Build Secure RAG Systems Architecture With Threat Models and Access Controls
Most enterprise RAG deployments ship with a retrieval layer that has never seen a threat model. The embedding pipeline ingests documents with broad permissions, the vector store returns whatever the query matches, and the LLM synthesizes output from content it was never authorized to surface. That is not a security posture, it is an uncontrolled data exfiltration surface dressed up as a product feature. Building secure RAG systems architecture from the ground up requires treating the retrieval layer as a security boundary, not a search convenience. This article breaks down the threat model, the access control patterns, the isolation requirements, and the audit infrastructure that enterprise deployments must have in place before going into production.
Why Secure RAG Systems Architecture Is Underspecified, and Why That's a Liability
Traditional application security focuses on authentication, authorization, and network boundaries. RAG breaks that model because it introduces a dynamic, query-driven data retrieval step that existing frameworks don't account for. The document corpus is no longer passive storage, it becomes an active component in every LLM response, and it can be manipulated, misdirected, or over-permissioned in ways that bypass every upstream access control you've built.
Most organizations bolt security onto RAG after the architecture is already committed. They add API authentication at the front door and call it done. What they don't address is what happens inside the retrieval step: which documents get returned, to whom, and whether any filtering logic enforces the same rules as the rest of the system. In JEH Consulting's RAG engagements, the most common security gap is not at the LLM layer, it's in the embedding pipeline, where ingestion permissions are broad and retrieval filters are absent. Most clients arrive without a threat model documented for their retrieval system.
That gap is a liability. Regulators and auditors increasingly treat AI systems as data systems subject to the same access control, logging, and governance obligations. A RAG deployment with no documented threat model is an undocumented risk, and in regulated industries, undocumented risk is non-compliance by default.
The RAG Threat Model: What You're Actually Defending Against
RAG pipelines introduce a retrieval surface that traditional application security models don't account for. The document corpus becomes an attack vector, not just a data store. Access control must be enforced at query time with the same rigor applied to API endpoints.
Four threat vectors are specific to RAG and largely absent from conventional software security models.
Over-permissioned embedding pipelines are the most common starting point for failure. When ingestion jobs run with broad service account credentials, they index documents regardless of the originating permission context. The vector store then inherits that over-permission silently, there is no record of what a given user should or should not see, because that context was never captured at index time.
Prompt Injection and Retrieval Hijacking
Prompt injection via retrieved documents is one of the most frequently cited attack patterns in enterprise LLM deployments in 2026. It requires no credential compromise, an attacker only needs to influence what gets indexed. A malicious actor embeds instruction text inside a document that looks like legitimate content. When the retrieval system surfaces that document, the LLM interprets the embedded instructions as part of its task context, not as retrieved data. The attack propagates invisibly through the pipeline.
Preventing this requires output encoding at the retrieval layer. Retrieved chunks must be structurally separated from the system prompt, never concatenated as free text. The OWASP LLM Top 10 lists prompt injection (LLM01) as the primary risk category for LLM-integrated systems. A strict retrieved-content wrapper, combined with input sanitization before embedding, reduces the attack surface materially.
Retrieval hijacking is the access control failure mode: the system returns documents the requestor has no clearance to see, not because of a breach, but because no retrieval-time filter was enforced. The query executes successfully, the documents are returned, and the LLM synthesizes a response from content that should have been inaccessible. No alarm fires because nothing technically failed.
Data Poisoning and Index Integrity
Data poisoning targets the vector index directly. An attacker, internal or external, introduces documents that embed false context, biased conclusions, or manipulated instructions into the corpus. Because retrieval is semantic rather than exact-match, poisoned content can surface across a wide range of queries without any single obvious trigger. Index integrity controls must include provenance tracking for every ingested document: who submitted it, when, through what pipeline, and whether it passed validation gates before embedding.
Vector Database Access Control: Enforcing Boundaries at the Retrieval Layer
Understanding how vector databases function in enterprise search environments is a prerequisite for securing them. The retrieval system security failure most organizations make is enforcing access control only at the application layer, checking permissions before the user submits a query, but not when the vector store executes it. Those are two different enforcement points, and only one of them matters at retrieval time.
Role-Based and Attribute-Based Access at Query Time
Vector database access control must operate at query execution, not just at session establishment. Two patterns handle this in production: role-based access control (RBAC) and attribute-based access control (ABAC).
RBAC assigns document namespaces or collections to roles, and queries are scoped to the namespaces the requesting role can access. This works well for coarse-grained segmentation, separating HR documents from engineering runbooks, for example. ABAC goes further: metadata attributes on each embedded chunk (classification level, department, project ID, data sensitivity tag) are evaluated dynamically against the requestor's attribute set at query time. The retrieval filter is not a pre-query gate. It is a per-result filter applied inside the retrieval operation.
Pinecone, Weaviate, Qdrant, and similar vector stores support namespace isolation and metadata filtering natively. The failure mode is not a missing feature, it is an architectural omission: developers deploy without configuring retrieval-time filters because the system returns results without them. Silence is not authorization. Every production RAG deployment must have an explicit, documented retrieval filter policy: what attributes are evaluated, in what order, and what happens when a document has no metadata.
Data Isolation and Retrieval System Security Across Multi-Tenant Environments
Multi-tenant RAG deployments running a shared vector index without namespace isolation are one architectural omission away from a compliance failure. A SaaS platform deploying RAG over customer data has a concrete risk: Tenant A's proprietary documents surface in Tenant B's query results, not through a breach, but through missing segmentation. That is not a misconfiguration that gets patched quietly. Under SOC 2 or GDPR, it is a reportable data exposure event.
