Research Notes

Retrieval-Augmented Generation (RAG)

By Satwik ยท February 10, 2026

RAG (Lewis et al., 2020) coupled a parametric generator with a non-parametric memory: a retriever pulls relevant passages from an external corpus, and the generator conditions on those passages to produce its answer. The retriever and generator are trained together so the system learns to use what it fetches. The motivation is that facts change and parameters are a poor place to store them; a document index can be updated, inspected, and cited.

Why it mattered

RAG offered a path to more factual, more current outputs without retraining, and it made a model's claims partly attributable to sources. This grounding became a dominant design pattern for knowledge-intensive applications, and it directly targets the hallucination problem that plagues purely parametric models.

Reading angle

RAG is central to modern security thinking because it deliberately injects external, often untrusted, text into the model's context. Once retrieved documents can carry instructions, you have an indirect prompt-injection surface: an attacker who can place content in the corpus, a wiki page, a scraped site, an email, can influence the model's behavior when that content is retrieved. The security posture of a RAG system therefore depends on the trustworthiness of its index and on treating retrieved content as data, not commands. There is also a data-governance benefit, sensitive facts can live in an access-controlled store rather than in weights, but only if retrieval respects those controls. Read RAG as both a factuality tool and the archetype of the untrusted-context problem that later red-teaming would explore in depth.