Cordon-MAS: Defending RAG against Knowledge Poisoning via Information-Flow Control

Researchers introduce Cordon-MAS, a new defense framework against poisoning attacks on retrieval-augmented generation (RAG) systems. The framework reduces attack success rates by 92.4% by enforcing information-flow control that prevents synthesis agents from directly accessing untrusted evidence, addressing a critical vulnerability in AI systems used for high-stakes applications.

RAG systems have become foundational infrastructure for AI applications requiring factual accuracy, from customer support to financial analysis. However, recent Confundo-style poisoning attacks demonstrate that adversaries can manipulate these systems by injecting carefully crafted documents into retrieval databases. The research reveals a fundamental architectural weakness: models can technically detect contradictions in evidence yet still propagate poisoned claims in their final outputs—a gap between detection capability and actual safety.

This finding reframes a critical misconception in AI security. Previous defense approaches focused on improving evidence detection, assuming that identifying poisoned documents would prevent harm. The Cordon-MAS framework instead implements architectural compartmentalization inspired by security principles from traditional systems engineering. By separating evidence extraction, cross-source validation, and answer synthesis into distinct agents with asymmetric access privileges, the system prevents any single agent from both accessing untrusted information and controlling final outputs.

The implications extend beyond academic security research. RAG systems now power production deployments in financial services, healthcare, and legal technology where hallucinations or poisoned outputs carry material consequences. A 92.4% relative reduction in attack success rates represents significant progress, though the framework's practical deployment overhead and performance costs remain unclear from the abstract.

Looking forward, this work signals a broader shift in AI safety from detection-based defenses toward structural isolation—a principle increasingly recognized as essential for trustworthy systems. Organizations deploying RAG in sensitive domains should monitor whether similar compartmentalized approaches become industry standard, particularly as regulatory frameworks for AI accountability solidify.

• →Cordon-MAS reduces RAG poisoning attacks by 92.4% through architectural separation of agents with asymmetric data access
• →Models can detect poisoned evidence but still incorporate it into outputs, revealing a critical monitoring-control gap
• →The framework treats RAG security as an information-flow control problem rather than a detection problem
• →Compartmentalized agent design prevents synthesis agents from accessing untrusted natural-language evidence directly
• →Defense approach mirrors established security principles from traditional systems engineering applied to AI architectures