RAG Databases - AI Security Technique
AI Security TechniqueAdversaries may prompt the AI service to retrieve data from a RAG database. This can include the majority of an organization's internal documents.
Overview
A source-backed snapshot of this AI security technique.
Technique details
Identifiers, maturity, and source taxonomy for this technique.
- ATLAS ID
- AML.T0085.000
- Maturity
- demonstrated
- Priority score
- 42
Attack flow
How to read the public records connected to this technique.
Impact
Why this technique may deserve attention in the current dataset.
- Evidence leveldemonstrated
- Mapped defenses4 ATLAS mitigation records
- Public examples1 linked case study records
- Research risks0 related MIT AI Risk records above the confidence threshold
- Vulnerabilities0 linked CVE records
Mitigations
Defenses that may help against this attack.
AML.M0024 - AI Telemetry Logging
Log requests to AI services to detect malicious queries for data.
AML.M0026 - Privileged AI Agent Permissions Configuration
Configuring privileged AI agents with proper access controls can limit an adversary's ability to collect data from RAG Databases if the agent is compromised.
AML.M0032 - Segmentation of AI Agent Components
Segmentation can prevent adversaries from utilizing tools in an agentic workflow to collect sensitive data from RAG databases.
AML.M0027 - Single-User AI Agent Permissions Configuration
Configuring AI agents with permissions that are inherited from the user can limit an adversary's ability to collect data from RAG Databases if the agent is compromised.
Case studies
Examples from public reports and exercises.
Data Exfiltration via Agent Tools in Copilot Studio
Researchers from Zenity demonstrated how an organization’s data can be exfiltrated via prompt injections that target an AI-powered customer service agent.
The target system is a customer service agent built by Zenity in Copilot Studio. It is modeled after an agent built by McKinsey to streamline its customer service needs. The AI agent listens to a customer service email inbox where customers send their engagement requests. Upon receiving a request, the agent looks at the customer’s previous engagements, understands who the best consultant for the case is, and proceeds to send an email to the respective consultant regarding the request, including all of the relevant context the consultant will need to properly engage with the customer.
The Zenity researchers begin by performing targeting to identify an email inbox that is managed by an AI agent. Then they use prompt injections to discover details about the AI agent, such as its knowledge sources and tools. Once they understand the AI agent’s capabilities, the researchers are able to craft a prompt that retrieves private customer data from the organization’s RAG database and CRM, and exfiltrate it via the AI agent’s email tool.
Vendor Response: Microsoft quickly acknowledged and fixed the issue. The prompts used by the Zenity researchers in this exercise no longer work, however other prompts may still be effective.
Source evidence
Original public records and references for this page.
Original source
Original source links
Open the public records and source datasets used for this page.
