The Enterprise AI Knowledge Assistant

Your company's knowledge,
answering for itself, securely.

A private AI assistant that answers your employees' questions straight from your own internal knowledge: grounded, cited, and permission-aware. It only ever sees what the person asking is already cleared to see, it shows its sources, and it runs on infrastructure you control. Built for you, secured with you, owned by you.

Permission-awareCited & audit-loggedRuns in your cloud

The answer exists. Finding it is the tax.

Enterprises don't have a knowledge creation problem. They have a knowledge retrieval problem. The policy, the spec, the precedent almost always exists somewhere. But it's scattered across SharePoint, Confluence, Slack, ticketing, and a dozen shared drives, so your people hunt, interrupt each other, and reconstruct context that was already written down. You already paid to create that knowledge. You're paying again, every day, in the time it takes to find it.

  • Knowledge workers commonly lose 1.5–2.5 hours a day searching for information that already exists.
  • New hires take 3–6 months to ramp, much of it spent on “where do I find X / who owns Y.”
  • Senior staff and SMEs are interrupted constantly with questions already documented somewhere.
  • A stalled “let's build our own GPT” effort that hit the security and permissions wall.

Quantify your retrieval tax →

Permission-aware RAG. Grounded, not guessing.

A Retrieval-Augmented Generation system wired into your knowledge, where retrieval is filtered by the asking employee's identity before anything reaches the model.

1 · Connect & sync

Authenticated, least-privilege connectors ingest your sources incrementally, capturing not just content but each document's access controls (who can see what) as filter tags.

2 · Retrieve within permissions

On every question, your SSO identity resolves to your group memberships. Only content you're already cleared to see is eligible, then hybrid semantic + keyword search re-ranks the best evidence.

3 · Answer with citations

The model answers only from retrieved passages, with inline citations you can click to verify, and refuses when evidence is thin instead of inventing.

Grounded or silent. Every claim traces to a source document in your knowledge base. No source, no claim, so a wrong answer points to a wrong document you can fix, not tribal knowledge you can't. We validate accuracy against a “gold set” of your real questions before launch and report the number.

Ask in plain English. Get a cited answer.

An employee asks a question. The assistant answers only from documents that person is already cleared to open, and shows every source behind the answer.

Security is the product, not a feature.

Written to be handed straight to your InfoSec or CISO team. This is what they'll ask about first.

Permission-aware retrieval

The assistant never returns content an employee couldn't already open in the source system. ACLs are enforced as a hard pre-filter before generation, so the model never receives restricted chunks, even under adversarial prompting.

Enforced, not cosmetic · proven with permission-boundary tests

SSO, SAML & SCIM

SSO via SAML 2.0 / OIDC against Okta, Microsoft Entra ID, Google Workspace, or Ping. SCIM provisioning follows your joiner-mover-leaver process. MFA and role-based admin enforced by your IdP.

No separate password store

Data isolation

Single-tenant by default: each client's index, vector store, credentials, and logs run in dedicated, isolated infrastructure. Private networking, TLS 1.2+ in transit, AES-256 at rest, and customer-managed keys where required.

No shared index · no co-mingled knowledge

Audit logging & monitoring

Every query, the identity behind it, what was retrieved (and what ACL filtered out), and what was returned: all logged, timestamped, and exportable to your SIEM (Splunk, Sentinel). Configurable retention per your compliance policy.

Tamper-evident · SIEM-ready

No training on your data

Contractual and technical guarantee. Your content is used only to retrieve and ground answers, never to train or fine-tune any third-party model. Enterprise model configs with no-training / zero-retention terms, pinned to your chosen region.

Your data stays yours

PII & sensitivity handling

Configurable PII/PHI/secret detection at ingestion: redact, restrict, or exclude. Source sensitivity labels (e.g., Microsoft Purview) are honored so gated content stays gated even inside otherwise-permitted results.

