Skip to main content
Back to blog
7 min read

One Neo4j, Many Tenants: Property-Based Isolation for AI Agent Knowledge Graphs

G
GenBrain AI
/
neo4jmulti-tenancytenant-isolationknowledge-grapharchitecturedeep-dive

Here is the architecture decision that nobody wants to make: do you give every customer their own database, or do you make them share one?

The textbook answer is "it depends." The production answer is: your aspirational design will collapse under the weight of operational reality, and you will end up sharing a database anyway. The only question is whether you planned for it or got dragged there by two bugs at 2 AM.

GenBrain AI runs a fleet of AI agents. Each customer organization gets its own agents deployed in a separate Kubernetes namespace (org-customerName). These agents use a knowledge graph -- Neo4j -- for wiki and KB tools: ingesting documents, querying knowledge, building organizational memory. The multi-tenancy question lands squarely on Neo4j.

This post covers the architecture decision we made, the bugs that forced it, and why property-based tenant isolation is the right call for most teams running Neo4j Community Edition in a multi-tenant environment.

The Original Design: One Neo4j Per Customer

The initial architecture followed the "database per tenant" model. Every customer org would get its own isolated Neo4j instance:

  • URI: bolt://neo4j-{org_id}.org-{org_id}.svc.cluster.local:7687
  • Credentials: A dedicated neo4j-{org_id}-credentials secret per namespace
  • Infrastructure: One StatefulSet per org

Maximum isolation. Clean boundaries. Each tenant's data lives in its own process, its own PersistentVolume, its own failure domain. If Org A's Neo4j crashes, Org B doesn't notice. If Org A's data gets corrupted, Org B sleeps soundly.

On paper, this is the gold standard.

In practice, Neo4j Community Edition is single-database. You cannot run multiple logical databases on one instance -- that is an Enterprise Edition feature. So the "database per tenant" model actually means "entire StatefulSet per tenant." Each customer gets their own Neo4j process, their own 500MB+ of baseline memory, their own backup strategy, their own monitoring.

For three customers, that is manageable. For thirty, you are running a Neo4j hosting company. For three hundred, you have made a career decision.

What Actually Broke

Two bugs surfaced the gap between design and reality:

Bug 1: GenBrain's own agents had no NEO4J_AUTH env var. The kb/wiki tools couldn't connect to Neo4j at all. The agents that were supposed to demonstrate the knowledge graph to customers couldn't even use it themselves.

Bug 2: Customer org agents pointed to StatefulSets that didn't exist. The provisioning code generated URIs like bolt://neo4j-{org_id}.org-{org_id}.svc.cluster.local:7687, referencing per-org Neo4j instances. But nobody had actually provisioned those instances. The code to deploy a per-org StatefulSet was never written. The URIs resolved to nothing.

The per-org model was aspirational. In production, there was exactly one Neo4j instance: neo4j-genbrain.agents.svc.cluster.local:7687. Everything else was a reference to infrastructure that did not exist.

The Fix: Shared Neo4j with Property-Based Tenant Isolation

Instead of building out the per-org provisioning pipeline, we accepted reality. All orgs share the single GenBrain Neo4j Community instance. Tenant isolation is enforced at the query level via org_id property filtering.

Here is what changed:

1. org_agent.py -- Hardcoded Shared URI

Every customer org's agents now point to the shared instance:

NEO4J_URI: bolt://neo4j-genbrain.agents.svc.cluster.local:7687
NEO4J_AUTH: (pulled from shared neo4j-genbrain-credentials secret)
NEO4J_DATABASE: neo4j

No per-org URI generation. No per-org credential secrets. One connection string for all tenants.

2. deployment.py -- Secret Mirroring

A new ensure_neo4j_credentials_secret() function mirrors the neo4j-genbrain-credentials secret from the agents namespace into each customer org namespace. It uses the standard create-or-skip pattern: try create, catch 409 (already exists), move on.

This is the entire provisioning step for Neo4j access. Mirror one secret. Done.

Compare this to the original design: deploy a StatefulSet, wait for it to become ready, create a PersistentVolumeClaim, set up credentials, configure backups, add monitoring. The operational surface area reduction is massive.

3. provision_tenant.py -- Removed Per-Org URI Function

The _neo4j_uri_for_org() function was deleted entirely. All orgs default to _NEO4J_URI -- the shared GenBrain URI. For migration flexibility, per-org env var overrides are still supported: NEO4J_URI_{ORG_ID_UPPER} can override the default. But the expected path is the shared instance.

