Presentation Material
Abstract
Retrieval Augmented Generation (RAG) can cause serious data security problems because it requires moving data into new locations, such as vector databases, that do not support access controls. The increasing popularity of low-code and no-code tools exacerbates the situation. This session will demonstrate these issues in practice and share experiences in building secure RAGs, as well as the do's and don'ts of AI security.
AI Generated Summary
The talk examines security vulnerabilities in Retrieval-Augmented Generation (RAG) systems used for enterprise chatbots, focusing on the flawed reliance on file permissions for data protection. RAG has become the dominant architecture for integrating private data into large language models due to large context windows, low inference costs, and improved model reliability, supplanting fine-tuning. However, enforcing access control within RAG presents significant challenges.
Three primary methods for permission enforcement are analyzed. Pre-filtering restricts the searchable document subset per user, offering high security and quality but at prohibitive cost and operational complexity. Metadata filtering, supported by some vector databases, is limited to simple filter types and poorly represents the complex, graph-like nature of enterprise permission structures. Post-filtering, the most common approach, queries a unified knowledge base and filters results afterward; it is cost-effective and flexible but introduces security risks from configuration errors and degrades response quality when relevant chunks are discarded.
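The three enforcement strategies summarised above, reduced to a runnable toy model. This is an added illustration, not code from the talk: the chunks, the users, the nested group graph and the bag-of-words similarity are all constructed here, and a real system would replace `embed`/`sim` with a vector database. Pre-filtering searches only the caller's readable subset; metadata filtering mimics a store that can only filter on one flat field (`department`), so an explicit per-user grant is invisible to it; post-filtering searches the unified index and drops unauthorised hits afterwards, which both shrinks the result set and, if the ACL check is configured to fail open on chunks ingested without ACL metadata, leaks them.

```python
"""Toy model of permission enforcement in a RAG retriever.

All data below is constructed for the example; similarity is a
bag-of-words cosine so the block runs offline with no dependencies.
"""
from collections import Counter
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class Chunk:
    doc_id: str
    text: str
    department: str   # flat metadata field a vector DB can filter on
    acl: frozenset    # principals (users or groups) allowed to read


# Constructed corpus. "hr-3" was ingested without ACL metadata on purpose,
# to show what a fail-open post-filter does with it.
CHUNKS = [
    Chunk("hr-1", "salary bands", "hr", frozenset({"grp:hr"})),
    Chunk("hr-2", "salary review process", "hr", frozenset({"grp:hr", "user:alice"})),
    Chunk("hr-3", "salary data export schedule", "hr", frozenset()),
    Chunk("eng-1", "engineering onboarding and salary expectations", "eng", frozenset({"grp:eng"})),
    Chunk("eng-2", "deploy pipeline runbook", "eng", frozenset({"grp:eng"})),
    Chunk("pub-1", "company holiday calendar", "comms", frozenset({"grp:everyone"})),
]

# Constructed group graph: principal -> groups it is a direct member of.
GROUPS = {
    "user:alice": {"grp:eng"},
    "user:bob": {"grp:hr-leads"},
    "grp:hr-leads": {"grp:hr"},
    "grp:eng": {"grp:everyone"},
    "grp:hr": {"grp:everyone"},
}


def principals(user):
    """Resolve transitive group membership (the graph-like part of enterprise permissions)."""
    seen, todo = {user}, [user]
    while todo:
        for group in GROUPS.get(todo.pop(), ()):
            if group not in seen:
                seen.add(group)
                todo.append(group)
    return seen


def can_read(user, chunk):
    """Fail closed: a chunk with no ACL metadata is readable by nobody."""
    return bool(principals(user) & chunk.acl)


def embed(text):
    return Counter(text.lower().split())


def sim(query_vec, doc_vec):
    dot = sum(query_vec[w] * doc_vec[w] for w in query_vec)
    norm = sqrt(sum(v * v for v in query_vec.values())) * sqrt(sum(v * v for v in doc_vec.values()))
    return dot / (norm or 1)


def top_k(chunks, query, k):
    q = embed(query)
    return sorted(chunks, key=lambda c: sim(q, embed(c.text)), reverse=True)[:k]


def pre_filter(user, query, k):
    """Pre-filtering: build the searchable set from the caller's permissions first."""
    readable = [c for c in CHUNKS if can_read(user, c)]
    return [c.doc_id for c in top_k(readable, query, k)]


def metadata_filter(user, user_department, query, k):
    """Metadata filtering: a single equality filter, as a simple vector store might offer.

    It cannot see the direct grant on hr-2 to user:alice, because that lives
    in the ACL graph, not in the flat 'department' field.
    """
    scoped = [c for c in CHUNKS if c.department == user_department]
    return [c.doc_id for c in top_k(scoped, query, k)]


def post_filter(user, query, k, fail_open=False):
    """Post-filtering: search the unified index, then drop what the caller may not read.

    The caller asked for k chunks but may get fewer. With fail_open=True a
    chunk lacking ACL metadata is passed through: a configuration error.
    """
    hits = top_k(CHUNKS, query, k)
    return [c.doc_id for c in hits
            if can_read(user, c) or (fail_open and not c.acl)]


if __name__ == "__main__":
    for user, dept in (("user:alice", "eng"), ("user:bob", "hr")):
        print(user, "pre:", pre_filter(user, "salary", 2),
              "meta:", metadata_filter(user, dept, "salary", 2),
              "post:", post_filter(user, "salary", 2))
```

Running it for `user:alice` shows the three behaviours side by side: pre-filtering returns two relevant chunks she may read, metadata filtering returns only engineering chunks and misses the document explicitly shared with her, and post-filtering with `k=2` returns a single chunk because the top hit was discarded after retrieval. Switching `fail_open=True` returns the ACL-less `hr-3` as well.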
The fundamental issue is that underlying enterprise permissions are frequently incorrect due to oversharing, shared links, and access creep. Consequently, even RAG systems that correctly enforce these permissions will expose sensitive data. The talk argues that security models must shift from file-centric permissions to information-centric controls, accounting for the dynamic and distributed nature of data ownership in large organizations. Current RAG implementations, including major commercial copilots, remain vulnerable to data leakage because they replicate existing permission flaws rather than addressing their root causes.