The reviewed record of science sign in
Pith

arxiv: 2606.25533 · v1 · pith:SCWYTAMU · submitted 2026-06-24 · cs.CR · cs.CL

Security and Privacy in Retrieval-Augmented Generation: Architectures, Threats, Defenses, and Future Directions for Building Trustworthy Systems

Reviewed by Pith2026-06-25 20:54 UTCgrok-4.3pith:SCWYTAMUopen to challenge →

classification cs.CR cs.CL
keywords retrieval-augmented generationsecurityprivacyadversarial attacksfederated systemslarge language modelsknowledge basesdefenses
0
0 comments X

The pith

Retrieval-augmented generation systems introduce security and privacy risks through their retrieval mechanisms that go beyond those of standard language models.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This survey examines how coupling external retrieval with generative models creates new exposure points for sensitive data and allows manipulation of outputs. It organizes risks across centralized, on-device, federated, and hybrid RAG deployments by mapping threats that arise during retrieval, context construction, and generation. The work catalogs attack types such as membership inference, index inference, poisoning, gradient leakage, and collusion, then reviews corresponding architectural, algorithmic, and cryptographic defenses while noting their utility trade-offs. It closes by identifying open challenges for making RAG systems trustworthy in practice.

Core claim

Integrating retrieval pipelines in RAG systems exposes sensitive information through retrieval indices, query logs, context construction, or federated updates, while adversarial manipulation of knowledge bases can undermine trust in generated outputs, requiring a unified taxonomy of threat surfaces across retrieval, context construction, and generation stages together with analysis of attacks and defenses in centralized, on-device, federated, and hybrid paradigms.

What carries the argument

A unified taxonomy of threat surfaces spanning the retrieval, context construction, and generation stages.

If this is right

  • Defenses must address retrieval-specific surfaces such as index poisoning and query log leakage in addition to generation-stage threats.
  • Architectural choices for RAG deployments carry measurable privacy-utility trade-offs that vary by paradigm.
  • Attacks including membership inference and collusion can compromise both data confidentiality and output integrity.
  • Hybrid and federated RAG setups require additional protections against gradient leakage and inter-party collusion.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Standard LLM safety layers will need explicit extensions to cover the retrieval stage if the taxonomy holds.
  • Empirical measurement of real-world RAG data exposure events could test whether the listed attack classes are exhaustive.
  • Cryptographic techniques applied at the index level might reduce leakage without full redesign of retrieval pipelines.
  • The taxonomy could guide standardized auditing protocols for RAG systems in regulated domains.

Load-bearing premise

The presented unified taxonomy of threat surfaces and listed attack classes adequately covers the primary risks across all RAG paradigms.

What would settle it

Identification of a major privacy or security vulnerability in an operational RAG system whose attack surface falls outside the taxonomy categories of retrieval, context construction, and generation.

Figures

Figures reproduced from arXiv: 2606.25533 by Balamurugan Palanisamy, G S S Chalapathi, Rajkumar Buyya, Vikas Hassija.

Figure 1
Figure 1. Figure 1: Structural organization of the survey paper. [PITH_FULL_IMAGE:figures/full_fig_p003_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: RAG Pipeline: RAG system architecture showing offline indexing and online inference phases. During [PITH_FULL_IMAGE:figures/full_fig_p005_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Structural Taxonomy of RAG Systems: Categorizing Centralized, Micro-RAG, Federated, and Hybrid [PITH_FULL_IMAGE:figures/full_fig_p006_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: RAG paradigm selection flowchart. Guides practitioners from deployment constraints (data locality, connec [PITH_FULL_IMAGE:figures/full_fig_p008_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: Taxonomy of security threats and attack surfaces in RAG systems. Attacks are organized by deployment layer [PITH_FULL_IMAGE:figures/full_fig_p009_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: Privacy-preserving techniques for RAG systems, organized across three mechanism classes: (a) architectural [PITH_FULL_IMAGE:figures/full_fig_p013_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: Defense-in-depth framework for RAG systems. Privacy and security protections should be layered across [PITH_FULL_IMAGE:figures/full_fig_p013_7.png] view at source ↗
Figure 8
Figure 8. Figure 8: Conceptual privacy–utility trade-off landscape for privacy-preserving RAG techniques. Architectural isolation [PITH_FULL_IMAGE:figures/full_fig_p016_8.png] view at source ↗
Figure 9
Figure 9. Figure 9: Cross-mapping of open challenges in secure and privacy-preserving RAG to RAG taxonomies, with relevance [PITH_FULL_IMAGE:figures/full_fig_p019_9.png] view at source ↗
read the original abstract

Retrieval-Augmented Generation (RAG) has emerged as a dominant paradigm for enhancing large language models with external knowledge. By coupling retrieval mechanisms with generative models, RAG systems improve factual grounding and adaptability across domains. However, integrating retrieval pipelines introduces new security and privacy risks that extend beyond conventional language modeling threats. Sensitive information may be exposed through retrieval indices, query logs, context construction, or federated updates, while adversarial manipulation of knowledge bases can undermine trust in generated outputs. This survey provides a comprehensive examination of privacy and security challenges across RAG systems deployed in centralized, on-device (Micro-RAG), federated, and hybrid paradigms. We present a unified taxonomy of threat surfaces spanning the retrieval, context construction, and generation stages and systematically analyze attack classes, including membership inference, index inference, poisoning, gradient leakage, and collusion. We further review architectural, algorithmic, and cryptographic defenses, highlighting privacy-utility trade-offs and deployment considerations. Finally, we outline open research challenges toward building trustworthy, secure, and resilient RAG systems for real-world applications.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

