# Cross-Agent Knowledge Leakage

## The Problem

Information from one agent's conversations or private knowledge base inadvertently appears in another agent's responses, violating data boundaries.

### Symptoms

* ❌ Agent B references Agent A's conversation
* ❌ Private knowledge appears in the wrong agent's responses
* ❌ Cross-contamination between agents
* ❌ Shared memory causes leakage
* ❌ Cannot guarantee isolation

### Real-World Example

```
Setup:
→ Sales Agent: Access to sales pipeline, deals, pricing
→ Support Agent: Access to help docs only

User asks Support Agent: "What discounts are available?"

Support Agent responds: "We recently offered AcmeCorp a 25%
discount for enterprise plan (as discussed in sales pipeline)."

Problem:
→ Support Agent accessed Sales Agent's private data
→ Confidential pricing leaked
→ Data isolation failed
```

***

## Deep Technical Analysis

### Shared Infrastructure Risks

**Single Vector DB:**

```
All agents use same vector DB:
→ Sales docs embedded
→ Support docs embedded
→ No isolation

Query from Support Agent:
→ Retrieves across all data
→ Including Sales docs
→ Leakage occurs
```

**Conversation History Contamination:**

```
Agent memory stores conversation:
→ Sales Agent conversation with user A
→ Support Agent conversation with same user A

If shared memory:
→ Support Agent sees Sales history
→ Context bleeds across agents
```

### Metadata Filtering Failures

**Incomplete Tagging:**

```
Some chunks missing agent_id:
{
  vector: [...],
  metadata: {
    document: "pricing.pdf",
    # Missing: agent_id field
  }
}

Retrieval query:
WHERE agent_id = 'support_agent'
→ Doesn't match untagged chunks
→ BUT: any query issued without the filter still returns untagged chunks
→ Leakage
```

**Filter Bypass:**

```
Application bug:
→ Forgot to add agent_id filter to query
→ Retrieves from all agents
→ Exposes cross-agent data

Defense in depth needed:
→ Multiple isolation layers
→ Not just metadata filtering
```

### Session/User Context Confusion

**User Switches Agents:**

```
User conversation:
→ Minute 1: Talks to Sales Agent
→ Minute 2: Switches to Support Agent

If session carries over:
→ Support Agent sees Sales context in history
→ May reference it in response
→ Unintended leakage
```

**Multi-Agent Workflows:**

```
Agentic workflow:
1. Sales Agent gathers requirements
2. Hands off to Engineering Agent
3. Engineering Agent designs solution

Handoff must be controlled:
→ Only pass necessary context
→ Don't expose full Sales knowledge base
```

***

## How to Solve

Combine several isolation layers:

* Use separate vector DB namespaces or indexes per agent
* Enforce mandatory `agent_id` filtering at query time
* Isolate conversation history by agent
* Implement an access control validation layer
* Audit cross-agent queries
* Clear session context when switching agents

See [Cross-Agent Isolation](/rag-scenarios-and-solutions/privacy/tenant-leakage.md).
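The following is an added example, not code from this documentation or product: a retrieval wrapper that layers a mandatory `agent_id`, a per-agent namespace, and a fail-closed ownership check with auditing. The in-memory `STORE`, the `retrieve` function, `AUDIT_LOG`, and all sample chunks are assumptions constructed for illustration.

```python
import math

# Constructed sample data: namespace -> chunks. Names and layout are assumptions.
STORE = {
    "support_agent": [
        {"vec": [1.0, 0.0], "text": "Reset your password from Settings.",
         "metadata": {"document": "help.md", "agent_id": "support_agent"}},
        # Mis-ingested chunk with no agent_id (the "Incomplete Tagging" case)
        {"vec": [0.9, 0.1], "text": "AcmeCorp 25% enterprise discount.",
         "metadata": {"document": "pricing.pdf"}},
    ],
    "sales_agent": [
        {"vec": [0.8, 0.2], "text": "Pipeline: AcmeCorp deal, stage 3.",
         "metadata": {"document": "pipeline.csv", "agent_id": "sales_agent"}},
    ],
}

AUDIT_LOG = []  # rejected chunks are recorded here for review


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.hypot(*a) * math.hypot(*b))


def retrieve(agent_id, query_vec, k=3):
    """Return up to k chunk texts that provably belong to agent_id."""
    if not agent_id or agent_id not in STORE:
        # Layer 1: no caller identity means no query, never "search everything"
        raise PermissionError("agent_id is mandatory and must be known")
    # Layer 2: search only this agent's namespace
    ranked = sorted(STORE[agent_id], key=lambda c: cosine(c["vec"], query_vec),
                    reverse=True)
    results = []
    for chunk in ranked:
        owner = chunk["metadata"].get("agent_id")
        if owner != agent_id:
            # Layer 3: fail closed on untagged or foreign chunks, and audit them
            AUDIT_LOG.append({"caller": agent_id, "owner": owner,
                              "document": chunk["metadata"]["document"]})
            continue
        results.append(chunk["text"])
    return results[:k]
```

The untagged `pricing.pdf` chunk ranks second for the Support Agent's query, yet it is dropped and logged because a missing `agent_id` is treated as a mismatch rather than as "unrestricted".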

