Quick Recap : In past week, we learnt about governance in financial domain being supported by Prometheus + Loki + Grafana Monitoring Stack while we also understood why RAG is preferred over fine-tuned models. In today’s edition, we will learn importance of langChain and Postgres DB for implementing RAG system.

When "Good Enough" Isn't Good Enough

It's Monday morning. Your team just finished building a RAG system for automating KYC document review. You used LangChain with a popular cloud vector database. The demo looked great.

Then you present it to Information Security.

"Where exactly is our customer data stored?"

You explain it's in a managed vector database service in the cloud.

"And can you guarantee that customer PII never leaves our VPC?"

Well... no.

"Can you run semantic searches while filtering out documents the current user isn't authorized to see?"

You didn't build that in.

"And when regulators ask to see the exact documents retrieved for a specific KYC decision made six months ago, can you produce them?"

That's... trickier than you thought.

The meeting ends with: "Rebuild this using our existing Postgres infrastructure."

This is why, according to recent surveys, over 70% of financial institutions running RAG systems in production use PostgreSQL as their vector store, not specialized vector databases. It's not that Postgres is technically superior—it's that it fits into existing compliance infrastructure.

Here's what I've learned: In regulated environments, your vector store choice isn't about performance—it's about compliance, access control, and audit trails. Postgres with pgvector checks all those boxes.

The Compliance Advantage

Purpose-built vector databases like Pinecone and Weaviate are faster at pure vector similarity search. But in banking, speed isn't everything.

What actually matters:

  • Data residency (customer data stays within controlled infrastructure)

  • Access controls (role-based permissions at database level)

  • Audit logging (complete records of who accessed what)

  • Integration (works with existing backup, monitoring, disaster recovery)

  • Regulatory familiarity (auditors understand Postgres)

PostgreSQL with pgvector gives you:

1. It's Already There
Most banks run Postgres for transactions. Adding vector capabilities means one less system to manage, secure, and audit.

2. Enterprise Access Controls Built-In
Postgres has mature row-level security and role-based access. Restrict which documents a user can retrieve based on database permissions.

3. Hybrid Queries
Combine vector similarity with SQL filters: "Find similar KYC documents from the last 90 days where status='pending' AND assigned_to='current_user'." Can't do that in pure vector databases.

4. Regulatory Comfort
When auditors see "Postgres with pgvector," they understand it. "Pinecone cloud vector DB" requires explaining why customer data leaving your infrastructure is okay (it's often not).

The Performance Reality

Honest talk: For datasets under 1-5 million vectors, Postgres performs well enough. Response times of 50-200ms are typical.

Most banks segment their vector stores anyway:

  • KYC documents for current reviews: 100K-500K vectors

  • Claims processing for active cases: 50K-200K vectors

  • Policy document library: 10K-50K vectors

These scales? Postgres handles them fine.

Real example: Mid-sized bank processes 2,000 KYC reviews monthly. Their Postgres vector store contains 300K document embeddings. P95 retrieval latency: 85ms. Compliance team: "This is plenty fast."

The Architecture: LangChain + Postgres for KYC

Core Components

LangChain Document Loaders: Handle PDFs (identity documents), images (scanned IDs with OCR), CSVs (system exports)

Text Splitters: Chunk documents into semantic sections

  • Sweet spot: 500-1000 characters per chunk

  • Overlap: 100-200 characters (preserves context)

Embedding Models: Two options

  • Cloud (OpenAI, Google): High quality, data leaves environment

  • Local (sentence-transformers): Data stays internal, requires GPU

Postgres with pgvector: Storage + vector operations + access controls

LangChain Retriever: Query → embedding → search → filtered results

LLM Generation: Retrieved docs + query → answer with citations

Implementation: The Compliance-Critical Parts

Step 1: Database Setup with Row-Level Security

# database_setup.py
import psycopg2

conn = psycopg2.connect(
    host="postgres-host",
    database="kyc_documents"
)

with conn.cursor() as cur:
    # Enable pgvector
    cur.execute("CREATE EXTENSION IF NOT EXISTS vector;")
    
