Securing Retrieval-Augmented Generation: A Taxonomy of Attacks, Defenses, and Future Directions
Researchers present SLOT, a comprehensive taxonomy for understanding security vulnerabilities in retrieval-augmented generation (RAG) systems that extend LLMs with external knowledge. The framework categorizes attacks and defenses across four dimensions—attack surface, defense layer, security objective, and target scope—while identifying structural gaps in current evaluation methods and proposing future research directions for securing RAG pipelines.
This academic work addresses a critical gap in AI security research by formally categorizing vulnerabilities specific to RAG systems rather than treating them as generic LLM flaws. RAG systems, which augment language models with external knowledge retrieval, create new attack vectors at the knowledge-access boundary that traditional LLM security research overlooks. The SLOT taxonomy provides researchers and practitioners with a structured framework to reason about where attacks occur, which defensive measures apply, what security properties are compromised, and the scope of targets under threat.
The research surfaces two important structural mismatches between how attacks target RAG systems and how current defenses are evaluated. This disconnect means existing security measures may provide false confidence while leaving systems vulnerable to real-world threats. The authors identify that evaluation methodologies often focus on narrow, isolated attack scenarios rather than distributed manipulation across query distributions, limiting their relevance to production environments.
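To make the evaluation mismatch concrete, here is an added illustration that is not part of the paper or the SLOT taxonomy: a toy retrieval harness that measures how often an untrusted document reaches the top-k context across a whole query distribution, under three retrieval-layer defense policies. The corpus, the queries, the Jaccard scoring used in place of an embedding model, the `trusted`/`source` provenance fields, and the policy names `none`, `downweight` and `filter` are all assumptions constructed for this example.

```python
"""Added illustration (not from the paper): a toy RAG retrieval harness that
measures how often untrusted documents reach the top-k context across a whole
query distribution, for three defense policies. Corpus, queries, scoring and
policy names are all constructed for this example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Doc:
    doc_id: str
    text: str
    source: str    # provenance label recorded at ingestion (assumed field)
    trusted: bool  # ingestion policy decision (assumed field)


def tokens(s: str) -> set:
    return set(re.findall(r"[a-z0-9]+", s.lower()))


def overlap(query: str, doc: Doc) -> float:
    """Jaccard token overlap, standing in for an embedding similarity score."""
    q, d = tokens(query), tokens(doc.text)
    return len(q & d) / len(q | d) if (q | d) else 0.0


def retrieve(query, corpus, k=2, policy="none"):
    """Top-k retrieval under a defense policy applied at the retrieval layer:
    'none'       - rank on similarity only
    'downweight' - halve the score of untrusted documents
    'filter'     - drop untrusted documents before ranking"""
    scored = []
    for doc in corpus:
        if policy == "filter" and not doc.trusted:
            continue
        s = overlap(query, doc)
        if policy == "downweight" and not doc.trusted:
            s *= 0.5
        if s > 0:  # zero-overlap documents never enter the context
            scored.append((s, doc))
    scored.sort(key=lambda t: t[0], reverse=True)
    return [doc for _, doc in scored[:k]]


def exposure_rate(queries, corpus, k=2, policy="none") -> float:
    """Fraction of queries whose top-k context contains an untrusted document."""
    hits = sum(
        any(not d.trusted for d in retrieve(q, corpus, k, policy)) for q in queries
    )
    return hits / len(queries)


# Constructed corpus: three vetted internal documents and one unvetted
# web-crawled document whose wording happens to overlap several queries.
CORPUS = [
    Doc("D1", "password reset policy requires admin approval", "internal-wiki", True),
    Doc("D2", "vpn access requires hardware token enrollment", "internal-wiki", True),
    Doc("D3", "expense reports are submitted monthly", "internal-wiki", True),
    Doc("U1", "password reset and vpn access help contact admin for token approval",
        "web-crawl", False),
]

# Constructed query distribution standing in for real user traffic.
QUERIES = [
    "how do I reset my password",
    "how do I get vpn access",
    "when are expense reports due",
]


def evaluate(corpus=CORPUS, queries=QUERIES, k=2) -> dict:
    """Exposure rate per policy, plus the result of checking one query alone."""
    return {
        "isolated_query": exposure_rate(queries[2:], corpus, k, "none"),
        "none": exposure_rate(queries, corpus, k, "none"),
        "downweight": exposure_rate(queries, corpus, k, "downweight"),
        "filter": exposure_rate(queries, corpus, k, "filter"),
    }


if __name__ == "__main__":
    for name, rate in evaluate().items():
        print(f"{name:15s} exposure={rate:.2f}")
```

Two things the numbers show that the paragraph alone does not. First, testing a single query (`isolated_query`) reports zero exposure while the same corpus exposes two of the three queries in the distribution, which is exactly the false confidence an isolated-scenario evaluation produces. Second, the `downweight` policy changes nothing at k=2 here, because the untrusted document is the only other result with any overlap: a ranking-based defense has a blind spot whenever relevant trusted content is sparse, whereas provenance filtering closes it. Swapping in a real embedding model and a larger query sample keeps the same harness shape.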
For the AI industry, this taxonomy enables more rigorous security engineering of RAG-based systems—increasingly critical as enterprises deploy retrieval-augmented models for high-stakes applications. The framework accelerates knowledge transfer between security researchers and ML engineers by establishing common terminology and threat models. The identified gaps in multimodal and agentic RAG security highlight emerging vulnerabilities as these systems become more complex.
Future work must address stronger confidentiality protections, comprehensive defenses without blind spots, and adaptive evaluation methods that reflect realistic threat landscapes. Organizations deploying RAG systems should audit their knowledge-access pipelines using this taxonomy to identify and remediate previously unrecognized vulnerabilities.
- SLOT taxonomy organizes RAG security research across surface, layer, objective, and target dimensions, clarifying previously conflated vulnerability types
- Current RAG defenses exhibit structural mismatches with actual attack patterns, creating false confidence in systems with unaddressed vulnerabilities
- Knowledge-access pipelines require security evaluation across six stages rather than isolated threat scenarios to achieve realistic threat modeling
- Multimodal and agentic RAG systems present emerging security gaps not yet adequately addressed by existing research or defenses
- Confidentiality protections in RAG systems remain comparatively underdeveloped versus integrity and availability security measures