RAG Security
Table of Contents
Quick Answer
RAG security protects retrieval-augmented generation systems where an LLM uses external documents or a vector database. Key risks include indirect prompt injection, sensitive data exposure, weak retrieval access control, untrusted documents, data poisoning, and unsafe output handling.
What is RAG Security?
RAG security focuses on AI applications that retrieve documents, chunks, search results, or knowledge-base entries before generating an answer. The retrieved text can improve quality, but it can also bring untrusted instructions, stale information, sensitive content, or poisoned data into the model context.
How RAG Applications Work
A common RAG workflow embeds documents, stores them in a vector database, retrieves relevant chunks for a user query, adds them to the prompt, and asks the model to answer. Security controls should exist at ingestion, storage, retrieval, prompt construction, output handling, and logging.
Main RAG Security Risks
- Indirect prompt injection hidden inside retrieved documents.
- Unauthorized retrieval of private or restricted documents.
- Sensitive data stored in embeddings, chunks, prompts, or logs.
- Poisoned or low-quality documents influencing answers.
- Model output that is trusted without validation or source review.
Untrusted Documents and Indirect Prompt Injection
Retrieved content should be treated as data, not authority. A secure RAG app should make the model aware that retrieved text is untrusted context and should enforce permissions, tool actions, and policy outside the model.
Sensitive Data and Access Control
Vector databases and search indexes need the same seriousness as other data stores. Apply document-level permissions, tenant isolation, retention rules, encryption where appropriate, and careful logging. Retrieval should only return content the current user is allowed to see.
Data Poisoning and Source Quality
Review what enters the knowledge base. Use trusted sources where possible, track ingestion time and origin, remove stale or low-quality data, and monitor sudden changes in answer behavior. Avoid treating every retrieved chunk as equally reliable.
Output Validation
RAG output should show sources, avoid unsupported claims, and be validated before it is used for decisions, code, commands, or user-facing automation. For sensitive workflows, require human review.
RAG Security Checklist
- Can retrieval enforce user and tenant permissions?
- Are untrusted documents labeled as data?
- Are sensitive documents excluded from prompts and logs where possible?
- Is ingestion source and date tracked?
- Are model answers grounded in visible sources?
- Are tool calls and sensitive actions validated outside the model?
Explore AI Security Topics
FAQs
Sources and further reading
- OWASP Top 10 for Large Language Model Applications — Prompt injection, sensitive information disclosure, and data risk categories
- OWASP LLM Prompt Injection Prevention Cheat Sheet — Defensive handling of untrusted prompts and retrieved content
- NIST AI Risk Management Framework — AI risk management reference
- MITRE ATLAS — AI system threat and mitigation knowledge base