RAG architecture · Vendor Security Guide

RAG Pipeline Security

RAG's promise is grounding LLM output in your authoritative corpus. Its risk is that your corpus is now a queryable attack surface.

What it is

Retrieval-Augmented Generation pipelines combine an LLM with a vector store containing chunked organizational documents. A user query is embedded into a vector, the most similar chunks are retrieved from the store, and those chunks plus the query are fed to the LLM as context for generation. RAG is the dominant pattern for grounded enterprise LLM applications.

Central risk

Vector store access controls. The vector store contains organizational knowledge in embedded form. If it lacks access controls aligned to source-document permissions, retrieval bypasses authorization. Further risks are corpus integrity (poisoning), embedding inversion (recovering source text from stored vectors), and prompt injection through retrieved chunks.

Specific risks

  • Vector-store retrieval bypassing source-document permissions
  • Corpus poisoning through indirect indexing of unsanitized content
  • Embedding inversion attacks recovering source text from stored embeddings
  • Indirect prompt injection through retrieved chunks (LLM01)
  • Sensitive data leakage through retrieval (LLM02)

Recommended controls

  • Access control on vector retrieval aligned to source-document ACLs
  • Embedding-store encryption at rest
  • Corpus content review and provenance tracking
  • Retrieval audit logging
  • Prompt-injection testing against retrieved-content scenarios
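The first and fourth controls above, shown as an added example (not code from the guide or any particular vector-store product): a toy in-memory vector store that copies each source document's ACL into the chunk at index time, filters on that ACL before ranking, and writes a retrieval audit record. The embeddings, document ids and group names are constructed sample values; the unfiltered method is included only to show what the control prevents.

```python
import hashlib
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Chunk:
    doc_id: str
    text: str
    vector: tuple              # toy 3-d embedding, constructed for the example
    allowed_groups: frozenset  # ACL copied from the source document at index time
    source_sha256: str         # provenance: hash of the exact text that was indexed


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return dot / (na * nb) if na and nb else 0.0


class AclVectorStore:
    def __init__(self):
        self.chunks = []
        self.audit_log = []  # who asked, what was returned, how many chunks were denied

    def index(self, doc_id, text, vector, allowed_groups):
        digest = hashlib.sha256(text.encode()).hexdigest()
        self.chunks.append(Chunk(doc_id, text, tuple(vector), frozenset(allowed_groups), digest))

    def retrieve_unfiltered(self, query_vec, k=2):
        # Weak pattern: rank the whole corpus and ignore source-document permissions.
        return sorted(self.chunks, key=lambda c: cosine(query_vec, c.vector), reverse=True)[:k]

    def retrieve(self, user, user_groups, query_vec, k=2):
        # Hardened pattern: apply the ACL before ranking, so chunks the caller may not
        # read never enter the candidate set (filtering the top-k afterwards can
        # silently return fewer than k hits and still ranks data the caller cannot read).
        groups = frozenset(user_groups)
        permitted = [c for c in self.chunks if c.allowed_groups & groups]
        ranked = sorted(permitted, key=lambda c: cosine(query_vec, c.vector), reverse=True)[:k]
        self.audit_log.append({"user": user, "returned": [c.doc_id for c in ranked],
                               "denied_candidates": len(self.chunks) - len(permitted)})
        return ranked


def build_demo_store():
    # Constructed sample corpus: one all-staff handbook chunk, one HR-only payroll chunk.
    store = AclVectorStore()
    store.index("handbook-1", "Expense reports are due on the 5th.", (0.9, 0.1, 0.0), {"all-staff"})
    store.index("payroll-1", "Salary bands for 2024 by level.", (0.1, 0.9, 0.0), {"hr"})
    return store
```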

Posture Check checkpoint

OWASP LLM08 (Vector and Embedding Weaknesses) maps directly to this pattern. The most relevant Posture Check sections are Data (Q6–Q10) and Model (Q16–Q20).

Score yourself before you roll out Custom Retrieval-Augmented Generation pipelines.

The AI Posture Check is a free 30-question self-assessment that maps your gaps to specific OWASP LLM Top 10 risks for Custom Retrieval-Augmented Generation pipelines.

Take the AI Posture Check

Need help?

Get a Standard Audit on your Custom Retrieval-Augmented Generation pipelines deployment.

A senior CWS engineer reviews your specific deployment, runs adversarial tests, and produces a remediation roadmap.

Schedule a Discovery Call