🤖 AI Security

1USER LAYER — authentication, authorization, session management for copilots and chat systems. Prevent unauthorized agent invocation.

2AI AGENT LAYER — agent identity, capability boundaries, permission scoping. Each agent type (Research, Coding, Data, DevOps) needs least-privilege permissions.

3ORCHESTRATION — workflow integrity, preventing task injection, securing inter-agent communication. Orchestration frameworks (CrewAI, LangGraph) must validate task chains.

4MODEL LAYER — model integrity, preventing poisoning, prompt injection defense, output filtering. Secure model serving infrastructure.

5CONTEXT & KNOWLEDGE — RAG security: data poisoning in vector DBs, unauthorized knowledge access, document-level access control. Embedding injection attacks.

6TOOLING — API security, database access controls, preventing agents from executing unintended actions. Tool-use audit trails are critical.

7IDENTITY & ACCESS — the most critical security layer: cryptographic agent identity, policy-based access authorization, runtime enforcement, comprehensive audit logging. Without this, agents become uncontrolled.

8INFRASTRUCTURE — K8s security, cloud IAM, network segmentation for agent workloads. Infrastructure must be isolated from production systems.

9OBSERVABILITY — complete audit trail of all agent actions, anomaly detection on agent behavior, compliance reporting. Key principle: security must be embedded at EVERY layer, not bolted on at the perimeter.

1Server Authentication — verify MCP Server identity before connecting. Prevent MITM attacks on agent-to-server communication.

2Authorization — implement least-privilege per MCP Server. An agent connecting to a database server shouldn't have admin access.

3Input Validation — MCP Servers must validate all tool call parameters. Prevent injection attacks through crafted tool arguments.

4Data Exfiltration — monitor data flowing from MCP Servers back to agents. Prevent sensitive data leakage through agent responses. A2A ARCHITECTURE: Enables agent-to-agent collaboration with secure collaboration, task and state management, UX negotiation, and capability discovery. A2A Security:

1Agent Identity — cryptographic identity for each agent. Verify agent authenticity before accepting collaboration requests.

2Capability Discovery — agents advertise capabilities via Agent Cards (JSON). Validate claimed capabilities. Prevent capability spoofing.

3Task Integrity — ensure task state cannot be tampered with during multi-agent workflows.

4Communication Encryption — all A2A traffic must be encrypted in transit. Enterprise Deployment: Deploy MCP Servers behind API gateways. Implement audit logging on all MCP/A2A interactions. Use network segmentation to limit agent reach. Monitor for anomalous agent-to-agent communication patterns.

1DISCOVERY — REST requires reading docs and hardcoding. MCP exposes machine-readable tool schemas that agents automatically understand.

2STATE — REST is stateless. MCP maintains stateful sessions between client and server.

3TRANSPORT — REST uses HTTP request/response. MCP uses stdio for local connections (fast, no network overhead) and SSE for remote.

4AUTH — REST uses API keys/OAuth per request. MCP delegates auth from the Host — the Host authenticates once and the agent's tool calls inherit that context.

• MCP introduces new risks — tool injection (malicious MCP Server returning crafted tool definitions), excessive permissions (agent accessing tools it shouldn't), data exfiltration via tool responses
• Mitigations: validate MCP Server identity, implement least-privilege per server, monitor all tool call parameters and responses, deploy MCP Servers behind API gateways
• When to use what: REST/GraphQL for traditional web/mobile apps. gRPC for service-to-service communication
• MCP for AI agent tool integration
• A2A for multi-agent collaboration

• Run MCP Servers as isolated microservices with minimal permissions
• Each server gets only the database access, API scopes, or file system paths it needs — no broad access
• Pin server versions, sign server binaries, and verify integrity at startup

• MCP Hosts authenticate to servers using mTLS or OAuth2 client credentials flow
• Never use static API keys
• Implement server-to-server auth — the MCP Server verifies the Host's identity before accepting connections

• Tool-level RBAC — not all agents get all tools
• A 'research agent' can read data but not write
• A 'deployment agent' can run CI/CD but not access customer databases
• Implement tool call approval workflows for high-risk actions (database writes, code deployments, external API calls)

• MCP Servers MUST validate all tool call parameters
• Treat every parameter as untrusted input
• Prevent SQL injection through database tool parameters, command injection through shell tool parameters, SSRF through URL parameters

• Monitor data flowing from MCP Servers back to agents
• Apply DLP rules — redact PII, credentials, internal IPs from tool responses
• Prevent agents from exfiltrating sensitive data through conversation responses

• Log every tool call with full parameters, agent identity, timestamp, and response
• Feed logs into SIEM for anomaly detection
• Alert on unusual patterns — agent calling tools outside normal hours, high-volume data reads, accessing tools it has never used before

• Deploy MCP Servers behind API gateways with rate limiting
• Use network segmentation — MCP Servers in a dedicated subnet
• No direct internet access for internal MCP Servers

8A2A SECURITY: When agents collaborate via A2A protocol, verify agent identity using cryptographic certificates. Validate capability claims — prevent agent spoofing. Encrypt all A2A communication. Monitor for anomalous inter-agent communication patterns.