4. Network Policy Update

A neo4j-tenant-isolation.yaml network policy previously blocked bolt:7687 from org namespaces. This needs updating to allow customer org agents to reach the shared instance in the agents namespace.

How Property-Based Isolation Works

The key insight is that kb_tools.py -- the code that every agent uses to interact with Neo4j -- already enforced tenant isolation at the query level. Every Cypher query is scoped by org_id:

Every MATCH clause includes a filter like WHERE n.org_id = $org_id. Every CREATE operation sets the org_id property on the new node. There is no query path that touches data without an org_id scope.

This means:

  • Org A's agents can only read and write nodes where org_id = "orgA"
  • Org B's agents can only read and write nodes where org_id = "orgB"
  • The isolation boundary is the application layer, not the database layer

The org_id is not optional metadata. It is a mandatory property on every node, enforced by the tool code itself. An agent cannot construct a query that skips the filter because the agent does not write raw Cypher -- it calls tool functions that inject the filter automatically.

The Trade-Off Matrix

Every multi-tenancy decision is a trade-off. Here is where property-based isolation wins and where it loses:

Where It Wins

Operational simplicity. One StatefulSet to manage, not N. One set of credentials, not N. One backup strategy, not N. One monitoring dashboard. When Neo4j needs a version upgrade, you do it once.

Provisioning speed. Adding a new customer org to the knowledge graph requires mirroring one Kubernetes secret. No StatefulSet deployment, no waiting for PVC binding, no health check loops. The ensure_neo4j_credentials_secret() call takes under a second.

Resource efficiency. Neo4j Community Edition is not lightweight. Each instance consumes 500MB+ of memory at baseline. Ten customer orgs means 5GB+ of memory just for idle Neo4j instances. A shared instance serves all tenants from one memory pool.

Where It Loses

No database-level isolation. A bug in kb_tools.py that forgets the org_id filter would leak data across tenants. The isolation is only as strong as the application code. This is a real risk -- one missing WHERE clause in a new query, and Org A sees Org B's knowledge graph.

Noisy neighbor risk. One org's heavy document ingestion can slow another org's queries. There is no resource isolation between tenants on a shared instance. If a customer ingests a 10,000-page document corpus, every other tenant feels the write amplification.

Cross-namespace networking. The shared instance lives in the agents namespace. Customer org agents live in org-{name} namespaces. Network policies must explicitly allow cross-namespace bolt traffic, which expands the network attack surface compared to namespace-local connections.

When to Upgrade

Property-based isolation on Neo4j Community is the right architecture when:

  • You have fewer than ~50 tenant orgs
  • No single tenant generates more than 100x the load of others
  • Your compliance requirements allow shared-infrastructure multi-tenancy
  • You want to keep operational costs proportional to actual usage, not tenant count

The upgrade path is clear: Neo4j Enterprise Edition supports multiple logical databases on a single instance. You get database-level isolation without the StatefulSet-per-tenant overhead. When a customer's compliance requirements demand it, or when noisy-neighbor effects become measurable, that is the migration trigger.

Until then, one Neo4j instance with disciplined org_id filtering handles the job. The infrastructure you don't run is the infrastructure that never breaks.

Key Takeaway

The "database per tenant" model is the correct theoretical answer for multi-tenant isolation. But theory meets reality at the provisioning layer. If your database engine does not support multiple logical databases (Neo4j Community), the per-tenant model means per-tenant infrastructure -- and per-tenant infrastructure means per-tenant operational burden.

Property-based isolation is not a compromise. It is a deliberate architectural choice that trades database-level isolation for operational simplicity, with a clear upgrade path when you need stronger boundaries. The application layer was already doing the filtering. The architecture change just stopped pretending the database layer was doing it too.

GenBrain AI runs a fleet of AI agents as a Cyborgenic Organization. Our agents manage knowledge graphs, deploy infrastructure, write code, and coordinate autonomously. Want to see how multi-tenant AI agents work in production? Visit agent.ceo to learn more.

Back to all posts

Related articles

·

How We Gave Every Customer Org's Agents Platform Knowledge on Day One

·

How ZRANGE 0,-1 Turned Task Management Into a Loop-Saturating Operation

·

When max_reconnect_attempts=-1 Isn't Enough: Building a NATS Connection Watchdog