The prompt injection that actually hurts an enterprise RAG deployment is rarely typed into the chat box. It arrives through the corpus: a vendor PDF with instructions hidden in white-on-white text, a support ticket quoting a phishing email, a wiki page pasted in from the open web three years ago. The moment retrieval pulls that content into the model’s context, it competes with your system prompt for control of the session, wearing your organization’s own letterhead.
Most teams still treat the document store as trusted infrastructure and the user as the only threat actor. That model is backwards: anyone who can write to an indexed source can write to your model’s context window. The real question is whether every SharePoint contributor, ticket submitter, and crawled page deserves the same authority as your engineering team.
Executive Takeaway
- Retrieved text is untrusted input. Any document a connector can index is a potential instruction channel into the model, including internal content.
- The defenses that hold are architectural: isolate retrieved content from instructions, allowlist tool calls, tier source trust, filter outputs, and log every prompt and completion.
- A RAG system that has never run against an injection test suite has not been secured. It has been assumed safe.
Where Injection Enters a Retrieval System
Direct injection, where a user types adversarial instructions, is the easy case: it can be rate-limited, filtered, and attributed to an authenticated account. Indirect injection is the harder problem. Content arrives through connectors to document repositories, ticketing systems, email archives, and crawled pages, so the attacker never touches your application. They send an email that lands in an indexed mailbox, or edit a page your crawler ingests, and wait for retrieval to deliver the payload.
The mechanism is trust laundering: once retrieved, a passage sits in the model’s context alongside your instructions, stripped of any signal about where it came from. Unless the architecture preserves provenance, the model has no basis for treating a poisoned ticket differently from your policy manual.
Architecture and Delivery Pattern
Injection defense is a set of design decisions made before the first document is indexed, not a hardening pass at the end. Six controls carry most of the weight.
- Retrieved content stays isolated from instructions. Passages enter the context delimited and labeled as quoted data from a named source, never blended into the instruction stream, so the rule that documents describe and never direct can be tested.
- Tool calls run against a per-workflow allowlist, with parameters validated and permissions derived from the requesting user, so a poisoned document cannot expand what the system is allowed to do.
- Every source carries a trust tier. Curated policy documents, user tickets, and crawled content do not deserve equal authority, and lower tiers cannot trigger actions or override higher-tier guidance.
- Outputs are filtered before they reach the user or a downstream system, screening for leaked instructions, unexpected tool syntax, and markdown link tricks used to exfiltrate data through a rendered response.
- An injection evaluation suite runs against every release: a seeded corpus of hostile documents plus a library of known attack patterns, with the pass rate tracked over time rather than checked once.
- Prompts, retrieved chunks with their source identifiers, tool calls, and completions are all logged, so when something does get through, the incident can be reconstructed end to end.
None of these controls depend on the model behaving well, and that is the point. Safety training and instruction hierarchy help, but they are probabilistic. Structural controls still hold on the day the model gets it wrong.
Production Readiness Signals
The difference between a defended pipeline and a described one shows up in the release process, not the architecture diagram.
- The injection suite runs in CI, and a regression blocks the release the same way a failing unit test would.
- Prompt and completion logs are complete enough that a security analyst can replay an incident without asking engineering for help.
- Tool allowlists have a named owner, and any workflow change or new connector reopens the review.
- New sources are quarantined and scanned before they become retrievable, with a documented path for pulling a poisoned document out of the index.
Common Failure Modes
- Assuming the corpus is safe because it is internal. Internal only means the attacker needs one compromised mailbox or one careless paste instead of zero.
- Letting retrieved text share an undifferentiated context window with system instructions, which quietly turns every indexed document into a candidate system prompt.
- Testing only with friendly documents, so the first genuinely hostile input the system ever sees is in production, unflagged and unlogged.
The pattern behind all three is the same. The team secured the application and forgot that the corpus is an input.
Questions to Ask
- Can retrieved content cause this system to take an action, and if so, which actions, under whose authority?
- If a poisoned document entered the corpus last week, what signal would tell us, and who would act on it?
- When a retrieved source conflicts with policy, which one wins, and where in the architecture is that decision enforced?
A team that cannot answer these in a design review will not answer them during an incident. The honest next step is not another feature sprint. It is a short, scoped exercise to inventory sources, assign trust tiers, and run the first hostile-document test against the existing pipeline.
Sprinklenet Perspective
Sprinklenet builds retrieval systems designed for enterprise and government-grade requirements, and we treat injection defense as platform work rather than per-project heroics. Knowledge Spaces, our managed AI platform, serves as the control layer where source trust tiers, tool allowlists, output filtering, and prompt and completion logging live, so every application built on it inherits the same boundaries instead of reinventing them. Our six-week pilot-to-production engagements include an injection evaluation run against the client’s own corpus, because the attack that matters is the one written into your documents, not a generic benchmark.
Explore our AI services, see how Knowledge Spaces enforces these boundaries at the platform layer, or contact Sprinklenet to pressure-test a RAG system you already run.

AI Governance Analyst, Sprinklenet Research
Priya Desai is a Sprinklenet Research contributor focused on policy translation, compliance evidence, and executive-ready AI operating controls.
She writes about turning governance requirements into practical review paths, risk registers, documentation, and metrics that delivery teams can maintain.

