AI Safety & Governance

Tenant scoping at the prompt boundary, so the model sees one tenant per session

Context Redactor enforces tenant scoping at the prompt level. When an agent loads context (recent incidents, runbooks, knowledge-base pages) into a prompt, the redactor confirms every piece belongs to the calling tenant. Anything from a different tenant is stripped. The model never sees a foreign org id, even by accident.

  • Scope enforced: per-tenant
  • Per-context overhead: < 1ms
  • Defense in depth (data + prompt)
  • Cross-tenant leaks: 0
Why a Second Layer

Data plane, then prompt plane

The data plane already filters by org_id, so cross-tenant reads should be impossible. Context Redactor is defense in depth: a second, independent enforcement that does not trust the data plane to be perfect. If a bug or a misindexed cache returns a foreign item, the redactor catches it before the model sees it.

  • Independent enforcement: redactor does not share code paths with the data plane filter; one failing does not silently bypass the other
  • Per-tenant signature: every context item gets re-tagged with org_id at fetch time; mismatched tags trigger redaction
  • Logged but not page-worthy: redactor catches are usually benign (legacy index entries); they are counted, not paged, unless the rate climbs
What Gets Redacted

Anything not signed for this tenant

Context items include runbooks, past-incident summaries, knowledge-base pages, and schema descriptions. Every item carries a signature including its origin org_id. The redactor compares the signature to the calling tenant. A match is allowed through. A mismatch is replaced with a [REDACTED] placeholder. A missing signature is treated as a mismatch.

  • Signed origin: every context item carries a small signature (32 bytes) recording which org wrote it
  • Compare on load: mismatch becomes [REDACTED]; agents see the placeholder, not the foreign data
  • Missing signature treated as foreign: unsigned items are an audit gap; we err on the side of redaction
Audit Mode

Show me what would have been redacted

Audit mode runs the redactor in shadow. It logs everything that would have been redacted but does not actually strip from the prompt. Use it to debug context loaders that are over-fetching, or to validate a new signature scheme before turning it on. Production tenants always run with redactor live.

  • Per-tenant audit toggle: turn on for a non-prod tenant to see the rate without changing model behavior
  • Helpful for migrations: rolling out a new signing scheme? Audit mode shows you what breaks before it does
  • Off by default in prod: production never runs in audit-only mode; redaction must be live
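
The compare-on-load rule and audit mode described above, as an added sketch that is not Nova AI Ops code. It assumes the 32-byte signature is an HMAC-SHA256 tag over the org id and item body; the key, org ids, item fields and function names are all hypothetical.

```python
import hashlib
import hmac
import logging

log = logging.getLogger("redactor_example")
PLACEHOLDER = "[REDACTED]"

def sign(key: bytes, org_id: str, body: str) -> bytes:
    """32-byte tag binding body to org_id (HMAC-SHA256 is an assumption)."""
    org = org_id.encode()
    # Length-prefix org_id so ("ab", "c...") and ("a", "bc...") cannot collide.
    msg = len(org).to_bytes(4, "big") + org + body.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

def redact(items, tenant: str, key: bytes, audit: bool = False):
    """Return (prompt_parts, stats) for one calling tenant."""
    parts, stats = [], {"total": 0, "redacted": 0, "unsigned": 0}
    for item in items:
        stats["total"] += 1
        sig = item.get("sig")
        if sig is None:
            stats["unsigned"] += 1  # missing signature is treated as foreign
        # Recompute the tag for the *calling* tenant; any org label stored
        # on the item itself is never trusted for the decision.
        ok = isinstance(sig, bytes) and hmac.compare_digest(
            sig, sign(key, tenant, item["body"]))
        if ok:
            parts.append(item["body"])
            continue
        stats["redacted"] += 1
        log.warning("redact id=%s tenant=%s audit=%s", item["id"], tenant, audit)
        # Audit (shadow) mode logs the catch but leaves the prompt unchanged.
        parts.append(item["body"] if audit else PLACEHOLDER)
    return parts, stats

# Constructed sample data: key, org ids and item bodies are made up.
KEY = b"example-key-not-for-production!!"
ITEMS = [
    {"id": "rb-1", "body": "Runbook: restart api", "sig": sign(KEY, "org-a", "Runbook: restart api")},
    {"id": "inc-7", "body": "Incident: db failover", "sig": sign(KEY, "org-b", "Incident: db failover")},
    {"id": "kb-3", "body": "KB: legacy page"},  # unsigned legacy index entry
]

if __name__ == "__main__":
    print(redact(ITEMS, "org-a", KEY))
    print(redact(ITEMS, "org-a", KEY, audit=True))
```

The `stats` counts map onto the SLIs: `redacted / total` is the redaction rate and `1 - unsigned / total` is signature coverage.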
Reporting

Redactor metrics on Service Health Matrix

The redactor exposes its own SLIs: redaction rate, cross-tenant attempts, signature coverage. These show up as a meta-row on Service Health Matrix so the platform itself is held to the same reliability standard as the services it watches.

  • Redaction rate SLI: redactions / total contexts; should stay below a few per thousand
  • Coverage SLI: fraction of context items with a valid signature; target is 100%
  • Cross-tenant attempts: attempts to load foreign data; target is 0; > 0 pages platform-admin

The prompt boundary is a security boundary

Even when a query plan accidentally returns cross-tenant context, the redactor catches it before the model ever reads it.
