RAG poisoning is the corruption of retrieval-augmented generation inputs so an AI system pulls misleading or malicious context into its response path. Because the model trusts retrieved data as part of the working context, poisoned sources can change behaviour without directly compromising the model itself.
Expanded Definition
RAG poisoning is a retrieval-layer attack against retrieval-augmented generation systems, where an attacker corrupts indexed documents, vector stores, web sources, or embedded knowledge so the model retrieves misleading context. Definitions vary across vendors, but the security concern is consistent: the model may behave as intended while the retrieved evidence has already been compromised. In practice, the attack targets the data supply chain around the model, not the model weights themselves.
That distinction matters because RAG pipelines often blend trusted internal content with external documents, tickets, knowledge bases, and agent tool outputs. When retrieval ranking, chunking, or source trust is weak, poisoned content can steer summaries, recommendations, and actions. This makes the issue relevant to NHI security, especially where the Ultimate Guide to NHIs discusses service accounts, API keys, and other machine identities that feed automation. The most common misapplication is treating RAG poisoning as prompt injection alone, which happens when teams focus only on user prompts and ignore compromised retrieval sources.
Security teams often map this risk to broader governance guidance in the NIST Cybersecurity Framework 2.0, especially source integrity, data quality, and response controls.
Examples and Use Cases
Implementing RAG safely often introduces a provenance and latency tradeoff, requiring organisations to weigh fast retrieval and broad knowledge coverage against stronger source validation, curation, and filtering.
- An internal help desk assistant ingests stale policy pages, and the RAG layer retrieves retired instructions that cause an incorrect access approval workflow.
- A customer support agent pulls poisoned FAQ content from a compromised knowledge base, leading it to recommend unsafe remediation steps.
- An AI operations assistant uses vectorized incident notes, and a malicious document planted in a shared workspace biases the retrieved context toward the attacker’s preferred narrative.
- A procurement agent connected to external research sources retrieves manipulated vendor claims, which distorts risk scoring and review decisions.
- A secrets-management chatbot indexes runbooks that include exposed tokens, and the model echoes those secrets or treats them as valid operational context.
In mature programmes, teams pair content provenance checks with identity-aware controls from the Ultimate Guide to NHIs so agents and service accounts only read from approved repositories. That approach also aligns with the retrieval integrity and validation emphasis found in the NIST Cybersecurity Framework 2.0.
Why It Matters in NHI Security
RAG poisoning matters because many AI workflows run on behalf of non-human identities that already have broad read access, write access, or tool authority. If an agent, service account, or automation token ingests poisoned context, the resulting error can propagate into approvals, incident triage, privileged actions, and downstream systems. The NHI risk grows when secrets, configuration files, or shared workspaces are used as retrieval sources without governance. NHI Mgmt Group research, cited in the Ultimate Guide to NHIs, found that 96% of organisations store secrets outside secrets managers in vulnerable locations, which increases the chance that corrupted or exposed material will enter the retrieval path.
That is why practitioners should connect RAG controls to broader identity and access strategy, including least privilege, source allowlisting, reviewable data pipelines, and monitoring for abnormal retrieval patterns. Governance is not just about preventing bad answers; it is about stopping compromised context from being treated as trusted input. Organisations typically notice the impact only after an agent makes a flawed decision, at which point addressing RAG poisoning becomes operationally unavoidable.
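As an added illustration (not code from this guidance or from NHI Mgmt Group), the Python retrieval gate below applies the controls listed above to each retrieved chunk: source allowlisting, rejection of retired or tampered content via a provenance manifest, blocking of secret-like tokens, and a rejection-ratio alert as a simple signal of an abnormal retrieval pattern. The manifest, chunk texts and patterns are constructed for the example.

```python
import hashlib
import re

# Constructed curation manifest (assumption: written by the ingestion pipeline
# when a document is reviewed and indexed). Hashes are filled in below.
MANIFEST = {
    "policy/access-approval-v3": {"sha256": None, "retired": False},
    "policy/access-approval-v2": {"sha256": None, "retired": True},
    "runbooks/rotate-db-creds": {"sha256": None, "retired": False},
}

# Constructed chunk texts as they were approved at indexing time.
APPROVED_TEXT = {
    "policy/access-approval-v3": "Access requests require two approvers from the owning team.",
    "policy/access-approval-v2": "Access requests require one approver.",
    "runbooks/rotate-db-creds": "Rotate with token: db_admin_TOKEN_1234567890 then restart.",
}
for src, text in APPROVED_TEXT.items():
    MANIFEST[src]["sha256"] = hashlib.sha256(text.encode()).hexdigest()

# Shapes of secret-like material that must never become model context.
SECRET_PATTERNS = [
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                                  # AWS access key id shape
    re.compile(r"(?i)\b(api[_-]?key|token|password)\s*[:=]\s*\S{8,}"),   # key=value style secrets
]

def gate_chunk(source, text, manifest=MANIFEST):
    """Return (accepted, reason) for one retrieved chunk."""
    entry = manifest.get(source)
    if entry is None:
        return False, "source-not-allowlisted"      # not an approved repository
    if entry["retired"]:
        return False, "retired-source"              # stale policy page still in the index
    if hashlib.sha256(text.encode()).hexdigest() != entry["sha256"]:
        return False, "content-hash-mismatch"       # chunk changed after curation
    if any(p.search(text) for p in SECRET_PATTERNS):
        return False, "secret-like-token"           # approved runbook that leaks a credential
    return True, "ok"

def filter_context(retrieved, manifest=MANIFEST, max_reject_ratio=0.5):
    """Gate every (source, text) pair; return accepted texts, rejections and an
    alert flag when the rejection share exceeds the ratio."""
    accepted, rejections = [], []
    for source, text in retrieved:
        ok, reason = gate_chunk(source, text, manifest)
        if ok:
            accepted.append(text)
        else:
            rejections.append((source, reason))
    alert = bool(retrieved) and len(rejections) / len(retrieved) > max_reject_ratio
    return accepted, rejections, alert
```

The rejections list is what a reviewable pipeline should log per query, so a sudden rise in hash mismatches or non-allowlisted sources for one agent identity stands out.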
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | LLM-07 | Covers retrieval and tool-use abuse where poisoned context alters agent output. |
| NIST CSF 2.0 | PR.DS-1 | Data integrity protection applies to retrieval sources and indexed knowledge. |
| NIST Zero Trust (SP 800-207) | N/A | Zero Trust requires continuous verification of data sources and access paths. |
Validate retrieved sources and constrain agent actions when context may be untrusted.
Reviewed and updated by the NHIMG editorial team on June 1, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org