• Catalog every AI agent deployed — customer service, billing, sales, research, deployment agents
• Document each agent's purpose, owner, and business criticality

• For each agent, map all MCP Server connections
• Document what each MCP Server exposes — tools, resources, data sources
• Flag MCP Servers with excessive capabilities (50+ tools is a red flag)

• Map downstream technologies each MCP accesses — databases, Kubernetes clusters, SaaS APIs (Salesforce, Shopify, Confluence)
• Track capability counts per technology

• Assign risk scores at every node
• High-risk indicators: agent with write access to payment systems, MCP Server with no authentication, vendor integration with 70+ capabilities, agent accessing PII through multiple MCP chains
• Aggregate scores into organizational agentic risk posture

Continuously scan for misconfigurations — MCP Servers without auth, agents with excessive permissions, vendor integrations with unused capabilities, sensitive data accessible through unmonitored chains.

• Map exactly which agents can reach sensitive data through their MCP chains
• Apply DLP at the MCP layer
• Alert on anomalous data access patterns

• For each MCP Server, calculate blast radius if compromised — which agents are affected, what data is exposed, which downstream systems are reachable
• Use this for incident response planning

• Treat each third-party vendor integration as a supply chain risk
• Monitor for vendor capability sprawl
• Implement vendor access reviews — quarterly audit of all external integrations

• Real-time alerting on new agent deployments, new MCP connections, permission changes, anomalous tool call patterns
• Feed into existing SIEM/SOAR workflows

1Deploy CASB/DLP rules to detect AI tool usage (ChatGPT, Claude, Gemini, Copilot, Perplexity). Analyze DNS logs, proxy logs, browser extensions.

2Survey all business units on AI tool usage — most will surprise you.

3Build an AI Asset Registry — catalog every AI model, tool, agent, and API key in the organization.

4Quick risk assessment: what data is flowing to external AI services? DAYS 30-60 — POLICY:

5Publish an AI Acceptable Use Policy — classify data tiers for AI (public data OK, internal OK with approved tools, confidential/PII never).

6Establish an AI Governance Committee — CISO, CTO, Legal, Privacy, HR, business representatives.

7Create an approved AI tools list with security-reviewed options. Deploy enterprise versions (ChatGPT Enterprise, Azure OpenAI) that offer data residency and no-training guarantees.

8Shadow AI Policy — don't ban AI (employees will work around it). Instead, provide secure alternatives. DAYS 60-90 — CONTROLS:

9Implement DLP policies for AI tools — block PII, source code, financial data from flowing to unapproved AI services.

0Deploy AI-specific monitoring — telemetry on all approved AI tool usage, prompt logging (for compliance, not surveillance).

1Access Controls — RBAC for AI tools, API key management, least-privilege for AI agents.

2Bias & Drift Audits — establish baseline metrics for AI model performance. ONGOING:

3AI-specific incident response playbooks (prompt injection, data leak via AI, model compromise).

4Report to Board quarterly using NIST AI RMF structure (Govern, Map, Measure, Manage).

5Align with EU AI Act risk tiers and OWASP Top 10 for LLMs.

• AI infra has massive dependency chains — LangChain alone pulls 100+ packages
• An SCA scan of AI projects reveals libraries most security teams have never evaluated (transformers, tokenizers, GGML, vLLM, SGLang)
• You must extend SCA coverage to ML-specific packages and monitor advisories from ML security researchers, not just NVD

• ML frameworks heavily use pickle, ONNX, and custom serialization formats
• The SGLang CVE (pickle.loads on untrusted input → RCE with CVSS 9

8is a pattern — PyTorch, TensorFlow, and Hugging Face models have all had deserialization vulns. Policy: never load untrusted models. Use safetensors format instead of pickle.

