Straterai/Field notes/05.07
§ 05.07·MAY · 15 · 2026·3 MIN
Architecture

Tenant isolation belongs in the database, not the application.

Roughly seventy percent of multi-tenant AI applications enforce tenant isolation in application code. Every one of them is one missing filter away from a cross-tenant leak.

CSCharlie StonerCo-founder · written from the build

Roughly seventy percent of multi-tenant AI applications enforce tenant isolation in the application layer. The handler pulls the tenant from the session and adds it as a filter on every query. Every route. Every agent.

Every one of those applications is one missing filter away from a cross-tenant leak.

A static analyzer catches the obvious cases. It misses the agent that builds a query at runtime. It misses the new code path a junior engineer adds without realizing the convention. It misses the dynamic export, the analytics job, the background worker. The residual risk is exactly the area where leaks happen.

Why this gets worse with AI

An AI agent given access to a database constructs queries based on user input and prior tool outputs. Auditing every possible query the agent might issue is not possible. There is no list to check against.

A working brain answering one user question might issue twelve queries inside a single turn. With application-layer isolation, that is twelve places to remember the tenant filter. Forget once. Twelve queries that should have returned one tenant's data return everyone's.

The data model knows which row belongs to which tenant. The code that writes the query does not always know. Putting the isolation in the layer that does not know is the bug.

Where it belongs

In the database. Tenant isolation should be a property of the data, not a property of the code that reads it. A handler that forgets to filter returns nothing. An agent that constructs an unexpected query returns nothing. A junior engineer's new code path returns nothing. The database refuses to give up rows that do not belong to the current tenant, regardless of what the application asks for.

This is not a 2026 insight. The database features that make it work have been mature for over a decade. The reason most AI startups do not use them is not technical. It is that the engineer building the prototype did not know the features existed.

The rule

If a regulator can ask you who saw this row and when, the answer cannot live in application code. The application is the layer that forgot to add the tenant filter.

— Charlie

Tenant isolationSecurityArchitecture

Straterai Field Notes

Plain-English writing on building AI-native systems — how agents actually work, where they fail, and what we learn shipping them for real companies.

No spam. A couple of emails a month. Unsubscribe anytime.