0 major / 3 minor

Summary. The manuscript is a survey on security and privacy in Retrieval-Augmented Generation (RAG) systems. It examines risks across centralized, on-device (Micro-RAG), federated, and hybrid deployment paradigms; introduces a unified taxonomy of threat surfaces spanning retrieval, context construction, and generation stages; catalogs attack classes including membership inference, index inference, poisoning, gradient leakage, and collusion; reviews architectural, algorithmic, and cryptographic defenses with attention to privacy-utility trade-offs; and identifies open research challenges for trustworthy RAG systems.

Significance. If the coverage and taxonomy hold, the survey provides a useful organizing framework for an emerging area where RAG adoption introduces privacy and security risks beyond standard LLM threats. Systematizing attacks and defenses across multiple paradigms, along with explicit discussion of deployment considerations, can help researchers identify gaps and practitioners evaluate trade-offs. The work is a literature survey with no original theorems, experiments, or machine-checked proofs.

minor comments (3)
  1. Abstract: the claim of a 'unified taxonomy' would be strengthened by a brief statement of the criteria used to unify prior taxonomies or by a forward reference to the section where the unification is demonstrated.
  2. The manuscript would benefit from an explicit table or figure that maps each attack class to the deployment paradigms (centralized, on-device, federated, hybrid) in which it has been studied or is applicable.
  3. Section headings and subsection numbering should be checked for consistency with the taxonomy stages (retrieval, context construction, generation) to improve navigation.

Simulated Author's Rebuttal

0 responses · 0 unresolved

We thank the referee for the positive summary and assessment of our survey, as well as the recommendation for minor revision. No specific major comments were provided in the report, so we have no individual points to address. We remain available to incorporate any minor editorial suggestions if requested.

Circularity Check

0 steps flagged

No significant circularity

full rationale

This is a literature survey paper with no original derivations, equations, predictions, or formal claims that could reduce to their own inputs. The unified taxonomy and attack/defense catalog are syntheses of external literature across RAG paradigms; the coverage statement is definitional to the survey genre rather than a testable proposition derived from fitted parameters or self-citations. No load-bearing steps match any enumerated circularity pattern.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

As a survey paper, the central claim rests on the completeness and accuracy of the reviewed literature rather than new derivations. No free parameters, axioms, or invented entities are introduced.

pith-pipeline@v0.9.1-grok · 5737 in / 1036 out tokens · 21982 ms · 2026-06-25T20:54:40.446400+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

132 extracted references · 13 canonical work pages · 3 internal anchors

  1. [1]

    A Comprehensive Overview of Large Language Models.ACM Transactions on Intelligent Systems and Technology, 16(5):1–72, 2025

    Humza Naveed, Asad Ullah Khan, Shi Qiu, Muhammad Saqib, Saeed Anwar, Muhammad Usman, Naveed Akhtar, Nick Barnes, and Ajmal Mian. A Comprehensive Overview of Large Language Models.ACM Transactions on Intelligent Systems and Technology, 16(5):1–72, 2025

  2. [2]

    Large language models: a survey of their development, capabilities, and applications.Knowledge and Information Systems, 67(3):2967–3022, 2025

    Yadagiri Annepaka and Partha Pakray. Large language models: a survey of their development, capabilities, and applications.Knowledge and Information Systems, 67(3):2967–3022, 2025

  3. [3]

    A review of prominent paradigms for LLM-based agents: Tool use, planning (including RAG), and feedback learning

    Xinzhe Li. A review of prominent paradigms for LLM-based agents: Tool use, planning (including RAG), and feedback learning. In Owen Rambow, Leo Wanner, Marianna Apidianaki, Hend Al-Khalifa, Barbara Di Eugenio, and Steven Schockaert, editors,Proceedings of the 31st International Conference on Computational Linguistics, pages 9760–9779, Abu Dhabi, UAE, Janu...

  4. [4]

    Know your RAG: Dataset taxonomy and generation strategies for evaluating RAG systems

    Rafael Teixeira de Lima, Shubham Gupta, Cesar Berrospi Ramis, Lokesh Mishra, Michele Dolfi, Peter Staar, and Panagiotis Vagenas. Know your RAG: Dataset taxonomy and generation strategies for evaluating RAG systems. In Owen Rambow, Leo Wanner, Marianna Apidianaki, Hend Al-Khalifa, Barbara Di Eugenio, Steven Schockaert, Kareem Darwish, and Apoorv Agarwal, e...

