teaching your AI to read the manual before answering. except 40% of the time it reads the wrong manual and answers with full confidence anyway.
An architecture pattern retrieving relevant documents from a knowledge base and providing them as context to an LLM at inference time. Introduces data governance requirements: the retrieval layer must enforce classification ceilings, access permissions, and data freshness. RAG reduces hallucination by grounding responses in source documents — but it does not eliminate it. The model can still ignore, misinterpret, or fabricate beyond the retrieved context.
Why It Matters
RAG has become the default enterprise AI architecture. When an organisation says “we built an AI assistant on our internal documents,” they almost certainly mean RAG. The pattern is elegant: instead of fine-tuning a model on proprietary data (expensive, slow, creates a new model to govern), you retrieve relevant documents at query time and include them in the prompt context. The model generates answers grounded in your documents rather than its training data.
The governance problem is that RAG is treated as a hallucination fix when it is actually a data access architecture. The moment you connect an LLM to a document store, you have created a system that can surface any document in that store to any user who asks the right question. If your vector database contains board minutes, salary data, M&A plans, and customer complaints — and your retrieval layer has no access controls — you have built the most powerful data leak tool in your organisation and called it a productivity assistant.
The retrieval failure rate compounds the problem. Research consistently shows that naive RAG pipelines fail at retrieval approximately 40% of the time. The system retrieves irrelevant documents, then generates a fluent, confident, citation-bearing answer based on the wrong context. The user sees citations and assumes accuracy. The citations are real. The answer is wrong. This is worse than a hallucination without citations, because the user’s guard is down.
The Stress Test
Your legal team deploys a RAG-based contract review assistant. It retrieves relevant clauses from your contract database and drafts analysis. A junior lawyer asks it about indemnification terms in a supplier agreement. The system retrieves three clauses — but one is from a different contract with a different counterparty. The generated analysis blends terms from two unrelated agreements into a single coherent-looking summary.
The junior lawyer, seeing proper citations and professional language, includes the analysis in a memo to the client. The blended terms do not exist in any single contract. Nobody catches it because the output looks grounded. Three months later, a dispute arises and the client relies on the memo. Your firm has a professional liability problem that originated in a retrieval precision failure — not a hallucination, not a model error, but a search result that returned the wrong document.
In the Wild
When organisations deployed Microsoft 365 Copilot — a RAG system layered on top of Microsoft Graph — security researchers at Zenity and others discovered that the system would surface documents the user technically had access to in SharePoint but was never meant to see. Overly permissive SharePoint configurations, inherited permissions, and stale access grants meant Copilot could retrieve salary spreadsheets, HR investigations, and M&A documents in response to innocuous queries.
The problem was not the AI. The problem was that RAG faithfully enforced the permissions as configured — and the permissions were wrong. Organisations discovered their access control hygiene was inadequate only after the AI started surfacing what was already technically accessible.
RAG does not create access control problems. It reveals them at scale. The retrieval layer is only as secure as the permissions it enforces.
A 2024 study by Barnett et al. catalogued seven distinct failure modes in RAG pipelines: missing content (the answer is not in the knowledge base), missed top-ranked documents (the answer exists but retrieval fails), context window limitations (too many documents dilute relevance), extraction failure (the model cannot identify the answer in retrieved text), incorrect specificity (the answer is too broad or too narrow), incomplete answers (partial retrieval leads to partial responses), and wrong format (correct information, wrong presentation).
The researchers found that naive implementations failed at one or more of these points approximately 40% of the time across diverse query types. The failure was not always visible to the end user — the system produced fluent, citation-bearing responses even when the retrieval was incorrect.
RAG does not solve hallucination. It restructures where the failure occurs. Instead of the model hallucinating from training data, the system hallucinates from wrong retrievals. The output looks more credible. It is not.
Multiple government agencies deploying RAG-based citizen service chatbots encountered a systematic failure: the knowledge base contained outdated policy documents. Citizens received answers grounded in superseded regulations, expired benefits criteria, and withdrawn guidance. The chatbot cited real documents with real URLs — but the policies had changed, sometimes months earlier.
