Tenant-Scoped Tool Binding
Bind every tool call and retrieval to the active tenant in code at the execution layer, so a multi-tenant agent can never be talked into reading or writing another tenant's data.
Problem
If the tenant boundary is expressed only as an instruction in the system prompt — telling the model to act for organisation 42 and refuse anything else — the boundary depends on the model continuing to honour that instruction under adversarial input. A retrieved document, a tool result, or a crafted user message can pull the model into emitting a tool argument scoped to a different organisation, and the model will sometimes comply. Prompt-level scoping also leaves no enforceable contract at the data layer: a single missing filter in one tool silently exposes every tenant's rows. The boundary that matters most for trust is the one the model is least reliable at holding.
Solution
Derive the tenant identifier from the authenticated session or token at the trust boundary, not from anything the model produces. Pass it out of band into the tool-execution layer through a request-scoped context, closure, or middleware, and have every tool and retriever apply it as a mandatory predicate: a WHERE tenant_id = ? filter, a Postgres row-level-security policy keyed on the connection's tenant, or a vector-store namespace selected from the token rather than from a model argument. Tools accept business arguments only; the tenant scope is injected beneath them and is not part of the model's action schema. Retrieval requests carry the tenant id before they reach the index, so a query can only ever match the calling tenant's partition. Make the scoped accessor the only path to tenant data, so a newly added tool inherits the boundary by construction instead of by the author remembering to add a filter.
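The following is an added example, not code from the original page: it shows the pattern above in Python, with the tenant identifier bound from an already-verified token into a request-scoped contextvar at the trust boundary, a scoped store and retriever that apply that tenant as a mandatory predicate beneath the business arguments (the in-memory filter stands in for a WHERE tenant_id = ? clause or row-level-security policy, and the per-tenant document dict for a vector-store namespace), and a dispatcher that rejects any model-emitted argument the tool's schema does not declare. The token format, table rows, documents and tool names are all constructed for the example.

```python
import contextvars
import inspect
from typing import Any, Callable, Dict, List, Optional, Tuple

# Request-scoped tenant binding. Set exactly once per request at the trust
# boundary; never set from anything the model produces.
_current_tenant: contextvars.ContextVar[Optional[str]] = contextvars.ContextVar(
    "tenant_id", default=None
)


class NoTenantScope(RuntimeError):
    """Raised when tenant data is touched outside a bound request."""


def tenant_from_token(token: Dict[str, Any]) -> str:
    # Constructed: `token` is an already-verified claims dict. Real code
    # would validate the signature/expiry before trusting any claim.
    tid = token.get("tenant_id")
    if not isinstance(tid, str) or not tid:
        raise NoTenantScope("token carries no tenant claim")
    return tid


def current_tenant() -> str:
    tid = _current_tenant.get()
    if tid is None:
        raise NoTenantScope("no tenant bound to this request")
    return tid


# Constructed shared storage: one table holding several tenants' rows, and
# one document namespace per tenant (the analogue of a vector-store namespace).
INVOICES: List[Dict[str, Any]] = [
    {"tenant_id": "org-42", "customer": "acme", "amount": 120},
    {"tenant_id": "org-42", "customer": "globex", "amount": 75},
    {"tenant_id": "org-7", "customer": "acme", "amount": 999},
]
DOCUMENTS: Dict[str, List[str]] = {
    "org-42": ["acme renewal terms 2024", "globex support contract"],
    "org-7": ["acme escalation notes"],
}


class ScopedStore:
    """The only path to tenant data. Every method applies tenant_id = current_tenant()
    underneath the business arguments, so a new tool inherits the boundary."""

    def find_invoices(self, customer: str) -> List[Dict[str, Any]]:
        tid = current_tenant()  # stands in for WHERE tenant_id = ? / an RLS policy
        return [r for r in INVOICES if r["tenant_id"] == tid and r["customer"] == customer]

    def search_documents(self, query: str) -> List[str]:
        namespace = DOCUMENTS.get(current_tenant(), [])  # namespace chosen from the token
        q = query.lower()
        return [d for d in namespace if q in d.lower()]


STORE = ScopedStore()
TOOLS: Dict[str, Callable[..., Any]] = {}


def tool(fn: Callable[..., Any]) -> Callable[..., Any]:
    """Register a tool. Its signature is the model-facing schema: business args only."""
    TOOLS[fn.__name__] = fn
    return fn


@tool
def lookup_invoices(customer: str) -> List[Dict[str, Any]]:
    return STORE.find_invoices(customer)


@tool
def search_documents(query: str) -> List[str]:
    return STORE.search_documents(query)


def execute_tool_call(name: str, model_args: Dict[str, Any]) -> Any:
    """Dispatch a model-emitted call. Arguments outside the declared schema
    (such as a smuggled tenant_id) are rejected rather than passed through."""
    fn = TOOLS[name]
    allowed = set(inspect.signature(fn).parameters)
    extra = set(model_args) - allowed
    if extra:
        raise ValueError(f"tool {name!r} does not accept {sorted(extra)}")
    return fn(**model_args)


def handle_request(token: Dict[str, Any], name: str, model_args: Dict[str, Any]) -> Any:
    """Trust boundary: bind the tenant from the verified token, then run the
    tool inside a copied context so the binding cannot leak across requests."""
    tid = tenant_from_token(token)

    def run() -> Any:
        _current_tenant.set(tid)
        return execute_tool_call(name, model_args)

    return contextvars.copy_context().run(run)


def attempt(token: Dict[str, Any], name: str, model_args: Dict[str, Any]) -> Tuple[str, Any]:
    """Convenience wrapper returning ("ok", result) or ("rejected", exception name)."""
    try:
        return ("ok", handle_request(token, name, model_args))
    except (NoTenantScope, ValueError) as exc:
        return ("rejected", type(exc).__name__)


if __name__ == "__main__":
    print(attempt({"tenant_id": "org-42"}, "lookup_invoices", {"customer": "acme"}))
    print(attempt({"tenant_id": "org-42"}, "lookup_invoices", {"customer": "acme", "tenant_id": "org-7"}))
```

The point to note is that `lookup_invoices` and `search_documents` contain no tenant logic at all; the scope is applied inside `ScopedStore`, which is the only object that reads `INVOICES` or `DOCUMENTS`. A request whose token carries no tenant claim, or a tool invoked outside `handle_request`, fails closed with `NoTenantScope` rather than falling through to an unfiltered query.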
When to use
- One agent serves many customer organisations over shared storage and the data must stay strictly per-tenant.
- Untrusted content (retrieved documents, user messages, tool results) can reach the model and could influence a tool argument.
- A data leak across tenants is a serious commercial or regulatory event.
- New tools and data paths are added often and must inherit the boundary automatically.