Prove your multi-tenant AI keeps each customer's data separate.
Prove tenant A's data cannot reach tenant B through your vector DB, RAG pipeline, agent framework, semantic cache, fine-tunes, or MCP servers. You walk away with a tamper-evident PDF + machine-readable evidence pack your auditors, customers' security teams, and DPOs accept — and that anyone can verify independently, without trusting us.
See it run
The four-command flagship workflow on a fresh checkout — seed synthetic tenants, run the probe suite, build the signed evidence pack, then verify it independently. Reproduce it from the runnable OSS example.
$ sectum-ai seed --workdir .sectum-ai
seeded 4 synthetic tenants and 96 documents → .sectum-ai/substrate.json
$ sectum-ai probe --workdir .sectum-ai --output json
{
"retrieval_pivot_rate": 0.954,
"confirmed_findings": 264,
"false_positives": 0
}
$ sectum-ai report --workdir .sectum-ai --tsa --rekor
wrote .sectum-ai/evidence.json + audit-pack.pdf
anchored: RFC 3161 timestamp + Sigstore Rekor inclusion proof
$ sectum-ai verify .sectum-ai/evidence.json
VERIFIED run digest ok · manifest hash ok · TSA token ok · Rekor inclusion ok
Use Sectum AI for…
Vendor security questionnaires
Drop a tamper-evident AI tenant-isolation attestation into your data room. Unblock the enterprise prospect whose security team is asking how you isolate tenant data in your AI features.
Sales engineering · CISO
SOC 2 audit evidence
Plug a control-mapped AI isolation attestation into your Type II audit. CC6.1, CC6.6, CC6.7 evidence the auditor accepts as testing coverage of your AI features.
Compliance · CISO
Pre-launch verification
Run the probe suite against a new AI feature before launch. Catch the cross-tenant retrieval-pivot, the cache contamination, the MCP confused-deputy bug while there's still time to fix it.
Platform engineering · Application security
CI regression baselines
Save a baseline. Re-run on every prompt / embedding / model change. Sectum AI flags the regression when a stronger embedding model accidentally raises your Retrieval-Pivot Rate.
Platform engineering
GDPR Article 17 erasure response
A churned tenant invoked their right to be forgotten. Prove their data has actually left every AI surface, in a DPO-ready cryptographically-timestamped attestation pack.
DPO · Privacy
EU AI Act Article 15
Documented cybersecurity and robustness measurements for high-risk AI systems under Article 15. Tamper-evident, control-mapped, and independently verifiable.
Compliance · Legal
The problem
Multi-tenant AI systems universally claim “tenant A's data cannot reach tenant B.” That claim is rarely verified, and published research shows it fails routinely:
- OWASP LLM08:2025 — Vector and Embedding Weaknesses names multi-tenant context leakage a top-10 LLM risk.
- Retrieval Pivot Attacks in Hybrid RAG (arXiv, 2026): 95.4% of benign queries triggered cross-tenant leakage via shared organic entities. Stronger embedding models leaked more.
- Silent Leaks (arXiv 2505.15420): 91% extraction efficiency via benign queries, with no prompt injection required.
What Sectum AI does
Marker substrate
Synthetic tenants seeded with three classes of cryptographic canary markers and a hashed ground-truth manifest. Deterministic and reproducible; every finding is grounded in the manifest, so there are zero false positives.
13 surfaces
Vector DB, RAG pipeline, semantic cache, KV cache, agent memory, MCP tool calls, fine-tunes / adapters, eval sets, backups, search indexes, tracing pipelines, prompt/completion logs, API. Live adapters for the common backends.
Tamper-evident evidence
Every run is canonicalized, hashed, RFC 3161 timestamped, Sigstore Rekor logged, wrapped in an in-toto attestation envelope, and rendered to an auditor PDF. sectum-ai verify validates the chain end-to-end — no Sectum AI installation required.
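As an added illustration of the manifest-grounded scoring and the hash chain described above (example code, not Sectum AI's implementation): it canonicalizes JSON, hashes a constructed ground-truth manifest, counts only cross-tenant canary hits as findings, and independently re-verifies the run digest and manifest hash. The TSA and Rekor anchoring steps are left out because they need network services; all function names and sample markers are assumptions.

```python
import hashlib
import hmac
import json

def canonical(obj) -> bytes:
    # Deterministic serialization (sorted keys, no whitespace, UTF-8) so the same
    # evidence hashes to the same digest whoever re-encodes it.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(tenants: dict) -> dict:
    # Hypothetical ground-truth manifest: tenant -> sorted hashes of its canary markers.
    # Hashing keeps the marker strings themselves out of the evidence pack.
    return {t: sorted(sha256_hex(m.encode()) for m in ms) for t, ms in tenants.items()}

def score_findings(manifest: dict, observations: list) -> int:
    # An observation is (tenant_that_queried, text_returned). It is a confirmed finding
    # only when the text is a canary owned by a *different* tenant in the manifest;
    # text absent from the manifest is never a finding, which is what rules out false positives.
    owner = {h: t for t, hs in manifest.items() for h in hs}
    confirmed = 0
    for tenant, text in observations:
        src = owner.get(sha256_hex(text.encode()))
        if src is not None and src != tenant:
            confirmed += 1
    return confirmed

def build_evidence(manifest: dict, findings: int, total: int) -> dict:
    # The run record binds results to the manifest hash; the run digest covers the whole
    # record. In the real chain a TSA token and Rekor entry would anchor this digest.
    run = {"confirmed_findings": findings, "retrieval_pivot_rate": round(findings / total, 3),
           "manifest_hash": sha256_hex(canonical(manifest))}
    return {"run": run, "run_digest": sha256_hex(canonical(run))}

def verify(evidence: dict, manifest: dict) -> bool:
    # Independent check: recompute both hashes from the data itself, trusting nothing.
    run_ok = hmac.compare_digest(evidence["run_digest"], sha256_hex(canonical(evidence["run"])))
    man_ok = hmac.compare_digest(evidence["run"]["manifest_hash"], sha256_hex(canonical(manifest)))
    return run_ok and man_ok

# Constructed sample data, not from a real run.
TENANTS = {"tenant-a": ["CANARY-a-7f3e", "CANARY-a-91c0"], "tenant-b": ["CANARY-b-0d2a"]}
OBSERVATIONS = [("tenant-a", "CANARY-a-7f3e"),  # own marker: not a finding
                ("tenant-b", "CANARY-a-91c0"),  # tenant A's marker reached tenant B
                ("tenant-a", "CANARY-b-0d2a"),  # tenant B's marker reached tenant A
                ("tenant-b", "unrelated text")]  # not in manifest: ignored
MANIFEST = build_manifest(TENANTS)
EVIDENCE = build_evidence(MANIFEST, score_findings(MANIFEST, OBSERVATIONS), len(OBSERVATIONS))
```

Changing any field of the run record, or handing the verifier a different manifest, makes the recomputed hashes diverge and verification fail.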
11 attack classes
Direct tenant-boundary fetch, organic entity-bleed RAG (the flagship), semantic-cache contamination, KV-cache timing side channel, embedding inversion, MCP confused-deputy + token passthrough, persistent memory contamination, LoRA cross-tenant influence, IKEA benign extraction, RAG poisoning, GDPR Article 17 erasure verification.
Open evidence layer
The marker substrate, attack catalog, adapters, evidence chain, and the independent sectum-ai verify are Apache-2.0. Anyone can reproduce a run and verify a Sectum AI evidence pack without us — by design. See ADR-0002.
Partnerships
Audit firms & compliance partners: white-label Sectum AI's multi-tenant isolation evidence into your SOC 2, ISO 27001, and GDPR engagements. Your clients get auditor-grade AI-isolation coverage — without your team becoming AI-security experts. We produce the signed, independently-verifiable pack; you deliver it under your brand.
Sectum AI vs the alternatives
The 12 products buyers most often evaluate alongside Sectum AI — LLM red-team frameworks, runtime guardrails, GRC platforms, DSR / DSPM tools.
They test model behavior, govern how staff use AI, or track controls on a dashboard. None of them provision real tenants to measure cross-tenant leakage, and none produce evidence you can verify without trusting the vendor. That is the gap Sectum AI fills — which is why it sits alongside these tools rather than replacing them.