Pre-Retrieval vs Post-Retrieval Authorization
A RAG pipeline can enforce access inside the vector query or in the app after results return. Each has a distinct failure mode. Here is what breaks.
June 21, 2026·7 min read
4 posts
A RAG pipeline can enforce access inside the vector query or in the app after results return. Each has a distinct failure mode. Here is what breaks.
Embeddings throw away the permissions your source systems already track. Here is the recipe to carry document-level permissions into a RAG pipeline.
Gateco is not a RAG framework. It is the authorization layer you insert at the retrieval step of LangChain or LlamaIndex. Here is where it goes, and why.
Vector databases retrieve by embedding similarity. They don't know who's asking or check permissions. That is the RAG security gap, and it is wide.