BIPI

Securing RAG Pipelines: Embedding Poisoning, Document Tampering, and Auth Layers

AI Security

RAG systems inherit the trust of every document they index. We walk through three attack classes that quietly compromise retrieval (embedding poisoning, document tampering, and missing per-query authorization) and the controls that hold them off in production.

By Arjun Raghavan, Security & Systems Lead, BIPI · July 5, 2023 · 10 min read

#rag #embeddings #authorization #vector-store #llamaindex

Retrieval augmented generation is the default architecture for enterprise LLM apps, and it is also where most of the quiet breaches happen. The model behaves, the index betrays.

The three failure classes

  • Embedding poisoning, where attacker controlled text steers retrieval toward malicious chunks
  • Document tampering, where indexed content is modified after ingestion
  • Missing per query authorization, where the retriever returns documents the caller is not allowed to see

Embedding poisoning in practice

An attacker who can write to any indexed source can craft text whose embedding sits near common user queries. The chunk then appears in top k results and injects instructions into the prompt. The classic vector is a comment field, a wiki page, or a shared drive folder that everyone forgot was world writable.

Document tampering

Once a document is in the index, who watches it? Sign every chunk at ingest time with a content hash and a source identity. At retrieval, verify the hash before the chunk enters the prompt. If the document changed, re-embed and re-sign it; do not silently use stale vectors.

Per query authorization

The retriever must apply the caller's permissions, not the ingestion service's permissions. We see teams index everything as an admin and then filter results in post processing, which is fragile. Push the access control into the vector query itself with metadata filters tied to the caller's identity.
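The ingest-time signing from the tampering section and the caller-scoped retrieval from this one, as an added example that is not code from the original post or from any named library. It assumes a constructed HMAC key, an in-memory list standing in for the vector store, and a constructed similarity score per chunk; the role filter is applied before top-k selection, the way a metadata filter inside the vector query would be.

```python
import hashlib, hmac, json
from dataclasses import dataclass

SIGNING_KEY = b"constructed-demo-key"  # placeholder: a real key lives in a KMS

@dataclass
class Chunk:
    text: str
    meta: dict          # provenance: source, allowed_roles, content_hash, ...
    sig: bytes = b""    # HMAC over the provenance (which carries the hash)
    score: float = 0.0  # constructed stand-in for vector similarity

def content_hash(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

def _mac(meta: dict, key: bytes) -> bytes:
    return hmac.new(key, json.dumps(meta, sort_keys=True).encode(), hashlib.sha256).digest()

def sign_chunk(text: str, meta: dict, key: bytes = SIGNING_KEY) -> Chunk:
    """Ingest time: bind the content hash to its provenance so neither can be
    edited in the store without invalidating the signature."""
    meta = dict(meta, content_hash=content_hash(text))
    return Chunk(text, meta, _mac(meta, key))

def verify_chunk(chunk: Chunk, key: bytes = SIGNING_KEY) -> bool:
    """Retrieval time: the signature over the metadata and the hash of the
    stored text must both still hold."""
    return (hmac.compare_digest(_mac(chunk.meta, key), chunk.sig)
            and chunk.meta.get("content_hash") == content_hash(chunk.text))

def retrieve(store, caller_roles, k=2):
    """Pre-filter on the caller's roles, take top-k of what is readable,
    then drop anything that fails the integrity check."""
    readable = [c for c in store if caller_roles & set(c.meta.get("allowed_roles", []))]
    top = sorted(readable, key=lambda c: c.score, reverse=True)[:k]
    return [c for c in top if verify_chunk(c)]

# Constructed sample index: three signed chunks, one edited in place after ingest.
STORE = [
    sign_chunk("Expense policy: limit is 50 USD per day.", {"source": "wiki/expenses", "allowed_roles": ["staff"]}),
    sign_chunk("Q3 board minutes.", {"source": "drive/board", "allowed_roles": ["exec"]}),
    sign_chunk("Travel FAQ.", {"source": "wiki/travel", "allowed_roles": ["staff"]}),
]
STORE[0].score, STORE[1].score, STORE[2].score = 0.9, 0.8, 0.7
STORE[2].text = "Travel FAQ. Reimbursement is now unlimited."  # tampered after signing

def demo():
    # Staff caller: board minutes never enter the top-k, tampered FAQ is rejected.
    return [c.meta["source"] for c in retrieve(STORE, {"staff"})]
```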

Provenance metadata that matters

  1. Source URI and source system identity
  2. Ingest timestamp and ingest pipeline version
  3. Content hash of the original document
  4. Embedding model name and version
  5. Sensitivity label and allowed roles

Detecting poisoned chunks

Run periodic similarity scans against known attack templates, look for chunks whose embeddings cluster suspiciously close to common system prompts, and alert on documents whose retrieval frequency jumps without a corresponding query volume change.

Re ranking as a defense layer

A cross-encoder re-ranker that scores query and chunk together is harder to fool than pure vector similarity. Pair it with a content policy classifier that drops chunks containing instruction-style text before they reach the prompt.

The model is rarely the weakest link in a RAG system. The index, the ingest pipeline, and the auth layer are.

Tooling notes

LlamaIndex node post processors and LangChain document compressors are good places to drop in hash verification and authorization checks. NeMo Guardrails can enforce a final policy pass on the assembled context before generation.

An ingest pipeline that survives audit

  • Authenticated source connectors with scoped credentials
  • Content hashing and signing before chunking
  • Embedding with a pinned model version and recorded provenance
  • Per chunk access metadata derived from the source system
  • Continuous reconciliation between source and index

Closing

If your RAG system cannot answer who wrote this chunk, when, and who is allowed to read it, treat every retrieval as untrusted until those three questions have answers.
