Multi-Tenant LLM Isolation
Shared LLM-Infrastruktur für mehrere Mandanten erfordert strikte Datentrennung auf jeder Schicht — Konversation, RAG, Verschlüsselung und Monitoring. Vier Isolation-Schichten mit konkreter Moltbot-Konfiguration.
Was ist Multi-Tenant LLM Isolation? Einfach erklärt
Multi-Tenant LLM Isolation garantiert strikte Datentrennung zwischen Mandanten auf allen Ebenen: Conversation & Context Isolation trennt Konversationen mit tenant_id-tagging und cross-tenant context denial. Per-Tenant RAG Partitionierung isoliert Vector Stores mit Namespace-Strategien oder separaten Collections pro Mandant. Per-Tenant Encryption Keys verwenden separate Vault-Keys pro Mandant damit ein Key-Compromise nur einen Mandant betrifft. Cross-Tenant Leakage Detection scannt LLM-Outputs auf fremde Tenant-Fingerprints und validiert Context-Items vor LLM-Submission.
↓ Springe zu Isolation-Schichten
4 Isolation-Schichten
Each tenant's conversation history, system prompts, and context windows must be strictly isolated. No conversation data from Tenant A should ever appear in Tenant B's LLM context.
# Moltbot multi-tenant conversation isolation:
multi_tenant:
isolation_model: strict # strict | permissive | none
# Each request is tagged with tenant_id from authenticated JWT:
tenant_id_source: jwt_claim # Extract tenant_id from JWT "sub" or "org_id"
tenant_id_claim: "org_id"
conversation_isolation:
storage_key_prefix: "tenant:{tenant_id}:conv:{session_id}"
# Conversations physically separated by tenant prefix in storage
# NEVER allow cross-tenant context injection:
cross_tenant_context: deny
# This means: a user cannot reference another tenant's conversation history
# System prompt isolation:
system_prompt:
per_tenant_config: true # Each tenant has own system prompt
tenant_cannot_override_base: true # Base safety rules always apply
# Session isolation validation (paranoid mode):
session_validation:
verify_tenant_on_every_request: true # Don't trust session cache — re-verify
session_token_binding: true # Session token bound to tenant_id at creation
# Emergency isolation: if cross-tenant leak suspected:
on_isolation_breach:
action: terminate_all_tenant_sessions
alert: immediate
log_forensic: trueEach tenant's vector store (RAG) must be physically or logically isolated. A retrieval query from Tenant A must never return documents from Tenant B's corpus.
# Moltbot RAG multi-tenant partitioning:
rag:
isolation_strategy: namespace # namespace | separate_collection | separate_db
# Strategy: namespace (most common — single vector DB, logical separation):
namespace_config:
namespace_key: "tenant_id"
namespace_format: "t_{tenant_id}" # e.g., t_acme, t_beta_corp
# All queries are automatically namespaced:
# query(text, tenant_id="acme") → searches ONLY in namespace "t_acme"
# Cannot be overridden by user input
# Namespace enforcement at query layer (not application layer):
enforce_at: vector_db_client # Not at app level — harder to bypass
# Strategy: separate_collection (stronger isolation, more resources):
# Each tenant gets their own Chroma/Weaviate/Qdrant collection
# Physical separation — no shared index structures
# Strategy: separate_db (strongest — for high-compliance tenants):
# Each high-value tenant gets dedicated vector DB instance
# Used for: enterprise tiers, regulated industry tenants
# Cross-tenant retrieval prevention:
retrieval_validation:
verify_namespace_before_return: true # Double-check every result
on_namespace_mismatch: drop_and_alert # Drop result + alert security
# Tenant data deletion (GDPR Art. 17):
tenant_offboarding:
delete_namespace: true # Delete entire namespace on tenant deletion
verification_scan: true # Verify no documents remain after deletionDifferent tenants should have different encryption keys for their stored data — a key compromise for one tenant does not expose another's data.
# Moltbot per-tenant encryption key management via Vault:
encryption:
key_strategy: per_tenant
vault_config:
# Each tenant has a dedicated encryption key in Vault:
key_path_template: "transit/keys/tenant-{tenant_id}"
# Create key for new tenant:
# vault write transit/keys/tenant-acme type=aes256-gcm96
# Encrypt tenant data:
# vault write transit/encrypt/tenant-acme plaintext=$(base64 <<< "conversation data")
# Tenant key rotation (without re-encrypting all data — Vault handles):
rotation_policy:
auto_rotate_days: 90
min_decryption_version: 1 # Keep old versions for decryption
# What is encrypted per tenant:
encrypted_per_tenant:
- conversation_logs # Full conversation history
- rag_document_store # Vector store documents
- agent_memory # Persistent agent memory
- user_preferences # User-level personalisation data
- audit_logs # Encrypted separately for tamper evidence
# Key access audit:
key_access_logging: true
# Every time tenant key is used, log: tenant_id, operation, timestamp, requestor
# Alert if: key used from unexpected service, key accessed outside business hoursEven with isolation in place, monitor for cross-tenant data leakage — LLMs can inadvertently reproduce data from previous requests if context boundaries fail.
