Design partner program
See where your AI is leaking, in 10 business days
The Gateco AI Retrieval Access Risk Review is a guided, time-boxed engagement that finds where your RAG pipelines and copilots can retrieve data a user should never see, shows that access blocked in your own stack, and leaves you with a written risk report and a recommended architecture. No fee. You start on the free plan.
Read-only access. We never store your retrieved content. Limited design-partner slots each month.
10 days
Time-boxed, guided
No fee
Runs on the free plan
Read-only
We never store your content
Who it is for
Teams shipping AI on sensitive data
You run a RAG pipeline, internal copilot, or agent over HR, finance, legal, support, or customer data, and you need to be sure it only surfaces what each user is allowed to see.
Security and compliance leaders
You have to sign off before AI reaches production, and you need evidence: who the AI can access, what it retrieved, and whether it fails safely.
AI platform and data teams
You own the retrieval layer across one or more vector databases and want a permission model that holds up without rebuilding it for every app.
The problem we look for
You invested in SSO, IAM, and access controls for every system you run. Then you deployed RAG, and created a new way in that bypasses all of it. A vector search ranks by semantic similarity, not by permission, so when a copilot is asked about compensation, severance, or a customer record, it returns the closest chunks, not the ones the asker is cleared to see.
Most teams cannot answer one simple question today: where, exactly, does our AI retrieve data it should not? The Risk Review answers it with evidence, in your own stack.
What you walk away with
Six concrete deliverables, not a slide deck.
A leakage-risk map
The specific paths where your retrieval can return unauthorized content, ranked by severity, against your real data or a representative sample.
A live before-and-after demo
We run real queries as real users and show unauthorized retrieval happening today, then blocked once policy is enforced, using the Access Simulator and Live Preview.
Prioritized findings
A short, executive-readable report your security team can act on, mapped to the controls they care about: SOC 2, ISO 27001, and the EU AI Act.
A recommended architecture
How permission-aware retrieval fits your stack, with the policy model (RBAC, ABAC, ReBAC) and metadata approach that suit your data.
An audit-trail sample
Real retrieval decisions logged with principal, resource, policy, and outcome, so you can see the evidence you would have in production.
A readiness level and path
Where your setup lands on the L0 to L4 scale, and the shortest path to L3 production readiness.
How the 10 days work
Days 1 to 2
Kickoff and connect
A 45-minute kickoff to scope the review. You connect one vector database, or hand us a representative sample, on the free plan, and we agree on the 10 to 20 queries we will test.
Days 3 to 7
The review
We find the leakage paths, run the before-and-after as the principals you care about, and tune a first policy set with you. You see results as we go, not only at the end.
Days 8 to 10
Report and readout
We deliver the written risk report and recommended architecture, and walk your team through the findings on a readout call. You leave with a clear go or no-go for production.
What we need from you
- Read-only access to one connector, or a representative sample of your vectors. Least-privilege; we only read.
- Your identity provider (Okta, Microsoft Entra ID, AWS IAM Identity Center, or GCP), or a sample set of users and groups if you would rather not connect one yet.
- 10 to 20 representative queries that reflect how people actually use your AI.
- Two short calls: a kickoff and a readout.
- About two to three hours of an engineer's time across the ten days.
We do not store the content of your retrieved documents. Connector credentials are encrypted, and access is read-only throughout.
Terms
The Risk Review is free for qualified design partners. You run it on the free plan, or on your existing plan if you already have one. There is no separate review fee.
We take a limited number of design-partner teams each quarter so the support stays hands-on. In exchange, we ask for honest feedback and, only with your approval, a short reference. The revenue, when it comes, is a paid plan when you take this to production. Nothing about the review commits you to that.
Free for design partners
No review fee. Hands-on support for ten days.
What success looks like
- You can see, and quantify, where your AI retrieves data it should not.
- You have watched unauthorized retrieval blocked in your own stack, not a demo environment.
- You hold a written risk finding and a recommended architecture your security team can act on.
- You have a clear, evidence-based go or no-go decision for production.
What happens after
If the review shows you need permission-aware retrieval in production, the next step is a paid plan: Team or Growth, depending on your volume and connectors. Teams that want hands-on help going live can continue into the full implementation pilot, which takes you to L3 governance with dedicated support.
Apply for a Risk Review
Tell us what you are building and the stack you are on. We review applications within 2 business days and reach out to schedule your kickoff. Slots are limited each month.
Prefer email? Reach us at pilots@gateco.ai.
Questions teams ask
Is it really free?
Yes, for qualified design partners. You run the review on the free plan and there is no separate fee. We are selective about how many teams we take each quarter so we can stay hands-on.
What access do you need, and is it safe?
Read-only access to one connector, or a representative sample of your vectors. Connector credentials are encrypted and we only read. We never store the content of your retrieved documents; we store policy decisions and audit records, not your data.
We have not connected an identity provider yet. Can we still do this?
Yes. You can give us a sample set of users and groups instead, and connect your real IDP later. The review still shows the leakage paths and how policy closes them.
How much of our time does it take?
Two short calls and roughly two to three hours of an engineer's time across the ten days. We do the heavy lifting.
What do we commit to?
A start date, the access above, and the two calls. The review does not commit you to a paid plan; that decision comes after you have seen the findings.
Which vector databases and identity providers do you support?
Twelve vector databases, including pgvector, Pinecone, Qdrant, Weaviate, Azure AI Search, and the two Vertex AI options, plus Okta, Microsoft Entra ID, AWS IAM Identity Center, and GCP Cloud Identity for identity.