Regulated advisory workloads depend on answers that are both accurate and confined to the information a given user is entitled to see. When organisations connect generative models to internal knowledge, the appeal is obvious, because staff can query dense policy libraries, case files, and product documentation in natural language. The risk is equally clear, because a model that retrieves indiscriminately can surface content that a user should never have been shown, and it can present that content with the confident tone that makes large language models persuasive. Grounding models on private data with managed retrieval is the disciplined way to gain the benefit while keeping confidentiality intact.
Azure AI Foundry provides the environment in which enterprise and financial services teams build, evaluate, and operate these grounded applications. It brings model selection, prompt orchestration, evaluation tooling, and connections to retrieval services into a single managed surface. This article explains how retrieval-augmented generation works within Foundry, why security trimming must be treated as a first-class design concern, and what practical controls keep advisory workloads defensible under scrutiny.
Retrieval-augmented generation, commonly shortened to RAG, addresses a core limitation of language models, which is that they only know what was present in their training data. Instead of relying on the model's parametric memory, a grounded application retrieves relevant passages from an authoritative source at query time and passes them to the model as context. The model then composes its response from that supplied evidence, which improves factual accuracy and allows every answer to carry citations back to the underlying documents. For regulated advice, this traceability matters as much as the answer itself, because a reviewer can confirm where a statement originated.
Within the Microsoft ecosystem, Azure AI Search is the managed retrieval service that most Foundry grounding patterns rely upon. It maintains a searchable index of your content, supports vector, keyword, and hybrid retrieval, and can rank results so that the most relevant passages reach the model first. Because the service is managed, teams avoid operating their own vector database and can instead concentrate on data quality, chunking strategy, and index freshness. The retrieval layer becomes the point at which accuracy, relevance, and access control are enforced together, rather than being bolted on after the model has already responded.
Security trimming is the practice of filtering retrieved results so that a user only ever sees content their identity permits. In an enterprise setting, documents typically carry access control metadata that maps to Microsoft Entra ID groups or individual principals, and the retrieval query must include a filter that matches the requesting user's group membership. If that filter is absent or incorrectly constructed, the index will return passages the user cannot legitimately access, and the model will faithfully repeat their contents. This is the most common way that a grounded application leaks data, and it happens quietly because the model gives no indication that a boundary was crossed.
The defensible pattern is to capture each user's identity and group claims from Entra ID at request time, then apply those claims as a filter on every retrieval call before the model is invoked. Access control values should be indexed as fields on each document so the search service can trim results server side, rather than relying on the application to discard sensitive passages afterwards. It is important that trimming occurs during retrieval and not during response generation, because any content that reaches the model prompt has already left its trust boundary. Teams should also test with representative low-privilege accounts, since an application that behaves correctly for an administrator can still expose data to ordinary users.
Grounding accuracy and confidentiality are not separate problems, because a model that retrieves the wrong document is as damaging as one that retrieves a forbidden one. Financial services and government advisory teams should evaluate their applications systematically, using representative question sets that reflect real enquiries and measuring whether responses are supported by the cited sources. Foundry includes evaluation tooling that helps quantify groundedness and relevance, which allows teams to detect regressions when models, prompts, or indexes change. Regular evaluation turns a demonstration into a system that can be trusted with regulated decisions.
Governance extends beyond the model to the data itself and the region in which it is processed. Organisations subject to Australian regulatory expectations should deploy the retrieval index and model endpoints in Azure regions that meet their data residency obligations, and they should keep clear records of which sources feed the index and how often they refresh. Logging of prompts, retrieved documents, and responses supports both incident investigation and audit, provided those logs are themselves protected to the sensitivity of the underlying content. Aligning these controls with the guidance of the Australian Cyber Security Centre helps ensure the deployment can withstand independent assessment.
A durable grounding solution treats identity, retrieval, and generation as a single pipeline with consistent controls at each stage. Content should be ingested with accurate access metadata from its source system, indexed with that metadata intact, and queried only with the requesting user's verified claims applied as filters. Prompt templates should instruct the model to answer solely from supplied context and to state clearly when the evidence is insufficient, which reduces confident fabrication. These measures work together, and weakening any one of them undermines the others.
Finally, this is an operational commitment rather than a one-off build, because indexes drift, permissions change, and models are updated over time. Teams should schedule reindexing to reflect document and permission changes, monitor evaluation metrics for drift, and review access filters whenever source systems are reorganised. Treating the grounded application as a governed service, with owners, change control, and periodic assurance, is what allows enterprise and financial services organisations to extend generative capabilities to sensitive knowledge without eroding the confidentiality their clients and regulators expect.

Level 7, 12 St Georges Tce
Perth WA 6000
[email protected]
Ph 1300 NOVATA

In the spirit of reconciliation Novata Solutions acknowledges the Traditional Custodians of country throughout Australia and their connections to land, sea and community. We pay our respect to their Elders past and present and extend that respect to all Aboriginal and Torres Strait Islander peoples today. This land always was, and always will be Aboriginal Land.

Novata Solutions is committed to embracing diversity and eliminating all forms of discrimination through education. We welcomes all people and is respectful of individual identities.