Tag: AI security

  • RAG: How to use proprietary documents safely and securely with AI?

    Can you trust AI in your organization?

    We regularly discuss the application of AI with management of professional organizations. Often, we learn they are cautious and have limited trust in applying AI. This cautiousness arises from a combination of personal experience and limited knowledge of the technical features and capabilities of the AI technology currently available.

    In this RAG blog part 1, we aim to identify potential risks and provide solutions utilizing current AI technologies such as RAG. For those who know RAG, we present part 2, covering key data governance issues including data residency, access control, data lineage and audit trails, data retention, and our recommended solutions.

    The rapid rise of Large Language Models (LLMs) has revolutionized how we interact with data; however, conventional chatbot use presents significant challenges for enterprises. Current LLMs are primarily trained on data collected from a wide range of internet sources, including websites, forums, blogs, and social media posts. Although the knowledge base an LLM derives from its training data is extensive and broadly applicable, it remains constrained by the static and diverse nature of that information. This leads to several key problems:

    • Factual Inaccuracy (Hallucinations): LLMs may confidently produce false or irrelevant information due to their lack of real-time and domain-specific data.
    • Lack of Context: An off-the-shelf LLM has no knowledge of your company’s proprietary documents, internal policies, or specific customer data, making it useless for many business applications.
    • Stale Information: LLM training is a time-consuming and expensive process. They cannot keep up with dynamic information that changes rapidly, such as market data, legal updates, or internal documents.
    • Lack of Transparency: You cannot request an LLM to disclose its sources, which is a serious compliance and trust issue in regulated industries.

    Employees who use a private chatbot account with one of the major LLM providers may encounter the issues described above. If these issues occur while using an AI application provided by an organization, they can undermine users’ trust in that AI system, potentially influencing the adoption and implementation of AI technologies. Trustworthy AI should use proprietary documents and data when available.

    To address these limitations, various technologies have been developed to combine enterprise-specific knowledge with large language models. Retrieval-Augmented Generation (RAG) is recognized as both a widely utilized and highly effective approach. RAG works by enabling an LLM to retrieve information from a trusted external knowledge base (your documents or data), stored in vectorized form, before generating a response. We have experienced that RAG can increase the quality of the LLM response tremendously. It prevents hallucination and ensures that responses are verifiable and based on reliable documents and data.

    However, RAG is not the only option. A simpler and widely used technique is to include a few relevant documents or excerpts directly in the prompt. Unlike RAG, this approach depends exclusively on user-supplied input. While straightforward, this method is generally less efficient with larger documents or document collections: it may result in lower quality responses and can increase cost and latency due to longer prompts. Contrasting RAG with this alternative makes clear why RAG has become the preferred choice for many enterprise applications that require up-to-date, factual, and auditable responses. It strikes a balance between cost, accuracy, and ease of use, making it a powerful tool for IT managers looking to deploy secure and reliable AI.

    Additional RAG benefits

    In regulated and professional settings, identifying the origin of information is essential for ensuring compliance and maintaining accountability. RAG is particularly effective in delivering this level of transparency.

    Furthermore, RAG can provide direct citations for the sources used in generating a response. The output from the LLM can be supplemented with references or links to the original documents, paragraphs, webpages, or databases.

    The entire RAG pipeline – from the user’s query to the retrieved documents and the final response – can be logged. This provides a clear, traceable audit trail, which is essential for compliance, troubleshooting, and building user trust. When users see that an AI’s answer is grounded in verifiable, company-specific information, they are far more likely to trust and adopt the AI application.

    How to include RAG in an AI application?

    RAG can be integrated into an AI application through multiple methods, which differ based on the organization’s needs and available resources.

    The main options are:

    1. Utilizing an LLM provider’s managed RAG service
    2. Developing an in-house RAG pipeline, or
    3. Obtaining RAG pipeline technology for self-deployment

    Ad 1. Using Managed Service RAG from the LLM Provider

    This is the fastest and most direct way to get a RAG system up and running, especially if you already use a major LLM provider that also offers a RAG service. These services hide most of the complexity. For example, OpenAI provides this service through its Enterprise licenses and Custom GPT functionality.

    How it works: You upload your documents (e.g., PDFs, Word files) to the cloud provider’s storage. The service then automatically handles the entire RAG pipeline: chunking the documents, creating vector embeddings, storing them in a vector database, and integrating with an LLM to answer queries based on your data.
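    The pipeline just described (chunking, embedding, vector storage, retrieval, grounded generation) together with the citation and audit-trail points from the "Additional RAG benefits" section, as an added, self-contained example that is not code from the original post or from any product it mentions. The documents are constructed, the embedding is a toy bag-of-words stand-in for a real embedding model, the vector store is a plain list, and the LLM call is a placeholder function; only the pipeline structure, the citation of chunk ids and the per-query audit record are the point.

```python
import hashlib, json, math, re
from collections import Counter

# Constructed sample "proprietary documents" (not from the original post).
DOCS = {
    "policy-remote-work.md": "Remote work is allowed three days per week. Laptops must use full-disk encryption.",
    "policy-retention.md": "Customer records are retained for seven years and then securely deleted.",
    "handbook-expenses.md": "Expense claims above 500 euro require manager approval before payment.",
}
AUDIT_LOG = []  # in-memory stand-in for an append-only audit store

def tokenize(text):
    return re.findall(r"[a-z0-9]+", text.lower())

def chunk(text, size=8):
    """Split a document into consecutive windows of `size` words."""
    words = text.split()
    return [" ".join(words[i:i + size]) for i in range(0, len(words), size)]

def embed(text):
    """Toy embedding: bag-of-words counts. A real pipeline uses a neural embedding model."""
    return Counter(tokenize(text))

def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a if t in b)
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def build_index(docs):
    """Chunk every document and keep chunk id, source file, text and vector (the 'vector store')."""
    return [{"id": f"{name}#{n}", "source": name, "text": piece, "vec": embed(piece)}
            for name, text in docs.items() for n, piece in enumerate(chunk(text))]

def retrieve(index, query, k=2):
    """Return the k best-matching chunks, dropping chunks with no overlap at all."""
    q = embed(query)
    scored = sorted(((cosine(q, r["vec"]), r) for r in index), key=lambda s: s[0], reverse=True)
    return [r for score, r in scored[:k] if score > 0]

def answer(index, query, user, llm=lambda prompt: "[LLM response]"):
    """Ground the prompt in retrieved chunks, ask for citations, and log the whole exchange."""
    hits = retrieve(index, query)
    context = "\n".join(f"[{h['id']}] {h['text']}" for h in hits)
    prompt = f"Answer using only the sources below and cite their ids.\n{context}\n\nQuestion: {query}"
    response = llm(prompt)  # stand-in for the real model call
    AUDIT_LOG.append(json.dumps({"user": user, "query": query, "sources": [h["id"] for h in hits],
                                 "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
                                 "response": response}))
    return response, [h["source"] for h in hits]
```

    Each audit record ties the user, the query, the exact chunk ids that grounded the answer and a hash of the prompt that was sent to the model, which is the traceability a compliance reviewer needs when asking where an answer came from.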

    Although this solution is straightforward and simple to implement, it also has certain disadvantages for organizations:

    • Vendor Lock-in: You become dependent on the LLM provider’s ecosystem and may face challenges if you decide to migrate or use another LLM later.
    • Limited Customization: You have less control over the specific chunking strategies, embedding models, and retrieval algorithms used.
    • Data Governance: Although leveraging the LLM providers is convenient, it is essential to carefully verify that their data residency and security protocols are fully aligned with your organization’s governance and compliance requirements.

    Ad 2. Developing an in-house RAG pipeline

    This approach involves serious software development, either from scratch or using a RAG framework. It provides more control than managed services. By using available libraries and components, development time can be reduced significantly. Leading frameworks such as LangChain, LlamaIndex, and Haystack are commonly used for this purpose. By selecting an appropriate framework for the RAG pipeline and keeping data and infrastructure in-house, the organization lets the framework coordinate the various components while retaining greater flexibility and control over the RAG process.

    However, the technology involved is relatively complex and involves a significant learning curve. The implementation can be time-consuming. Additionally, infrastructure management is still required; this involves provisioning and maintaining the vector database and its related components.

    Ad 3. Acquiring complete RAG Solutions with Cloud or On-Premises Deployment

    Several software companies offer robust RAG pipeline solutions that operate independently of specific LLM providers. These options are available via cloud services or can be deployed on an organization’s own infrastructure. These solutions abstract complexity, support infrastructure management, and enable RAG to operate independently of any specific LLM provider. Vendor lock-in can be reduced by selecting vendors who offer open-source products. The level of customization of the RAG solution varies per vendor. It is also important to ensure that data residency and security protocols match your organization’s requirements.

    Laiyertech has developed an AI software platform that includes RAG functionality, offers deployment on both cloud and on-premises environments, and is provided with a shared source license.

    Caution: RAG alone does not solve all problems

    IT managers should consider that, although their organization may have a strong approach to security, employing third-party RAG solutions means relying on external software providers. This introduces new security considerations, the main concern being the appropriate level of data governance for the organization’s vectorized LLM content. Part 2 of our RAG blog will cover data governance topics including data residency, access control, data lineage and audit trails, and data retention in greater detail.

    If you are interested in learning more about our experience with RAG and the implementation of RAG in collaboration with in-house software development and infrastructure teams, we will be pleased to discuss this further with you and your experts.