RAG Security
What is RAG Security?
RAG SecurityThe discipline of securing retrieval-augmented generation pipelines so that the documents, vector stores, and retrieval steps that feed an LLM cannot be poisoned, abused, or used to exfiltrate data.
Retrieval-augmented generation (RAG) lets an LLM ground its answers in an external corpus — files, databases, intranet pages, customer documents. Each retrieval is also a potential attack surface. Threats include indirect prompt injection from malicious documents, vector-store poisoning that biases retrieval, embedding-space attacks that exfiltrate sensitive snippets, over-broad authorisation that returns documents the user should not see, and data leakage through prompt logs. The OWASP LLM Top 10 covers many of these as LLM01, LLM02, LLM06 and LLM08. Controls include strict access-control over indexes, content sanitization before chunking, signed and provenance-tracked sources, retrieval audit logs, output filtering, and applying the same DLP and identity policies used for the underlying data stores.
● Examples
- 01
An attacker uploading a Confluence page whose hidden text instructs every RAG response to include a malicious URL.
- 02
A poisoned vector store that consistently returns an attacker-chosen passage when employees ask about competitor pricing.
● Frequently asked questions
What is RAG Security?
The discipline of securing retrieval-augmented generation pipelines so that the documents, vector stores, and retrieval steps that feed an LLM cannot be poisoned, abused, or used to exfiltrate data. It belongs to the AI & ML Security category of cybersecurity.
What does RAG Security mean?
The discipline of securing retrieval-augmented generation pipelines so that the documents, vector stores, and retrieval steps that feed an LLM cannot be poisoned, abused, or used to exfiltrate data.
How does RAG Security work?
Retrieval-augmented generation (RAG) lets an LLM ground its answers in an external corpus — files, databases, intranet pages, customer documents. Each retrieval is also a potential attack surface. Threats include indirect prompt injection from malicious documents, vector-store poisoning that biases retrieval, embedding-space attacks that exfiltrate sensitive snippets, over-broad authorisation that returns documents the user should not see, and data leakage through prompt logs. The OWASP LLM Top 10 covers many of these as LLM01, LLM02, LLM06 and LLM08. Controls include strict access-control over indexes, content sanitization before chunking, signed and provenance-tracked sources, retrieval audit logs, output filtering, and applying the same DLP and identity policies used for the underlying data stores.
How do you defend against RAG Security?
Defences for RAG Security typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for RAG Security?
Common alternative names include: Secure RAG, RAG hardening.
● Related terms
- ai-security№ 528
Indirect Prompt Injection
A prompt-injection variant where malicious instructions are hidden inside third-party content (web pages, documents, emails) that an LLM later ingests through retrieval, browsing, or tool use.
- ai-security№ 866
Prompt Injection
An attack that overrides an LLM's original instructions by smuggling adversarial text into the prompt, causing the model to ignore safeguards or execute attacker-chosen actions.
- ai-security№ 777
OWASP LLM Top 10
An OWASP-maintained list of the ten most critical security risks affecting applications that build on large language models.
- ai-security№ 281
Data Poisoning
An attack on a machine-learning system in which adversaries inject, alter, or relabel training data so the resulting model behaves incorrectly or contains hidden backdoors.
- ai-security№ 618
LLM Guardrails
Mechanisms that constrain what an LLM-based application can input or output, enforcing safety, security, and business rules around the underlying model.
- ai-security№ 034
AI Supply Chain Risk
The set of threats arising from the third-party datasets, base models, libraries, plug-ins, and infrastructure that organisations combine to build and deploy AI systems.
● See also
- № 028AI Hallucination
- № 617LLM Firewall