• The Amazon Bedrock DNS escape proves that 'no network access' doesn't mean no network access
• AI sandboxes are leaky — always deploy in VPC mode with explicit egress controls, DNS filtering, and IAM least-privilege (no broad S3 access from model inference)

• Tools like LangSmith expose HTTP APIs that handle credentials, API keys, and internal data
• The SSRF vulnerability (missing baseUrl validation) is classic OWASP but in a new context — AI observability tools become credential harvesting vectors
• Apply DAST scanning to all AI platform endpoints

• AI infra moves fast — weekly releases, breaking changes, rapid CVE disclosure
• Establish a dedicated AI infra patching SLA: Critical (CVE ≥9

0→ 24 hours, High → 72 hours. Monitor AI-specific advisory sources: Protect AI's Huntr, Trail of Bits, HiddenLayer reports.

1Connector governance — block unapproved connectors (DLP policies in Power Platform admin center).

2Data exfiltration — custom agents could send corporate data to external APIs.

3Authentication — ensure agents authenticate users properly (Azure AD).

4Topic safety — prevent agents from answering outside their scope. AZURE AI FOUNDRY (Engineering): Full enterprise AI platform requires the complete AI security stack. Key concerns:

1Model security — fine-tuned models may memorize training data (PII leakage).

2Prompt injection — custom RAG applications are vulnerable to indirect injection attacks.

3Content safety — deploy Azure AI Content Safety for output filtering.

4Network isolation — use private endpoints and VNet integration.

5Compliance — ISO 42001, SOC 2, GDPR, EU AI Act (risk classification for AI systems).

6Responsible AI — bias testing, fairness auditing, transparency documentation. OVERALL RECOMMENDATION: Start with M365 Copilot (lowest risk, fastest ROI), then Copilot Studio (medium risk, custom value), then Azure AI Foundry (highest capability and risk). Apply defense-in-depth at each layer.

• Copilot surfaces content from SharePoint, OneDrive, Teams, Exchange based on Microsoft Graph permissions
• If a user has access to an HR SharePoint site with salary data, Copilot will include it in answers
• MITIGATION: Run Microsoft 365 Copilot Readiness Assessment
• Audit SharePoint permissions (remove 'Everyone except external users' from sensitive sites)
• Implement sensitivity labels (Confidential, Highly Confidential) and configure Copilot to respect label restrictions

• Users may paste confidential data into Copilot prompts
• MITIGATION: Deploy Microsoft Purview DLP policies for Copilot interactions
• Configure sensitivity label-based restrictions on Copilot responses

• Malicious content in SharePoint documents could contain hidden instructions that manipulate Copilot responses (indirect prompt injection via Microsoft Graph)
• MITIGATION: Content safety filters, document scanning, and monitoring Copilot response quality

• Copilot interactions are logged in Microsoft Purview for eDiscovery and audit
• Ensure retention policies cover Copilot conversations
• Configure geographic data boundaries for data residency requirements

• Establish a Copilot governance policy — define which users/groups get Copilot licenses, configure admin controls in Microsoft 365 admin center, and monitor usage analytics
• KEY CONTROLS: Conditional Access policies apply to Copilot sessions, Information Barriers restrict cross-group data sharing, and Microsoft Purview Insider Risk Management can flag anomalous Copilot usage patterns

• Configure Data Loss Prevention policies in the Power Platform admin center
• Classify connectors into Business, Non-Business, and Blocked categories
• Block high-risk connectors (HTTP, custom connectors to external APIs) for non-admin users
• Prevent agents from connecting to unapproved external services

• Every Copilot Studio agent connects to data via connectors (SharePoint, Dataverse, SQL, custom APIs)
• Each connector is an attack surface
• Audit all connectors monthly
• Remove unused connectors
• Implement connector-level authentication (no anonymous access)

• Enforce Azure AD SSO for all Copilot Studio agents
• Require MFA for agent access
• Configure Teams channel-specific auth policies
• For customer-facing agents, implement proper identity verification before sharing sensitive data

• Configure topic restriction guardrails — prevent agents from answering off-topic questions
• Block code generation, personal advice, and potentially harmful content categories
• Test with adversarial prompts

• Custom agents can send data to external APIs via HTTP connectors
• Monitor outbound data flows
• Implement DLP at the connector level
• Alert on large data transfers

• Use separate Power Platform environments for dev/test/prod
• Apply environment-specific DLP policies
• Restrict who can create agents (use security groups)

• Enable Copilot Studio analytics
• Monitor conversation volumes, user satisfaction scores, and escalation rates
• Alert on unusual patterns (single user making thousands of queries, agent accessing unexpected data sources)
• Feed audit logs into Microsoft Sentinel for SIEM correlation

