How do I reduce membership inference risk that reveals whether a document is in my RAG index?

To reduce membership inference risk that reveals whether a document is in your RAG index, treat vector databases as containing the original text for access control purposes and implement robust data classification and access control mechanisms.

Concrete controls include:

• Treat vector databases as primary data stores for governance purposes because embedding inversion attacks can reconstruct original text from embeddings. This addresses OWASP LLM02 (Sensitive Information Disclosure) by preventing unauthorized access to potentially reconstructible data.
• Implement classification inheritance where any data derived from classified inputs inherits at least the classification of its inputs. This ensures that derived data, such as embeddings, maintains the same security properties as the source data, preventing accidental disclosure.
• Enforce explicit access control on memory retrieval and use separate physical or logical vector indexes for confidential data to prevent memory contamination across sessions or tenants. This aligns with the NIST AI RMF's Govern function by establishing clear policies for data access.
• Apply least privilege to the data lifecycle, ensuring the agent retrieves only the data needed for the task, and that classification flows with the data, with downstream operations inheriting restrictions. This minimizes the exposure of sensitive information.
• Implement content classification on ingestion for RAG corpora, along with source vetting and change tracking with audit. This helps prevent RAG corpus poisoning, which could weaponize retrieved content and potentially reveal document membership.