ✓ Secure: Filter by tenant_id
def semantic_search(query: str, tenant_id: str, user_id: str):
query_embedding = embed(query)
results = vector_db.search(
embedding=query_embedding,
filter={"tenant_id": tenant_id, "user_id": user_id},
top_k=10
)
return results
Separate collections per tenant:
# ✓ Secure: Dedicated collection per tenant
class VectorDBManager:
def get_collection(self, tenant_id: str):
collection_name = f"tenant_{tenant_id}_vectors"
return vector_db.get_or_create_collection(collection_name)
Guaranteed no cross-tenant contamination—different collections entirely.
Layer 4: Model Isolation
Separate model instances per tenant (resource-intensive but most secure):
# ✓ Secure: Per-tenant model instances
class ModelManager:
def __init__(self):
self.models = {} # tenant_id -> model_instance
def get_model(self, tenant_id: str):
if tenant_id not in self.models:
self.models[tenant_id] = load_model_for_tenant(tenant_id)
return self.models[tenant_id]
Stateless shared models (more common):
- No fine-tuning on tenant data
- No persistent context between requests
- Each request tagged with tenant_id for audit
Context isolation:
# ✓ Secure: Clear context between tenant requests
def process_request(prompt: str, tenant_id: str):
# New conversation context per request
conversation = Conversation(tenant_id=tenant_id)
conversation.add_message(prompt)
response = model.generate(conversation)
# Don't persist context across different tenant requests
conversation.clear()
return response
Testing Isolation Boundaries
Automated tests catch isolation failures before production.
Cross-Tenant Access Tests
# Test: Tenant A cannot access Tenant B's data
def test_tenant_isolation():
# Create data for Tenant A
tenant_a_agent = Agent(tenant_id="tenant-a", user_id="user-1")
tenant_a_agent.store_memory("Confidential A data")
# Try to access from Tenant B with same user_id
tenant_b_agent = Agent(tenant_id="tenant-b", user_id="user-1")
memories = tenant_b_agent.retrieve_memory()
# Must not contain Tenant A's data
for memory in memories:
assert "Confidential A data" not in memory.content
def test_cache_isolation():
# Tenant A caches data
cache_user_data(user_id="user-123", tenant_id="tenant-a", data="SECRET_A")
# Tenant B requests same user_id
result = get_cached_user_data(user_id="user-123", tenant_id="tenant-b")
# Must not get Tenant A's cached data
assert result is None or "SECRET_A" not in result
def test_vector_search_isolation():
# Tenant A indexes document
vector_db.index(
text="Confidential merger plan",
metadata={"tenant_id": "tenant-a"}
)
# Tenant B searches for similar content
results = semantic_search(
query="merger plan",
tenant_id="tenant-b"
)
# Must not return Tenant A's document
for result in results:
assert result.metadata["tenant_id"] == "tenant-b"
Run these tests in CI on every deployment.
Penetration Testing
Actively try to break isolation:
- ID enumeration: Try incrementing IDs to access other tenants
- Cache key guessing: Attempt to construct cache keys for other tenants
- SQL injection: Inject tenant_id modifications in parameters
- Concurrent requests: Race conditions in multi-threaded access
- API parameter tampering: Modify tenant_id in API requests
Hire external security auditors for independent validation.
Encryption Per Tenant
Defense-in-depth: even if isolation fails, encrypted data stays protected.
Tenant-Specific Encryption Keys
# ✓ Secure: Different encryption key per tenant
class TenantDataManager:
def __init__(self, tenant_id: str):
self.key = derive_key_from_master(tenant_id)
self.cipher = Fernet(self.key)
def encrypt(self, data: str) -> bytes:
return self.cipher.encrypt(data.encode())
def decrypt(self, encrypted: bytes) -> str:
return self.cipher.decrypt(encrypted).decode()
# Store encrypted
manager_a = TenantDataManager("tenant-a")
encrypted = manager_a.encrypt("confidential data")
db.store(encrypted)
# Even if Tenant B accidentally retrieves it, can't decrypt
manager_b = TenantDataManager("tenant-b")
# This fails - wrong key
manager_b.decrypt(encrypted) # Raises DecryptionError
Each tenant's data encrypted with tenant-specific keys. Cross-tenant leaks yield ciphertext, not plaintext.
Incident Response
When isolation breaks:
1. Immediate containment:
- Identify scope: which tenants affected?
- Revoke affected sessions
- Disable compromised components
2. Data breach notification:
- GDPR requires notification within 72 hours
- Inform affected users with specifics: what leaked, when, to whom
3. Forensics:
-- Audit logs: find unauthorized cross-tenant access
SELECT * FROM audit_log
WHERE action = 'data_access'
AND accessed_tenant_id != requester_tenant_id
AND timestamp > '2025-03-20';
4. Remediation:
- Fix root cause (add missing tenant filters)
- Purge leaked data from caches, logs
- Rotate any compromised keys or tokens
5. Validation:
- Run full isolation test suite
- External security audit before resuming service
Conclusion
Multi-tenant AI agents require rigorous isolation at every layer: database queries, caching, vector search, model context, and encryption. A single missed tenant_id filter creates exposure.
Isolation checklist:
- All database queries include tenant_id in WHERE clause
- Primary keys and indexes include tenant_id
- Row-level security policies enforce tenant boundaries
- Cache keys namespace by tenant_id
- Vector database searches filter by tenant metadata
- Per-tenant encryption keys for data at rest
- Automated tests validate isolation on every deployment
- Regular penetration testing for isolation failures
- Incident response plan for cross-tenant leaks
The ChatGPT incident proves that even major providers get isolation wrong. Assume your first implementation has bugs. Layer defenses so that when (not if) one fails, others contain the breach.
Build systems where tenant isolation failure is architecturally difficult, not just procedurally required.