Table of Contents
Fetching ...

SoK: Privacy Risks and Mitigations in Retrieval-Augmented Generation Systems

Andreea-Elena Bodea, Stephen Meisenbacher, Alexandra Klymenko, Florian Matthes

TL;DR

This SoK systematically surveys privacy risks in Retrieval-Augmented Generation (RAG) systems and unifies them into a Taxonomy of privacy risks and a Dynamic RAG Privacy Process Diagram. It distinguishes leakage and adversarial manipulation, detailing five leakage types (Dataset, Vector database, Retrieved chunk, Answer, Prompt) and proposing mappings to mitigations and evaluation strategies. The study analyzes 72 papers to assess mitigation maturity and practical feasibility, revealing gaps such as embedding-level protections, real-world testing, and comprehensive privacy benchmarks. The work provides actionable artifacts and a roadmap for future research toward practical, scalable privacy safeguards in RAG deployments.

Abstract

The continued promise of Large Language Models (LLMs), particularly in their natural language understanding and generation capabilities, has driven a rapidly increasing interest in identifying and developing LLM use cases. In an effort to complement the ingrained "knowledge" of LLMs, Retrieval-Augmented Generation (RAG) techniques have become widely popular. At its core, RAG involves the coupling of LLMs with domain-specific knowledge bases, whereby the generation of a response to a user question is augmented with contextual and up-to-date information. The proliferation of RAG has sparked concerns about data privacy, particularly with the inherent risks that arise when leveraging databases with potentially sensitive information. Numerous recent works have explored various aspects of privacy risks in RAG systems, from adversarial attacks to proposed mitigations. With the goal of surveying and unifying these works, we ask one simple question: What are the privacy risks in RAG, and how can they be measured and mitigated? To answer this question, we conduct a systematic literature review of RAG works addressing privacy, and we systematize our findings into a comprehensive set of privacy risks, mitigation techniques, and evaluation strategies. We supplement these findings with two primary artifacts: a Taxonomy of RAG Privacy Risks and a RAG Privacy Process Diagram. Our work contributes to the study of privacy in RAG not only by conducting the first systematization of risks and mitigations, but also by uncovering important considerations when mitigating privacy risks in RAG systems and assessing the current maturity of proposed mitigations.

SoK: Privacy Risks and Mitigations in Retrieval-Augmented Generation Systems

TL;DR

This SoK systematically surveys privacy risks in Retrieval-Augmented Generation (RAG) systems and unifies them into a Taxonomy of privacy risks and a Dynamic RAG Privacy Process Diagram. It distinguishes leakage and adversarial manipulation, detailing five leakage types (Dataset, Vector database, Retrieved chunk, Answer, Prompt) and proposing mappings to mitigations and evaluation strategies. The study analyzes 72 papers to assess mitigation maturity and practical feasibility, revealing gaps such as embedding-level protections, real-world testing, and comprehensive privacy benchmarks. The work provides actionable artifacts and a roadmap for future research toward practical, scalable privacy safeguards in RAG deployments.

Abstract

The continued promise of Large Language Models (LLMs), particularly in their natural language understanding and generation capabilities, has driven a rapidly increasing interest in identifying and developing LLM use cases. In an effort to complement the ingrained "knowledge" of LLMs, Retrieval-Augmented Generation (RAG) techniques have become widely popular. At its core, RAG involves the coupling of LLMs with domain-specific knowledge bases, whereby the generation of a response to a user question is augmented with contextual and up-to-date information. The proliferation of RAG has sparked concerns about data privacy, particularly with the inherent risks that arise when leveraging databases with potentially sensitive information. Numerous recent works have explored various aspects of privacy risks in RAG systems, from adversarial attacks to proposed mitigations. With the goal of surveying and unifying these works, we ask one simple question: What are the privacy risks in RAG, and how can they be measured and mitigated? To answer this question, we conduct a systematic literature review of RAG works addressing privacy, and we systematize our findings into a comprehensive set of privacy risks, mitigation techniques, and evaluation strategies. We supplement these findings with two primary artifacts: a Taxonomy of RAG Privacy Risks and a RAG Privacy Process Diagram. Our work contributes to the study of privacy in RAG not only by conducting the first systematization of risks and mitigations, but also by uncovering important considerations when mitigating privacy risks in RAG systems and assessing the current maturity of proposed mitigations.
Paper Structure (17 sections, 2 equations, 3 figures, 5 tables)

This paper contains 17 sections, 2 equations, 3 figures, 5 tables.

Figures (3)

  • Figure 1: A typical Retrieval-Augmented Generation system.
  • Figure 2: The Taxonomy of RAG Privacy Risks. While we highlight the two-sided nature of privacy risks in RAG, leakage and adversarial manipulation, we focus specifically on data leakage and its mitigation. Adversarial manipulation, or attacks, primarily serve as a means to realize threats posed by leakage.
  • Figure 3: The RAG Privacy Process Diagram.