Security and Privacy in Retrieval-Augmented Generation: Architectures, Threats, Defenses, and Future Directions for Building Trustworthy Systems

📅 2026-06-24
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the security and privacy risks inherent in Retrieval-Augmented Generation (RAG) systems—such as sensitive data leakage and knowledge base tampering—by proposing the first unified threat taxonomy that spans the entire RAG pipeline, including retrieval, context construction, and generation. It systematically analyzes attack surfaces across centralized, on-device (Micro-RAG), federated, and hybrid deployment paradigms, and integrates corresponding defense mechanisms leveraging techniques like differential privacy, secure aggregation, and encrypted retrieval. The study provides a comprehensive survey of existing research, clarifies the trade-offs between privacy and utility, highlights practical deployment challenges, and identifies critical open problems, thereby establishing a theoretical foundation and charting future directions for developing trustworthy, secure, and robust RAG systems.
📝 Abstract
Retrieval-Augmented Generation (RAG) has emerged as a dominant paradigm for enhancing large language models with external knowledge. By coupling retrieval mechanisms with generative models, RAG systems improve factual grounding and adaptability across domains. However, integrating retrieval pipelines introduces new security and privacy risks that extend beyond conventional language modeling threats. Sensitive information may be exposed through retrieval indices, query logs, context construction, or federated updates, while adversarial manipulation of knowledge bases can undermine trust in generated outputs. This survey provides a comprehensive examination of privacy and security challenges across RAG systems deployed in centralized, on-device (Micro-RAG), federated, and hybrid paradigms. We present a unified taxonomy of threat surfaces spanning the retrieval, context construction, and generation stages and systematically analyze attack classes, including membership inference, index inference, poisoning, gradient leakage, and collusion. We further review architectural, algorithmic, and cryptographic defenses, highlighting privacy-utility trade-offs and deployment considerations. Finally, we outline open research challenges toward building trustworthy, secure, and resilient RAG systems for real-world applications.
Problem

Research questions and friction points this paper is trying to address.

Retrieval-Augmented Generation
Security
Privacy
Threats
Trustworthy Systems
Innovation

Methods, ideas, or system contributions that make the work stand out.

Retrieval-Augmented Generation
Security and Privacy
Threat Taxonomy
Federated RAG
Privacy-Preserving Defenses
B
Balamurugan Palanisamy
Department of Electrical and Electronics Engineering, Birla Institute of Technology and Science, Pilani, Pilani Campus, Vidya Vihar, Pilani, Rajasthan 333031, India
G
G S S Chalapathi
Department of Electrical and Electronics Engineering, Birla Institute of Technology and Science, Pilani, Pilani Campus, Vidya Vihar, Pilani, Rajasthan 333031, India
V
Vikas Hassija
Department of Computer Engineering, KIIT University, Bhubaneshwar, Odisha 751024, India
Rajkumar Buyya
Rajkumar Buyya
School of Computing and Information Systems, The Uni of Melbourne; Fellow of IEEE & Academia Europea
Cloud ComputingData CentersEdge ComputingInternet of ThingsQuantum Computing