# Moltbot cross-tenant leakage detection:
leakage_detection:
enabled: true
# 1. Output scanning for other tenants' data patterns:
cross_tenant_output_scan:
# Scan LLM output for content that should only exist in another tenant's corpus
# Uses tenant-specific fingerprints (hashes of unique phrases per tenant)
fingerprint_check: true
fingerprint_store: redis # In-memory for speed
action_on_detect: block_and_alert_security
# 2. Context window validation before LLM submission:
context_validation:
# Before sending context to LLM, verify all items in context belong to
# the current tenant (by checking namespace/tenant_id metadata)
validate_all_context_items: true
on_foreign_item: remove_and_log # Remove foreign item, continue, log
# 3. Statistical anomaly detection:
# Track: distribution of tenant_ids in retrieved RAG results per request
# Alert if: results from unexpected tenant namespaces appear (even 1)
statistical_monitoring:
track_namespace_distribution: true
alert_threshold: 0 # Any cross-namespace result = alert
# 4. Periodic isolation audit:
isolation_audit:
schedule: "0 2 * * 0" # Weekly Sunday 2am
test: inject_canary_documents_per_tenant
# Inject unique canary documents per tenant — verify they never appear
# in queries from other tenants
on_canary_detected_cross_tenant: critical_alertHäufige Fragen
What are the biggest risks of multi-tenant LLM deployments?
The four primary multi-tenant LLM security risks: 1) Cross-tenant context contamination: if conversation history or RAG results from Tenant A leak into Tenant B's LLM context, the model may reveal confidential information. This can happen via bugs in context management, shared caching (e.g., KV cache sharing in batch inference), or missing namespace enforcement. 2) Prompt injection cross-tenant escalation: a malicious user in Tenant A crafts a prompt that affects system behaviour for Tenant B — particularly dangerous in shared agent deployments. 3) Shared model memorisation: if a shared fine-tuned model is trained on all tenants' data, the model may reproduce one tenant's data in another tenant's session. Mitigation: tenant-specific fine-tuned models or strictly public/anonymised training data for shared models. 4) Administrative over-privilege: platform administrators with access to all tenant data are a single-point insider risk. Mitigation: tenant-managed encryption keys (zero-knowledge architecture where platform admins cannot decrypt tenant data).
How does namespace isolation in a vector database work?
Namespace isolation in vector databases: a namespace is a logical partition within a single vector database — all vectors tagged with a namespace identifier. Query enforcement: when a query is executed, the namespace parameter filters results to only return vectors tagged with that namespace. Example with Chroma: collection.query(query_texts=['help'], where={'tenant_id': 'acme'}) — even if the query text would semantically match documents from 'beta_corp', the where filter prevents those results from being returned. Security depends on enforcement layer: application-level enforcement (app adds namespace filter) is weaker — a bug in the application can omit the filter. Client-library enforcement (Moltbot's RAG client always adds namespace) is stronger. Database-level enforcement (row-level security or separate collections) is strongest. Best practice: enforce namespace at the lowest level possible (closer to the database), and validate at retrieval time that every returned result matches the expected tenant namespace.
Can I use a shared LLM model across tenants or does each tenant need their own?
Shared model (single instance serving all tenants): Cost-efficient, easier to maintain. Safe if: tenant data is only passed in the context window (not baked into model weights), context isolation is enforced at the application layer, no KV cache sharing between tenant requests (check your inference framework settings). Risks: KV cache contamination in high-throughput deployments, shared fine-tuning with tenant data (don't do this). Per-tenant model (separate model instances): Higher resource cost. Required when: tenants have fundamentally different use cases requiring different fine-tunes, regulatory requirements mandate data separation at model level, enterprise tenants require dedicated infrastructure for compliance. Recommended architecture: shared base model + per-tenant LoRA adapters. The base model (shared) handles general capabilities. The LoRA adapter (per-tenant, small files) provides tenant-specific knowledge. Tenant-specific RAG handles dynamic knowledge without contaminating the base model.
How do I implement zero-knowledge architecture for maximum tenant isolation?
Zero-knowledge multi-tenant architecture: the platform operator cannot access tenant data even if they wanted to. Components: 1) Tenant-managed encryption keys: tenants hold their own Vault transit keys (or bring-your-own-key). Platform encrypts data with the tenant's key — cannot decrypt without tenant providing the key. 2) Client-side encryption for RAG corpus: tenant-side application encrypts documents before uploading to the vector store. Plaintext never reaches the platform infrastructure. 3) Separate vector DB instances per tenant (for high-compliance tiers): no physical sharing of infrastructure. 4) Audit log encryption with tenant key: audit logs encrypted with tenant's key — tenant can verify their own audit trail but platform cannot read it. Tradeoffs: reduces platform's ability to monitor for abuse (can't inspect encrypted content). Support and debugging are harder. More complex key management for tenants. Practical recommendation: offer standard (platform-managed keys) and premium (customer-managed keys) tiers. Zero-knowledge architecture as an optional enterprise add-on for regulated industries (healthcare, finance, government).