What is RAG Security?

RAG security addresses threats to Retrieval-Augmented Generation systems where LLMs are connected to knowledge bases, including data poisoning, access control bypass, and prompt injection via retrieved content.

What is RAG security?

RAG (Retrieval-Augmented Generation) security addresses threats specific to AI systems that retrieve external knowledge to augment LLM responses. RAG systems connect LLMs to document stores, databases, and knowledge bases, creating unique attack surfaces around data retrieval, access control enforcement, and indirect prompt injection through retrieved content.

What are the main RAG security risks?

Key risks include indirect prompt injection through poisoned documents in the knowledge base, access control bypass where users retrieve documents they should not see, data leakage across permission boundaries, knowledge base poisoning to manipulate AI outputs, excessive data retrieval exposing sensitive information, and retrieval manipulation through crafted queries.

How does access control work in RAG systems?

RAG access control must enforce document-level permissions during retrieval, ensuring users only retrieve content matching their authorization level. This requires integrating the RAG retrieval pipeline with existing identity and access management systems, filtering search results by user permissions, and preventing permission escalation through query manipulation.

What is indirect prompt injection in RAG?

Indirect prompt injection in RAG occurs when malicious instructions are embedded in documents stored in the knowledge base. When the RAG system retrieves these documents as context for the LLM, the embedded instructions can manipulate the model's behavior, override system prompts, exfiltrate data, or generate harmful outputs.

How do you prevent knowledge base poisoning?

Prevention requires validating and sanitizing all content before ingestion, tracking document provenance, scanning for embedded instructions and malicious content, maintaining integrity checksums for knowledge base documents, requiring approval workflows for new content, and auditing knowledge base contents regularly.

How should RAG systems handle sensitive data?

RAG systems should classify documents by sensitivity level, enforce retrieval-time access controls matching user permissions, redact sensitive fields from retrieved context before LLM processing, implement data loss prevention on generated outputs, log all document access for audit compliance, and separate knowledge bases by classification level.

What is chunking security in RAG?

Chunking security addresses risks from how documents are split into retrieval units. Poor chunking can expose sensitive context from adjacent sections, break access control boundaries when chunks span permission levels, or create injection opportunities by placing malicious content at chunk boundaries where it may not be detected by content filters.
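The access-control, checksum and chunking points above come together in the retrieval path. The following is an added example written for this page, not code from any product or vendor: sections carry their own ACL that every chunk inherits, the permission filter and integrity check run before ranking rather than on the ranked results, and chunks are cut per section so none spans a permission boundary. The corpus, group names and keyword-overlap scoring (standing in for embedding similarity) are constructed assumptions.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample knowledge base (hypothetical content). Each section has its
# own access-control list; chunks are cut per section, never across sections.
DOCS = {
    "hr-handbook": [
        {"acl": {"staff", "hr"}, "text": "Vacation policy: 25 days per year."},
        {"acl": {"hr"}, "text": "Salary bands: L1 60k, L2 85k, L3 120k."},
    ],
    "it-runbook": [
        {"acl": {"staff"}, "text": "Reset your password via the self-service portal."},
    ],
}

@dataclass(frozen=True)
class Chunk:
    doc_id: str
    acl: frozenset   # groups allowed to retrieve this chunk (inherited from its section)
    text: str
    sha256: str      # integrity checksum recorded at ingestion

def _tokens(text):
    return set(re.findall(r"\w+", text.lower()))
def _digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def build_index(docs, max_words=4):
    """Split each section into word-bounded chunks that inherit the section's
    ACL and record a checksum so later tampering can be detected."""
    index = []
    for doc_id, sections in docs.items():
        for sec in sections:
            words = sec["text"].split()
            for i in range(0, len(words), max_words):
                piece = " ".join(words[i:i + max_words])
                index.append(Chunk(doc_id, frozenset(sec["acl"]), piece, _digest(piece)))
    return index

def is_intact(chunk):
    return _digest(chunk.text) == chunk.sha256  # unchanged since ingestion

def retrieve(index, query, user_groups, k=3):
    """Permission filter and integrity check run BEFORE ranking, so a chunk the
    user may not see, or one modified after ingestion, can never be returned."""
    candidates = [c for c in index if c.acl & set(user_groups) and is_intact(c)]
    q = _tokens(query)
    scored = [(len(q & _tokens(c.text)), c) for c in candidates]
    return [c for score, c in sorted(scored, key=lambda s: -s[0]) if score > 0][:k]
```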

How do you test RAG system security?

Testing includes attempting to retrieve documents outside authorized access, injecting adversarial content into the knowledge base, testing indirect prompt injection through retrieved documents, evaluating data leakage across user sessions, testing query manipulation to bypass retrieval filters, and validating that output guardrails catch sensitive data from retrieved context.

How To Get Started

Ready to strengthen your security? Fill out our quick form, and a cybersecurity expert will reach out to discuss your needs and next steps.