AI Security - 4 min read

RAG Security Assessment Checklist

A RAG security assessment reviews document access, tenant isolation, retrieval permissions, prompt injection, connector behavior, logging, and data leakage paths before sensitive context moves through an AI workflow.

A RAG security assessment reviews whether retrieval-augmented generation systems expose the wrong documents, summaries, chunks, metadata, logs, or downstream outputs to the wrong user, tenant, agent, or workflow.

Why RAG needs a separate checklist

RAG systems look simple from the outside: retrieve relevant context, send it to the model, return a useful answer. The security boundary is less simple. Retrieval moves sensitive context across document stores, embeddings, connectors, prompts, logs, caches, and model responses.

If the wrong context is retrieved or logged, the model does not need to be malicious. The system has already leaked.

Checklist

Use this as a starting point before production:

  • Inventory document stores, connectors, embeddings, indexes, caches, and downstream systems.
  • Map users, tenants, agents, roles, groups, and document permissions.
  • Verify that retrieval respects source-system authorization.
  • Test whether one tenant or role can retrieve another tenant's documents.
  • Review metadata leakage through titles, snippets, chunk IDs, and filenames.
  • Test prompt injection through retrieved documents, comments, tickets, or web content.
  • Review whether retrieved content can trigger tool calls or unsafe agent actions.
  • Inspect logs, traces, analytics, and customer evidence for sensitive context.
  • Confirm how deleted or revoked documents are removed from indexes and caches.
  • Retest fixes and preserve closure evidence.

Common failure pattern

The common failure is not "the model hallucinated." It is "the retrieval layer supplied context the user should not have had." That can happen through stale permissions, copied indexes, broad service accounts, over-shared document stores, or connector shortcuts.

What to produce

A useful RAG security assessment should produce a system map, access-boundary findings, leakage paths, prompt-injection scenarios, remediation guidance, and retest-ready evidence. If the system supports enterprise customers, the evidence should be packaged for customer security review and SOC 2 readiness.

For CyberGuard, RAG is an Access and Leak problem first. The review follows sensitive context from the source document to the final place it can be seen or stored.