Back to Courses

The LLM & RAG Threat Model: OWASP LLM Top 10

A RAG system joins your private data, a retrieval layer, an LLM, and often tools — every join is a new trust boundary. This opening lesson maps the OWASP Top 10 for LLM Applications onto a RAG pipeline and builds the threat model the rest of the week defends, with the regulated-industries stakes kept front of mind.

1Threat Model2Prompt Injection3PII/PHI De-ID4Data-Layer Security5Provenance & Audit
Day 1 Progress0%

Why RAG Expands the Attack Surface

A plain LLM call has a small attack surface: a prompt goes in, text comes out. A RAG system is a different animal. It stitches together your private data store, a retrieval layer, an LLM, and — increasingly — tools that take actions. Each seam where one component hands data to another is a new trust boundary, and security lives or dies at those boundaries.

The Four New Trust Boundaries

  1. Ingestion — you pull documents from wikis, tickets, PDFs, uploads. Some of that content was written by people you don't control.
  2. Retrieval — at query time the system pulls chunks back out and places them into the prompt. The model now reads text it didn't author and can't distinguish from your instructions.
  3. Generation — the model's output may be rendered as HTML, run as a tool call, or stored — so an unsafe output becomes an unsafe action.
  4. Tools / actions — an agentic RAG system can send email, run queries, or call APIs. The blast radius of a bad decision is no longer "a wrong sentence."

The Regulated-Industries Stake

For a consumer chatbot, a bad answer is embarrassing. For a RAG system over patient records, financial data, or legal files, the failure modes are compliance incidents:

  • A retrieved chunk leaks one patient's PHI into another patient's answer → a HIPAA breach.
  • The model invents a confident, wrong figure in a financial summary → a disclosure problem.
  • A user with no entitlement retrieves a document they shouldn't see → an access-control violation.
The mission of this track is the site's mission narrowed to one lens: production AI infrastructure for engineers shipping RAG into regulated industries. Security isn't a feature you bolt on at the end — it's the property that makes the system shippable at all.

Security Is a Property of the Whole Pipeline

You can't secure a RAG system by hardening one component. A perfectly locked-down vector store doesn't help if the prompt-assembly step trusts a malicious retrieved chunk. This week works boundary by boundary: the threat model (today), input defenses (Day 2), data minimization (Day 3), the data layer (Day 4), and provenance/audit (Day 5).

Key Takeaways
  • RAG adds four trust boundaries — ingestion, retrieval, generation, and tools — and security is decided at each seam, not in any one component
  • Retrieved documents are untrusted input: they came from content you ingested, which may include attacker-controlled text
  • In regulated industries, RAG failures (PHI leakage, fabricated figures, unauthorized retrieval) are compliance incidents, not cosmetic bugs

AI Learning Assistant

Powered by advanced LLM

Get personalized help with concepts, code examples, and explanations tailored to your learning pace.

Course Stats

Estimated Time
50 min
Lessons
5 sections

Up Next

Day 2

Prompt Injection