  5. [5]

    MeMemo: On-device Retrieval Augmentation for Private and Personalized Text Generation

    Zijie J Wang and Duen Horng Chau. MeMemo: On-device Retrieval Augmentation for Private and Personalized Text Generation. InProceedings of the 47th International ACM SIGIR Conference on Research and Development in Information Retrieval, pages 2765–2770, 2024

  6. [6]

    Fedrag: A framework for fine-tuning retrieval-augmented generation systems.arXiv preprint arXiv:2506.09200, 2025

    Val Andrei Fajardo, David B Emerson, Amandeep Singh, Veronica Chatrath, Marcelo Lotif, Ravi Theja, Alex Cheung, and Izuki Matsuba. Fedrag: A framework for fine-tuning retrieval-augmented generation systems.arXiv preprint arXiv:2506.09200, 2025

  7. [7]

    A Survey on RAG Meeting LLMs: Towards Retrieval-Augmented Large Language Models

    Wenqi Fan, Yujuan Ding, Liangbo Ning, Shijie Wang, Hengyun Li, Dawei Yin, Tat-Seng Chua, and Qing Li. A Survey on RAG Meeting LLMs: Towards Retrieval-Augmented Large Language Models. InProceedings of the 30th ACM SIGKDD conference on knowledge discovery and data mining, pages 6491–6501, 2024

  8. [8]

    Pratik Sharma and Saishab Bhattarai. A Review on Retrieval-Augmented Generation: Architectures, Research Challenges, and Emerging Frontiers.Journal of Future Artificial Intelligence and Technologies, 2(4):616–628, 2026

  9. [9]

    Yangning Li, Weizhi Zhang, Yuyao Yang, Wei-Chieh Huang, Yaozu Wu, Junyu Luo, Yuanchen Bei, Henry Peng Zou, Xiao Luo, Yusheng Zhao, Chunkit Chan, Yankai Chen, Zhongfen Deng, Yinghui Li, Hai-Tao Zheng, Dongyuan Li, Renhe Jiang, Ming Zhang, Yangqiu Song, and Philip S. Yu. A survey of RAG-reasoning systems in large language models. In Christos Christodoulopou...

  10. [10]

    CRAG - Comprehensive RAG Benchmark

    Xiao Yang, Kai Sun, Hao Xin, Yushi Sun, Nikita Bhalla, Xiangsen Chen, Sajal Choudhary, Rongze Daniel Gui, Ziran Will Jiang, Ziyu Jiang, Lingkun Kong, Brian Moran, Jiaqi Wang, Yifan Ethan Xu, An Yan, Chenyu Yang, Eting Yuan, Hanwen Zha, Nan Tang, Lei Chen, Nicolas Scheffer, Yue Liu, Nirav Shah, Rakesh Wanga, Anuj Kumar, Wen-tau Yih, and Xin Luna Dong. CRAG...

  11. [11]

    Communication- Efficient Learning of Deep Networks from Decentralized Data

    Brendan McMahan, Eider Moore, Daniel Ramage, Seth Hampson, and Blaise Aguera y Arcas. Communication- Efficient Learning of Deep Networks from Decentralized Data. In Aarti Singh and Jerry Zhu, editors,Proceedings of the 20th International Conference on Artificial Intelligence and Statistics, volume 54 ofProceedings of Machine Learning Research, pages 1273–...

  12. [12]

    Federated Learning: Challenges, Methods, and Future Directions.IEEE Signal Processing Magazine, 37(3):50–60, 2020

    Tian Li, Anit Kumar Sahu, Ameet Talwalkar, and Virginia Smith. Federated Learning: Challenges, Methods, and Future Directions.IEEE Signal Processing Magazine, 37(3):50–60, 2020

  13. [13]

    Nguyen, Ming Ding, Pubudu N

    Dinh C. Nguyen, Ming Ding, Pubudu N. Pathirana, Aruna Seneviratne, Jun Li, and H. Vincent Poor. Federated Learning for Internet of Things: A Comprehensive Survey.IEEE Communications Surveys & Tutorials, 23(3):1622–1658, 2021

  14. [14]

    Sybil-aware adaptive defence framework for robust federated learning.Pervasive and Mobile Computing, page 102157, 2025

    Dnyanesh Khedekar, Tanmaya Mahapatra, and Amitesh Singh Rajput. Sybil-aware adaptive defence framework for robust federated learning.Pervasive and Mobile Computing, page 102157, 2025

  15. [15]

    Efficient Federated Search for Retrieval-Augmented Generation

    Rachid Guerraoui, Anne-Marie Kermarrec, Diana Petrescu, Rafael Pires, Mathis Randl, and Martijn de V os. Efficient Federated Search for Retrieval-Augmented Generation. InProceedings of the 5th Workshop on Machine Learning and Systems, pages 74–81, 2025. 22 APREPRINT- JUNE25, 2026

  16. [16]

    Adversarial Attacks on Large Language Models: A Survey

    Meera Al Kuwaiti and Heba Ismail. Adversarial Attacks on Large Language Models: A Survey. InProceedings of Eighth International Conference on Information System Design and Intelligent Applications, pages 529–547. Springer, 2025

  17. [17]

    SoK: Taxonomy and Evaluation of Prompt Security in Large Language Models.arXiv preprint arXiv:2510.15476, 2025

    Hanbin Hong, Shuya Feng, Nima Naderloui, Shenao Yan, Jingyu Zhang, Biying Liu, Ali Arastehfard, Heqing Huang, and Yuan Hong. SoK: Taxonomy and Evaluation of Prompt Security in Large Language Models.arXiv preprint arXiv:2510.15476, 2025

  18. [18]

    The good and the bad: Exploring privacy issues in retrieval-augmented generation (RAG)

    Shenglai Zeng, Jiankun Zhang, Pengfei He, Yiding Liu, Yue Xing, Han Xu, Jie Ren, Yi Chang, Shuaiqiang Wang, Dawei Yin, and Jiliang Tang. The good and the bad: Exploring privacy issues in retrieval-augmented generation (RAG). In Lun-Wei Ku, Andre Martins, and Vivek Srikumar, editors,Findings of the Association for Computational Linguistics: ACL 2024, pages...

  19. [19]

    Surveying the RAG Attack Surface and Defenses: Protecting Sensitive Company Data

    Lynn V onderhaar, Daniel Machado, and Omar Ochoa. Surveying the RAG Attack Surface and Defenses: Protecting Sensitive Company Data. In2025 IEEE International Conference on Artificial Intelligence Testing (AITest), pages 69–76, 2025

  20. [20]

    SafeRAG: Benchmarking security in retrieval-augmented generation of large language model

    Xun Liang, Simin Niu, Zhiyu Li, Sensen Zhang, Hanyu Wang, Feiyu Xiong, Zhaoxin Fan, Bo Tang, Jihao Zhao, Jiawei Yang, Shichao Song, and Mengwei Wang. SafeRAG: Benchmarking security in retrieval-augmented generation of large language model. In Wanxiang Che, Joyce Nabende, Ekaterina Shutova, and Mohammad Taher Pilehvar, editors,Proceedings of the 63rd Annua...

  21. [21]

    Retrieval-Augmented Generation: A Survey of Security Challenges and Countermeasures

    Chao Wang, Haonan Li, Weijian Song, and Yiyang Lin. Retrieval-Augmented Generation: A Survey of Security Challenges and Countermeasures. In2025 11th IEEE International Conference on Privacy Computing and Data Security (PCDS), pages 210–217, 2025

  22. [22]

    {PoisonedRAG}: Knowledge corruption attacks to {Retrieval-Augmented} generation of large language models

    Wei Zou, Runpeng Geng, Binghui Wang, and Jinyuan Jia. {PoisonedRAG}: Knowledge corruption attacks to {Retrieval-Augmented} generation of large language models. In34th USENIX Security Symposium (USENIX Security 25), pages 3827–3844, 2025

  23. [23]

    Traceback of Poisoning Attacks to Retrieval-Augmented Generation

    Baolei Zhang, Haoran Xin, Minghong Fang, Zhuqing Liu, Biao Yi, Tong Li, and Zheli Liu. Traceback of Poisoning Attacks to Retrieval-Augmented Generation. InProceedings of the ACM on Web Conference 2025, pages 2085–2097, 2025

  24. [24]

    BadRAG: Identifying Vulnerabilities in Retrieval Augmented Generation of Large Language Models.arXiv preprint arXiv:2406.00083, 2024

    Jiaqi Xue, Mengxin Zheng, Yebowen Hu, Fei Liu, Xun Chen, and Qian Lou. BadRAG: Identifying Vulnerabilities in Retrieval Augmented Generation of Large Language Models.arXiv preprint arXiv:2406.00083, 2024

  25. [25]

    Luan, Siran Wang, and Yuntao Wang

    Yuan Chang, Tom H. Luan, Siran Wang, and Yuntao Wang. SafeRAG: Secure Cloud-Based Retrieval-Augmented Generation for LLM-Empowered V oice Assistants.IEEE Transactions on Network Science and Engineering, 13:6211–6224, 2026

  26. [26]

    Privacy-Aware RAG-Enabled LLMs for Collaborative AI in Organizations

    Georgios Fragkos, Bradley Marx, Sasha Safonov, Robert Manley, Winnie Patta, and Shelby Hiens. Privacy-Aware RAG-Enabled LLMs for Collaborative AI in Organizations. In2025 Cyber Awareness and Research Symposium (CARS), pages 1–8, 2025

  27. [27]

    Trusted Execution Environments: Properties, Applications, and Challenges.IEEE Security & Privacy, 18(2):56–60, 2020

    Patrick Jauernig, Ahmad-Reza Sadeghi, and Emmanuel Stapf. Trusted Execution Environments: Properties, Applications, and Challenges.IEEE Security & Privacy, 18(2):56–60, 2020

  28. [28]

    Ai on the edge: a comprehensive review

    Weixing Su, Linfeng Li, Fang Liu, Maowei He, and Xiaodan Liang. Ai on the edge: a comprehensive review. Artificial Intelligence Review, 55(8):6125–6183, 2022

  29. [29]

    A Survey of AI Inference Technologies for On-Device Systems.IEEE Internet of Things Journal, 12(24):51927–51950, 2025

    Wenzhu Wang, Ke Li, Bin Ji, Xiaodong Liu, Jie Yu, and Qingbo Wu. A Survey of AI Inference Technologies for On-Device Systems.IEEE Internet of Things Journal, 12(24):51927–51950, 2025

  30. [30]

    Towards On-device Personalization: Cloud-device Collaborative Data Augmentation for Efficient On-device Language Model.ACM Transactions on Intelligent Systems and Technology, 2025

    Zhaofeng Zhong, Wei Yuan, Liang Qu, Tong Chen, Hao Wang, Xiangyu Zhao, and Hongzhi Yin. Towards On-device Personalization: Cloud-device Collaborative Data Augmentation for Efficient On-device Language Model.ACM Transactions on Intelligent Systems and Technology, 2025

  31. [31]

    Towards Trustworthy Retrieval Augmented Generation for Large Language Models: A Survey.arXiv preprint arXiv:2502.06872, 2025

    Bo Ni, Zheyuan Liu, Leyao Wang, Yongjia Lei, Yuying Zhao, Xueqi Cheng, Qingkai Zeng, Luna Dong, Yinglong Xia, Krishnaram Kenthapadi, et al. Towards Trustworthy Retrieval Augmented Generation for Large Language Models: A Survey.arXiv preprint arXiv:2502.06872, 2025

  32. [32]

    Federated retrieval-augmented generation: A systematic mapping study

    Abhijit Chakraborty, Chahana Dahal, and Vivek Gupta. Federated retrieval-augmented generation: A systematic mapping study. In Christos Christodoulopoulos, Tanmoy Chakraborty, Carolyn Rose, and Violet Peng, editors, Findings of the Association for Computational Linguistics: EMNLP 2025, pages 7362–7374, Suzhou, China, November 2025. Association for Computat...

  33. [33]

    Chien Van Nguyen, Xuan Shen, Ryan Aponte, Yu Xia, Samyadeep Basu, Zhengmian Hu, Jian Chen, Mihir Parmar, Sasidhar Kunapuli, Joe Barrow3, Junda Wu, Ashish Singh, Yu Wang, Jiuxiang Gu, Nesreen K. Ahmed, Nedim Lipka, Ruiyi Zhang, Xiang Chen, Tong Yu, Sungchul Kim, Hanieh Deilamsalehy, Namyong Park, Michael Rimer, Zhehao Zhang, Huanrui Yang, Puneet Mathur, Ga...

  34. [34]

    The Language Model Revolution: LLM and SLM Analysis

    Zeynep Örpek, Bü¸ sra Tural, and Zeynep Destan. The Language Model Revolution: LLM and SLM Analysis. In 2024 8th International Artificial Intelligence and Data Processing Symposium (IDAP), pages 1–4, 2024

  35. [35]

    Edge ai: A comprehensive survey of technologies, applications, and challenges

    Vasuki Shankar. Edge ai: A comprehensive survey of technologies, applications, and challenges. In2024 1st International Conference on Advanced Computing and Emerging Technologies (ACET), pages 1–6, 2024

  36. [36]

    Federated Learning and RAG Integration: A Scalable Approach for Medical Large Language Models

    Jincheol Jung, Hongju Jeong, and Eui-Nam Huh. Federated Learning and RAG Integration: A Scalable Approach for Medical Large Language Models. In2025 International Conference on Artificial Intelligence in Information and Communication (ICAIIC), pages 0968–0973, 2025

  37. [37]

    A Survey of Retrieval-Augmented Generation (RAG) for Large Language Models

    Yusong Ma, Hongxuan Nie, Chao Chen, Jiujie Zhang, Jiali Jiang, Bisheng Wang, and Yuqin Xia. A Survey of Retrieval-Augmented Generation (RAG) for Large Language Models. In2025 International Conference on Trustworthy Big Data and Artificial Intelligence (ICTBAI), pages 7–13, 2025

  38. [38]

    Graph-Based Approaches and Functionalities in Retrieval-Augmented Generation: A Comprehensive Survey.ACM Computing Surveys, 2025

    Zulun Zhu, Tiancheng Huang, Kai Wang, Junda Ye, Xinghe Chen, and Siqiang Luo. Graph-Based Approaches and Functionalities in Retrieval-Augmented Generation: A Comprehensive Survey.ACM Computing Surveys, 2025

  39. [39]

    A systematic literature review of retrieval-augmented generation: Techniques, metrics, and challenges.arXiv preprint arXiv:2508.06401, 2025

    Andrew Brown, Muhammad Roman, and Barry Devereux. A systematic literature review of retrieval-augmented generation: Techniques, metrics, and challenges.arXiv preprint arXiv:2508.06401, 2025

  40. [40]

    Backdoored Retrievers for Prompt Injection Attacks on Retrieval Augmented Generation of Large Language Models.arXiv preprint arXiv:2410.14479, 2024

    Cody Clop and Yannick Teglia. Backdoored Retrievers for Prompt Injection Attacks on Retrieval Augmented Generation of Large Language Models.arXiv preprint arXiv:2410.14479, 2024

  41. [41]

    Saidakhror Gulyamov, Said Gulyamov, Andrey Rodionov, Rustam Khursanov, Kambariddin Mekhmonov, Djakhongir Babaev, and Akmaljon Rakhimjonov. Prompt injection attacks in large language models and ai agent systems: A comprehensive review of vulnerabilities, attack vectors, and defense mechanisms.Information, 17(1):54, 2026

  42. [42]

    The Hidden Threat in Plain Text: Attacking RAG Data Loaders

    Alberto Castagnaro, Umberto Salviati, Mauro Conti, Luca Pajola, and Simeone Pizzi. The Hidden Threat in Plain Text: Attacking RAG Data Loaders. InProceedings of the 18th ACM Workshop on Artificial Intelligence and Security, pages 170–181, 2025

  43. [43]

    RAG LLMs are not safer: A safety analysis of retrieval-augmented generation for large language models

    Bang An, Shiyue Zhang, and Mark Dredze. RAG LLMs are not safer: A safety analysis of retrieval-augmented generation for large language models. In Luis Chiruzzo, Alan Ritter, and Lu Wang, editors,Proceedings of the 2025 Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Human Language Technologies (Volume 1:...

  44. [45]

    Alignment faking in large language models

    Ryan Greenblatt, Carson Denison, Benjamin Wright, Fabien Roger, Monte MacDiarmid, Sam Marks, Johannes Treutlein, Tim Belonax, Jack Chen, David Duvenaud, et al. ALIGNMENT FAKING IN LARGE LANGUAGE MODELS.arXiv preprint arXiv:2412.14093, 2024

  45. [46]

    Visual contextual attack: Jailbreaking MLLMs with image-driven context injection

    Miao Ziqi, Yi Ding, Lijun Li, and Jing Shao. Visual contextual attack: Jailbreaking MLLMs with image-driven context injection. In Christos Christodoulopoulos, Tanmoy Chakraborty, Carolyn Rose, and Violet Peng, editors, Proceedings of the 2025 Conference on Empirical Methods in Natural Language Processing, pages 9627–9644, Suzhou, China, November 2025. Ass...

  46. [47]

    Shaping the safety boundaries: Understanding and defending against jailbreaks in large language models

    Lang Gao, Jiahui Geng, Xiangliang Zhang, Preslav Nakov, and Xiuying Chen. Shaping the safety boundaries: Understanding and defending against jailbreaks in large language models. In Wanxiang Che, Joyce Nabende, Ekaterina Shutova, and Mohammad Taher Pilehvar, editors,Proceedings of the 63rd Annual Meeting of the Association for Computational Linguistics (Vo...

  47. [48]

    Association for Computational Linguistics

  48. [49]

    Retrieval Poisoning Attacks Based on Prompt Injections into Retrieval-Augmented Generation Systems that Store Generated Responses

    Yegor Anichkov, Victor Popov, and Sergey Bolovtsov. Retrieval Poisoning Attacks Based on Prompt Injections into Retrieval-Augmented Generation Systems that Store Generated Responses. InInternational Conference on Distributed Computer and Communication Networks, pages 417–429. Springer, 2024

  49. [50]

    Retrieval-augmented defense: Adaptive and controllable jailbreak prevention for large language models.arXiv preprint arXiv:2508.16406, 2025

    Guangyu Yang, Jinghong Chen, Jingbiao Mei, Weizhe Lin, and Bill Byrne. Retrieval-augmented defense: Adaptive and controllable jailbreak prevention for large language models.arXiv preprint arXiv:2508.16406, 2025. 24 APREPRINT- JUNE25, 2026

  50. [51]

    LatentPoison - Adversarial Attacks On The Latent Space

    Antonia Creswell, Anil A Bharath, and Biswa Sengupta. LatentPoison - Adversarial Attacks On The Latent Space.arXiv preprint arXiv:1711.02879, 2017

  51. [52]

    Black-box Adversarial Attacks against Dense Retrieval Models: A Multi-view Contrastive Learning Method

    Yu-An Liu, Ruqing Zhang, Jiafeng Guo, Maarten de Rijke, Wei Chen, Yixing Fan, and Xueqi Cheng. Black-box Adversarial Attacks against Dense Retrieval Models: A Multi-view Contrastive Learning Method. InProceedings of the 32nd ACM International Conference on Information and Knowledge Management, pages 1647–1656, 2023

  52. [53]

    Mask-based Membership Inference Attacks for Retrieval- Augmented Generation

    Mingrui Liu, Sixiao Zhang, and Cheng Long. Mask-based Membership Inference Attacks for Retrieval- Augmented Generation. InProceedings of the ACM on Web Conference 2025, pages 2894–2907, 2025

  53. [54]

    Flippedrag: Black-box opinion manipulation adversarial attacks to retrieval-augmented generation models

    Zhuo Chen, Yuyang Gong, Jiawei Liu, Miaokun Chen, Haotan Liu, Qikai Cheng, Fan Zhang, Wei Lu, and Xi- aozhong Liu. Flippedrag: Black-box opinion manipulation adversarial attacks to retrieval-augmented generation models. InProceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security, pages 4109–4123, 2025

  54. [55]

    Membership Inference Attacks Against Machine Learning Models

    Reza Shokri, Marco Stronati, Congzheng Song, and Vitaly Shmatikov. Membership Inference Attacks Against Machine Learning Models. In2017 IEEE Symposium on Security and Privacy (SP), pages 3–18, 2017

  55. [56]

    Practical Poisoning Attacks against Retrieval-Augmented Generation.arXiv preprint arXiv:2504.03957, 2025

    Baolei Zhang, Yuxi Chen, Zhuqing Liu, Lihai Nie, Tong Li, Zheli Liu, and Minghong Fang. Practical Poisoning Attacks against Retrieval-Augmented Generation.arXiv preprint arXiv:2504.03957, 2025

  56. [57]

    Drift Detection in Text Data with Document Embeddings

    Robert Feldhans, Adrian Wilke, Stefan Heindorf, Mohammad Hossein Shaker, Barbara Hammer, Axel-Cyrille Ngonga Ngomo, and Eyke Hüllermeier. Drift Detection in Text Data with Document Embeddings. InIn- ternational Conference on Intelligent Data Engineering and Automated Learning, pages 107–118. Springer, 2021

  57. [58]

    Enhancing adversarial resilience in semantic caching for secure retrieval augmented generation systems.Scientific Reports, 16(1):5936, 2026

    Mohanad Afiffy, Mohamed Waleed Fakhr, and Fahima A Maghraby. Enhancing adversarial resilience in semantic caching for secure retrieval augmented generation systems.Scientific Reports, 16(1):5936, 2026

  58. [59]

    Towards More Robust Retrieval- Augmented Generation: Evaluating RAG Under Adversarial Poisoning Attacks.arXiv preprint arXiv:2412.16708, 2024

    Jinyan Su, Jin Peng Zhou, Zhengxin Zhang, Preslav Nakov, and Claire Cardie. Towards More Robust Retrieval- Augmented Generation: Evaluating RAG Under Adversarial Poisoning Attacks.arXiv preprint arXiv:2412.16708, 2024

  59. [60]

    DeRAG: Black-box Adversarial Attacks on Multiple Retrieval-Augmented Generation Applications via Prompt Injection.arXiv preprint arXiv:2507.15042, 2025

    Jerry Wang and Fang Yu. DeRAG: Black-box Adversarial Attacks on Multiple Retrieval-Augmented Generation Applications via Prompt Injection.arXiv preprint arXiv:2507.15042, 2025

  60. [61]

    Liu, Kevin Lin, John Hewitt, Ashwin Paranjape, Michele Bevilacqua, Fabio Petroni, and Percy Liang

    Nelson F. Liu, Kevin Lin, John Hewitt, Ashwin Paranjape, Michele Bevilacqua, Fabio Petroni, and Percy Liang. Lost in the middle: How language models use long contexts.Transactions of the Association for Computational Linguistics, 12:157–173, 2024

  61. [62]

    Out-of-context and out-of-scope: Manip- ulating large language models through minimal instruction set modifications.PLoS One, 21(2):e0341558, 2026

    Monty-Maximilian Zühlke, Daniel Kudenko, and Wolfgang Nejdl. Out-of-context and out-of-scope: Manip- ulating large language models through minimal instruction set modifications.PLoS One, 21(2):e0341558, 2026

  62. [63]

    Chi, Nathanael Schärli, and Denny Zhou

    Freda Shi, Xinyun Chen, Kanishka Misra, Nathan Scales, David Dohan, Ed H. Chi, Nathanael Schärli, and Denny Zhou. Large Language Models Can Be Easily Distracted by Irrelevant Context. In Andreas Krause, Emma Brunskill, Kyunghyun Cho, Barbara Engelhardt, Sivan Sabato, and Jonathan Scarlett, editors,Proceedings of the 40th International Conference on Machin...

  63. [64]

    Knowledge conflicts for LLMs: A survey

    Rongwu Xu, Zehan Qi, Zhijiang Guo, Cunxiang Wang, Hongru Wang, Yue Zhang, and Wei Xu. Knowledge conflicts for LLMs: A survey. In Yaser Al-Onaizan, Mohit Bansal, and Yun-Nung Chen, editors,Proceedings of the 2024 Conference on Empirical Methods in Natural Language Processing, pages 8541–8565, Miami, Florida, USA, November 2024. Association for Computationa...

  64. [65]

    When not to trust language models: Investigating effectiveness of parametric and non-parametric memories

    Alex Mallen, Akari Asai, Victor Zhong, Rajarshi Das, Daniel Khashabi, and Hannaneh Hajishirzi. When not to trust language models: Investigating effectiveness of parametric and non-parametric memories. In Anna Rogers, Jordan Boyd-Graber, and Naoaki Okazaki, editors,Proceedings of the 61st Annual Meeting of the Association for Computational Linguistics (Vol...

  65. [66]

    Adversarial and Multilingual Threats in Retrieval-Augmented Generation: From Prompt Injection to Model Exploitation

    Basma ElSaify and Mohamed Baderelden. Adversarial and Multilingual Threats in Retrieval-Augmented Generation: From Prompt Injection to Model Exploitation. In2025 2nd International Generative AI and Computational Language Modelling Conference (GACLM), pages 155–162, 2025

  66. [67]

    Enhancing noise robustness of retrieval-augmented language models with adaptive adversarial training

    Feiteng Fang, Yuelin Bai, Shiwen Ni, Min Yang, Xiaojun Chen, and Ruifeng Xu. Enhancing noise robustness of retrieval-augmented language models with adaptive adversarial training. In Lun-Wei Ku, Andre Martins, and Vivek Srikumar, editors,Proceedings of the 62nd Annual Meeting of the Association for Computational 25 APREPRINT- JUNE25, 2026 Linguistics (Volu...