    # Create table
    cur.execute("""
        CREATE TABLE document_embeddings (
            id SERIAL PRIMARY KEY,
            customer_id VARCHAR(255) NOT NULL,
            document_type VARCHAR(50),
            chunk_text TEXT,
            embedding vector(1536),
            metadata JSONB,
            uploaded_by VARCHAR(255),
            uploaded_at TIMESTAMP DEFAULT NOW(),
            access_level VARCHAR(50) DEFAULT 'restricted'
        );
    """)
    
    # Vector index for fast search
    cur.execute("""
        CREATE INDEX embedding_idx ON document_embeddings 
        USING ivfflat (embedding vector_cosine_ops);
    """)
    
    # CRITICAL: Enable row-level security
    cur.execute("""
        ALTER TABLE document_embeddings 
        ENABLE ROW LEVEL SECURITY;
    """)
    
    # Policy: Users only see authorized documents
    cur.execute("""
        CREATE POLICY user_document_access ON document_embeddings
        FOR SELECT USING (
            uploaded_by = current_user OR
            EXISTS (
                SELECT 1 FROM user_permissions 
                WHERE user_id = current_user 
                AND customer_id = document_embeddings.customer_id
            )
        );
    """)

conn.commit()

What this does:

  • Enables pgvector extension

  • Creates table with vector column + metadata

  • Adds vector index (IVFFlat algorithm)

  • Enables row-level security (users only retrieve documents they're authorized for)

  • Creates access policy based on permissions

Step 2: Secure Ingestion

# document_ingestion.py
from langchain.document_loaders import PyPDFLoader
from langchain.text_splitter import RecursiveCharacterTextSplitter
from langchain_openai import OpenAIEmbeddings
from langchain_postgres import PGVector

embeddings = OpenAIEmbeddings(model="text-embedding-3-small")

vectorstore = PGVector(
    collection_name="kyc_documents",
    connection_string="postgresql://...",
    embedding_function=embeddings
)

def ingest_kyc_document(file_path, customer_id, document_type, user):
    # Load and chunk
    loader = PyPDFLoader(file_path)
    documents = loader.load()
    
    splitter = RecursiveCharacterTextSplitter(
        chunk_size=800,
        chunk_overlap=150
    )
    chunks = splitter.split_documents(documents)
    
    # Add metadata (CRITICAL for filtering)
    for chunk in chunks:
        chunk.metadata.update({
            'customer_id': customer_id,
            'document_type': document_type,
            'uploaded_by': user,
            'access_level': 'restricted'
        })
    
    # Store with embeddings
    vectorstore.add_documents(chunks)
    return len(chunks)

Step 3: Compliant Retrieval with Audit Logging

# retrieval.py
from langchain.chains import RetrievalQA
from langchain_openai import ChatOpenAI
from datetime import datetime

llm = ChatOpenAI(model="gpt-4", temperature=0)

def kyc_query_with_compliance(query, customer_id, current_user):
    # Metadata filter (+ row-level security enforced by DB)
    filter_dict = {'customer_id': customer_id}
    
    retriever = vectorstore.as_retriever(
        search_kwargs={
            'k': 5,
            'filter': filter_dict
        }
    )
    
    qa_chain = RetrievalQA.from_chain_type(
        llm=llm,
        retriever=retriever,
        return_source_documents=True  # For audit trail
    )
    
    result = qa_chain({"query": query})
    
    # Audit log (REQUIRED)
    audit_log = {
        'timestamp': datetime.now().isoformat(),
        'user': current_user,
        'customer_id': customer_id,
        'query': query,
        'documents_retrieved': [
            doc.metadata['source_file'] 
            for doc in result['source_documents']
        ],
        'answer': result['result'][:200]
    }
    
    store_audit_log(audit_log)  # Save to audit table
    
    return {
        'answer': result['result'],
        'sources': result['source_documents']
    }

