How do you enforce data isolation between tenants in a shared LLM infrastructure?

We're serving multiple enterprise customers from the same LLM pipeline. The risk we can't fully nail down: cross-tenant data leakage through shared prompt caches, vector store namespacing mistakes, or model context poisoning when conversations from different tenants touch the same cached computation. What are the hard isolation guarantees teams are actually providing, and where do shared efficiencies have to stop?