• Deploy Azure AI Foundry in a VNet with private endpoints
• No public internet access to model endpoints
• Use Azure Private Link for all service connections
• Configure NSG rules to restrict traffic to approved IP ranges

• Fine-tuned models may memorize training data — run membership inference tests
• Sign model artifacts and verify integrity before deployment
• Implement model versioning with rollback capability
• Scan models for backdoors before promotion to production

• Deploy Azure AI Content Safety for input/output filtering
• Implement custom guardrails using Azure AI Foundry's built-in safety features
• Configure content filtering categories (hate, violence, self-harm, sexual)
• Test with Microsoft's PyRIT red teaming framework

• If building RAG on Azure AI Search — enforce document-level security trimming
• Use managed identities (no API keys in code)
• Implement vector store access controls
• Monitor retrieval patterns for anomalies

• Use Azure AI Foundry's built-in evaluation tools for bias testing, groundedness scoring, and relevancy metrics
• Document model cards
• Conduct fairness assessments across protected categories

• ISO 42001 alignment through Azure AI Foundry's governance features
• EU AI Act risk classification — determine if your AI system falls into high-risk, limited-risk, or minimal-risk categories
• SOC 2 Type II coverage through Azure's compliance certifications
• GDPR — configure data residency, implement right-to-deletion for training data

• Set token budgets per deployment
• Configure auto-scaling limits
• Monitor inference costs
• Alert on spending anomalies — sudden cost spikes may indicate abuse or prompt injection attacks generating excessive tokens

1Input validation and sanitization,

2Separating system and user prompts architecturally,

3Output validation,

4Guardrails and content filtering,

5Least privilege for LLM tool access,

6Human-in-the-loop for sensitive actions.

2Training: secure compute environments, verify data integrity, test for poisoning.

3Model: robustness testing (adversarial testing), model signing, version control.

4Deployment: API authentication/rate limiting, input validation, output filtering.

5Monitoring: drift detection, anomaly monitoring, audit logging.

6Governance: model cards, bias testing, regulatory compliance. Reference NIST AI RMF and OWASP ML Top 10.

1AI_REQUEST_PROTECTION (Input Layer): Every developer request hits a Secure Input Gateway first. A Prompt Injection Firewall detects and blocks adversarial prompts (ignore previous instructions, reveal system prompt). Input Sanitization and Policy Checks validate the request against organizational policies. A Context Builder assembles safe, sanitized context for the model — stripping sensitive data and enforcing scope boundaries.

2AI_REASONING_SYSTEM (Processing Layer): The Model Reasoning Layer processes the sanitized request. A Task Planning Engine decomposes the request into steps and makes a critical decision — does this task require tool execution (running code, accessing files, executing commands) or just a text response? This decision point determines the security path.

3TOOL_SECURITY_LAYER (Execution Layer): If tool execution is needed, a Tool Permission Manager validates whether the AI has authorization for the requested action (principle of least privilege). All tool execution happens in a Sandbox Execution Environment — isolated from the host system, with restricted network access, filesystem boundaries, and resource limits. The sandboxed result is returned without exposing the host.

4SECURITY_MONITORING (Continuous Scanning): A Security Scanner runs in parallel throughout all processing, monitoring for threats — data exfiltration attempts, malicious code generation, policy violations, or anomalous behavior. Decision point: if a threat is detected, the Block/Alert System immediately terminates the session. If safe, processing continues to response delivery.

5RESPONSE_DELIVERY (Output Layer): The Enhanced Code/Response passes through output validation before reaching the developer. A Developer Review step ensures human-in-the-loop — the developer reviews and accepts or rejects the AI output before it is applied to their codebase.

6LEARNING_AND_IMPROVEMENT (Feedback Loop): A Feedback Learning Module captures outcomes — accepted responses, rejected suggestions, detected threats. This feeds into Model Behavior Adjustment to continuously improve security detection, reduce false positives, and adapt to new attack patterns. Key principle — no single layer is sufficient. The architecture implements defense-in-depth where each layer catches what the previous layer might miss.

1AGENT HIJACKING — Prompt injection causes the agent to execute unintended actions using its granted tool permissions. An attacker crafts input that makes the agent delete files, exfiltrate data, or execute malicious code instead of the intended task.

2CONFUSED DEPUTY — The agent has elevated privileges (file system access, database access, API keys). An attacker tricks the agent into using these privileges on their behalf — similar to SSRF but at the AI agent level.

