06-reference/research

multi tenant governance shared vector store

2026-06-17·research-brief·source: deep-research
phDataCAFmulti-tenantgovernancevector-storesnowflake

Multi-Tenant Governance for a Shared Client-Intelligence Vector Store Under Financial-Services + Healthcare Isolation/Retention Rules

The question

For a phData client intelligence layer (call transcripts, D&B/PitchBook data), what multi-tenant data governance architectures allow shared embedding/vector stores while meeting financial-services and healthcare data isolation + retention requirements? Context: the CAF restructure brief (2026-06-14) flags this as the single biggest open question — "Can intel live in a shared multi-tenant store, or does each client need isolation + retention rules?" — an active phData project decision blocker that intersects Snowflake row-access policies, Iceberg table isolation, and a likely SOC 2 / HIPAA surface.

What we already know (from the vault)

What the web says

Convergences and contradictions

Synthesis for RDCO

The decision framework is a 2x2 on two independent axes, not one shared-vs-isolated switch. Axis 1 = isolation (shared store with structurally-enforced row/namespace boundaries vs physically separate stores per client). Axis 2 = retention (uniform policy vs per-source/per-client retention + erasure rules). CAF has already chosen shared on axis 1 for the internal plane, which is the right default for a 12-engineer internal tool: a shared Snowflake catalog with a client_id spine, Cortex Search for embeddings inside the perimeter, and RAPs only if/when an internal-isolation need appears. The honest caveat from the 2026-04-28 KM brief still stands — if a single admin-role compromise leaking all clients' intel is an unacceptable outcome (it may be for transcripts carrying PHI or for licensed PitchBook data under redistribution terms), then the shared store needs either per-client namespaces (silo on axis 1) or per-tenant CMK + crypto-shredding to bound the blast radius. For a phData-internal discovery tool this is likely acceptable as shared; the moment the same store backs an external, client-facing surface, the calculus flips to silo.

For the embedding/vector layer specifically, the cleanest CAF-aligned pattern is Cortex Search inside Snowflake, governed by the same session attributes + RAPs as the typed spine. This keeps embeddings in one governed perimeter (no permissions duplication across a separate Pinecone/Weaviate that gets audited independently), inherits Snowflake Horizon lineage, and lets the immutable session attribute be the hard tenant boundary if internal isolation is ever required. If a regulated client contractually requires hard physical separation that Snowflake RBAC "handles awkwardly" (the edge case the KM brief named), the fallback is namespace-per-tenant in a dedicated managed vector DB or a per-client Iceberg table set with catalog-level isolation — chosen per-client, not as the default. Iceberg table-per-client under a governed REST catalog is the open-table-format equivalent of silo, and the right reach when intel must live outside one warehouse's RBAC.

Retention is the axis CAF's locked decision is currently silent on, and it's where the real financial-services/healthcare exposure sits. Call transcripts can carry PHI; D&B/PitchBook are licensed feeds with contractual retention/redistribution limits. The recommended move is to tag every record in the VARIANT spine with source, sensitivity_tier, and retention_class at ingest (cheap to add now to the thin typed spine already designed), then drive retention via Snowflake's native time-based policies / dynamic tables and crypto-shred by per-source KEK where erasure-on-demand is contractually required. This satisfies the "outcome-based" posture of HIPAA/SOC 2 without forcing per-client physical isolation, and keeps the flat-internal model intact.

What this implies for the CAF decision blocker: the answer is "shared store is fine for the internal plane — the question was mis-framed as binary." Isolation and retention are separable; CAF can keep shared on isolation and still meet financial-services/healthcare requirements by adding (a) source/sensitivity/retention tagging to the spine, (b) Cortex Search in-perimeter embeddings, (c) immutable-session-attribute RAPs available but not default, and (d) a documented per-client silo fallback (namespace or Iceberg-table-per-client) triggered only by a contract that demands physical separation. The external demo boundary remains the one hard wall, exactly as locked. This unblocks the project: no internal RLS rebuild required, retention handled by tagging + policy, and a clear escalation path when a regulated client's contract demands more.

Open follow-ups

Related

Sources

Vault:

Web: