Security and Privacy in Retrieval-Augmented Generation: Architectures, Threats, Defenses, and Future Directions for Building Trustworthy Systems

A comprehensive survey maps the expanding attack surface of retrieval-augmented generation systems across centralized, federated, and edge deployments. As RAG becomes the standard production pattern for grounding LLMs with external knowledge, the paper catalogs novel threat vectors emerging from retrieval indices, query logs, and knowledge base poisoning that fall outside traditional language model security frameworks. The work signals that production RAG deployments now require threat modeling distinct from base model risks, reshaping how teams architect trustworthy systems at scale.
Modelwire context
Analyst takeThe survey's most consequential framing is that RAG-specific threats, particularly knowledge base poisoning and query log exposure, don't map cleanly onto existing LLM red-teaming playbooks, meaning teams that have invested in base model security are not covered and face a distinct compliance and engineering gap.
The federated RAG threat surface connects directly to coverage of TL++ (from the same day), which addressed privacy leakage in distributed training through secret-shared activations. That work assumed the training pipeline as the attack surface; this survey extends the concern downstream to inference-time retrieval indices and knowledge bases, suggesting the security perimeter in federated ML deployments is wider than either paper treats in isolation. The MedGuards multi-agent safety work is also relevant here: compositional guardrails designed for output correction don't address poisoned retrieval inputs upstream, a gap this survey makes explicit.
Watch whether major cloud RAG providers (AWS Bedrock, Azure AI Search, Google Vertex) publish updated threat models or compliance documentation within the next two quarters that specifically address retrieval-layer attack vectors. Adoption of this survey's taxonomy by a major provider would confirm the field is moving from academic cataloging to enforceable production standards.
Coverage we drew on
This analysis is generated by Modelwire’s editorial layer from our archive and the summary above. It is not a substitute for the original reporting. How we write it.
MentionsRetrieval-Augmented Generation · Large Language Models · Federated Learning · Micro-RAG
Modelwire Editorial
This synthesis and analysis was prepared by the Modelwire editorial team. We use advanced language models to read, ground, and connect the day’s most significant AI developments, providing original strategic context that helps practitioners and leaders stay ahead of the frontier.
Modelwire summarizes, we don’t republish. The full content lives on arxiv.org. If you’re a publisher and want a different summarization policy for your work, see our takedown page.