Retrieval poisoning is the insertion of malicious or misleading content into a data source that an AI system later retrieves. For agents, it creates delayed execution risk because the payload can sit quietly until a user query causes the model to act on it.
Expanded Definition
Retrieval poisoning is a data integrity attack against retrieval-augmented systems, knowledge bases, and agent toolchains. It differs from prompt injection because the malicious content is not necessarily visible at the moment of prompting. Instead, it is planted earlier in a source the system trusts, then activated later when the model retrieves that material to answer a query or choose an action. In NHI and agentic AI environments, that means poisoned documentation, tickets, wiki pages, code comments, or shared object stores can shape downstream decisions without direct access to the model itself.
Definitions vary across vendors on whether a poisoned source must be externally supplied, internally modified, or merely mislabelled, but the security concern is the same: retrieval is only as trustworthy as the corpus behind it. The control objective is to ensure provenance, review, and change detection for any content an agent can consume. For broader governance context, NHI Management Group treats this as a data-plane trust problem that sits alongside identity, secrets, and execution controls, not as a narrow model safety issue. The most common misapplication is assuming a content repository is safe because it is read-only to the agent, when the real condition is that a compromised upstream writer or sync job has already seeded the payload.
Examples and Use Cases
Implementing retrieval defenses rigorously often introduces review overhead and tighter content controls, requiring organisations to weigh faster knowledge access against the cost of verifying every source an agent may retrieve.
- A support-agent RAG system pulls from internal runbooks, but a poisoned runbook page instructs the agent to escalate credentials or call an unsafe tool.
- A procurement agent retrieves vendor notes from a shared workspace, and a malicious entry changes approved payment instructions or domain names.
- An engineering copilot indexes ticket comments and incident summaries, then repeats a planted remediation step that disables logging or widens access.
- A policy assistant consults a wiki where a compromised sync process inserted outdated compliance language, causing the agent to generate incorrect guidance.
These risks become more concrete when paired with NHI exposure patterns described in the Ultimate Guide to NHIs, especially where service accounts and automation identities can write to shared repositories. Retrieval pipelines should be governed with the same care applied to enterprise access paths in the NIST Cybersecurity Framework 2.0.
Why It Matters in NHI Security
Retrieval poisoning matters because agentic systems often act on retrieved content with execution authority. If a poisoned document is treated as trusted context, the agent can create, modify, approve, or disclose data based on attacker-authored instructions. That turns a content integrity issue into an identity and workflow compromise. NHI Management Group data shows that 79% of organisations have experienced secrets leaks, and 77% of those incidents resulted in tangible damage, which is a strong reminder that indirect exposure paths can be costly when automation is involved.
The operational impact is especially severe when the retrieved content references API keys, service accounts, token scopes, or tool usage patterns. A poisoned source can quietly steer an agent toward unsafe retrieval, overbroad access, or fraudulent escalation before anyone notices. The Ultimate Guide to NHIs is especially relevant here because it links poor visibility and excessive privilege to broad attack surface, while the NIST Cybersecurity Framework 2.0 reinforces the need for governed, verifiable data flows. Organisations typically encounter the consequence only after an agent has already retrieved and acted on the poisoned source, at which point retrieval poisoning becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Covers unsafe tool use and malicious context that can steer agent behavior. | |
| OWASP Non-Human Identity Top 10 | NHI-04 | Retrieval poisoning often targets shared content accessed through overprivileged NHIs. |
| NIST CSF 2.0 | PR.DS | Data integrity and protection controls apply to retrieval corpora and indexed knowledge. |
Treat retrieved content as untrusted input and gate agent actions behind validation and policy checks.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 25, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
