4.3.2. Grounding Agents with Extracted and Retrieved Data
💡 First Principle: The payoff of this whole domain is a grounded agent with citations — extraction produces clean content, the index makes it retrievable, and the agent's knowledge source ties it back so answers are traceable to sources. Citations aren't decoration; they're how grounding becomes auditable and trustworthy.
This closes the loop to Phase 2: an agent's knowledge source (file search or a connected AI Search index) is exactly this pipeline's output. The agent retrieves relevant chunks, grounds its response on them, and returns citations pointing to the source passages. For production, document-level security filters ensure a user only retrieves chunks they're authorized to see — grounding must respect access control, not bypass it.
⚠️ Exam Trap: Grounding does not automatically enforce data access. If different users may see different documents, the retrieval layer needs document-level security filters (e.g., filtering by the user's identity/permissions) — otherwise the agent can ground on, and leak, content a user shouldn't see. A scenario about multi-tenant or role-restricted data that omits security trimming is describing a leak.
Reflection Question: Two users ask the same question but should see answers grounded only in their own permitted documents. What must the retrieval layer add, and why can't the agent's instructions alone enforce this?