
Execution & Tools

Retriever

The retriever is the RAG component that selects and returns relevant documents to augment the model’s context.

Plane: Execution & Tools
Flow steps: 7
Frameworks: NIST 800-53 · OWASP LLM02/08

Technology

Why use it

Augment the model with up-to-date knowledge by retrieving relevant documents.

Why it matters to security

A leak and injection point: it must filter by permissions (a user retrieves only what they may see) and treat documents as untrusted.

Implementations: LlamaIndex · LangChain Retrievers · Azure AI Search · Elastic

Retrieval must respect permissions: a RAG with no access control is organized leakage.

Recommendations by maturity tier


Foundation

Minimum viable baseline
  • Result filtering by the user’s permissions.
    NIST 800-53 AC-3 · AC-4
    Retrieve only documents the caller is entitled to.
  • Retrieved content treated as untrusted.
    OWASP LLM01:2025
    A document may contain indirect injection.
  • Retrieval logging.
    NIST 800-53 AU-2
    Know which document fed which answer.

Enterprise

Enterprise standard
  • Attribute-based access control at document level.
    NIST 800-53 AC-16 · OWASP LLM02:2025
    Document sensitivity modulates its retrieval.
  • Redaction at retrieval.
    NIST 800-53 SI-15
    Sensitive fields are masked before reaching the model.
  • Source-provenance validation.
    NIST 800-53 SR-4
    An untrusted source does not enter the context.

Advanced

High-assurance / regulated
  • Retrieval decision delegated to the PDP (PBAC).
    NIST 800-53 AC-24
    “Can this caller see this document now” is a policy decision.
  • Index-poisoning detection.
    NIST 800-53 SI-4 · OWASP LLM08:2025
    Embeddings manipulated to bias retrieval are spotted.
  • Grounding verification of answers on sources.
    NIST AI 600-1 MS-2.3-003
    The answer must rely on what was actually retrieved.

Architecture notes

  • RAG must inherit permissions, not bypass them.
    Indexing everything risks exposing everything.
    Apply access control at retrieval time, per user and per document.
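
The following is an added example, not code from this page or from any of the listed implementations. It shows the Foundation controls and the architecture note in one retrieval function: results are filtered by the caller's permissions before the top-k cut, documents without an ACL are denied by default, and every retrieval is logged. The `Doc` fields, group names, logger name and sample index are assumptions constructed for illustration.

```python
import json
import logging
from dataclasses import dataclass

audit = logging.getLogger("retrieval.audit")  # hypothetical logger name

@dataclass(frozen=True)
class Doc:
    doc_id: str
    text: str
    allowed_groups: frozenset  # ACL inherited from the source system at index time
    score: float               # similarity score returned by the vector search

def authorized(doc, caller_groups):
    # Deny by default: a document indexed without an ACL is visible to nobody.
    return bool(doc.allowed_groups & caller_groups)

def retrieve(user, caller_groups, query, candidates, k=2):
    """Return the top-k documents the caller may see and log the decision."""
    ranked = sorted(candidates, key=lambda d: d.score, reverse=True)
    # Filter BEFORE truncating to k: cutting first and filtering afterwards lets
    # documents the caller cannot see crowd permitted ones out of the result.
    permitted = [d for d in ranked if authorized(d, caller_groups)]
    hits = permitted[:k]
    # AU-2: record which documents fed the answer and how many were withheld.
    audit.info(json.dumps({
        "user": user,
        "query": query,
        "returned": [d.doc_id for d in hits],
        "denied": len(ranked) - len(permitted),
    }))
    return hits

# Constructed sample index (not real data). The two highest-scoring entries
# are exactly the ones a "staff" caller must not receive.
INDEX = [
    Doc("tmp-99", "Bulk import with no ACL attached", frozenset(), 0.99),
    Doc("hr-001", "Salary bands", frozenset({"hr"}), 0.93),
    Doc("kb-010", "VPN setup guide", frozenset({"staff", "hr"}), 0.88),
    Doc("kb-011", "Printer troubleshooting", frozenset({"staff"}), 0.80),
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for doc in retrieve("alice", frozenset({"staff"}), "vpn", INDEX):
        print(doc.doc_id, doc.text)
```

With this sample index, a naive top-2 followed by a permission check would hand the `staff` caller an empty result, while filtering first returns the two documents the caller is entitled to.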

References

NIST SP 800-53 Rev5
AC-3, AC-4 (Information Flow), AC-16 (Attributes), AC-24, SI-15, SR-4.
OWASP LLM02 / LLM08:2025
Sensitive Information Disclosure and Vector & Embedding Weaknesses.
NIST AI 600-1
MS-2.3-003 — grounding verification (fact-checking).

Abbreviations

PDP: Policy Decision Point
PEP: Policy Enforcement Point
PIP: Policy Information Point
PAP: Policy Administration Point
IdP: Identity Provider
TSS: Token Service
NHI: Non-Human Identity
RBAC: Role-Based Access Control
ABAC: Attribute-Based Access Control
MFA: Multi-Factor Authentication
HITL: Human-in-the-loop
JIT: Just-In-Time
CAE: Continuous Access Evaluation
CAEP: Continuous Access Evaluation Profile
DPoP: Demonstrating Proof-of-Possession
mTLS: mutual TLS
PII: Personally Identifiable Information
KMS: Key Management Service
CI/CD: Continuous Integration / Continuous Delivery
SIEM: Security Information and Event Management
SOAR: Security Orchestration, Automation and Response
SCIM: System for Cross-domain Identity Management
XACML: eXtensible Access Control Markup Language
OPA: Open Policy Agent
OWASP: Open Worldwide Application Security Project
NIST: National Institute of Standards and Technology
ATLAS: Adversarial Threat Landscape for Artificial-Intelligence Systems
LLM: Large Language Model
WAF: Web Application Firewall
CDN: Content Delivery Network
DDoS: Distributed Denial of Service
DLP: Data Loss Prevention
JWT: JSON Web Token
API: Application Programming Interface
CRS: Core Rule Set (OWASP)
RAG: Retrieval-Augmented Generation
MCP: Model Context Protocol
PBAC: Permission-Based Access Control
HSM: Hardware Security Module
UEBA: User and Entity Behavior Analytics
SBOM: Software Bill of Materials
SLSA: Supply-chain Levels for Software Artifacts
WORM: Write Once, Read Many
SPIFFE: Secure Production Identity Framework For Everyone