RAG Security and Privacy: Formalizing the Threat Model and Attack Surface

Researchers propose the first formal threat model for Retrieval-Augmented Generation (RAG) systems, which combine LLMs with external document retrieval. The framework identifies new security vulnerabilities including document membership inference and data poisoning attacks that emerge from RAG's reliance on external knowledge bases, addressing a critical gap in AI safety research.

RAG systems represent a significant architectural shift in how large language models operate, moving beyond pure parametric knowledge to dynamic information retrieval. This hybrid approach has gained traction because it demonstrably reduces hallucinations and improves factual grounding—critical requirements for enterprise deployments. However, this paper identifies a concerning gap: while LLM security has received substantial academic attention, RAG systems operate in a largely unexamined threat landscape.

The introduction of external document retrieval creates attack surfaces absent in traditional LLMs. Adversaries can now target the retrieval mechanism itself through document injection, manipulate what content gets retrieved, or infer sensitive information about which documents exist in a system's knowledge base. These vulnerabilities are particularly acute in deployed systems where RAG components interface with proprietary or confidential information sources.

For organizations building RAG-powered applications—especially in healthcare, finance, and legal sectors—this research carries immediate implications. The formal threat taxonomy enables security teams to conduct proper risk assessments rather than relying on intuition or LLM-specific threat models that don't translate. Developers must now consider adversaries with different access profiles: those targeting the retrieval index, those crafting adversarial queries, and those potentially poisoning source documents before ingestion.

Looking ahead, this formal framework should catalyze defensive research. Practitioners should expect emerging mitigation strategies, potential standardized security testing procedures, and possibly new architectural patterns designed specifically for RAG resilience. Organizations deploying RAG in sensitive contexts should actively monitor follow-up research applying this threat model to develop concrete attack demonstrations and countermeasures.

• →First formal threat model for RAG systems establishes structured taxonomy of adversary types and access levels.
• →External document retrieval in RAG creates new attack surfaces including membership inference and data poisoning not present in traditional LLMs.
• →Document-level privacy risks emerge when adversaries can infer presence or content of retrieved information sources.
• →Framework provides foundation for principled security assessment in enterprise RAG deployments handling sensitive data.
• →Research gap closure should accelerate defensive security measures and architectural best practices for RAG systems.