Classification Ceiling

the highest level of data sensitivity your AI system is allowed to process, which only matters if someone actually enforces it at the retrieval layer instead of hoping the model will self-censor.

"our internal chatbot retrieved the CEO's M&A strategy doc because it was semantically relevant to my question about 'company direction.' the chatbot doesn't know what a clearance level is. neither did the team that built it."
"engineering pasted semiconductor source code into ChatGPT three times in three weeks after samsung lifted the ban. there was no classification ceiling. there was no classification anything. the exit door was open and labelled 'productivity tool.'"
"asked IT what data classification our RAG pipeline enforces. they said 'what do you mean by classification?' that's the answer. that's the whole finding."
Share this one
Canonical Definition

The maximum data sensitivity level an AI system is permitted to process. Enforced at pipeline ingestion. An agent with a Confidential ceiling cannot process Highly Confidential data, regardless of what its tools can technically access. Classification ceilings translate information classification policy — a governance concept — into a technical enforcement mechanism at the boundary of every AI pipeline. Without them, data sensitivity is a label. With them, it is a control.

Why It Matters

Most organisations have information classification policies. Documents are labelled Public, Internal, Confidential, or Highly Confidential (or equivalent tiers). Access controls enforce these classifications for human users: you need specific permissions to open a Highly Confidential file. The same controls rarely exist for AI systems.

A RAG pipeline does not check document classification before retrieval. It retrieves the most semantically relevant documents from the vector store. If the vector store contains board minutes, M&A strategy documents, HR disciplinary records, and public marketing materials, the pipeline will retrieve whichever documents best match the query — regardless of sensitivity. A junior employee asking a routine question can receive a response grounded in the CEO’s acquisition strategy.

The classification ceiling closes this gap. It imposes a hard limit: this AI system can process data up to classification level X. Data above that level is filtered at ingestion, excluded from the vector store, or blocked at retrieval time. The ceiling is not a prompt instruction (“do not retrieve confidential documents”). It is an architectural constraint enforced before the data reaches the model.

The Stress Test

Your organisation deploys an internal knowledge assistant powered by a RAG pipeline over your document corpus. A board member asks the assistant about a competitor analysis. The assistant retrieves and synthesises information from a Highly Confidential document: the internal assessment of a potential acquisition target. The response is correct, well-sourced, and catastrophically inappropriate — because the assistant has no classification ceiling. It treats all documents as equally retrievable.

A week later, a summer intern asks the same assistant about “company strategy.” The assistant retrieves fragments from the same acquisition assessment. The intern mentions the potential acquisition at a university networking event. The information is now public. You cannot trace how it left the building because your AI system does not log which classification levels were accessed in each retrieval.

In the Wild

RAG Pipeline — Enterprise Knowledge Assistants, 2024–2025
The Vector Store That Knows Everything

As enterprises rapidly deployed RAG-based knowledge assistants in 2024–2025, a recurring pattern emerged: document corpora were ingested into vector stores without classification filtering. The ingestion pipeline processed everything it could access — SharePoint libraries, Confluence spaces, shared drives, email archives — and embedded it all into a single vector store. The assistant then retrieved from this store without any sensitivity-based filtering.

The result: internal chatbots surfacing executive compensation data in response to HR queries, legal hold documents appearing in compliance research, and customer PII being included in analytical responses. Each retrieval was semantically correct. Each was a classification violation.

The RAG pipeline does not understand classification levels. It understands semantic similarity. If the most relevant document is the most sensitive document, that is what it retrieves.

Data Leak — Samsung Semiconductor, 2023
When There Is No Ceiling, Everything Goes Through

Samsung’s experience illustrates the inverse of a classification ceiling. When employees pasted semiconductor source code, proprietary test sequences, and restricted meeting notes into ChatGPT, there was no classification enforcement at the boundary. No system checked whether the data being submitted exceeded the classification level that ChatGPT — an external, third-party service — was authorised to process. The classification ceiling for an external AI service should have been “Public” or at most “Internal.” Without that ceiling, Highly Confidential data left the organisation.

Samsung had an information classification policy. What they did not have was enforcement at the AI boundary. The policy existed on paper. The data existed on OpenAI’s servers.

