Back office ops · Production

Slack enterprise search: secure and private RAG-powered search across external apps

The problem

Slack needed to extend its AI-powered search beyond internal Slack messages to include content from external applications like Google Drive and GitHub, while maintaining the same enterprise-grade security and privacy guarantees already established for Slack AI.

Workflow diagram · grounded in source
1
User submits search query
trigger
“Users can now surface up-to-date, relevant content that is permissioned to them directly in Slack's search”
2
OAuth authorization for external source
validation
“The OAuth protocol allows a user to securely authorize Slack to take agreed-upon actions on their behalf, like reading files the user can access in the external system”
3
Federated real-time external API query
integration
“we use public search APIs from our partners to return the most up-to-date, permissioned results for a given user”
4
RAG with LLM in escrow VPC
ai_action
“We use Retrieval Augmented Generation (RAG) instead of training LLMs. Using RAG, we supply an LLM with only the content needed to complete the task. This content is permissioned to the user and only available to the LLM at runtime, meani…”
5
Search Answer shown and discarded
output
“we don't even store Search Answer summaries—we just show them to the requesting user and immediately discard them”
Reported outcome

Slack built enterprise search using a federated, real-time approach with OAuth authorization and RAG to surface permissioned external content without storing it, upholding enterprise security and privacy principles.

Reported metrics
Insight qualitytime-saving insights
Reported stack
Slack AIRAGAWSOAuthACLGoogle DriveGitHub
Source
https://slack.engineering/how-we-built-enterprise-search-to-be-secure-and-private/
Read source ↗

Frequently asked questions

What did this team achieve with this AI workflow?

Slack built enterprise search using a federated, real-time approach with OAuth authorization and RAG to surface permissioned external content without storing it, upholding enterprise security and privacy principles.

What tools did this team use?

Slack AI, RAG, AWS, OAuth, ACL, Google Drive, GitHub.

What results were reported?

Insight quality: time-saving insights (source-reported, not independently verified).

How is this back office ops AI workflow structured?

User submits search query → OAuth authorization for external source → Federated real-time external API query → RAG with LLM in escrow VPC → Search Answer shown and discarded.