# Prompt injection and corpus poisoning — the RAG gap vendors smooth over.


*Security · Retrieval · April 2026 · April 2026 · 8 min read*


A normal-looking document hides instructions that derail policy or leak index content. This is not sci-fi — it is a realistic attack pattern that needs operational defense, not a marketing disclaimer.

In a security workshop, an engineer uploaded a file titled "leave policy — draft." Hidden instructions told the model to ignore prior rules and invent an account number. Retrieval fired, generation followed — output left policy despite a "locked down" UI [1].

Prompt injection exploits the fact that LLMs do not separate "system instructions" from "document text" like a classical program. Corpus poisoning places malicious content where retrieval will surface it [2].


## A simple threat map: file to response.
Attackers often do not need firewall breaches — they need upload rights or a poisoned wiki. Treat knowledge-base write permissions like database roles — not like a shared drive [1][3].


*[Figure: FIG. 1 — RAG THREAT PATH: UPLOAD → CHUNK → INDEX → RETRIEVE → LLM]*


## Operational defenses we run with regulated clients.
Separate upload from publish: new files do not hit the production index without raw-text review and alert keywords. Log uploader identity. Constrain generation policy for low-trust sources [3][5].


> The index is not a library — it is an attack surface if everyone can write to it.


## Effort numbers: prevention vs post-incident counsel.
A upload-review gate often takes one to three engineering days to stand up — versus weeks of legal review if a wrong answer reaches an external customer. Directional from our projects [5].


## Caveats: defense is not a keyword blocklist.
Models are linguistically flexible; symbolic blocks are bypassed. Combine document governance, output policy, and periodic red-team samples [1].


## Closing.
Prompt injection and corpus poisoning show RAG expands surface area — it does not shrink it. Tie defenses to [RAG metrics](/en/journal/five-rag-metrics-before-blaming-llm-2026) and [MCP boundaries](/en/journal/mcp-enterprise-boundaries-2026) when wiring tools. If you cannot name who may upload to the corpus this month, you still run an open index.


## Frequently asked questions.
- Is content filtering enough? Partially; governance beats filters alone [1].
- Shared vendor documents? Contract access and mutual upload review.
- Insider-only threat? Often yes — permissions first [3].
- How to test? Poisoned fixtures in an isolated environment pre-production.
- Does private AI fix it? It reduces external leakage but not malicious internal upload; read [Private AI](/en/private-ai).


## Sources.
[1] OWASP — LLM Top 10. https://owasp.org/www-project-top-10-for-large-language-model-applications/

[2] Perez & Ribeiro — Ignore Previous Prompt (NAACL 2022 workshop). https://aclanthology.org/

[3] NIST — AI RMF. https://www.nist.gov/itl/ai-risk-management-framework

[4] MITRE ATLAS. https://atlas.mitre.org/

[5] Nuqta — internal KB security checklists, April 2026.