What Is RAG Security? Securing Retrieval-Augmented Generation
RAG security is the practice of securing retrieval-augmented generation, the pattern where an AI application pulls documents from a knowledge base or vector database and feeds them to a model as context. RAG improves accuracy, but it also turns retrieved content into an untrusted input path. The main risks are indirect prompt injection, data poisoning, and leakage through the retrieval layer.

What is RAG security?
Retrieval-augmented generation (RAG) is the common pattern where an AI application retrieves relevant documents from a knowledge base, usually a vector database, and adds them to the model's context so answers are grounded in current, specific information. RAG security is the practice of protecting that pipeline. The moment an application feeds retrieved content to a model, whatever is in that content can influence the model, which makes retrieval a security boundary, not just a quality feature.
Why retrieval is an untrusted input path
RAG blurs the line between data and instructions. A model cannot reliably tell the difference between a document it is meant to summarize and a document that contains instructions telling it what to do. If any content in the knowledge base is attacker-influenced, retrieval becomes a delivery mechanism for those instructions. This is indirect prompt injection, and RAG is one of its most common routes, because knowledge bases often ingest content from many sources.
The main RAG security risks
- Indirect prompt injection. Malicious instructions hidden in retrieved documents redirect the model's behavior.
- Data and knowledge-base poisoning. An attacker who can write to the source data plants content that will later be retrieved and trusted.
- Sensitive data leakage. Over-broad retrieval surfaces documents a given user should not see, especially when access controls are not enforced at the retrieval layer.
- Vector and embedding weaknesses. Flaws in how embeddings are generated, stored, or queried enable injection or exfiltration. This maps to the vector-and-embedding category of the OWASP Top 10 for LLM Applications.
For the security issues specific to the vector databases behind RAG, see Pinecone, Weaviate, and Milvus security.
How to secure a RAG pipeline
Treat retrieved content as untrusted input, always. Enforce access control at the retrieval layer so a user only retrieves what they are entitled to, rather than filtering after the fact. Validate and attribute the sources that populate the knowledge base, and treat ingestion as a trust boundary. Constrain what the model is allowed to do with retrieved content, especially when RAG feeds an agent that can then take actions.
And because the risk only becomes real when retrieved content changes what the system does, watch behavior at runtime. Runtime intelligence observes what the application actually does after retrieval, so an injected instruction that turns into a harmful action or an unexpected data flow is caught when it executes. This is the same runtime containment behind agentic AI security and Kodem's approach to securing the AI application stack. See the full picture in AI application security.
Frequently Asked Questions
RAG security is the practice of securing retrieval-augmented generation, where an application retrieves documents from a knowledge base and feeds them to a model as context. It protects against the risks that come from treating retrieved content as trusted, such as injection, poisoning, and leakage.
A model cannot reliably distinguish a document it should summarize from one containing instructions. If any retrieved content is attacker-influenced, retrieval becomes a delivery path for indirect prompt injection.
Data poisoning is when an attacker who can write to the knowledge base or its sources plants malicious content that will later be retrieved and trusted by the model, influencing its behavior or answers.
Enforce access control at the retrieval layer so each user only retrieves documents they are entitled to, rather than retrieving broadly and filtering afterward, and constrain what the model can do with retrieved content.
RAG risks map to several OWASP LLM categories, especially prompt injection, sensitive information disclosure, and vector and embedding weaknesses.
Related blogs

What is an LLM Jailbreak?
An LLM jailbreak bypasses a model's safety guardrails to produce restricted output. How jailbreaks work, how they differ from prompt injection, and defenses.
4
Stop the waste.
Protect your environment with Kodem.
A Primer on Runtime Intelligence
See how Kodem's cutting-edge sensor technology revolutionizes application monitoring at the kernel level.
Platform Overview Video
Watch our short platform overview video to see how Kodem discovers real security risks in your code at runtime.
The State of the Application Security Workflow
This report aims to equip readers with actionable insights that can help future-proof their security programs. Kodem, the publisher of this report, purpose built a platform that bridges these gaps by unifying shift-left strategies with runtime monitoring and protection.
.avif)
Get real-time insights across the full stack…code, containers, OS, and memory
Watch how Kodem’s runtime security platform detects and blocks attacks before they cause damage. No guesswork. Just precise, automated protection.



