This study addresses the emergent security risks introduced by Retrieval-Augmented Generation (RAG), which differ from the inherent vulnerabilities of large language models (LLMs) and demand systematic governance. The work abstracts the RAG workflow into six stages and delineates three trust boundaries and four security facets, thereby clearly distinguishing threats unique to or amplified by RAG from native LLM deficiencies. Proposing a novel security paradigm centered on the knowledge access pipeline, the paper conducts a systematic literature review, threat modeling, and taxonomy development, covering dimensions such as pre-retrieval tampering, retrieval manipulation, context exploitation, and knowledge leakage. It reveals critical gaps in current defenses—including their reactive, fragmented nature and the lack of comprehensive evaluation benchmarks—and advocates for a layered, boundary-aware protection framework spanning the entire RAG lifecycle.

Retrieval-augmented generation (RAG) significantly enhances large language models (LLMs) but introduces novel security risks through external knowledge access. While existing studies cover various RAG vulnerabilities, they often conflate inherent LLM risks with those specifically introduced by RAG. In this paper, we propose that secure RAG is fundamentally about the security of the external knowledge-access pipeline. We establish an operational boundary to separate inherent LLM flaws from RAG-introduced or RAG-amplified threats. Guided by this perspective, we abstract the RAG workflow into six stages and organize the literature around three trust boundaries and four primary security surfaces, including pre-retrieval knowledge corruption, retrieval-time access manipulation, downstream context exploitation, and knowledge exfiltration. By systematically reviewing the corresponding attacks, defenses, remediation mechanisms, and evaluation benchmarks, we reveal that current defenses remain largely reactive and fragmented. Finally, we discuss these gaps and highlight future directions toward layered, boundary-aware protection across the entire knowledge-access lifecycle.