The failure was not in the model or the retrieval algorithm. It was in the absence of a data freshness control — no mechanism existed to flag when source documents were outdated, trigger re-indexing when policies changed, or mark retired documents as inactive in the vector store.
A RAG system is only as current as its last index update. If nobody owns the freshness cycle, your AI is giving yesterday’s answers to today’s questions — with today’s confidence.
How to Govern It
RAG is a data access architecture. Govern it like one.
Within the AI Control Index, RAG governance spans multiple layers and shields:
- Applications & Agents (L4) — The primary control layer. RAG systems require classification ceiling enforcement (the retrieval layer must not return documents above the user’s clearance), access control inheritance (permissions from the source system must propagate to the vector store), and freshness policies (maximum age for indexed content).
- AI Engineering (L5) — Retrieval quality evaluation: precision, recall, and relevance metrics measured against ground-truth query-document pairs. If you are not measuring retrieval quality, you are not measuring anything meaningful about your RAG system.
- Observability (S4) — Runtime monitoring of retrieval confidence scores, citation verification rates, and user feedback signals. A RAG system that is not monitored for retrieval quality is a system you trust on faith.
- Data (L6) — Data lineage for the knowledge base: source documents must be catalogued, versioned, and tagged with classification and retention metadata. The vector store is a data asset requiring the same governance as any other data store.
- GRC (S1) — Evidence Factory captures RAG evaluation results, access control audit logs, and freshness compliance records as governance artifacts.
When It’s Relevant
Every enterprise deployment of generative AI that connects to internal documents, knowledge bases, databases, or APIs. This includes chatbots, copilots, search assistants, document drafting tools, and any system where an LLM accesses organisational data at inference time.
RAG governance is critical when:
- The knowledge base contains documents with different classification levels or access restrictions
- The system serves users with different authorisation levels accessing the same interface
- Source documents are updated frequently and stale answers create liability
- The output is consumed by users who will treat citations as proof of accuracy
- The system is customer-facing and incorrect answers create contractual or regulatory exposure
Related Terms
References
- [1] Lewis, P., Perez, E., Piktus, A., Petroni, F., Karpukhin, V., Goyal, N., Küttler, H., Lewis, M., Yih, W., Rocktäschel, T., Riedel, S. and Kiela, D. (2020) ‘Retrieval-Augmented Generation for Knowledge-Intensive NLP Tasks’, Proceedings of NeurIPS 2020. Available at: arxiv.org/abs/2005.11401.
- [2] Barnett, S., Kurber, S., Sinha, S., Goel, L., Khosla, A. and Raghavan, S. (2024) ‘Seven Failure Points When Engineering a Retrieval Augmented Generation System’, arXiv preprint, arXiv:2401.05856. Available at: arxiv.org/abs/2401.05856.
- [3] OWASP Foundation (2025) OWASP Top 10 for Large Language Model Applications v2025.1. LLM06: Excessive Agency; LLM09: Misinformation. Available at: owasp.org/www-project-top-10-for-large-language-model-applications.
- [4] Gao, Y., Xiong, Y., Dibia, V., Chi, E.H., Ren, X. and Wang, H. (2024) ‘Retrieval-Augmented Generation for Large Language Models: A Survey’, arXiv preprint, arXiv:2312.10997v5.
- [5] European Parliament and Council (2024) Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (AI Act), Article 10: Data and data governance. Official Journal of the European Union.
- [6] NIST (2024) Artificial Intelligence Risk Management Framework: Generative AI Profile (AI 600-1). National Institute of Standards and Technology, U.S. Department of Commerce.
- [7] Zenity Labs (2024) ‘Copilot for Microsoft 365: Data Exfiltration and Security Risks in Enterprise Deployments’, Zenity Research.
AI Control Index v6.0 · Glossary · June 2026 · i-DEPOT 158508 (BOIP) · CC BY-NC-ND 4.0
By Jeroen Janssen, Apparens