August 2, 2026, is 67 days away. If your RAG pipeline touches high-risk AI use cases under Annex III, here is the practical seven-item checklist mapped to Articles 9, 10, 12, 14, and 15.
Gateco now supports per-organization OpenAI API keys for Grounded Answers, encrypted with AES-256-GCM envelope encryption and per-tenant KMS context binding. Here is how the key model, credit system, and storage architecture work.
When a policy evaluation hits an error — timeout, missing metadata, misconfigured condition — Gateco denies the retrieval and logs the decision. Here is why fail-closed is the right default, how to read error-deny events, and when fail-open is appropriate.
Google has two distinct retrieval products under the Vertex AI brand. Vector Search (formerly Matching Engine) is a managed ANN index. Vertex AI Search is a full Discovery Engine service with keyword, hybrid, and listing capabilities. Gateco supports both — here is when to use each.
The Gateco MCP server gives Claude Desktop, Cursor, and any MCP-compatible host policy-enforced access to your vector knowledge bases. Six tools, markdown-only output, denied content never surfaces. Available on all plans for retrieval tools; Grounded Answers requires Growth+.
Gateco now supports 1-hop relationship-based access control: policies can check whether a principal has a named relationship to a resource. Owner, assignee, project member — any relationship you define. Here is how it works and when to use it over RBAC and ABAC.
IAM authenticates the agent. Gateco authorizes the data. Why a single IAM role is not enough when your chatbot serves thousands of distinct end users — and the three integration patterns that fix it.
August 2, 2026, is the EU AI Act enforcement deadline for high-risk AI systems. If your RAG pipeline touches employment, credit, healthcare, or education decisions, you are in scope. Here is the practical article-by-article mapping.
Cerbos is a well-designed generic authorization engine. Gateco is a retrieval-specific security layer built for AI and RAG pipelines. They solve different problems — and can be used together. Here is when to choose each.
pgvector Row Level Security is the most common DIY pattern for RAG authorization. Here is when it works, when it breaks, and the five triggers that make teams outgrow it — usually within 6 to 12 months.
Every RAG pipeline your engineering team ships creates a new access surface that bypasses application-layer authorization. Here is how to close the gap — in security language, not developer language.
The most common question about adding an authorization layer to RAG: "How much latency does it add?" Here is exactly how Gateco achieves <25ms p95 policy overhead, what drives variance across connectors, and what happens when the policy engine is slow.
Enterprise AI teams increasingly span multiple clouds. Gateco now enforces the same deny-by-default policies across AWS OpenSearch, Azure AI Search, and Google Vertex AI — so your RAG governance story is consistent regardless of where your vectors live.
Gateco now integrates with Google Vertex AI Vector Search — bringing deny-by-default retrieval, ABAC policies, and audit trails to GCP-hosted vector workloads. Vertex AI Search is also now available.
Azure AI Search gives you world-class hybrid retrieval. Gateco decides who's allowed to see the results. Here's why enterprise RAG needs both — and how they compose.
Azure AI Search has powerful retrieval capabilities. But for enterprises with compliance requirements, it leaves three critical security gaps: no dynamic ABAC, no deny-by-default, and no audit trail.
Azure AI Search is a managed search platform. pgvector, Pinecone, and Qdrant are retrieval primitives. The choice shapes your RAG architecture — and your governance options — more than most teams realize.
Metadata filters are the most common approach to RAG access control. They're also fundamentally insufficient. Here's why app-level filtering can't replace a dedicated permission layer.
Four approaches to RAG authorization, compared: no auth, metadata filters, app-layer RBAC, and a dedicated permission layer. Pros, cons, and when each makes sense.
DIY RAG authorization requires a policy engine, metadata resolution, audit logging, connector adapters, and identity sync. Here's what it actually takes to build it yourself.
Vector databases retrieve based on embedding similarity. They don't know who's asking. They don't check permissions. They just return the closest matches. This is the AI security gap — and it's wider than most teams realize.
Today we're launching Gateco — the security middleware between AI agents and organizational knowledge. Deny-by-default retrieval, 12 vector DB connectors, and full audit trails. Here's why we built it.
Gateco assigns each connector a readiness level from L0 to L4 based on its security capability — not a percentage, but a progression through increasingly granular enforcement. Here's what each level means and how to reach it.
Gateco resolves policy-relevant metadata through a configurable 3-step hierarchy. Choose sidecar for simplicity, inline for existing payload metadata, or SQL views for Postgres-based systems. Here's when to use each.
A step-by-step walkthrough: install the Python SDK, connect a vector database, create a policy, and execute your first permission-aware retrieval. With actual code that runs.
The Access Simulator lets you dry-run policy evaluation to see exactly what a principal would be allowed or denied before activating policies in production. Here's how to use it.
Regulations are catching up to AI. When auditors ask "who accessed what data through your AI system?", you need an answer. Gateco's audit trail covers 25 event types across every operation.
Financial services firms face unique RAG authorization challenges: information barriers, SOX compliance, and classification-based access to market-sensitive data. Here's how Gateco addresses them.
Healthcare organizations using RAG systems must protect PHI at every retrieval. Gateco's ABAC policies, classification-based access, and audit trails support HIPAA's minimum necessary standard.
SaaS platforms embedding LLM features must prevent cross-tenant data leakage in shared RAG infrastructure. Here's how to enforce tenant isolation at the retrieval layer.