Policy-driven at ingest

Honest about compliance. Key's Touch is a specialized boutique, not a SOC 2-audited SaaS platform, and we say so plainly. We build on infrastructure and model providers that hold SOC 2 / ISO 27001 / HIPAA-eligible certifications, and we typically deploy inside your certified environment, so the system inherits your controls and audit scope. We execute a BAA where PHI is in scope and support your vendor-risk questionnaire with full architecture and control documentation. We never claim certifications we don't hold.

Hosting options: your cloud / VPC (default) · dedicated managed (US region) · air-gapped / self-hosted. You choose.

Wired into the tools your knowledge already lives in.

Connectors are the difference between a demo and a system. Every connector is ACL-aware and scoped as a defined line item, so scope stays honest.

Knowledge sources

SharePoint & OneDrive, Confluence & Jira, Google Workspace (Drive, Docs, Sheets), Slack, Microsoft Teams, Notion, Zendesk (extensible to ServiceNow), and file stores (S3, Azure Blob, GCS, SMB shares).

Identity & SSO

Okta, Microsoft Entra ID (Azure AD), Google Workspace, and Ping, over SAML 2.0 / OIDC plus SCIM. Nested groups and dynamic membership respected so permissions resolve correctly.

Where employees use it

A branded, SSO-gated web app, plus a Slack app and Microsoft Teams bot so people ask in the tools they already live in. Optional embedded widget and API for your intranet.

Custom line-of-business systems connect via authenticated REST APIs, quoted per source, with ACL extraction verified.

A build, a proof, and an owned asset.

A phased engagement that starts with security design and ends with a system you own, not a subscription you rent.

Phase 0 · Discovery & security design

Knowledge-source inventory, InfoSec/CISO alignment and hosting decision, ROI baseline, and an architecture & data-flow document naming every component that touches your data.

A real architecture doc regardless of what you decide next

Phase 1 · Build & secure

Deployed via infrastructure-as-code, ACL-aware connectors, hybrid retrieval + RAG engine with citations and grounded-refusal, SSO/SCIM, audit logging to your SIEM, and an admin console.

Running in your environment, not a slide

Phase 2 · Validate & launch

An evaluation report on grounding accuracy and permission-boundary tests (proof a restricted user cannot retrieve restricted content), a security-review package, training, and a phased pilot rollout.

Proof before you scale

Ongoing · Managed service

Connector maintenance, model and guardrail tuning, security patching, periodic access audits, content-gap reporting (unanswered questions → what to document next), and a quarterly business review.

It gets better as your docs improve

Owned, not rented: under the client-cloud option you own the code, configuration, and infrastructure at handover. We build, secure, and optionally operate it, but it's your asset.

Value-anchored, not hourly.

Priced against the value of recovered time and faster onboarding. A conservative fraction of the search-time savings typically dwarfs the build plus first-year retainer, and you see the ROI model before you decide.

Build (one-time)

Fixed and phased quote after discovery. Scope drivers: connector count and complexity, permission-model complexity, hosting option, custom integrations, and compliance requirements (e.g., HIPAA/BAA). Typically 40% at kickoff, 30% at pilot, 30% at launch.

Managed service

Scoped after discovery, scaled to environment size, connectors, SLA, and hosting model. Covers monitoring, connector and model tuning, security patching, content-gap reporting, access audits, and a quarterly business review. 12-month term recommended.

Pilot (lower barrier)

4–6 weeks, scoped to 1–2 sources and a single department, with full permission-aware retrieval and agreed success criteria. The pilot fee credits toward the full build, and it's the recommended entry for security-conscious enterprises.

De-risked either way. Discovery (Phase 0) can be sold as a paid standalone that credits toward the build and produces a real architecture and data-flow document regardless of whether you proceed. US-based clients / US data residency by default; other residency scoped separately.

Built by the person who'll be in the security review.

Key's Touch is led by Key Scales, not an account manager who hands you off to a junior team. When you book your discovery call, you're talking to the principal architect who maps your knowledge sources, designs the data flow, and stands in front of your InfoSec team. The conviction is simple: you shouldn't have to choose between adopting AI and doing it safely. So we do both, grounded, permission-aware, and audit-logged, in the same engagement.

