Securing Retrieval-Augmented Generation: A Taxonomy of Attacks, Defenses, and Future Directions

TL;DR

This paper provides a comprehensive taxonomy of security threats, defenses, and future research directions for retrieval-augmented generation (RAG), emphasizing the importance of securing the external knowledge-access pipeline.

Contribution

It introduces a new perspective on RAG security by defining operational boundaries and organizing vulnerabilities and defenses across the RAG workflow stages.

Findings

Current defenses are largely reactive and fragmented.

The paper categorizes threats into four primary security surfaces.

It proposes future directions for layered, boundary-aware protection.

Abstract

Retrieval-augmented generation (RAG) significantly enhances large language models (LLMs) but introduces novel security risks through external knowledge access. While existing studies cover various RAG vulnerabilities, they often conflate inherent LLM risks with those specifically introduced by RAG. In this paper, we propose that secure RAG is fundamentally about the security of the external knowledge-access pipeline. We establish an operational boundary to separate inherent LLM flaws from RAG-introduced or RAG-amplified threats. Guided by this perspective, we abstract the RAG workflow into six stages and organize the literature around three trust boundaries and four primary security surfaces, including pre-retrieval knowledge corruption, retrieval-time access manipulation, downstream context exploitation, and knowledge exfiltration. By systematically reviewing the corresponding attacks, defenses, remediation mechanisms, and evaluation benchmarks, we reveal that current defenses remain largely reactive and fragmented. Finally, we discuss these gaps and highlight future directions toward layered, boundary-aware protection across the entire knowledge-access lifecycle.