Main / Blog / Capability

Enterprise RAG: knowledge that completes the action

  • Capability
  • Knowledge

7 min read

Enterprise RAG diagram: documents, databases and APIs feed retrieval, which grounds a proposal that turns into an executed action.DocsDatabasesAPIsRetrievalwith citationsGroundedproposalActionGrounded, then done

{ / Retrieval stopped being the hard part / ]

Three years ago, wiring an embedding model to a vector index and getting a grounded, cited answer out of a pile of PDFs was a project. Today it is close to a commodity: the components are mature, the tutorials are good, and a competent engineer can stand up a passable retrieval augmented generation platform over a documentation set in a week.

That is genuine progress, and it is also why so many RAG platform pitches now sound identical. Everyone can find the passage. Everyone can cite the source. Everyone can render a tidy answer with a link back to the paragraph it came from. If that is the whole product, the differentiator is a UI and a price.

The interesting question is what happens after the right paragraph has been found. In most companies, the person who asked did not want to read the refund policy. They wanted the refund issued. The retrieval was never the goal; it was the evidence.

Retrieval finds the paragraph. Execution finishes the job.

{ / What enterprise RAG actually has to get right / ]

Before we talk about actions, it is worth being honest about the enterprise-grade table stakes — the properties that separate AI knowledge base software that a company can rely on from a weekend prototype that happens to work on a clean corpus:

  • Ownership and freshness. Every source needs an owner and a refresh path. A policy document that changed in March and was indexed in January is not a stale answer — it is a confidently wrong one.
  • Access rights that survive retrieval. An employee must not see through an assistant what they cannot see in the underlying system. Permissions have to be enforced at retrieval time, per user, per tenant — not bolted on as a filter over results that were already assembled.
  • Traceability to the source. Not a plausible citation — the actual passage, the actual version, so a human can check it.
  • Isolation. One tenant’s knowledge never becomes another tenant’s context. This is an architectural property, not a configuration flag.
  • Scope discipline. A knowledge layer that answers everything answers nothing reliably. Narrow, owned, current beats broad, orphaned, drifting.

These are the parts we have shipped: knowledge import and indexing, structured company data used to verify state, and roles with tenant-scoped permissions. They are unglamorous and they are the floor. They are also not, by themselves, a reason to buy anything.

{ / Correct is not the same as done / ]

Consider an internal AI assistant that a support agent asks about a duplicate charge. It retrieves the correct clause of the refund policy, quotes it accurately, cites the document, and stops. The answer is correct. The customer is still charged twice.

What happened is that the assistant handed the work back. A person now has to read the clause, decide it applies, open the billing system, find the invoice, check the amount, and issue the refund — which is the work that was expensive in the first place. The AI removed the cheapest step, reading, and left the costly ones intact.

This is the structural limit of a knowledge-only product. It can be measured on answer quality, and it can score extremely well on answer quality while changing nothing about how the business runs. The metric that matters is not whether the passage was right; it is whether the operation completed. We took that argument apart in detail on the support side, in resolve, not deflect.

Being precise about what we are not: this is not about exploring data, building dashboards, or querying warehouses in natural language. ai.NEST is not an analytics surface. Knowledge and data exist here for one purpose — to justify and verify an action that is about to be taken.

{ / From retrieved passage to grounded proposal / ]

The connection between retrieval and execution is what we call a grounded proposal. The agent does not merely quote the refund policy; it proposes the specific refund that the policy permits — say, €48.00 against invoice INV-2231 — and it carries the evidence for that proposal with it. (Illustrative numbers: this is a mechanism, not a customer.)

For that to be safe, retrieval has to be joined to a bounded catalogue of actions. The agent cannot invent an operation because a document mentioned one. It can only propose from a finite, explicitly configured set — refund, plan change, access grant — and each proposal must be filled in from two sources: the knowledge that says an action is permitted, and the live data that says the preconditions are actually true. Policy says duplicate charges are refundable. Data says this customer really was charged twice. Neither alone is enough.

Then the proposal leaves the model’s hands entirely. The Policy Engine checks it against your rules — the requester’s role, whether that action is in the catalogue at all, whether the amount sits under the auto-approve threshold. Above the threshold, it waits for a human, who sees the proposal, the evidence it was grounded in, and the rule that routed it to them. Only then does the Executor call your API. Every step is written down: what was proposed, what it was grounded in, which rule decided, who approved, what ran.

