This study addresses the significant privacy risks inherent in retrieval-augmented generation (RAG) systems when handling knowledge bases containing sensitive information. Through a systematic literature review, it presents the first comprehensive taxonomy of privacy threats and mitigation strategies specific to RAG, introducing a unified classification framework for privacy risks alongside a structured privacy-preserving workflow. The work synthesizes and critically analyzes existing attack vectors, defense mechanisms, and evaluation methodologies, thereby establishing an integrated framework that encompasses risk typologies, protection techniques, and assessment protocols. This framework provides both theoretical grounding and practical guidance for enhancing privacy preservation in RAG systems.

The continued promise of Large Language Models (LLMs), particularly in their natural language understanding and generation capabilities, has driven a rapidly increasing interest in identifying and developing LLM use cases. In an effort to complement the ingrained"knowledge"of LLMs, Retrieval-Augmented Generation (RAG) techniques have become widely popular. At its core, RAG involves the coupling of LLMs with domain-specific knowledge bases, whereby the generation of a response to a user question is augmented with contextual and up-to-date information. The proliferation of RAG has sparked concerns about data privacy, particularly with the inherent risks that arise when leveraging databases with potentially sensitive information. Numerous recent works have explored various aspects of privacy risks in RAG systems, from adversarial attacks to proposed mitigations. With the goal of surveying and unifying these works, we ask one simple question: What are the privacy risks in RAG, and how can they be measured and mitigated? To answer this question, we conduct a systematic literature review of RAG works addressing privacy, and we systematize our findings into a comprehensive set of privacy risks, mitigation techniques, and evaluation strategies. We supplement these findings with two primary artifacts: a Taxonomy of RAG Privacy Risks and a RAG Privacy Process Diagram. Our work contributes to the study of privacy in RAG not only by conducting the first systematization of risks and mitigations, but also by uncovering important considerations when mitigating privacy risks in RAG systems and assessing the current maturity of proposed mitigations.