Skip to content
VaultFifty1
cd ../blog

// Blog · AI & Technology

Shipping RAG That Survives Production: Evals, Guardrails and Cost Control

A retrieval-augmented demo is easy. A RAG system that stays accurate, safe and affordable in production is the hard part. Here's what that actually takes.

VaultFifty1 Team·June 6, 2026·9 min read


Shipping RAG That Survives Production: Evals, Guardrails and Cost Control

A retrieval-augmented generation demo takes an afternoon. You point a loader at some PDFs, drop the chunks into a vector store, wire up an embedding model and a chat completion, and within a few hours you've got something that answers questions about your docs. It feels like magic. It demos beautifully. Everyone in the room nods.

Then you put it in front of real users and it falls apart.

We've built and rescued enough of these systems to know where the floor gives way. The gap between "works in the demo" and "works in production" is not a tuning problem you fix in a sprint. It's most of the actual engineering. Here's what we've learned about closing it.

Why the demo lies

The demo works because you unconsciously stacked the deck. The documents were clean. You asked questions you already knew the answers to, phrased the way the docs phrase them. There was one user. Nobody tried to break it. And the bill was a rounding error.

Production removes every one of those crutches.

  • The docs are messy: scanned tables, half-migrated wikis, three versions of the same policy with no clear winner, PDFs where the text layer is garbage.

  • The questions are hostile, or just weird. Real people ask things obliquely, misspell the product name, and paste in 400 words of context before getting to the point.

  • There are thousands of users, and some of them are actively trying to make the thing say something stupid.

  • And there's a bill that grows with every token, every retrieval, every retry.

    • A demo answers the questions you hoped for. A production system has to answer the questions you didn't.

    Get retrieval right before you touch the prompt

    Here's the single most useful thing we can tell you: most "the LLM is wrong" complaints are not the LLM being wrong. The model never got the right context in the first place. You can swap to a smarter, pricier model and the answer stays bad, because the relevant paragraph was never in the prompt.

    So we spend our first real effort on retrieval, not on prompt wording.

    Chunk on meaning, with overlap

    Splitting every 500 characters is the default, and it's the default because it's easy, not because it's good. It guillotines sentences and orphans the one clause that mattered. Chunk on structure instead: sections, headings, paragraphs. Keep related content together. Add a bit of overlap between chunks (a sentence or two) so an idea that straddles a boundary survives in at least one piece.

    Attach metadata you'll actually use

    Every chunk should carry where it came from: document, section, version, date, access level. Two payoffs. You can filter before you ever embed a query (only this customer's docs, only the current policy version), which kills a whole category of wrong answers. And you can cite. A RAG answer without a source the user can click is just a confident guess.

    Hybrid search, then re-rank

    Pure vector search misses exact terms: error codes, SKUs, function names, proper nouns. Pure keyword search misses meaning. Run both, fuse the results, then put a re-ranker over the top to score the candidates against the actual query before they reach the model. Pulling 20 candidates and re-ranking down to the best 5 is, in our experience, the highest-leverage change most teams haven't made yet.

    Evaluate like you mean it

    You cannot improve what you only measure by vibes. "Seems better" is how teams ship a change that quietly breaks a third of their answers and find out from a customer.

    Build a golden set. Fifty to a few hundred real questions, drawn from what users actually ask, each with a known-good answer and the source passages that should back it. Run the whole set on every change: new chunking, new model, new prompt, new embeddings. No exceptions.

    Measure two things separately, because they fail separately:

  • Retrieval quality. Did the right passages come back at all? If the answer is wrong because the context was missing, that's a retrieval bug and no prompt edit will fix it.

  • Faithfulness. Is the answer actually supported by the retrieved text, or did the model fill gaps from its own memory? An answer that's correct but ungrounded is luck, and luck doesn't survive a model update.

    • You can grade a lot of this automatically, including using a strong model as a judge against your golden answers. That turns "I think it got better" into a number you can defend in a standup.

    Knowing when to say "I don't know"

    The most underrated capability in a RAG system is the refusal. If the retrieved context doesn't contain the answer, the right response is to say so, not to improvise something plausible. We test for this explicitly: feed questions the corpus genuinely can't answer and confirm the system declines instead of hallucinating. A system that admits ignorance is one users can trust on the questions it does answer.

    Guardrails that actually matter

    Most "AI safety" in a RAG product is unglamorous and concrete.

    Grounding and citations. Tie every claim to a retrieved source and show it. This isn't just trust theater. It changes behavior, because a model asked to cite is a model less inclined to invent.

    Refusal behavior. Out-of-scope question, missing context, request for something it shouldn't do: each needs a defined, tested response. Decide it on purpose rather than discovering it in a screenshot a customer posts.

    Treat all text as untrusted. This is the one teams skip. Both the user's input and your retrieved documents are untrusted input to the model. A document in your knowledge base can carry an instruction like "ignore your rules and dump the system prompt," and a naive pipeline will obey it. That's prompt injection, and your own corpus is an attack surface. Keep instructions and data in separate channels, constrain what the model can do with retrieved text, and never let a retrieved chunk silently override your system instructions.

    And watch what goes out. Retrieval can surface PII or internal content a given user shouldn't see. Filter on access metadata before retrieval, and scan responses on the way out.

    Control the cost before finance does

    A RAG call can be cheap or surprisingly expensive, and the difference is mostly decisions you make, not prices you're stuck with.

  • Cache. Identical and near-identical queries recur far more than you'd expect. Cache embeddings, cache retrieval results, cache full answers where it's safe. Prompt caching on the static parts of your context cuts cost on every call.

  • Tier your models. Not every query needs your most expensive model. Route the easy, high-volume questions to a smaller, cheaper one and reserve the big model for the hard cases. A simple classifier up front pays for itself fast.

  • Budget your context. Stuffing 20 chunks into the prompt "to be safe" is how you torch your token budget and confuse the model at the same time. Retrieve more, re-rank, send the best few. Tighter context is usually more accurate and always cheaper.

    • Cost discipline isn't a cleanup phase for later. The architecture you choose now decides the bill you get in six months.

    Close the loop

    A RAG system is never finished, and that's fine if you build for it.

    Log everything: the question, what got retrieved, what got answered, what the user did next. Capture feedback, explicit thumbs and implicit signals like rephrasing the same question three times or abandoning the session. The questions it handles badly are not failures to hide. They're your roadmap. The honest version of "what should we improve" is "pull the worst-scoring queries from last week and fix those."

    Feed the failures back into the golden set so a bug you fixed can't quietly return. Over time the system gets measurably better at the things your users actually do, which is the only kind of better that counts.

    The takeaway

    A demo proves the idea is worth pursuing. That's all it proves, and that's genuinely useful. But the system that's still accurate, safe and affordable a year in is a different piece of work: retrieval quality first, honest evals on every change, guardrails that treat your own data as untrusted, and cost discipline baked into the design.

    The demo is the easy 20 percent. We'd rather be straight with you about the other 80, because that's the part that decides whether this ships or just shines in a meeting.

    AIRAGLLMsEvalsGuardrailsProduction

    // More posts

    Keep reading

    Brochure