What Is RAG Security? Securing Retrieval-Augmented Generation

RAG security is the practice of securing retrieval-augmented generation, the pattern where an AI application pulls documents from a knowledge base or vector database and feeds them to a model as context. RAG improves accuracy, but it also turns retrieved content into an untrusted input path. The main risks are indirect prompt injection, data poisoning, and leakage through the retrieval layer.

July 15, 2026
July 15, 2026

0 min read

AI Security
Application Security
LLM
What is RAG Security?

What is RAG security?

Retrieval-augmented generation (RAG) is the common pattern where an AI application retrieves relevant documents from a knowledge base, usually a vector database, and adds them to the model's context so answers are grounded in current, specific information. RAG security is the practice of protecting that pipeline. The moment an application feeds retrieved content to a model, whatever is in that content can influence the model, which makes retrieval a security boundary, not just a quality feature.

Why retrieval is an untrusted input path

RAG blurs the line between data and instructions. A model cannot reliably tell the difference between a document it is meant to summarize and a document that contains instructions telling it what to do. If any content in the knowledge base is attacker-influenced, retrieval becomes a delivery mechanism for those instructions. This is indirect prompt injection, and RAG is one of its most common routes, because knowledge bases often ingest content from many sources.

The main RAG security risks

  • Indirect prompt injection. Malicious instructions hidden in retrieved documents redirect the model's behavior.
  • Data and knowledge-base poisoning. An attacker who can write to the source data plants content that will later be retrieved and trusted.
  • Sensitive data leakage. Over-broad retrieval surfaces documents a given user should not see, especially when access controls are not enforced at the retrieval layer.
  • Vector and embedding weaknesses. Flaws in how embeddings are generated, stored, or queried enable injection or exfiltration. This maps to the vector-and-embedding category of the OWASP Top 10 for LLM Applications.

For the security issues specific to the vector databases behind RAG, see Pinecone, Weaviate, and Milvus security.

How to secure a RAG pipeline

Treat retrieved content as untrusted input, always. Enforce access control at the retrieval layer so a user only retrieves what they are entitled to, rather than filtering after the fact. Validate and attribute the sources that populate the knowledge base, and treat ingestion as a trust boundary. Constrain what the model is allowed to do with retrieved content, especially when RAG feeds an agent that can then take actions.

And because the risk only becomes real when retrieved content changes what the system does, watch behavior at runtime. Runtime intelligence observes what the application actually does after retrieval, so an injected instruction that turns into a harmful action or an unexpected data flow is caught when it executes. This is the same runtime containment behind agentic AI security and Kodem's approach to securing the AI application stack. See the full picture in AI application security.

Frequently Asked Questions

What is RAG security?

RAG security is the practice of securing retrieval-augmented generation, where an application retrieves documents from a knowledge base and feeds them to a model as context. It protects against the risks that come from treating retrieved content as trusted, such as injection, poisoning, and leakage.

Why is retrieval a security risk?

A model cannot reliably distinguish a document it should summarize from one containing instructions. If any retrieved content is attacker-influenced, retrieval becomes a delivery path for indirect prompt injection.

What is RAG data poisoning?

Data poisoning is when an attacker who can write to the knowledge base or its sources plants malicious content that will later be retrieved and trusted by the model, influencing its behavior or answers.

How do you prevent data leakage in RAG?

Enforce access control at the retrieval layer so each user only retrieves documents they are entitled to, rather than retrieving broadly and filtering afterward, and constrain what the model can do with retrieved content.

How does RAG security relate to the OWASP Top 10 for LLM?

RAG risks map to several OWASP LLM categories, especially prompt injection, sensitive information disclosure, and vector and embedding weaknesses.

Table of contents

Related blogs

What is an LLM Jailbreak?

What is an LLM Jailbreak?

An LLM jailbreak bypasses a model's safety guardrails to produce restricted output. How jailbreaks work, how they differ from prompt injection, and defenses.

July 15, 2026

4

What is MCP Security?

What is MCP Security?

MCP security covers the risks of the Model Context Protocol connecting AI agents to tools and data. The main threats, and how to contain them at runtime.

July 15, 2026

4

What Is an SBOM? (Software Bill of Materials)

What Is an SBOM? (Software Bill of Materials)

A software bill of materials (SBOM) inventories every component in your software. What an SBOM includes, why it matters, and how runtime makes it actionable.

July 15, 2026

5

Stop the waste.
Protect your environment with Kodem.

A Primer on Runtime Intelligence

See how Kodem's cutting-edge sensor technology revolutionizes application monitoring at the kernel level.

5.1k
Applications covered
1.1m
False positives eliminated
4.8k
Triage hours reduced

Platform Overview Video

Watch our short platform overview video to see how Kodem discovers real security risks in your code at runtime.

5.1k
Applications covered
1.1m
False positives eliminated
4.8k
Triage hours reduced

The State of the Application Security Workflow

This report aims to equip readers with actionable insights that can help future-proof their security programs. Kodem, the publisher of this report, purpose built a platform that bridges these gaps by unifying shift-left strategies with runtime monitoring and protection.

3D book mockup of Kodem's State of the Application Security Workflow 2025 report

Get real-time insights across the full stack…code, containers, OS, and memory

Watch how Kodem’s runtime security platform detects and blocks attacks before they cause damage. No guesswork. Just precise, automated protection.

Kodem issues list with a magnified view of insight icons: runtime, ingress, and exploitability
Combined author
Aviv Mussinger
Publish date

0 min read

AI Security

Application Security

LLM