Aravind Anchala
← All projects

Agents & Retrieval

Planned

Enterprise Agentic RAG Copilot + Incident Commander

A permission-aware agentic copilot that assists incident response.

This system is planned. The case study describes the intended design; metrics are targets or planned, not measured results.

Problem

Naive RAG agents retrieve across everything and execute tools directly, leaking documents across tenants and taking risky actions with no audit trail or approval step.

Why this matters

Enterprises adopting agents need permissioned retrieval, guarded tools, and audit. That governance layer is what decides whether agentic products are actually shippable for AI platform vendors and their enterprise customers.

Constraints

  • Retrieval must enforce per-document and per-tenant permissions.
  • Risky tools require explicit human approval.
  • Every tool call and decision is logged for audit.
  • Prompt-injection is treated as an expected attack, not an edge case.

Architecture

Interface

  • Copilot UI
  • Approval queue

Agent

  • Planner
  • Guarded tools
  • Injection defenses

Retrieval

  • Permission filter
  • Vector + keyword search

Audit

  • Decision log
  • Trace by incident ID
A planner coordinates permission-filtered retrieval and a guarded tool layer; high-risk tools route through a human-approval queue; all steps emit an audit trail correlated by incident ID.

Data flow

A query is planned, retrieval is filtered by permissions, tools run (risky ones pause for approval), and every step is written to an incident-correlated audit log.

Control plane vs data plane

Control: Approval queue, policy for which tools are risky, and the audit log.

Data: The agent loop: planning, permission-filtered retrieval, and tool execution.

Core capabilities

  • Permission-aware retrieval evaluated at query time.
  • A tool layer with an approval gate for high-risk actions.
  • Incident workflows: triage, summarize, propose mitigations.
  • Full auditability of what the agent saw and did.

Staff-level tradeoffs

  • Human approval for risky tools instead of full autonomy.

    Auditable, safe-by-default behavior matters more than a flashy fully-autonomous demo.

  • Permissions enforced at retrieval, not just in the UI.

    Tenant isolation has to hold at the data boundary; UI checks are not security.

Tech stack

Frontend

  • Next.js
  • React
  • TypeScript

Backend

  • Python
  • LLM tool layer

ML / Data

  • Vector search
  • hybrid ranking

Infrastructure

  • Kubernetes

Observability

  • structured audit logs
  • traces

Metrics

Cross-tenant retrieval leakage
Target
0 (permission-filtered)
Risky actions without approval
Planned
0 (approval-gated)
Prompt-injection test suite
Planned
Baseline + regression cases
Retrieval p95 latency
Target
Bounded for interactive use

Metrics are labeled measured, target, or planned. Nothing here is an achieved result unless it is marked measured.

Failure modes

  • Prompt-injection attempt

    Blocked by injection defenses and recorded in the audit log.

  • Over-broad retrieval request

    Permission filter denies out-of-scope documents before the model sees them.

  • Risky tool invoked

    Held in the approval queue until a human approves; nothing executes silently.

What's next

  • Stand up permission-filtered retrieval with a small governed corpus.
  • Add the approval queue and injection test suite.