Slide 17 of 27
Slide 17 · The Pattern
What all three scenarios share.
The attack surface is always the knowledge base — never the user’s prompt.
The Common Thread

In every LLM08 scenario: the attack enters through the knowledge base ingestion pipeline or the retrieval layer, not through a user’s query. The LLM is an innocent participant — it follows the context it’s given. Defending the model without defending what feeds it defends the wrong thing.

📄 Resume attack (Scenario 1)
Attack entered via document upload. Defense required: sanitize at ingestion before embedding.
🏥 Multi-tenant leakage (Scenario 2)
Attack enabled by missing ACL at retrieval time. Defense required: permission-aware vector store enforced per query.
🏢 ConfusedPilot (Scenario 3)
Attack entered via any indexed document. Defense required: retrieval monitoring plus embedding persistence limits.
The Security Model to Internalize

A RAG system is only as trustworthy as what it retrieves. Securing the prompt while leaving the knowledge base unguarded is a false sense of safety.
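To make the three defenses in the scenario cards concrete, here is an added example (not part of the deck) of a toy permission-aware store that applies sanitization at ingestion, a per-query tenant ACL enforced before similarity ranking, and a TTL plus audit log for retrieval monitoring. The bag-of-words "embedding", the tenant ids and the document texts are constructed stand-ins, not a real embedding model or real data.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass, field

# Invisible characters commonly used to hide text inside otherwise normal documents.
ZERO_WIDTH = re.compile(r"[\u200b\u200c\u200d\u2060\ufeff]")

def sanitize_at_ingestion(text: str) -> str:
    """Scenario 1: clean the document BEFORE it is embedded (strip zero-width
    characters, collapse whitespace). Sanitizing after retrieval is too late."""
    return re.sub(r"\s+", " ", ZERO_WIDTH.sub("", text)).strip()

def embed(text: str) -> Counter:
    """Stand-in for an embedding model: bag-of-words term counts (constructed)."""
    return Counter(re.findall(r"[a-z0-9]+", text.lower()))

def cosine(a: Counter, b: Counter) -> float:
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

@dataclass
class Chunk:
    text: str
    tenant: str         # owner recorded at ingestion; the ACL travels with the vector
    vector: Counter
    ingested_at: float  # caller-supplied timestamp (seconds)

@dataclass
class PermissionAwareStore:
    ttl_seconds: float  # Scenario 3: embeddings expire and must be re-ingested from source
    chunks: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)  # Scenario 3: retrieval monitoring

    def ingest(self, text: str, tenant: str, now: float) -> str:
        clean = sanitize_at_ingestion(text)
        self.chunks.append(Chunk(clean, tenant, embed(clean), now))
        return clean

    def retrieve(self, query: str, tenant: str, now: float, k: int = 3) -> list:
        """Scenario 2: the tenant filter is applied BEFORE similarity ranking, so a
        near-identical chunk owned by another tenant can never reach the prompt."""
        visible = [c for c in self.chunks
                   if c.tenant == tenant and now - c.ingested_at <= self.ttl_seconds]
        q = embed(query)
        hits = sorted(visible, key=lambda c: cosine(q, c.vector), reverse=True)[:k]
        self.audit_log.append({"tenant": tenant, "query": query, "hits": [c.text for c in hits]})
        return [c.text for c in hits]
```

The audit log is what a retrieval monitor would consume: a tenant repeatedly pulling the same chunk for unrelated queries, or a chunk that surfaces for nearly every query, is the signal the ConfusedPilot card asks you to watch for.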