Chunking, Embedding, and Isolation Boundaries
Isolation must be enforced at every stage of the RAG pipeline, not just at query time. At ingestion, each chunk must carry a tenant identifier as a non-nullable metadata field. The embedding job must validate that identifier before indexing, no identifier, no index entry. At query time, the tenant context from the authenticated session must be injected into the retrieval filter as a hard constraint, not an optional parameter.
Shared embedding models do not automatically create shared embedding spaces, but shared indexes do create shared retrieval spaces. Tenant-scoped namespaces or separate index collections per tenant are the correct architectural patterns for enterprise secure AI architecture. The infrastructure cost is real but bounded. The cost of cross-tenant data exposure, regulatory, reputational, contractual, is not.
The chunking strategy itself affects isolation integrity. Overlapping or sliding-window chunks that span document boundaries can embed content from multiple source documents into a single vector. If those source documents belong to different tenants or classification levels, the resulting chunk is a security boundary violation before the query even runs. Chunk boundaries must align with document-level access boundaries, not just with token count optimization.
This is why approaching enterprise RAG implementation from a systems engineering perspective matters, security properties emerge from structural decisions made during pipeline design, not from controls layered on afterward.
RAG Compliance Requirements: Audit Trails and Governance Infrastructure
A healthcare organization deploying RAG over clinical documentation must treat every query as a potential PHI exposure event. Query logs, retrieved chunk identifiers, and LLM outputs must all be correlated and retained to satisfy HIPAA audit requirements. Most off-the-shelf RAG frameworks do not provide this out of the box.
A defensible audit trail for a production RAG system has four required components.
Query logs capture the full query text, the authenticated user identity, the timestamp, and the session context. Partial logging, recording only that a query occurred, is insufficient for compliance. The query content itself is the record.
Retrieved chunk provenance records which specific chunks were returned for each query: chunk identifiers, source document metadata, retrieval scores, and the filter parameters that were active at retrieval time. This is the evidence layer that proves what content the LLM had access to when generating its response.
LLM response correlation links each generated output back to its retrieval event. This correlation must be maintained as a tamper-evident record, not a log file that can be overwritten, but an append-only audit store.
Access event records capture every retrieval attempt, including rejected queries where access filters blocked results. Rejected access attempts are as important as successful ones. They are the evidence that controls are functioning.
For HIPAA §164.312 technical safeguards, SOC 2 Type II, and FedRAMP Moderate controls, all four components are non-negotiable. They are also the foundation for closed-loop AI workflow design, you cannot close the loop on a system whose outputs you cannot trace.
This infrastructure also supports enterprise AI governance obligations that have grown more prescriptive through 2026: organizations must demonstrate not just that access controls exist, but that they functioned correctly on every retrieval event. Audit logs are the mechanism of demonstration.
RAG Security Best Practices: A Systems Engineering Checklist
This is a minimum-viable security baseline for the four structural layers required to operationalize generative AI in enterprise environments. If a RAG deployment cannot check every item on this list, it is not production-ready for regulated or sensitive data.
Threat model documentation
- Threat model exists in writing, covers all four RAG-specific vectors: prompt injection, retrieval hijacking, data poisoning, over-permissioned pipelines
- Threat model is reviewed at each major change to corpus, pipeline, or retrieval logic
Retrieval-layer access gates
- Retrieval-time metadata filters enforced on every query, no query executes without a scope constraint
- RBAC or ABAC policy documented and tested; no role returns results outside its namespace
- Retrieval filter failures result in zero results returned, not unfiltered results
Index integrity controls
- Every ingested document has provenance metadata: source, submitter, timestamp, classification
- Ingestion pipeline validates metadata completeness before embedding, no metadata, no ingestion
- Chunk boundaries respect document-level access boundaries; no cross-document chunks across classification levels
Prompt injection defense
- Retrieved chunks are structurally isolated from the system prompt in every LLM call
- Input sanitization applied before embedding to strip instruction-pattern text
- LLM output monitoring in place to detect anomalous instruction-following behavior
Audit logging
- Query logs capture full query text, user identity, timestamp, active filters
- Chunk provenance logged per query: chunk IDs, source document metadata, retrieval scores
- LLM responses correlated to retrieval events in tamper-evident append-only store
- Rejected access attempts logged with same fidelity as successful retrievals
Multi-tenant isolation
- Tenant identifiers as non-nullable metadata on all chunks
- Separate namespaces or index collections per tenant, no shared indexes across tenants
- Tenant context injected as hard retrieval constraint, not optional parameter
Red-team and validation
- Red-team exercise conducted against retrieval layer before production launch, testing cross-tenant leakage and prompt injection paths
- Retrieval filter bypass attempts documented and validated as blocked
- Quarterly review of access control configuration against current threat model
If your RAG system cannot pass this checklist before go-live, the risk is not theoretical, it is structural. A retrieval layer without a documented threat model, enforced access controls, and audit infrastructure is an uncontrolled data surface, regardless of what the LLM layer does downstream.
JEH Consulting conducts structured secure RAG architecture assessments: threat model documentation, retrieval-layer access control review, index integrity audit, and compliance gap analysis against HIPAA, SOC 2, and FedRAMP requirements. If your RAG deployment is in production or approaching it, contact us to schedule an assessment before the next query returns something it shouldn't.