A retrieval-augmented generation (RAG) pipeline combines search over internal data with model output generation. It expands the attack surface because the model's output is only as trustworthy as its retrieval step: retrieval must be authorised, filtered, and traceable all the way back to the source document.
Expanded Definition
A RAG pipeline is not just a prompt plus a search index. In NHI security, it is an execution path that selects data, applies authorization logic, assembles context, and then hands that context to a model for generation. The security boundary therefore includes retrieval permissions, ranking logic, document preprocessing, and the trust relationship between source systems and the agent or application calling the model.
Definitions vary across vendors on whether the pipeline begins at embedding, at query retrieval, or only when the model receives the final context. For governance purposes, NHI Management Group treats the full chain as in scope because a weak link anywhere in the chain can cause data exposure or prompt manipulation. That framing aligns well with the NIST Cybersecurity Framework 2.0, which emphasizes protecting data and controlling access across system boundaries.
The most common misapplication is treating RAG as a purely model-side issue, which occurs when teams secure the LLM but leave retrieval connectors, source permissions, and index content unchecked.
Examples and Use Cases
Implementing RAG rigorously often introduces latency and governance overhead, requiring organisations to weigh faster answers against tighter authorization, logging, and document hygiene.
- An internal support bot retrieves policy documents only after checking the caller’s role, then logs which source passages were used so responses can be audited later.
- A developer assistant indexes tickets and runbooks, but excludes secrets, tokens, and incident attachments to reduce leakage from the retrieval layer. This is the same kind of failure pattern explored in the Guide to the Secret Sprawl Challenge.
- A contract analysis workflow retrieves approved clause libraries from a controlled repository, not from unrestricted shared drives or email archives.
- A security copilot uses retrieval from a vetted knowledge base and preserves citations so analysts can trace every generated answer back to the original source.
- A pipeline that pulls from software supply-chain artifacts must defend against poisoned inputs, a risk illustrated by the CI/CD pipeline exploitation case study.
In practice, the same retrieval controls that protect sensitive corpus access also determine whether the model can be trusted to answer with defensible evidence. For adjacent implementation guidance, the Reviewdog GitHub Action supply chain attack is a useful reminder that toolchain trust is part of retrieval trust.
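As an added example (not the page's or NHI Management Group's code), the following Python sketch shows the three controls the use cases above describe in one execution path: secret-shaped content is excluded at ingest, the caller's role is checked before ranking, and the source ids of the passages used are logged and carried into the assembled context. The corpus, roles, document ids and regex patterns are constructed assumptions.

```python
import re

# Constructed sample corpus (ids, roles and text are assumptions for this example, not real data).
# Each document carries the set of caller roles permitted to retrieve it.
CORPUS = [
    {"id": "policy-001", "allowed_roles": {"support", "admin"},
     "text": "Refunds are processed within 14 days of an approved request."},
    {"id": "runbook-042", "allowed_roles": {"sre", "admin"},
     "text": "Restart the ingest worker with systemctl restart ingest."},
    {"id": "config-dump", "allowed_roles": {"sre", "admin"},
     "text": "DB_PASSWORD=hunter2-do-not-share; connect via db.internal"},
]

# Secret-shaped content that must never become indexable (patterns are illustrative, not exhaustive).
SECRET_PATTERNS = [
    re.compile(r"(?i)(password|secret|token|api[_-]?key)\s*[=:]\s*\S+"),
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
]


def build_index(corpus):
    """Ingest: exclude any document containing secret-shaped content; report what was dropped."""
    index, excluded = [], []
    for doc in corpus:
        if any(p.search(doc["text"]) for p in SECRET_PATTERNS):
            excluded.append(doc["id"])
        else:
            index.append(doc)
    return index, excluded


def retrieve(index, caller_role, query, audit_log, k=3):
    """Retrieval: authorise on the caller's role before ranking, then log which sources were used."""
    permitted = [d for d in index if caller_role in d["allowed_roles"]]
    terms = set(query.lower().split())
    scored = [(sum(t in d["text"].lower() for t in terms), d) for d in permitted]
    ranked = [d for hits, d in sorted(scored, key=lambda s: -s[0]) if hits > 0][:k]
    audit_log.append({"role": caller_role, "query": query,
                      "sources": [d["id"] for d in ranked]})
    return ranked


def assemble_context(passages):
    """Context assembly: prefix each passage with its source id so answers stay traceable."""
    return "\n".join(f"[{d['id']}] {d['text']}" for d in passages)
```

A caller with the `support` role asking about runbook content gets no passages at all, rather than a passage it should not see, and the audit log records that empty result.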
Why It Matters in NHI Security
RAG pipelines expand NHI risk because service accounts, API keys, connectors, and document stores can all become pathways to sensitive data. If retrieval authorization is loose, an AI agent may surface content that the human requester should never see, or it may blend stale, poisoned, or over-permissive sources into a confident but incorrect answer.
NHI Management Group data shows that 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools. That matters for RAG because those same locations often become indexable content, turning a secret hygiene problem into a model exposure problem. The issue is not only confidentiality; it also affects traceability, because unmanaged sources break the chain of evidence needed for incident response and compliance.
When RAG is deployed without source controls, retrieval filtering, and provenance logging, the resulting system can appear accurate while quietly amplifying secrets sprawl and privilege misuse. Organisations typically encounter the consequence only after a sensitive answer is leaked or a bad recommendation is traced back to an untrusted source, at which point securing the RAG pipeline becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | | Covers agent tool use, retrieval trust, and indirect prompt injection risks. |
| OWASP Non-Human Identity Top 10 | NHI-03 | RAG depends on service account and secret governance for retrieval connectors. |
| NIST CSF 2.0 | PR.AC-4 | Access control and least privilege apply to retrieval paths and indexed data. |
Restrict retrieval inputs, validate sources, and log tool-mediated context before generation.