Enterprise RAG cannot treat permissions as a front-end concern. Tenant, workspace, role, and record-level rules need to shape what can be indexed, retrieved, assembled into context, and shown in citations.
A secure retrieval layer should carry access metadata with each chunk, enforce filters before reranking, and preserve source lineage so answer traces explain which records influenced the response.
The test plan should include cross-tenant records, role changes, revoked documents, private notes, stale indexes, and prompt-injection attempts that ask the system to reveal hidden context.