🔍AI RiskAtlas

Poison the Vector, Not the Words

An attacker crafts a gibberish passage whose embedding sits near thousands of questions — so it's retrieved everywhere

Technique first revealed 29 Oct 2023

RAG Knowledge Assistant
Architecture diagram (interactive on the original page). Trust boundary: untrusted external sources (crawled) vs. your system. Components: User, Chat / App Interface, Orchestrator / Agent Loop, Retriever, Knowledge Store / Vector DB, Ingestion Pipeline, Untrusted Content, Prompt Assembly, LLM, and the Attacker (the collision edge). Edge types: instructions, data, actions, control / decision, feedback / logs.
Setup (Step 1 / 7)

An open ingestion path

The assistant's library is populated automatically from places staff can write to: a shared wiki, an uploads folder, a public docs site. Nothing is reviewed on the way in, so anyone who can write to any one of those sources can put a document into the library, and from there into the retriever's candidate set.

⚙️ Ingestion config (over-permissive)
sources:
  - kb_internal_wiki        # staff-editable
  - partner_docs_site       # third-party contributions accepted
  - public_uploads/         # anyone with a link
sanitize_active_content: false
provenance_scoring: false
new_chunk_anomaly_check: false
reindex: nightly
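As an added example (not AI RiskAtlas code), the Python below turns the three disabled settings into an ingestion gate and runs the page's over-permissive config beside a hardened one. The source names are taken from the config; the trust values, thresholds, the `gate()` decision rules and the sample chunks are assumptions constructed for the demonstration, and `anomaly_score()` is a cheap lexical stand-in for a real perplexity or embedding-outlier check.

```python
"""Ingestion gate for a RAG knowledge store.

Added example, not AI RiskAtlas code. It implements the three checks the
over-permissive config above turns off. The source names are the page's;
the trust values, thresholds and decision rules are assumptions.
"""
from dataclasses import dataclass
import re

# Assumed trust per source (0.0 = anyone can write, 1.0 = reviewed and signed).
SOURCE_TRUST = {
    "kb_internal_wiki": 0.6,    # staff-editable: authenticated, unreviewed
    "partner_docs_site": 0.4,   # third-party contributions accepted
    "public_uploads/": 0.0,     # anyone with a link
}


@dataclass(frozen=True)
class IngestPolicy:
    """Mirrors the config keys; the two thresholds are assumed defaults."""
    sanitize_active_content: bool
    provenance_scoring: bool
    new_chunk_anomaly_check: bool
    min_trust: float = 0.3      # sources below this are never auto-indexed
    max_anomaly: float = 0.5    # chunks above this look like gibberish


PERMISSIVE = IngestPolicy(False, False, False)   # the config on this page
HARDENED = IngestPolicy(True, True, True)


@dataclass(frozen=True)
class Chunk:
    source: str
    text: str


_ACTIVE = re.compile(
    r"<(script|style|iframe|object|embed)\b[^>]*>.*?</\1\s*>|<!--.*?-->",
    re.IGNORECASE | re.DOTALL,
)
_VOWEL = re.compile(r"[aeiouy]", re.IGNORECASE)
_LETTER = re.compile(r"[a-z]", re.IGNORECASE)
_NON_WORD_CHAR = re.compile(r"[^a-z'\-]", re.IGNORECASE)


def sanitize(text: str) -> str:
    """Strip script/style/iframe/object/embed elements and HTML comments."""
    return _ACTIVE.sub("", text)


def provenance_score(source: str) -> float:
    """Unknown sources are treated as untrusted."""
    return SOURCE_TRUST.get(source, 0.0)


def _looks_odd(token: str) -> bool:
    core = token.strip(".,;:!?()[]{}\"'")
    if not core or not _LETTER.search(core):
        return False                      # numbers and punctuation: ignore
    if len(core) > 24:
        return True                       # no natural word is this long
    if len(core) >= 4 and not _VOWEL.search(core):
        return True                       # consonant string, not a short acronym
    return _NON_WORD_CHAR.search(core) is not None   # letters mixed with digits/symbols


def anomaly_score(text: str) -> float:
    """Fraction of whitespace-separated tokens that do not look like words.

    Catches text optimised for its embedding rather than for a reader.
    Empty text scores 1.0.
    """
    tokens = text.split()
    if not tokens:
        return 1.0
    return sum(1 for t in tokens if _looks_odd(t)) / len(tokens)


def gate(chunk: Chunk, policy: IngestPolicy) -> tuple[str, str, dict]:
    """Decide whether a chunk is indexed or quarantined for human review.

    Returns (decision, text_to_index, evidence). The evidence dict carries the
    scores a retriever can later use to down-weight low-trust chunks.
    """
    text = sanitize(chunk.text) if policy.sanitize_active_content else chunk.text
    evidence = {}
    if policy.provenance_scoring:
        evidence["trust"] = provenance_score(chunk.source)
        if evidence["trust"] < policy.min_trust:
            return "quarantine", text, evidence
    if policy.new_chunk_anomaly_check:
        evidence["anomaly"] = anomaly_score(text)
        if evidence["anomaly"] > policy.max_anomaly:
            return "quarantine", text, evidence
    return "index", text, evidence


if __name__ == "__main__":
    # Constructed samples: an ordinary wiki paragraph and a gibberish passage
    # of the kind an embedding-collision attacker would drop into uploads.
    samples = [
        Chunk("kb_internal_wiki", "Employees can reset their VPN password from the self-service portal."),
        Chunk("public_uploads/", "zxqv bmpw qtkr gfds dlmn bvhj tlrk"),
    ]
    for name, policy in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        for c in samples:
            decision, _, ev = gate(c, policy)
            print(f"{name:10} {c.source:18} -> {decision:10} {ev}")
```

Under the page's config every chunk reaches the index with an empty evidence dict, so the retriever has nothing to weigh a public upload against a staff page. With the checks on, the gibberish upload is quarantined on provenance before its text is even scored, and the same passage planted on the staff wiki is still caught by the anomaly check; only chunks that pass both are indexed, carrying their trust score as metadata.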

AI RiskAtlas is an educational model of how GenAI & agentic systems work and fail. Architectures and payloads are illustrative and simplified for learning — not operational guidance. Real-world cases are summarised from public reporting.

Sources & further reading · Built by Shi Yuan