The Consulting Firm's Dilemma: AI Across Client Engagements Without Cross-Contamination

A strategy partner at a mid-size consulting firm asks the firm's internal AI assistant a question about pricing dynamics in the industrial packaging sector. The assistant draws on internal research, past engagement deliverables, and knowledge captured from previous projects. The answer is useful. It references market sizing work, competitive positioning analysis, and customer interview summaries from several past engagements. The partner does not notice that two of the cited documents came from work done for a client that competes directly with the company she is advising today.

No access control was violated in a technical sense. Both engagement teams had the same internal access tier. The AI retrieved what was most relevant to the query. The relevance criterion was semantic similarity — both bodies of work addressed the same market, the same dynamics, the same question. From the retrieval system's perspective, these were the best documents available.

From a professional ethics perspective, this is a potential conflict of interest, a possible breach of confidentiality obligations, and exactly the scenario that NDAs, engagement letters, and professional privilege frameworks are designed to prevent. The fact that it happened through an AI retrieval system rather than a deliberate disclosure does not change the exposure.

The Core Problem: Semantic Similarity Leaks Context

Access control frameworks are designed to prevent explicit data transfer between unauthorised parties. They work well for that purpose. A user without permissions to a specific folder cannot open files in that folder. A database user without read access to a table cannot query it. These are hard boundaries enforced at the resource level.

AI retrieval operates differently. It does not transfer files — it retrieves passages that are semantically similar to a query. The boundary between client A's knowledge and client B's knowledge is not a file permission; it is a semantic one. If client A and client B operate in the same market, semantic similarity between their respective bodies of work may be high enough that a query about client B's market will routinely surface documents from client A's engagement. No access violation occurs in the technical sense. But information from one client relationship has influenced work product for another.

This is what makes the consulting AI problem structurally different from most enterprise AI security discussions. The threat is not an attacker bypassing access controls. The threat is the AI system working exactly as designed — retrieving semantically relevant content — and that correct behaviour producing a result that violates professional obligations.

The implications are not hypothetical. In sectors where consultants advise competing clients — which is most sectors — knowledge from one engagement will routinely be semantically adjacent to questions arising in another. Strategy work, market analysis, operational benchmarking, financial modelling: all of these create knowledge assets that are relevant to similar questions in similar contexts. An AI system that retrieves across the full knowledge base without engagement-level isolation will systematically surface this cross-engagement context, silently and at scale.

The Regulatory and Professional Dimension

Consulting firms operate under multiple overlapping obligations that govern information handling across client engagements.

Non-disclosure agreements are standard in engagements involving sensitive commercial information. They typically prohibit disclosure of client information to third parties, including other clients. Whether retrieval by an AI system constitutes "disclosure" under a standard NDA is a legal question that most NDA drafters did not anticipate. What is clear is that using one client's confidential information to inform work for another — even indirectly, through an AI system — is the kind of activity NDAs are designed to prevent.

Professional privilege applies in engagements that involve legal advice or regulatory strategy. Privilege attaches to specific communications between a client and their professional advisors. If privileged documents from one engagement are accessible to an AI system that serves multiple clients, those documents could theoretically influence outputs in other client contexts — potentially compromising privilege by exposing its substance to parties not covered by the original privilege.

Fiduciary duty applies in some advisory relationships, particularly in financial services consulting. A fiduciary must act in the client's best interest, which includes not using the client's information to benefit another party. An AI system that draws on one client's strategic analysis to inform advice to a competing client may create a fiduciary exposure even if no individual advisor intended to use that information.

These obligations are not obscure edge cases. They are the foundation of how consulting firms maintain the trust that makes client relationships possible. An AI deployment that creates systematic exposure to these obligations — even inadvertently — is not a minor IT risk. It is a professional liability risk with direct revenue and reputational consequences.

Why Access Control Alone Does Not Solve This

The obvious response is to implement stricter access controls: each engagement team can only see their own documents, with no cross-engagement retrieval. This is the correct direction, but it is not sufficient implemented naively.

Standard role-based access control manages who can read which files. It does not manage what an AI retrieval system surfaces in response to a query. If an AI assistant serves users across multiple engagements — which is the efficiency rationale for deploying shared AI infrastructure — then the retrieval system needs to enforce knowledge isolation at the query level, not just the file level.

The distinction matters. A file-level permission system ensures that consultant A cannot open client B's deliverable document directly. It does not ensure that when consultant A asks the AI a question, the AI will not draw on client B's documents to formulate its answer — especially if the AI's answer includes synthesised insights rather than direct quotations that would make the source obvious.

What is needed is isolated knowledge spaces: each client engagement exists in its own retrieval index, with no cross-index retrieval occurring during query execution. A query about packaging market dynamics searches only the knowledge space for the engagement in which the query is made. It does not search the full knowledge base. The semantic similarity that would surface cross-engagement documents never has the opportunity to operate across client boundaries.

This is architecturally different from access control. Access control governs who can retrieve. Isolated knowledge spaces govern what retrieval can cross. Both are necessary. The security framework for enterprise AI that covers broader deployment considerations is worth reviewing alongside engagement-specific isolation — a thorough enterprise AI security evaluation addresses the vendor-side risks that are distinct from internal isolation design.

The Private Deployment Argument

Consulting firms considering AI face a compounding challenge: not only must they prevent cross-engagement contamination, they must also ensure that client knowledge does not leave the firm's infrastructure at all. A shared cloud AI deployment creates two simultaneous risks: cross-contamination between client knowledge bases, and egress of client knowledge to a third-party AI provider.

The combination of these risks makes private deployment — on-premise or in the firm's own private cloud — the architecture that most serious consulting practices will ultimately converge on. Private deployment eliminates the egress risk entirely: client documents are indexed and queried within the firm's own infrastructure, with no external API calls during query execution. Isolated knowledge spaces within that private deployment then address the cross-engagement contamination risk.

The operational model that results is: each engagement has its own knowledge space, populated with documents specific to that engagement. Cross-engagement search is architecturally impossible, not just policy-prohibited. Outputs are citation-backed, so consultants can verify that a retrieved insight comes from within the correct engagement context. The audit trail for any AI-assisted work product shows exactly which documents were retrieved from which knowledge space. If a conflict question arises, the retrieval log demonstrates what the AI had access to when generating each output.

This is the architecture that air-gap AI deployment enables: knowledge stays within defined boundaries, retrieval operates within isolated spaces, and the full audit trail is available within the firm's own systems. The analogy to a well-run conflicts screening process is not coincidental — the same discipline that firms apply to human advisor assignments needs to be applied to AI knowledge access.

Scabera is designed for exactly this deployment pattern: isolated knowledge spaces per client or engagement, citation-backed retrieval that makes sources explicit and verifiable, and a fully on-premise architecture that keeps client knowledge within the firm's infrastructure boundary.

To see how Scabera approaches client knowledge isolation for professional services firms, book a demo.