  67. [68]

    Information Leakage in Embedding Models

    Congzheng Song and Ananth Raghunathan. Information Leakage in Embedding Models. InProceedings of the 2020 ACM SIGSAC conference on computer and communications security, pages 377–390, 2020

  68. [69]

    Reverse engineering convolutional neural networks through side-channel information leaks

    Weizhe Hua, Zhiru Zhang, and G Edward Suh. Reverse engineering convolutional neural networks through side-channel information leaks. InProceedings of the 55th Annual Design Automation Conference, pages 1–6, 2018

  69. [70]

    Deep learning model inversion attacks and defenses: a comprehensive survey.Artificial Intelligence Review, 58(8):242, 2025

    Wencheng Yang, Song Wang, Di Wu, Taotao Cai, Yanming Zhu, Shicheng Wei, Yiying Zhang, Xu Yang, Zhaohui Tang, and Yan Li. Deep learning model inversion attacks and defenses: a comprehensive survey.Artificial Intelligence Review, 58(8):242, 2025

  70. [71]

    Federated retrieval augmented generation for multi-product question answering

    Parshin Shojaee, Sai Sree Harsha, Dan Luo, Akash Maharaj, Tong Yu, and Yunyao Li. Federated retrieval augmented generation for multi-product question answering. In Owen Rambow, Leo Wanner, Marianna Apidianaki, Hend Al-Khalifa, Barbara Di Eugenio, Steven Schockaert, Kareem Darwish, and Apoorv Agarwal, editors,Proceedings of the 31st International Conferenc...

  71. [72]

    The Limitations of Federated Learning in Sybil Settings

    Clement Fung, Chris JM Yoon, and Ivan Beschastnikh. The Limitations of Federated Learning in Sybil Settings. In23rd International symposium on research in attacks, intrusions and defenses (RAID 2020), pages 301–316, 2020

  72. [73]

    Federated Retrieval- Augmented Generation-Based LLM for Enhanced Cyber Threat Detection in the Internet-of-Energy.IEEE Network, 40(1):13–19, 2026

    Tianxing Fu, Jia Hu, Geyong Min, Sunder Ali Khowaja, Keshav Singh, and Kapal Dev. Federated Retrieval- Augmented Generation-Based LLM for Enhanced Cyber Threat Detection in the Internet-of-Energy.IEEE Network, 40(1):13–19, 2026

  73. [74]

    Sybil Attacks and Defense on Differential Privacy based Federated Learning

    Yupeng Jiang, Yong Li, Yipeng Zhou, and Xi Zheng. Sybil Attacks and Defense on Differential Privacy based Federated Learning. In2021 IEEE 20th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pages 355–362, 2021

  74. [75]

    A Survey of Federated Learning: Advances in Architecture, Synchronization, and Security Threats.Computers, Materials & Continua, 86(3), 2026

    Faisal Mahmud, Fahim Mahmud, and Rashedur M Rahman. A Survey of Federated Learning: Advances in Architecture, Synchronization, and Security Threats.Computers, Materials & Continua, 86(3), 2026

  75. [76]

    Privacy protection in RAG: A novel method and evaluation framework.Information Processing & Management, 63(3):104505, 2026

    Yuan Zhang, Jionghan Wu, Rui Li, Tong Zhang, Yujie Song, Chuanyi Li, Shangqi Wang, Hao Shen, Jiao Yin, Jidong Ge, and Bin Luo. Privacy protection in RAG: A novel method and evaluation framework.Information Processing & Management, 63(3):104505, 2026

  76. [77]

    Efficient Byzantine-Robust and Privacy-Preserving Federated Learning on Compressive Domain.IEEE Internet of Things Journal, 11(4):7116–7127, 2024

    Guiqiang Hu, Hongwei Li, Wenshu Fan, and Yushu Zhang. Efficient Byzantine-Robust and Privacy-Preserving Federated Learning on Compressive Domain.IEEE Internet of Things Journal, 11(4):7116–7127, 2024

  77. [78]

    Fali Wang, Zhiwei Zhang, Xianren Zhang, Zongyu Wu, Tzuhao Mo, Qiuhao Lu, Wanjing Wang, Rui Li, Junjie Xu, Xianfeng Tang, et al. A Comprehensive Survey of Small Language Models in the Era of Large Language Models: Techniques, Enhancements, Applications, Collaboration with LLMs, and Trustworthiness.ACM Transactions on Intelligent Systems and Technology, 16(...

  78. [79]

    RAG-Guardrails Integration for AI Content Control

    Rakesh More. RAG-Guardrails Integration for AI Content Control. InProceedings of the 2025 18th International Conference on Computer Science and Information Technology, pages 260–268, 2025

  79. [80]

    Innovative Guardrails for Generative AI: Designing an Intelligent Filter for Safe and Responsible LLM Deployment.Applied Sciences, 15(13):7298, 2025

    Olga Shvetsova, Danila Katalshov, and Sang-Kon Lee. Innovative Guardrails for Generative AI: Designing an Intelligent Filter for Safe and Responsible LLM Deployment.Applied Sciences, 15(13):7298, 2025

  80. [81]

    Guardrails for Large Language Models: A Review of Techniques and Challenges.J Artif Intell Mach Learn & Data Sci, 3(1):2504–2512, 2025

    Syed Arham Akheel. Guardrails for Large Language Models: A Review of Techniques and Challenges.J Artif Intell Mach Learn & Data Sci, 3(1):2504–2512, 2025

Showing first 80 references.