6 min read · Gateco Team

Azure AI Search and Gateco: Better Together

Azure AI Search is one of the most capable managed search platforms available. It handles indexing, chunking, enrichment, BM25 keyword ranking, vector similarity, and native hybrid retrieval — all without you managing the underlying infrastructure. If you're building a RAG system on Azure, it's a genuinely strong starting point. But retrieval capability and retrieval authorization are two different problems, and Azure AI Search only solves the first one.

Gateco is now Azure AI Search's governance layer. As of this week, Azure AI Search joins pgvector, Pinecone, Qdrant, Weaviate, Milvus, Chroma, OpenSearch, Supabase, and Neon as Gateco's tenth supported connector. You can connect your Azure AI Search index to Gateco in minutes, and immediately apply deny-by-default ABAC policy enforcement to every retrieval — without changing your Azure configuration or re-indexing your data.

What Azure AI Search Is Built For

Azure AI Search is a full search platform. You point it at your data sources — Azure Blob Storage, Cosmos DB, SQL databases, SharePoint — and it handles the ETL: chunking documents, running AI enrichment pipelines (OCR, entity extraction, key phrase detection), generating embeddings, and building the search index. At query time, it supports keyword search with BM25 ranking, vector search with approximate nearest-neighbor algorithms, and hybrid search that fuses both via Reciprocal Rank Fusion. An optional semantic ranker re-scores results using a cross-encoder model trained on search relevance.

This is a lot of capability, delivered as a managed service. Teams that go all-in on Azure can have a production RAG pipeline running faster than teams building on raw vector database primitives. The tradeoff is that Azure controls the schema, the query interface, and the data plane. But for many Azure-native organizations, that tradeoff is entirely reasonable.

The Gap Azure Doesn't Close

Azure AI Search's security model is built around API keys and Azure RBAC. API keys grant access to an index — either read-only query keys or full admin keys. Azure RBAC roles (Search Index Data Reader, Search Index Data Contributor) operate at the index level: a principal either has access to an index or they don't. There is no native mechanism to return different results to different principals querying the same index based on their identity attributes.

This gap matters for enterprise RAG. Consider a legal firm's knowledge base: associates should see public filings and internal memos, partners should additionally see client communications, and engagement partners should see billing records. All three groups query the same index. Azure AI Search cannot differentiate their results based on their role — it can only decide whether they can query the index at all. The document-level access control problem is left entirely to the application.

Beyond the RBAC limitation, there is no deny-by-default behavior at the document level. If a document lacks access metadata — which happens more often than teams admit in real-world data pipelines — it is returned to any authorized requester. And there is no audit trail of retrieval decisions: Azure logs API calls, not authorization outcomes. When your compliance team asks who accessed the Q3 board presentation through the AI assistant last month, Azure AI Search has no answer.

How Gateco Sits Above Azure AI Search

Gateco does not replace Azure AI Search — it governs it. The architecture is a control plane above the retrieval plane. Azure handles the hard problem of finding relevant content; Gateco handles the equally hard problem of deciding who is allowed to see it.

When a principal sends a retrieval request through Gateco, Gateco routes the query to your Azure AI Search index using the full power of Azure's retrieval engine — vector, keyword, or hybrid search mode. Azure returns its ranked candidate set. Gateco then evaluates each result against your active RBAC and ABAC policies, filtering the set to only the documents the requesting principal is authorized to access. The filtered results are returned to the caller, and the full decision — query, principal, allowed documents, denied documents, and the policy reasoning — is written to the audit trail.

This means you get Azure's retrieval quality and Gateco's access governance simultaneously. The two layers are independently configurable: you can tune your Azure AI Search index without touching your Gateco policies, and you can update Gateco policies without changing anything in Azure.

What You Get When You Combine Them

The combination unlocks capabilities that neither layer provides alone. Deny-by-default enforcement means a document must be explicitly authorized before it appears in any retrieval result — missing metadata is a deny, not a pass. ABAC policies let you express conditions that Azure RBAC cannot: "allow principals in the legal-partners group to access documents classified as confidential or below." These policies apply consistently across every AI agent, chatbot, and internal tool that queries through Gateco, not just the ones where a developer remembered to implement filtering.

The audit trail records every retrieval decision with full context: the principal's identity (resolved from your connected identity provider), the search query, the number of results allowed and denied, and the specific policy that produced each decision. This is the evidence your compliance team needs for SOC 2 audit preparation, GDPR subject access requests, and internal security reviews.
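The post-retrieval decision described above, as an added example that is not Gateco's code or API: a ranked candidate list is filtered per principal with deny-by-default, and one audit record is built per request. The classification ordering, policy names, group names and document fields are assumptions made for this example.

```python
# Classification ordering is an assumption for this example.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed policies: (name, required group, highest classification allowed).
POLICIES = [
    ("associates-internal", "associates", "internal"),
    ("partners-confidential", "legal-partners", "confidential"),
]

def decide(principal, doc, policies=POLICIES):
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    level = doc.get("classification")
    if not isinstance(level, str) or level not in LEVELS:
        return False, "deny:missing-or-unknown-classification"
    for name, group, max_level in policies:
        if group in principal["groups"] and LEVELS[level] <= LEVELS[max_level]:
            return True, f"allow:{name}"
    return False, "deny:no-matching-policy"

def filter_results(principal, query, candidates, policies=POLICIES):
    """Filter a ranked candidate list (order preserved) and build an audit record."""
    allowed, decisions = [], []
    for doc in candidates:
        ok, reason = decide(principal, doc, policies)
        decisions.append({"doc_id": doc["id"], "allowed": ok, "reason": reason})
        if ok:
            allowed.append(doc)
    audit = {
        "principal": principal["id"],
        "query": query,
        "allowed": [d["doc_id"] for d in decisions if d["allowed"]],
        "denied": [d["doc_id"] for d in decisions if not d["allowed"]],
        "decisions": decisions,  # per-document policy reasoning
    }
    return allowed, audit

# Constructed candidate set standing in for a ranked search response.
CANDIDATES = [
    {"id": "filing-01", "classification": "public"},
    {"id": "client-email-07", "classification": "confidential"},
    {"id": "billing-q3", "classification": "restricted"},
    {"id": "scan-unlabelled"},  # no access metadata: must be denied
]
```

Only the `allowed` list should ever be passed on to a caller or an LLM context; the audit record is what answers "who saw what and why" for a given request.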

Grounded Answers — Gateco's Pro and Enterprise feature for policy-aware answer synthesis — also works with Azure AI Search. When a principal asks a natural language question, Gateco retrieves policy-filtered chunks from your Azure index, passes them to an LLM, and returns a grounded answer with citations. Denied chunks never enter the LLM context. The answer reflects exactly what the principal is allowed to know.

If you're already using Azure AI Search and wondering whether you need a governance layer, the question to ask is: can you answer, per retrieval, who saw what and why? If not, read our post on why Azure AI Search isn't enough for enterprise RAG security — and then set up your first Azure AI Search connector in the Gateco dashboard.

