// GLOSSARY -- AI AGENT SECURITY

What is RAG Knowledge Poisoning?

1 min read Updated

A cognitive state attack that injects fabricated statements into retrieval corpora so agents treat attacker-authored content as verified fact, corrupting downstream reasoning and decisions.

WHY IT MATTERS

RAG-powered agents trust their retrieval corpus as a source of truth. If an attacker can insert content into that corpus — through compromised documents, poisoned web pages, or manipulated knowledge bases — the agent will retrieve and act on false information.

The attack is effective because RAG retrieval feels authoritative. The agent doesn't distinguish between legitimate knowledge and injected content — both arrive through the same retrieval pipeline.

HOW POLICYLAYER USES THIS

Intercept's policy enforcement catches the downstream effects of RAG poisoning. Even if an agent's knowledge is corrupted, the tool calls it makes are still evaluated against deterministic rules.

FREQUENTLY ASKED QUESTIONS

How is content injected into RAG corpora?
Through compromised documents in shared drives, poisoned web pages that get crawled, manipulated internal wikis, or even adversarial content in email threads that get indexed.
Can RAG poisoning be detected?
It's difficult. The injected content is designed to look legitimate. Detection requires provenance tracking and cross-referencing against trusted sources — an active research area.

FURTHER READING

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept →
// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.