How to Secure a RAG System: Retrieval-Augmented Generation, Defended
By Chris Rees
Retrieval-augmented generation (RAG) is how most real companies actually use LLMs: bolt a model onto your own documents so it answers from your data instead of guessing. It's powerful — and it quietly makes your knowledge base part of the model's attack surface. Here's how RAG works, exactly where it breaks, and the defenses that hold, framed the way CompTIA SecAI+ expects you to reason about it.
What RAG actually does
A base model only knows what it learned in training. RAG gets around that without retraining: when a question comes in, the system retrieves relevant snippets from your own documents and pastes them into the prompt, so the model answers from fresh, private, grounded context.
Every RAG system is the same handful of stages. Learn the pipeline once and every RAG vulnerability has an obvious home.
The core problem: retrieved data is trusted like instructions
Recall the one fact that governs all LLM security: the model cannot separate instructions from data. RAG takes that problem and industrializes it. You are now automatically pasting documents — possibly authored by other people — directly into the model's context, right next to your trusted system prompt.
If an attacker can influence what lands in the knowledge base, they can influence the model. This is indirect prompt injection, and it is the signature RAG attack.
Knowledge-base poisoning, step by step
Poisoning doesn't require breaking into your database. It just requires a path for attacker-influenced text to get indexed — a public form, a scraped web page, a shared drive, a user-uploaded file.
Where else RAG breaks
Injection is the headline, but the retrieval layer has its own failure modes — this is essentially OWASP LLM08 (Vector and Embedding Weaknesses):
| Risk | What happens | Why it bites |
|---|---|---|
| Knowledge-base poisoning | Malicious text indexed, later retrieved | Indirect prompt injection at scale |
| Broken tenant isolation | One customer retrieves another's chunks | Cross-tenant data leakage |
| Over-broad indexing | Secrets/PII embedded into the store | The model surfaces data it should never see |
| Access-control bypass | Retrieval ignores per-user permissions | Users read documents they can't open directly |
| Stale / conflicting data | Old chunks outrank correct ones | Confident, wrong, ungrounded answers |
The theme: the vector database is not a magic box. It's a data store with all the usual access-control and integrity obligations — plus the new twist that its contents get read aloud to a model.
Defenses that actually hold
You cannot make the model "just ignore" malicious retrieved text — that's asking the model to be a trust boundary, which it isn't. Defense in depth around the pipeline is what works:
- Govern what gets indexed. Treat ingestion like untrusted input: validate sources, review or sandbox user-supplied content, and track data lineage so you know where every chunk came from.
- Enforce access control at retrieval time. Filter results by the asking user's permissions — never rely on the model to withhold what it was handed. Isolate tenants at the query level.
- Separate instructions from data in the prompt. Clearly delimit retrieved content and label it untrusted; keep real rules in enforced controls, not just wording.
- Constrain the blast radius. Apply least privilege to any tools the RAG agent can call, and keep a human in the loop for high-impact actions — this is the antidote to OWASP LLM06 (Excessive Agency).
- Filter and ground the output. Scan responses for sensitive patterns, cite sources so answers are checkable, and monitor for anomalies.
Key takeaways
- RAG = retrieve-then-answer. Documents are pasted into the prompt automatically, so your knowledge base is an attack surface.
- Indirect prompt injection is the signature RAG attack — poisoned content becomes instructions.
- Knowledge-base poisoning needs only a path to get text indexed, not database access.
- Access control belongs at retrieval time — filter by the asking user, and isolate tenants.
- The model is not a trust boundary. Govern inputs, limit actions, and filter outputs instead.
RAG security sits right where SecAI+ Domains 1 and 2 meet — data security and securing AI systems. Build the base with our SecAI+ Domain 1 study guide, or get All-Access for every domain as we release it.
Ready to study?
Get the interactive SecAI+ Domain 1 guide — practice questions and a PDF.
Browse study guides