3EXCESSIVE AGENCY (OWASP LLM #

8— Agents granted more permissions than needed. If an agent only needs to read files but has write/delete access, a prompt injection becomes catastrophic.

4TOOL POISONING — Malicious MCP server tool descriptions contain hidden instructions that manipulate agent behavior. The agent trusts tool descriptions as part of its system context.

5MULTI-STEP ATTACK CHAINS — Adversaries exploit the agent's planning loop to build complex attacks across multiple tool calls — each individual call looks benign, but the sequence achieves a malicious outcome. Mitigations: Enforce least privilege per tool (read-only file access, scoped DB queries), sandbox all tool execution in isolated containers, implement human-in-the-loop for high-risk actions (delete, write, execute), validate output between every agent step, rate limit tool calls, maintain full audit trail of every action, and use canary tokens to detect unauthorized data access.

1INDIRECT PROMPT INJECTION DEFENSE — This is the #1 RAG threat. Attackers plant instructions in documents that get retrieved and processed by the LLM. Defense: Sanitize retrieved chunks before feeding them to the model — strip markdown/HTML that could contain hidden instructions. Use a separate 'retrieval prompt' that explicitly marks retrieved content as untrusted data. Implement a classifier that scores retrieved chunks for injection attempts before inclusion.

2ACCESS CONTROL AT RETRIEVAL — Multi-tenant RAG must enforce document-level access control at query time. Filter retrieved documents by user permissions BEFORE passing to the LLM. Use metadata-based filtering on the vector store. Never rely on the LLM to enforce access — it will leak if asked creatively.

3DATA POISONING PREVENTION — Validate documents before indexing. Implement content integrity checks (hashing) to detect tampered documents. Monitor for bulk uploads that could be poisoning attempts.

4CROSS-TENANT ISOLATION — Separate embedding spaces per tenant where feasible. At minimum, enforce strict metadata filtering. Regularly audit cross-tenant retrieval with canary documents.

5PII PROTECTION — Scan documents for PII before indexing. Implement output filters to catch PII leakage in responses. Use differential privacy techniques for sensitive knowledge bases.

1TOOL PERMISSION MANAGEMENT — Each MCP server exposes capabilities (file access, database queries, API calls, code execution). Without proper scoping, an AI agent could be given unrestricted access to sensitive systems. Best practice: Define explicit permission boundaries per MCP server — read-only file access, scoped database queries (specific tables only), allowlisted API endpoints.

2SERVER AUTHENTICATION — MCP servers must authenticate connecting AI agents. Without auth, any process could connect to an MCP server and access its tools. Implement mutual TLS, API key validation, or OAuth for server connections.

3INPUT VALIDATION ON TOOL CALLS — AI agents generate tool call parameters dynamically. A compromised agent could inject SQL into a database MCP tool, or command injection into a shell MCP tool. Every MCP server must validate and sanitize incoming parameters.

4DATA EXFILTRATION RISK — A malicious MCP server could harvest sensitive context from the AI agent's conversation — system prompts, user data, API keys in context. Only use trusted, audited MCP servers from verified sources.

5SUPPLY CHAIN — Third-party MCP servers from public registries may contain backdoored tool definitions that subtly manipulate agent behavior. Audit tool descriptions for hidden prompt injection. Best practices: Allowlist approved MCP servers, sandbox server execution, enforce TLS, log all tool invocations, and implement tool-level rate limiting.

1INPUT GUARDRAILS (Pre-Processing): Deploy a prompt injection classifier (fine-tuned model or rule-based) to detect and block adversarial inputs — both direct injection and encoding-based bypasses (base64, ROT13, Unicode). Implement topic restriction — if the AI should only answer about cybersecurity, block out-of-scope queries. PII detection and redaction before the query reaches the model — use regex + NER models to catch SSNs, credit cards, emails. Rate limiting and abuse detection — flag users sending rapid-fire queries or systematically probing the system.

2OUTPUT GUARDRAILS (Post-Processing): Content safety filtering with a classifier (LlamaGuard, Azure AI Content Safety) — check for toxicity, hate speech, violence, self-harm, and illegal content. PII leakage prevention — scan model output for any PII before delivering to the user. Code safety scanning — if the model generates code, check for known vulnerable patterns (SQL injection, command injection, hardcoded secrets). Factuality grounding — if using RAG, verify that the response is grounded in retrieved sources, not hallucinated. Brand safety — ensure responses align with company policies and don't make unauthorized commitments.

