Permission-aware retrieval for AI
Gate your AI's access to knowledge
Your AI agents bypass every access control you built
You invested in SSO, IAM, ACLs, and RBAC for every system in your organization. Then you deployed RAG — and created a new access surface that bypasses all of it. Vector databases retrieve by semantic similarity, not authorization. When your AI copilot is asked about compensation data, it returns the most relevant chunks, not the most appropriately authorized ones. This is the RAG authorization gap.
Security that works with your stack
Gateco sits between your AI agents and vector databases — enforcing policies at retrieval time without changing your existing architecture.
Deny-by-Default Retrieval
Your AI agents can only access data they're explicitly authorized for. No policy match, no data — eliminating the #1 cause of RAG data leakage.
12 Vector DB Connectors
Plug into your existing vector infrastructure in minutes. No migration, no vendor lock-in — security layers on top of databases you already use.
Semantic Readiness (L0-L4)
See exactly where each connector stands on the path to full policy enforcement. A clear, actionable roadmap instead of vague security posture scores.
Classification Suggestions
Stop manually labeling thousands of resources. Gateco scans and suggests classifications — you review and approve, turning weeks of work into minutes.
Full Audit Trail
Answer "who accessed what through AI, and when?" instantly. Every retrieval decision recorded with the exact policy logic — audit-ready from day one.
SDK + CLI
Add permission-aware retrieval in 5 lines of code. Python and TypeScript SDKs, CLI for operations, Access Simulator to dry-run policies before they go live.
Multi-Mode Search
Four retrieval modes — semantic similarity, keyword relevance, hybrid fusion, and deterministic grep — so every query finds the right lens.
Identity Provider Sync
Connect Okta, Azure Entra ID, AWS IAM, or GCP Cloud Identity. Principals, groups, and departments sync automatically — so policies reference real identities, not static lists.
Policy Templates
Seven ready-made templates for common patterns — group RBAC, department access, classification ceilings, deny-sensitive. Pick a template, fill in your values, deploy a draft in seconds.
Grounded Answers
Ask a natural language question and get an answer synthesized only from policy-allowed chunks — with citations. Denied content never reaches the LLM context.
Access Simulator
Dry-run policy evaluation or run a live preview against real data. See exactly what each principal would be allowed or denied before activating policies in production.
SCIM Provisioning
Enterprise inbound SCIM v2 for real-time user and group provisioning. Your IDP pushes changes to Gateco as they happen — no sync delay, no stale principals.
MCP Server
Give AI coding assistants like Claude and Cursor permission-aware retrieval via the Model Context Protocol. Six tools, markdown output, zero denied-content leakage.
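The authorization gap and the Deny-by-Default Retrieval and Full Audit Trail items above, as an added Python sketch of retrieval-time filtering. This is not Gateco's code or SDK; the policy rules, label names, reason strings and sample chunks are all constructed for illustration.

```python
from collections import namedtuple

LEVELS = {"public": 0, "internal": 1, "confidential": 2}  # constructed label set
# score = similarity from the vector search; classification None = never labelled
Chunk = namedtuple("Chunk", "id score classification groups", defaults=[frozenset()])
Principal = namedtuple("Principal", "id groups clearance")

def decide(p, c):
    """Return (allowed, reason); anything short of an explicit match is a deny."""
    try:
        if c.classification is None:
            return False, "no-policy-match:unlabelled"
        if LEVELS[c.classification] > LEVELS[p.clearance]:
            return False, "classification-ceiling"
        if not (p.groups & c.groups):
            return False, "no-policy-match:group"
        return True, "allow"
    except Exception as exc:  # fail closed: an evaluation error is a deny
        return False, "error:" + type(exc).__name__

def naive_top_k(candidates, k):
    """Similarity-only retrieval: the principal is not consulted at all."""
    return sorted(candidates, key=lambda c: -c.score)[:k]

def authorized_top_k(p, candidates, k, audit):
    """Filter before truncating to k, appending every decision to audit."""
    out = []
    for c in sorted(candidates, key=lambda c: -c.score):
        if len(out) == k:
            break
        ok, reason = decide(p, c)
        audit.append((p.id, c.id, "allow" if ok else "deny", reason))
        if ok:
            out.append(c)
    return out

# Constructed sample data: five candidates as a vector search might rank them.
CANDIDATES = [
    Chunk("comp-2024", 0.93, "confidential", frozenset({"hr"})),
    Chunk("legacy-dump", 0.90, None),
    Chunk("bad-label", 0.88, "secret", frozenset({"eng"})),  # label not in LEVELS
    Chunk("eng-handbook", 0.71, "internal", frozenset({"eng"})),
    Chunk("eng-runbook", 0.64, "internal", frozenset({"eng"})),
]
ALICE = Principal("alice", frozenset({"eng"}), "internal")
```

Because the filter runs before the cut to k, the three denied chunks do not use up result slots, and each denial lands in the audit list with its reason.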
Five questions buyers ask
What about pgvector RLS?
Works until you need an audit trail, IDP sync, or a second vector DB.
Read the comparison →
What about Cerbos?
Cerbos is engine-shaped. Gateco is RAG-specific and ships with 12 connectors.
Read the comparison →
Won't Microsoft bundle this?
Purview secures M365 Copilot. Gateco secures the AI you ship in your own product.
See the difference →
What if you're unavailable?
Fail-closed by default. Every error-time denial is logged. No ambiguous access.
Read the failure model →
Works with your stack
Connect your vector databases and identity providers in minutes
Vector Databases
Identity Providers
Three steps to secure retrieval
No infrastructure changes required. Connect, configure, and enforce — your AI agents keep working, now with permission boundaries.
Secure Retrieval
Every query is permission-checked
Step 3
Integrate in minutes
Python and TypeScript SDKs make permission-aware retrieval a one-liner. The CLI handles everything else.

    from gateco_sdk import GatecoClient

    client = GatecoClient(api_key="gck_...")

    # Deny-by-default retrieval
    result = client.retrievals.execute(
        query="quarterly revenue forecast",
        principal_id="user-uuid",
        search_mode="hybrid",
    )
    # Returns only what this principal is authorized to see

Trusted by engineering teams shipping AI in regulated industries. Case studies coming soon →
Simple, transparent pricing
Start free, scale as your AI retrieval needs grow.
Team
$499
per month
- 3 connectors
- 50,000 retrievals/mo
- ABAC + ReBAC policies
- Grounded Answers
- Priority support
Growth
$1,999
per month
- 10 connectors
- 500,000 retrievals/mo
- SSO & SCIM
- Access Simulator
- Audit export
Enterprise
from $24K
per year
- Unlimited everything
- SIEM integration
- Private Data Plane
- Custom SLAs
Free tier available — no credit card, 1,000 retrievals/mo.
Start securing your AI retrieval today
Free tier available. No credit card required. Connect your first vector DB in under 5 minutes.