Access Control — The Military Clearance Analogy
Your AI Has No Security Clearance

Military and government organisations have operated classification ceilings for decades. A system with a “Secret” clearance cannot process “Top Secret” material. This is enforced at the infrastructure level: the system physically cannot access data above its clearance. Enterprise AI systems have no equivalent. The model can technically access anything its service account can reach. The classification ceiling must be built, not assumed.

The analogy is precise: you would not give an intern a Top Secret clearance because they need to read one document. You should not give an AI assistant access to your entire document corpus because it needs to answer routine questions.

Governments enforce classification ceilings with air-gapped networks. Enterprises enforce them with a metadata filter in a retrieval query. Or they do not enforce them at all.

How to Govern It

A classification ceiling is only as strong as the enforcement at the pipeline boundary.

Within the AI Enterprise Control Index, classification ceiling governance spans multiple layers and shields:

  • Data (L6) — Establish and enforce information classification standards for all data entering AI pipelines. Every document in a RAG corpus must carry classification metadata. Data lineage must track classification levels from source through retrieval to output.
  • Security (S2) — Enforce classification ceilings at the pipeline boundary. Ingestion filters that block data above the system’s ceiling. Retrieval filters that exclude documents above the user’s clearance. Output filters that detect and redact information above the permitted classification in responses.
  • AI Engineering (L5) — Build classification enforcement into the RAG architecture: separate vector stores per classification level, metadata-filtered retrieval, and tenant isolation for multi-clearance deployments.
  • GRC (S1) — Evidence Factory captures classification ceiling assignments per AI system, retrieval logs showing classification levels accessed, and test results validating that the ceiling is enforced.
  • Applications & Agents (L4) — Every AI application must have an assigned classification ceiling documented in its system card. Agents must inherit the ceiling of their deployment context, not the ceiling of their technical capabilities.

When It’s Relevant

Every AI system that processes organisational data. Every RAG pipeline. Every agent with access to document stores, databases, or APIs that contain data at multiple classification levels. Classification ceilings are especially critical in regulated industries (financial services, healthcare, government, defence) where data sensitivity is not a best practice but a legal requirement.

Classification ceilings are most critical when:

  • The AI system has access to data at multiple classification levels
  • Users at different clearance levels access the same AI system
  • The RAG corpus includes documents ranging from Public to Highly Confidential
  • The AI system sends data to external providers (where the ceiling should match the provider’s data processing agreement)
  • The organisation operates under regulatory requirements for data handling (GDPR, HIPAA, government classification standards)

See this control in the framework. Classification ceiling governance is operationalised across L6, S2, L5, and S1 in the AI Enterprise Control Index v6.0.

Open Framework →

Related Terms

References

  1. [1] ISO/IEC (2022) ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements. Annex A, Control A.5.12–A.5.13: Information classification and labelling. International Organization for Standardization.
  2. [2] ISO/IEC (2022) ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection — Information security controls. Section 5.12–5.14: Information classification, labelling, and transfer. International Organization for Standardization.
  3. [3] NIST (2024) Artificial Intelligence Risk Management Framework: Generative AI Profile (AI 600-1). National Institute of Standards and Technology, U.S. Department of Commerce.
  4. [4] European Parliament and Council (2024) Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (AI Act), Article 10: Data and data governance. Official Journal of the European Union, L 2024/1689.
  5. [5] Carlini, N., Tramer, F., Wallace, E., Jagielski, M., Herbert-Voss, A., Lee, K., Roberts, A., Brown, T., Song, D., Erlingsson, U., Oprea, A. and Raffel, C. (2021) ‘Extracting Training Data from Large Language Models’, 30th USENIX Security Symposium, pp. 2633–2650.
  6. [6] OWASP Foundation (2025) OWASP Top 10 for Large Language Model Applications v2025.1. LLM02: Sensitive Information Disclosure. Available at: owasp.org/www-project-top-10-for-large-language-model-applications.
  7. [7] Bell, D.E. and LaPadula, L.J. (1973) Secure Computer Systems: Mathematical Foundations (Technical Report MTR-2547). MITRE Corporation. [The foundational Bell–LaPadula model for mandatory access control and classification enforcement.]

AI Enterprise Control Index v6.0 · Glossary · June 2026 · i-DEPOT 158508 (BOIP) · CC BY-NC-ND 4.0

By Jeroen Janssen, Apparens