Retrieval justifies the action. The Policy Engine authorises it.

Note the division of labour. Retrieval is never trusted to authorise anything — it supplies evidence. Authorisation lives in explicit rules that a human wrote and can read. That separation is what makes it acceptable for a probabilistic component to sit upstream of a real, irreversible-looking operation.

{ / Where enterprise RAG quietly breaks / ]

The failure modes below are mild when knowledge only produces text. They become serious the moment knowledge produces actions — which is precisely why they belong in the design from day one, not in a hardening sprint later.

  • Stale knowledge becomes a confidently wrong proposal. A superseded refund policy in the index does not just yield an outdated answer; it yields a refund that should never have been offered — issued fluently, with a citation. Freshness is a safety property, not a hygiene one.
  • Permissions bypassed through the retriever. The classic enterprise leak: the assistant has broad read access and cheerfully summarises a document the asking employee was never allowed to open. If access is not enforced per user at retrieval time, the assistant becomes a permission-laundering machine.
  • No record of the grounds. Many systems log the answer and discard the evidence. When an action was taken on the basis of a retrieved passage, the passage is the justification — and a decision you cannot reconstruct is a decision you cannot defend, tighten, or safely repeat.
  • Chunking that severs the condition from the rule. “Refunds are permitted” and “…within 30 days, excluding annual plans” landing in different chunks is a text-quality annoyance and an execution-grade bug.
  • Unbounded scope. If the agent can act on anything it can read, the blast radius of a bad document is the whole system. A finite action catalogue keeps a retrieval error an inconvenience instead of an incident.

{ / Where ai.NEST is today — and where it is going / ]

Being straight about status matters more than sounding finished. Shipped: the knowledge layer (import and indexing with tenant isolation), the data layer used to verify state before anything is proposed, and roles — Owner, Editor, Viewer — with tenant-scoped permissions. In private beta: chat end to end, and the Actions and Policy Engine that turn a grounded proposal into a governed, logged execution. The trust chain is how the product is designed and built; the action half of it is not yet generally available, and we will not pretend otherwise.

One more constraint worth stating plainly, because it decides who we are a fit for: ai.NEST is delivered as a managed, dedicated, EU-hosted instance. We do not ship a self-hosted distribution. The reasoning — and the honest trade-offs — are in the managed alternative to self-hosted AI. If you want the shorter version of the whole thesis, it is on our about page.

The bet underneath all of this is simple. Retrieval quality will keep improving and keep commoditising. What will not commoditise is the governed path from a piece of knowledge to a completed operation, with a record that holds up when someone asks why it happened — a record that also makes evidence for regimes like DORA or the AI Act far cheaper to produce.

{ / Conclusion / ]

Enterprise RAG is worth building well, but it is a foundation, not a destination. The point of finding the right paragraph is to be able to act on it correctly — and the distance between those two things is where a knowledge base becomes a system your operations actually depend on.

The knowledge layer is live; the Actions and Policy Engine land with early-access customers first. If your team already has a working internal assistant and is tired of it stopping one step short of the outcome, that is the exact conversation we want. Join the early-access waitlist and tell us which action your knowledge should be completing.

Want it built and run for you? SMB Studio implements execution-first AI inside existing operations.

Join the early-access waitlistWant it built and run for you?

{ / keep reading / ]

An AI agent for customer service that resolves, instead of deflecting

Support teams are still judged on deflection — how many tickets never reached a human. Customers do not want an answer; they want the refund issued, the plan changed, the access granted.

A walk-through of one duplicate-charge ticket, resolved end to end on a trust chain: the agent proposes the action, a policy engine checks it, a human approves it, an executor runs it through your billing API, and every step lands in an audit log.

Read more
  • Support
  • Execution
8 min read

A managed alternative to self-hosted AI — and an honest look at what you give up

If you are searching for a self-hosted AI agent or an on-prem LLM, you are almost certainly not shopping for a server. You are shopping for control: your data staying yours, your systems staying yours, and no vendor holding you hostage.

We do not offer self-hosting — and we would rather explain that clearly than sell around it. Here is what the requirement underneath usually is, and who we are honestly not for.

Read more
  • Deployment
  • Data residency
7 min read

← All posts