What makes this compliant:

  • Metadata filtering restricts search to specific customer

  • Row-level security ensures user can only see authorized documents

  • Complete audit logging (query + retrieved docs + answer)

  • Source attribution shows which documents were used

BFSI-Specific Patterns

Combine semantic search with traditional SQL:

sql

-- Find similar documents + time filter + metadata filter
SELECT * FROM document_embeddings
WHERE 
    embedding <-> query_embedding < 0.3  -- Vector similarity
    AND uploaded_at > NOW() - INTERVAL '90 days'  -- Time
    AND (metadata->>'risk_level') = 'high'  -- JSON filter
ORDER BY embedding <-> query_embedding
LIMIT 10;

Pattern 2: Multi-Tenant Isolation

Row-level security ensures customer A's analyst can never retrieve customer B's documents, even with malicious queries. The database enforces this.

Pattern 3: Document Versioning

Track KYC document updates for audit:

sql

ALTER TABLE document_embeddings 
ADD COLUMN version INT DEFAULT 1,
ADD COLUMN superseded_by INT REFERENCES document_embeddings(id);

Common Mistakes (And Fixes)

Mistake 1: No Original Text Storage
Only storing vectors. Can't verify what was retrieved.
Fix: Always store original chunk text alongside embedding.

Mistake 2: Missing Metadata Filters
Retrieving across ALL customers. Privacy violation.
Fix: Always filter by customer_id before vector search.

Mistake 3: Ignoring Index Maintenance
Pgvector indexes need occasional rebuilding.
Fix: Schedule monthly REINDEX during low-traffic windows.

Mistake 4: Not Testing Row-Level Security
Assuming it works without verification.
Fix: Write tests that verify users can't access unauthorized documents.

Mistake 5: Embedding Entire Documents
50-page bank statement in one embedding loses semantic richness.
Fix: Chunk into 500-1000 character sections.

Performance Tuning

Indexing Strategy

IVFFlat: Faster to build, good for <1M vectors, 95-98% recall

HNSW: Slower to build, better for >1M vectors, 98-99% recall

For most BFSI: Start with IVFFlat, migrate to HNSW if you exceed 1M vectors.

Query Optimization

# Bad: Retrieve many, filter in application
results = vectorstore.similarity_search(query, k=100)
filtered = [r for r in results if r.metadata['status'] == 'approved']

# Good: Filter in database
results = vectorstore.similarity_search(
    query, k=10, filter={'status': 'approved'}
)

Connection Pooling

python

from sqlalchemy.pool import QueuePool

engine = create_engine(
    CONNECTION_STRING,
    poolclass=QueuePool,
    pool_size=20,
    max_overflow=10
)

Looking Ahead: 2026-2030

2026-2027: Google's ScaNN algorithm coming to Postgres (2-3x faster searches)

2027-2028: Native multi-modal support (image + audio + text embeddings in one database)

2028-2030: Automated compliance reporting ("Show all KYC decisions where retrieved docs influenced outcome")

The trend: Postgres absorbs more AI capabilities while maintaining enterprise security.

HIVE Summary

Key takeaways:

  • Postgres + pgvector wins through compliance fit, not speed—existing infrastructure, enterprise access controls, audit logging, regulatory familiarity

  • Row-level security is non-negotiable—database-level controls ensure users can't bypass application logic

  • Audit logging must be comprehensive—record every query, retrieved documents, generated answer

  • LangChain provides the glue but real value is in proper metadata filtering and access control integration

Start here:

  • New project: Set up Postgres with pgvector, enable row-level security day one, design metadata schema before ingesting docs

  • Existing vector DB: Evaluate if compliance requires Postgres migration. If customer data leaves your infrastructure, you may not have a choice

  • Building platform: Create reusable LangChain + Postgres templates with security baked in

Looking ahead (2026-2030):

  • Postgres will absorb more vector capabilities (ScaNN, multi-modal) while maintaining SQL compatibility

  • LangChain will add better Postgres-native features

  • Compliance will require more detailed audit trails—systems built with logging from start will adapt easily

Open questions:

  • How to handle embedding model updates without re-embedding millions of documents?

