Security teams should insert an authorization check after retrieval and before generation, so the model only receives content the user is allowed to see. That means semantic search can still find candidate documents, but a separate policy layer must verify ownership, team membership, or share relationships before any text reaches the prompt.
Why This Matters for Security Teams
RAG pipelines are not just search systems. They are data-access paths that can surface restricted documents into a prompt and then into generated output. If retrieval is allowed to run without a separate authorization gate, semantic similarity can bypass the same ownership, team, and sharing rules that normally protect document stores. That makes the risk less about model quality and more about exposure control.
This is why current guidance treats retrieval-time access control as a mandatory security layer, not an optional refinement. The NIST Cybersecurity Framework 2.0 emphasises governed access and monitored data flows, while NHIMG research on secrets exposure shows how quickly hidden content becomes broad blast-radius material when controls are weak. In practice, many security teams encounter the leak only after a user asks an innocent question that returns a document they were never meant to see.
NHIMG’s Ultimate Guide to NHIs also notes that only 5.7% of organisations have full visibility into their service accounts, which is a useful reminder that access-path opacity is a recurring problem across identity systems, not just RAG.
How It Works in Practice
The safest pattern is to treat retrieval and generation as separate trust boundaries. Semantic search can rank candidate chunks, but before any text is assembled into the prompt, the pipeline must evaluate whether the requesting user is allowed to see each chunk. That decision should use the same business rules that govern the source repository, such as document ownership, group membership, case assignment, project scope, or explicit share links.
Practically, teams implement this with a policy layer between the retriever and the LLM. The policy engine checks the user context, document labels, and source metadata, then filters out unauthorised chunks before the prompt is built. In many environments this is easiest to maintain when the retrieval service emits metadata such as source system, sensitivity tag, ACL references, and expiry status. Policy-as-code tools and standard controls from NIST Cybersecurity Framework 2.0 help teams keep these checks auditable rather than ad hoc.
- Index documents with security metadata, not just embeddings.
- Evaluate authorisation per retrieved chunk, not per query alone.
- Strip or mask restricted passages before prompt construction.
- Log retrieval decisions so security can prove why content was included or denied.
- Apply the same policy to cached results, reranked snippets, and citations.
NHIMG’s Guide to the Secret Sprawl Challenge is relevant here because prompt injection and accidental disclosure often intersect with broader secret-management failures, especially when RAG sources include code, tickets, or internal docs. These controls tend to break down when source repositories do not carry reliable ACL metadata, because the retriever cannot enforce authorisation it cannot see.
Common Variations and Edge Cases
Tighter retrieval filtering often increases engineering overhead, requiring organisations to balance low-latency answers against precise document-level enforcement. That tradeoff is real, especially when teams want cross-index search across multiple business units or external knowledge bases.
There is no universal standard for RAG authorisation yet, so implementations differ. Some teams enforce hard filtering before reranking, others allow retrieval but remove restricted passages before generation, and a few use two-stage approval for highly sensitive content. Best practice is evolving, but the safest default is to deny by default and only expand access when the policy engine can justify it. For higher-risk workflows, the same principle appears in the Anthropic report on AI-orchestrated cyber espionage, where tool access and data access became the real attack surface.
Edge cases include shared knowledge bases, federated search across subsidiaries, and documents with partial redaction. In those environments, security teams should define whether citations alone can leak restricted context, whether snippets count as disclosure, and whether cached embeddings inherit source ACLs. NHIMG’s 52 NHI Breaches Analysis shows that weak identity and access boundaries often surface only after a downstream system amplifies them.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | RAG retrieval is an identity-powered access path that can expose restricted data. |
| OWASP Agentic AI Top 10 | A-04 | Agentic prompt assembly can leak data if retrieval and generation are not separated. |
| NIST AI RMF | AI RMF is relevant for governing data flows, misuse, and accountability in RAG systems. |
Insert runtime policy checks between retrieval and generation before content reaches the model.
Related resources from NHI Mgmt Group
- How should security teams decide whether JIT access is safe for non-human identities?
- How should security teams protect PII in AI pipelines without breaking user workflows?
- How do security teams know whether IP hardening is actually working for NHIs?
- What do security teams get wrong about n8n and similar automation platforms?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org