Retrieval-augmented generation has moved from a research curiosity to the default pattern for grounding large language models on enterprise data. A model on its own hallucinates; a model equipped with retrieval over a curated corpus does not, or at least does so far less often. This has made RAG the operating pattern for internal search, customer support, legal research, and regulatory lookup across most sectors.

For regulated industries, the pattern is more interesting and more constrained. Finance, healthcare, legal, and any organization operating under data-residency obligations cannot adopt a generic RAG pipeline without thinking carefully about where documents are indexed, where embeddings are computed, where queries are logged, and what the model sees when it produces an answer. Nearly every default in a typical RAG stack is a compliance decision in disguise.

This post walks through the architectural decisions that matter when a RAG system has to be defensible to an auditor, not just useful to a user.…