  • Right balance between chunk size and retrieval precision for different document types?

  • Can we explain not just what was retrieved, but why those documents ranked highest?

Jargon Buster

pgvector: PostgreSQL extension adding vector data type and similarity search. Enables storing/querying embeddings in Postgres without separate vector database.

LangChain: Open-source framework simplifying LLM app building via abstractions for document loading, embeddings, vector stores, chains. The "glue" connecting AI components.

Row-Level Security (RLS): Postgres feature restricting which rows a user can see based on policies. Critical for multi-tenant systems where customer data must be isolated.

IVFFlat / HNSW: Vector index algorithms. IVFFlat faster to build, HNSW better search accuracy. Both enable approximate nearest neighbor search.

Metadata Filtering: Restricting vector search to documents matching specific criteria (customer_id, document_type, date range). Combines semantic similarity with traditional database filtering.

Chunking: Splitting long documents into smaller semantic sections before embedding. Improves retrieval precision.

Retriever: LangChain component handling query → search → results flow. Abstracts complexity of converting queries to embeddings and executing vector searches.

Hybrid Search: Combining vector similarity with traditional SQL WHERE clauses. Enables queries like "semantically similar AND from last 90 days AND high-risk."

Fun Facts

On Postgres Performance Surprise: When OpenAI analyzed their internal RAG systems (late 2024), 80% of vector searches were on datasets under 500K embeddings. At that scale, properly-tuned Postgres had median latency within 15ms of specialized vector databases, while offering SQL flexibility they couldn't get elsewhere. Most teams over-engineer for scale they'll never reach. Start with Postgres, migrate only if you hit actual limits.

On Row-Level Security Catching Bugs: A major European bank implementing RAG for loan processing discovered their application had a bug allowing loan officers to retrieve documents from any customer. Row-level security in Postgres caught this during testing—queries returned empty because the database enforced permissions even when the application didn't. The bug would have been a GDPR violation worth millions in fines. Database-level security saved them.

For Further Reading

  1. LangChain Postgres Integration Docs (LangChain, 2025)
    https://python.langchain.com/docs/integrations/vectorstores/pgvector
    Official guide with code examples for PGVector integration

  2. pgvector: Open-Source Extension (GitHub, 2025)
    https://github.com/pgvector/pgvector
    Source code, benchmarks, implementation details

  3. Google Cloud: LangChain PostgreSQL Enhancements (2025)
    https://cloud.google.com/blog/products/ai-machine-learning/open-source-enhancements-to-langchain-postgresql
    Google's contributions—async drivers, metadata columns, security

  4. Timescale Vector Performance Analysis (2024)
    https://www.timescale.com/blog/pgvector-vs-pinecone-vs-qdrant-performance-cost-benchmarks
    Independent benchmarks comparing Postgres to specialized vector databases

  5. Building AI with pgvector (AWS Database Blog, 2024)
    https://aws.amazon.com/blogs/database/leverage-pgvector-and-amazon-aurora-postgresql
    Production patterns for RAG on Aurora PostgreSQL

Next Wednesday : Qdrant / Weaviate Vector Indexing with PII Controls—when you need specialized vector databases, how to implement proper data filtering and privacy controls for semantic search while protecting regulated attributes.

This is part of our ongoing work understanding AI deployment in financial systems. If you've built RAG on Postgres, I'd love to hear what worked (or didn't) in your environment.

— The AITechHive Team

Reply

or to participate

Keep Reading

No posts found

© 2025 AITECHHIVE — Working Notes on AI in Financial Systems.

Privacy policy

Terms of use

Powered by beehiiv