Enterprise Systems Background PMP Certified AI & Data Governance Full-Stack Engineer

Book a security-first discovery call →

The questions InfoSec actually asks.

Is this just ChatGPT with our documents pasted in?

No. It's a private, permission-aware retrieval system. Answers are grounded in your documents and cited, it enforces your existing access controls before the AI sees anything, it's fully audit-logged, and it runs on infrastructure you control. A public chatbot has none of those properties.

Can an employee use it to see things they're not allowed to see?

No. Access permissions are extracted from each source at ingestion and applied as a hard filter at retrieval time, keyed to the asking employee's identity and group memberships from your SSO. Restricted content is never retrieved for an unauthorized user, so the model physically cannot include it, even under adversarial prompting. We prove this before launch with permission-boundary tests.

What happens to our data? Is it used to train AI models?

No. Your content is used only to retrieve and ground answers, never to train or fine-tune any third-party model. We use enterprise model configurations with contractual no-training and zero-retention terms, and inference runs in your chosen region (default US). We provide a data-flow diagram naming every component that touches your data and where it lives.

Where does it run? Can it stay in our own cloud?

Yes. That's the default for security-first clients. Option A deploys everything inside your AWS, Azure, or GCP account or VPC. Option B is a dedicated, single-tenant environment we host and operate for you in a US region. Option C supports air-gapped or self-hosted models for the most restrictive environments. Your data never co-mingles with another client's.

Do you have SOC 2? Are you compliant?

We're honest here: Key's Touch is a specialized boutique, not a SOC 2-audited SaaS platform. We build on infrastructure and model providers that hold SOC 2 / ISO 27001 / HIPAA-eligible certifications, and we typically deploy inside your certified environment, so the system inherits your controls and audit scope. We execute a BAA where PHI is in scope and support your vendor-risk questionnaire with full architecture and control documentation. We never claim certifications we don't hold.

How do you prevent it from hallucinating?

Three mechanisms: every answer is generated only from retrieved passages of your content, answers carry inline citations you can click to verify, and a grounding check makes it refuse when it lacks sufficient evidence instead of guessing. Before launch we validate accuracy against a set of your real questions with known answers and report the results.

Who owns the finished system?

You do. Under the client-cloud option, you own the code, configuration, and infrastructure at handover. We build, secure, and optionally operate it, but it's your asset, not a subscription you lose if you leave. We retain rights only to our generalized, non-client-specific frameworks and tooling.

How long does it take to stand up?

A focused pilot on one or two sources and a single department typically runs 4–6 weeks including discovery. A full enterprise build ranges from roughly 8–16 weeks depending on connector count, permission complexity, and compliance requirements. Discovery always comes first and produces a real architecture and data-flow document.

What does it cost?

Builds are quoted fixed and phased after discovery, driven by connector count, permission-model complexity, hosting, and compliance requirements. A scoped 4–6 week pilot is the recommended entry, and its fee credits toward the full build.

Let's scope this against your knowledge and your security posture.

A few quick questions so your discovery call is sharp from minute one. Takes about 90 seconds.

Pick a time. That's it.

Choose a 15-minute slot. No pitch, no obligation, and you keep the architecture thinking either way.

15 minZoomYou'll talk to Key directly

Based on your answers, a full enterprise build may be more than you need right now. For smaller teams, our AI Operations Accelerator installs targeted AI systems into the tools you already use, a better-fit starting point.

Make your knowledge answer for itself, securely.

Thirty minutes. No pitch, no obligation. We'll map your knowledge sources, talk through your security posture, and show you what a permission-aware, cited, audit-logged assistant looks like on your content. A paid discovery or scoped pilot lets you prove it before any full commitment, and credits toward the build.

Book a security-first discovery call →

Want the security details first? Read how we secure it.

Book a discovery call →