When Retrieval Strategy Is Attackable

Why agents dynamically deciding retrieval strategy create new manipulation opportunities

The Conventional Framing

Agentic RAG uses an agent to decide retrieval strategy dynamically. The agent determines what to search for, which sources to query, and when to stop retrieving.

The pattern enables sophisticated retrieval behavior that adapts to query complexity.

Why This Adds Control Points for Attackers

Every decision the agent makes about retrieval strategy is a decision that can be influenced by injection. Which source to query? What terms to use? When to stop? All manipulable.

Agentic RAG combines the vulnerabilities of RAG with the vulnerabilities of agents. It's the intersection of two attack surfaces.

Architecture

Components:

  • Planning agent: decides retrieval strategy
  • Source selector: chooses which corpus to query
  • Query formulator: constructs actual retrieval queries
  • Termination logic: decides when enough is retrieved

Trust Boundaries

Agent decisions that can be manipulated:
  ├── Source selection → Route to compromised source
  ├── Query formulation → Search for attacker-specified content
  ├── Retrieval depth → Keep searching until poison found
  └── Result filtering → Prefer malicious content

Each decision is influenced by context. Poisoned context = poisoned decisions.

  1. Query → Agent decisions: injection influences strategy
  2. Agent → Source selection: may route to attacker-controlled sources
  3. Retrieved content → Agent: affects subsequent decisions

Threat Surface

Threat                        | Vector                                                 | Impact
------------------------------|--------------------------------------------------------|----------------------------------------------
Source steering               | Manipulate agent to query attacker-controlled sources  | Retrieval from compromised sources
Query manipulation            | Influence what agent searches for                      | Retrieve attacker-specified content
Persistence through iteration | Manipulate termination to keep searching for poison    | Eventually find and include malicious content
Combined attack surface       | RAG vulnerabilities + agent vulnerabilities            | More attack vectors than either pattern alone

The ZIVIS Position

  • Strategy decisions are attack surface. Every retrieval decision the agent makes can be influenced. Don't assume strategy selection is neutral.
  • Constrain source selection. If the agent can query arbitrary sources, attackers can route retrieval to their content. Limit to known-trusted sources.
  • Audit strategy decisions. Log what the agent decided to search for, where, and why. Unusual strategy patterns may indicate manipulation.
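The three controls above (source allowlist, bounded retrieval depth, audited decisions) and the trust-boundary point that retrieved content steers later queries can be enforced in one guard that sits between the planning agent and the retrievers. This is an added illustration, not ZIVIS code; the source names, depth cap, sample documents and the query-drift heuristic are constructed assumptions.

```python
"""Guard for agentic-RAG retrieval decisions: allowlist sources, cap depth,
log every decision, and flag queries that drift toward retrieved content."""
from dataclasses import dataclass, field
import re

TRUSTED_SOURCES = {"internal_kb", "product_docs"}   # constructed allowlist
MAX_ITERATIONS = 3                                  # retrieval depth cap (assumed)
STOP = {"the", "a", "an", "of", "to", "for", "and", "is", "in", "on", "what"}

def tokens(text: str) -> set:
    """Lower-cased word set with common stop words removed."""
    return {t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOP}

@dataclass
class Decision:          # what the planning agent proposes for the next hop
    source: str
    query: str
    rationale: str

@dataclass
class StrategyGuard:
    user_question: str
    audit_log: list = field(default_factory=list)
    retrieved: list = field(default_factory=list)

    def review(self, iteration: int, d: Decision) -> tuple:
        """Return (allowed, reason); every decision is logged either way."""
        reason = "ok"
        if d.source not in TRUSTED_SOURCES:
            reason = "untrusted_source"          # source-steering attempt
        elif iteration >= MAX_ITERATIONS:
            reason = "depth_exceeded"            # termination manipulation
        else:
            q = tokens(d.query)
            from_user = q & tokens(self.user_question)
            from_docs = q & set().union(*(tokens(c) for c in self.retrieved))
            # Heuristic: the query shares nothing with the user's question
            # and is built only from terms that appeared in retrieved text.
            if q and not from_user and from_docs:
                reason = "query_drift"
        allowed = reason == "ok"
        self.audit_log.append({"iteration": iteration, "source": d.source,
                               "query": d.query, "rationale": d.rationale,
                               "allowed": allowed, "reason": reason})
        return allowed, reason

    def record_result(self, chunk: str) -> None:
        """Remember retrieved text so later queries can be checked for drift."""
        self.retrieved.append(chunk)
```

The drift heuristic is deliberately simple; in practice it would be one signal among several fed to the monitoring the page recommends.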

What We Tell Clients

Agentic RAG gives you sophisticated retrieval behavior and sophisticated attack surface. Every decision point—source, query, depth—is a manipulation opportunity.

Constrain what the agent can decide. Limit sources to trusted corpora. Monitor for unusual strategy patterns. The agent's "intelligent" decisions may be intelligently manipulated.

Related Patterns

  • Naive RAG: simpler retrieval without agent decisions
  • ReAct: agent pattern often combined with retrieval