For enterprise AI and RAG pipelines

Gate your AI's access to knowledge
with permission-aware retrieval

Permission-aware retrieval for enterprise teams building internal copilots and AI agents on existing vector databases. Five lines of Python. The access control, auditability, and governance your security team requires.

Adds <25ms policy-layer overhead per query|Fail-closed, no silent pass-through on errors|SOC 2 Type II audit underway

Your AI agents bypass every access control you built

You invested in SSO, IAM, ACLs, and RBAC for every system in your organization. Then you deployed RAG, and created a new access surface that bypasses all of it. Vector databases retrieve by semantic similarity, not authorization. When your AI copilot is asked about compensation data, it returns the most relevant chunks, not the most appropriately authorized ones. This is the RAG authorization gap.

Security that works with your stack

Gateco sits between your AI agents and vector databases, enforcing policies at retrieval time without changing your existing architecture.

Deny-by-Default Retrieval

Your AI agents can only access data they're explicitly authorized for. No policy match, no data, eliminating the #1 cause of RAG data leakage.

12 Vector DB Connectors

Plug into your existing vector infrastructure in minutes. No migration, no vendor lock-in. Security layers on top of databases you already use.

Semantic Readiness (L0-L4)

See exactly where each connector stands on the path to full policy enforcement. A clear, actionable roadmap instead of vague security posture scores.

Classification Suggestions

Stop manually labeling thousands of resources. Gateco scans and suggests classifications; you review and approve, turning weeks of work into minutes.

Full Audit Trail

Answer "who accessed what through AI, and when?" instantly. Every retrieval decision recorded with the exact policy logic, audit-ready from day one.

SDK + CLI

Add permission-aware retrieval in 5 lines of code. Python and TypeScript SDKs, CLI for operations, Access Simulator to dry-run policies before they go live.

Multi-Mode Search

Four retrieval modes: semantic similarity, keyword relevance, hybrid fusion, and deterministic grep. Every query finds the right lens.

Identity Provider Sync

Connect Okta, Azure Entra ID, AWS IAM, or GCP Cloud Identity. Principals, groups, and departments sync automatically, so policies reference real identities, not static lists.

Policy Templates

Seven ready-made templates for common patterns: group RBAC, department access, classification ceilings, deny-sensitive. Pick a template, fill in your values, deploy a draft in seconds.

Grounded Answers

Ask a natural language question and get an answer synthesized only from policy-allowed chunks, with citations. Denied content never reaches the LLM context.

Access Simulator

Dry-run policy evaluation or run a live preview against real data. See exactly what each principal would be allowed or denied before activating policies in production.

SCIM Provisioning

Enterprise inbound SCIM v2 for real-time user and group provisioning. Your IDP pushes changes to Gateco as they happen, with no sync delay and no stale principals.

MCP Server

Give AI coding assistants like Claude and Cursor permission-aware retrieval via the Model Context Protocol. Six tools, markdown output, zero denied-content leakage.

Five questions buyers ask

What about latency?

<25ms p95 policy-layer overhead. Per-connector benchmarks are public.

See the SLO →

What about pgvector RLS?

Works until you need an audit trail, IDP sync, or a second vector DB.

Read the comparison →

What about Cerbos?

Cerbos is engine-shaped. Gateco is RAG-specific and ships with 12 connectors.

Read the comparison →

Won't Microsoft bundle this?

Purview secures M365 Copilot. Gateco secures the AI you ship in your own product.

See the difference →

What if you're unavailable?

Fail-closed by default. Every error-time denial is logged. No ambiguous access.

Read the failure model →

Works with your stack

Connect your vector databases and identity providers in minutes

Vector Databases

pgvectorT1
SupabaseT1
NeonT1
PineconeT1
QdrantT1
Weaviate
Milvus
Chroma
OpenSearch
Azure AI Search
Vertex AI Vector Search
Vertex AI Search

Identity Providers

OktaGrowth+
Azure Entra IDGrowth+
AWS IAMGrowth+
GCP Cloud IdentityGrowth+

Three steps to secure retrieval

No infrastructure changes required. Connect, configure, and enforce, and your AI agents keep working, now with permission boundaries.

Connect

Point Gateco at your vector DB

Step 1

Define Policies

Set who can access what data

Step 2

Secure Retrieval

Every query is permission-checked

Step 3

Demo track

Connect and make your first policy-filtered retrieval call in minutes.

Point Gateco at a vector DB, define one policy, and retrieve. No IDP sync required.

Production track

Full governance deployment: connector, search config, resource registration, IDP sync, policy authoring, and Access Simulator validation.

Median time to L3 readiness: ~2 weeks. Full deployment guide →

Integrate in minutes

Python and TypeScript SDKs make permission-aware retrieval a one-liner. The CLI handles everything else.

from gateco_sdk import GatecoClient

client = GatecoClient(api_key="gck_...")

# Deny-by-default retrieval
result = client.retrievals.execute(
    query="quarterly revenue forecast",
    principal_id="user-uuid",
    search_mode="hybrid",
)
# Returns only what this principal is authorized to see

Trusted by engineering teams shipping AI in regulated industries

What practitioners say about building with Gateco.

Senior ML Engineer

Senior ML Engineer

Financial Services

We needed ABAC on our RAG pipeline before shipping to customers. Gateco got us there in a day, not a quarter.

VP of Engineering

VP of Engineering

Healthcare Tech

The audit trail alone justified the cost. Every retrieval decision is logged with the exact policy reason, and compliance teams love it.

AI Platform Lead

AI Platform Lead

Enterprise SaaS

Deny-by-default was the feature that sold us. Our previous setup was allow-unless-explicitly-denied. That's backward for sensitive data.

Staff Software Engineer

Staff Software Engineer

Legal Tech

Connecting to our existing pgvector setup took 15 minutes. Policy configuration took another hour. We were in production the same day.

Head of Data & AI

Head of Data & AI

InsurTech

The Access Simulator let us test policies before enforcing them. No other tool we evaluated had this. It removed all the deployment risk.

Simple, transparent pricing

Start free, scale as your AI retrieval needs grow.

Team

$499

per month

  • 3 connectors
  • 50,000 retrievals/mo
  • ABAC + ReBAC policies
  • Grounded Answers
  • Priority support
Most popular

Growth

$1,999

per month

  • 10 connectors
  • 500,000 retrievals/mo
  • SSO & SCIM
  • Access Simulator
  • Audit export

Enterprise

from $24K

per year

  • Unlimited everything
  • SIEM integration
  • Private Data Plane
  • Custom SLAs

Free tier available with no credit card required. 1,000 retrievals/mo.

Start securing your AI retrieval today

Free tier available. No credit card required. Connect your first vector DB in minutes, and reach production-grade governance with our structured deployment path.