Multi-tenant LLM analytics with row-level security: How we built a secure agent on AWS

2026-06-29 · Source: Artificial Intelligence · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy, Cloud Computing & IT Infrastructure · Depth: Advanced, long

Summary

PAR Technology Corporation developed a production-ready multi-tenant LLM analytics system for the restaurant industry, supporting over 300 businesses. This system enables business users to ask natural language questions and receive data-backed answers, addressing the complex challenge of row-level security at scale. Their solution, built on AWS, employs a three-layer architecture: cryptographic request signing with AWS SigV4, semantic validation on Amazon Bedrock, and programmatic data isolation via Split-Plane SQL. This design ensures deterministic data boundaries, preventing cross-tenant data exposure even if the LLM (using Anthropic's Claude Sonnet 4, model ID "anthropic.claude-sonnet-4-20250514-v1:0") is compromised. The architecture has successfully processed over 50,000 queries without incidents, demonstrating robust security for sensitive business data.

Key takeaway

For AI Architects or MLOps Engineers building multi-tenant LLM applications, you must design security controls into the infrastructure, not just rely on model instructions. Implement deterministic, layered security like cryptographic request signing, semantic input validation, and programmatic data isolation using pre-filtered CTEs. This approach ensures robust row-level security, preventing data exposure even if the LLM is manipulated, and is critical for compliance and trust in enterprise environments.

Key insights

Multi-tenant LLM analytics requires deterministic, architectural security layers to enforce row-level data isolation, not relying on LLM behavior.

Principles

• LLMs are non-deterministic; do not rely on them for security enforcement.
• Enforce data boundaries deterministically at the architecture level.
• Independent security layers reduce risk of cross-tenant data exposure.

Method

Implement a three-layer security architecture: AWS SigV4 for integrity-protected requests, Amazon Bedrock for semantic input validation, and Split-Plane SQL for programmatic data isolation via pre-filtered CTEs.

In practice

• Use AWS SigV4 to cryptographically bind request payloads to user credentials.
• Employ a reasoning engine for semantic validation before SQL generation.
• Generate SQL CTEs to pre-filter data, creating a secure data sandbox for the LLM.

Topics

• Multi-tenant Systems
• LLM Security
• Row-Level Security
• AWS SigV4
• Amazon Bedrock
• Split-Plane SQL
• Text-to-SQL

Best for: AI Security Engineer, AI Architect, MLOps Engineer

Related on AIssential

• LLM Serving Fairness: No more noisy neighbours - Cohere — Cohere's multi-layered scheduling system ensures fair LLM inference capacity distribution across tenants, preventing "noisy neighbor" issues.
• Building agentic AI applications with a modern data mesh strategy on AWS — Agentic AI requires multi-layered, deterministic governance across all data interaction steps, unlike single-checkpoint RAG.
• Building Enterprise-Grade Security Boundaries for LLM Calls — OAuth 2.0 + APIM + Entra ID — Securing LLM endpoints requires an authorization boundary using OAuth 2.0, API Management, and an identity provider.
• Not Every Node in Your Agent Needs an LLM — Agent pipelines should use LLMs only for reasoning tasks, not for deterministic checks.
• Article: Building a Secure MCP Server on AWS for a Million-Company B2B Platform — Treating MCP servers as first-class interfaces with narrow tool contracts enhances security and maintainability for LLM integrations.
• Trustworthy Self-Composable Big-Data-as-a-Service: An LLM-Orchestrated Multi-Agent Framework for Automated Data Engineering, AutoML, MLOps Deployment, and Drift-Aware Lifecycle Optimization — LLM-orchestrated multi-agent systems enable trustworthy, adaptive, and production-oriented Big-Data-as-a-Service lifecycle automation.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Artificial Intelligence.