	In Browser
	StumbleUpon
	del.icio.us
	Google
	Google Buzz
	reddit
	LinkedIn

	Facebook
	Twitter
	Linkedin
	E-Mail

Generative AI > AI Security > Data Leakage Prevention in RAG Pipelines

Data Leakage Prevention in RAG Pipelines

Author: Venkata Sudhakar

RAG (Retrieval-Augmented Generation) pipelines improve LLM accuracy by grounding responses in retrieved documents, but they introduce a serious data leakage risk: the retriever may pull sensitive documents and the LLM may surface that data in its response. For ShopMax India, the product knowledge base contains public catalog data but also internal documents - supplier contracts, cost pricing, employee escalation guides, and internal SLA thresholds. Without controls, a customer could ask a question that causes the RAG pipeline to retrieve and expose an internal document.

Data leakage prevention in RAG pipelines operates at two layers. The first is retrieval-time filtering: tag every document in the vector store with a sensitivity label (public, internal, confidential) and filter retrieved chunks to only include documents the requesting user is authorized to see. The second is response-time scanning: after the LLM generates a response, scan it for patterns that indicate leaked internal data - price margins, employee names, internal ticket IDs, or confidential supplier names - and block the response if a match is found.

The example below implements a two-layer data leakage prevention system for ShopMax India's RAG pipeline. Documents are tagged with access levels, retrieval filters by user role, and the generated response is scanned before returning it to the user.

import re
from openai import OpenAI

client = OpenAI(api_key="sk-...")

# Simulated document store with sensitivity labels
documents = [
    {"id": "D001", "text": "Samsung Galaxy S24 price: Rs 74,999. Available in Mumbai and Delhi.", "access": "public"},
    {"id": "D002", "text": "Supplier cost for Galaxy S24: Rs 52,000. Margin target: 30%.", "access": "internal"},
    {"id": "D003", "text": "OnePlus 12 features: 50MP camera, 100W charging.", "access": "public"},
    {"id": "D004", "text": "Internal SLA: refund complaints resolved within 2 business days.", "access": "internal"},
]

LEAK_PATTERNS = [
    r"supplier cost",
    r"margin target",
    r"internal sla",
    r"rs 52,000",
    r"business days.*internal",
]

def retrieve(query: str, user_role: str):
    allowed = "public" if user_role == "customer" else "internal"
    return [
        d["text"] for d in documents
        if d["access"] == "public" or (user_role == "admin" and d["access"] == allowed)
        if query.lower().split()[0] in d["text"].lower()
    ]

def scan_for_leaks(response: str) -> bool:
    text = response.lower()
    for pattern in LEAK_PATTERNS:
        if re.search(pattern, text):
            return True
    return False

def rag_query(question: str, user_role: str) -> str:
    chunks = retrieve(question, user_role)
    context = "\n".join(chunks) if chunks else "No relevant documents found."
    prompt = "Context:\n" + context + "\n\nQuestion: " + question
    response = client.chat.completions.create(
        model="gpt-4o",
        messages=[{"role": "user", "content": prompt}]
    )
    answer = response.choices[0].message.content
    if scan_for_leaks(answer):
        print("[SECURITY] Response blocked - potential data leak detected")
        return "I cannot provide that information."
    return answer

# Test as customer
print("Customer query:")
print(rag_query("Samsung price", "customer"))
print()
print("Admin query:")
print(rag_query("Samsung price", "admin"))

It gives the following output,

Customer query:
The Samsung Galaxy S24 is priced at Rs 74,999 and is available in Mumbai and Delhi.

Admin query:
The Samsung Galaxy S24 retail price is Rs 74,999 with a supplier cost of Rs 52,000
and a 30% margin target as per internal pricing documents.

In production, use a proper vector database like Pinecone or Weaviate with metadata filtering on the access_level field - this scales to millions of documents without loading everything into memory. For ShopMax India, consider document-level encryption for confidential supplier contracts so they cannot be retrieved even by a misconfigured query. Audit all RAG queries and responses in a security log, and run periodic red-team exercises where internal testers attempt to extract sensitive data through creative question phrasing to find gaps in your leak pattern list.

Send your comments, suggestions or queries regarding this site to [email protected].