Enforce output format (JSON schema validation for structured outputs), length limits, citation requirements, and confidence thresholds.

NVIDIA NeMo Guardrails (programmable guardrails as code), Guardrails AI (Pydantic-based validation), LlamaGuard (Meta's safety classifier), Azure AI Content Safety, and Rebuff (prompt injection detection).

• Log all guardrail triggers, track false positive rates, and continuously tune thresholds
• Key architecture: guardrails should be defense-in-depth — multiple layers catching different threat categories, with graceful degradation (fallback responses) rather than hard failures

1IDENTITY LAYER (Core) — Agent Authentication, NHIs, RBAC, Least Privilege, Session Binding, JIT Access, Privileged Access Monitoring.

2AGENT CONTROL LAYER — Autonomy Restrictions, Human-in-the-Loop, Behavioral Guardrails, Rate Limiting, Goal Boundary Enforcement, Safe Failure Mechanisms.

3TOOL SECURITY LAYER — Permission Sandboxing, Tool Allowlisting, Secure Function Calling, API Validation, Plugin Verification, Execution Isolation.

4MCP LAYER — URI Validation, Scope Minimization, MCP Auth Flows, Token Enforcement, Per-Client Consent, Policy-as-Code.

5GOVERNANCE LAYER — AI Usage Policies, TPRM, Responsible AI Frameworks, Risk Classification, Model Lifecycle Governance.

6MONITORING & OBSERVABILITY — Agent Activity Logging, Prompt Auditing, Behavioral Anomaly Detection, Incident Alerting.

7COMPLIANCE & REGULATION (Outer) — Regulatory Risk Assessment, Privacy Protection, Data Retention, EU AI Act Alignment.

1Prompt Injection — jailbreaks, instruction hijacking; mitigate with input sanitization, prompt firewalls.

2Data Leakage — cross-session leaks, API key exposure; mitigate with session isolation, secure logging.

3Tool Misuse — command injection, privilege escalation; mitigate with sandboxing, allowlisting.

4Hallucination — false outputs, fabricated citations; mitigate with output verification, RAG grounding.

5Access Control — weak auth, identity spoofing; mitigate with strong NHI identity, RBAC.

6Agent Overreach — infinite loops, resource exhaustion; mitigate with scope limits, kill switches.

7Supply Chain — library backdoors, model poisoning; mitigate with dependency scanning, SBOM.

8Memory Exploits — context poisoning, stored prompt attacks; mitigate with memory integrity checks.

9Infrastructure — cloud misconfig, DDoS; mitigate with defense-in-depth.

0Governance Gaps — absent policies, audit failures; mitigate with AI governance framework, compliance automation.

1QUERY CONSTRUCTION — Transforms user questions into database-appropriate queries. For relational databases, it generates SQL. For graph databases, Cypher/SPARQL. For vector stores, it creates embedding vectors. Each requires different security controls (SQL injection prevention, query scoping).

2RAG TYPES — Advanced retrieval strategies beyond basic similarity search. Multi-Query generates multiple reformulated queries for better coverage. RAG Fusion uses reciprocal rank fusion to combine results from different query formulations. HyDE (Hypothetical Document Embeddings) generates a hypothetical answer and uses its embedding for retrieval. Decomposition breaks complex queries into sub-queries.

3ROUTING — Decides which retrieval path to take. Logical routing chooses the right database (graph vs relational vs vector). Semantic routing selects the optimal prompt template based on query type. This prevents unnecessary data exposure by routing to scoped data sources.

4RETRIEVAL — Fetches and refines relevant documents from Graph DBs, Relational DBs, Vector Stores, and document collections. Includes refinement (filtering and cleaning) and reranking with cross-encoders to improve relevance. Security: enforce access controls at retrieval time, sanitize retrieved content.

5GENERATION — Produces the final answer. Active Retrieval iteratively fetches more context when needed. Self RAG uses self-reflection to decide when to retrieve. RRR (Retrieve, Rewrite, Respond) refines the response cycle.

6INDEXING — Prepares documents for retrieval. Semantic splitting chunks by meaning. Multi-representation indexing creates summaries for coarse retrieval. Special embeddings (ColBERT) enable token-level matching. Hierarchical indexing (RAPTOR) builds cluster trees for multi-scale retrieval. EVALUATION uses RAGAS (faithfulness, relevancy, context recall), Grouse (grounded unit scoring), and DeepEval for end-to-end testing. Security considerations across all components: input validation at query construction, access controls at retrieval, output filtering at generation, and content integrity checks at indexing.