Table of Contents
Fetching ...

Securing RAG: A Risk Assessment and Mitigation Framework

Lukas Ammann, Sara Ott, Christoph R. Landolt, Marco P. Lehmann

TL;DR

Retrieval-Augmented Generation (RAG) enables up-to-date, data-driven responses but expands the attack surface for security and privacy risks. The paper conducts a structured literature review and develops a RAG-specific security framework that combines a risk–mitigation matrix with established ML/LLM security guidance and governance practices. Key contributions include a taxonomy of RAG vulnerabilities (R0–R10), a comprehensive set of mitigations (M0–M12), and an implementation framework aligned with standards such as NIST RMF, GDPR, and the EU AI Act. The work provides practitioners with actionable guidance to deploy secure, compliant, and trustworthy RAG systems in dynamic threat landscapes.

Abstract

Retrieval Augmented Generation (RAG) has emerged as the de facto industry standard for user-facing NLP applications, offering the ability to integrate data without re-training or fine-tuning Large Language Models (LLMs). This capability enhances the quality and accuracy of responses but also introduces novel security and privacy challenges, particularly when sensitive data is integrated. With the rapid adoption of RAG, securing data and services has become a critical priority. This paper first reviews the vulnerabilities of RAG pipelines, and outlines the attack surface from data pre-processing and data storage management to integration with LLMs. The identified risks are then paired with corresponding mitigations in a structured overview. In a second step, the paper develops a framework that combines RAG-specific security considerations, with existing general security guidelines, industry standards, and best practices. The proposed framework aims to guide the implementation of robust, compliant, secure, and trustworthy RAG systems.

Securing RAG: A Risk Assessment and Mitigation Framework

TL;DR

Retrieval-Augmented Generation (RAG) enables up-to-date, data-driven responses but expands the attack surface for security and privacy risks. The paper conducts a structured literature review and develops a RAG-specific security framework that combines a risk–mitigation matrix with established ML/LLM security guidance and governance practices. Key contributions include a taxonomy of RAG vulnerabilities (R0–R10), a comprehensive set of mitigations (M0–M12), and an implementation framework aligned with standards such as NIST RMF, GDPR, and the EU AI Act. The work provides practitioners with actionable guidance to deploy secure, compliant, and trustworthy RAG systems in dynamic threat landscapes.

Abstract

Retrieval Augmented Generation (RAG) has emerged as the de facto industry standard for user-facing NLP applications, offering the ability to integrate data without re-training or fine-tuning Large Language Models (LLMs). This capability enhances the quality and accuracy of responses but also introduces novel security and privacy challenges, particularly when sensitive data is integrated. With the rapid adoption of RAG, securing data and services has become a critical priority. This paper first reviews the vulnerabilities of RAG pipelines, and outlines the attack surface from data pre-processing and data storage management to integration with LLMs. The identified risks are then paired with corresponding mitigations in a structured overview. In a second step, the paper develops a framework that combines RAG-specific security considerations, with existing general security guidelines, industry standards, and best practices. The proposed framework aims to guide the implementation of robust, compliant, secure, and trustworthy RAG systems.
Paper Structure (9 sections, 2 figures, 1 table)

This paper contains 9 sections, 2 figures, 1 table.

Figures (2)

  • Figure 1: General RAG Pipeline (1): A general architecture with the main components Data Ingestion (2), Retriever (3), and Generator LLM (4). R0 to R10 indicate the risks associated with each component.
  • Figure 2: Securing a RAG requires a holistic approach. Three overarching activities are ML-Ops, Data Governance, and Project- and Risk Management. Risks and Mitigations are addressed at layers IT Baseline Protection, AI and LLM Protection, and RAG Protection.