Retrieval Pivot Attacks in Hybrid RAG: Measuring and Mitigating Amplified Leakage from Vector Seeds to Graph Expansion

This paper identifies and formalizes "Retrieval Pivot Attacks" in Hybrid RAG systems, demonstrating how vector-retrieved seeds can inadvertently pivot through knowledge graph links to cause cross-tenant data leakage, and proves that enforcing authorization specifically at the graph expansion boundary effectively mitigates this risk with minimal overhead.

The Gist

Here is an explanation of the paper using simple language and creative analogies.

The Big Idea: The "Secret Door" in Your AI Library

Imagine your company has a massive digital library where an AI assistant (the "Librarian") helps employees find information.

1. The Old Way (Vector Search): The Librarian looks at your question, finds the most similar books on the shelf, and hands them to you. If you aren't allowed to see the "Top Secret" section, the Librarian simply never walks over there. It's safe.
2. The New Way (Hybrid RAG): To answer complex questions, the Librarian doesn't just grab books; they also look at a giant Family Tree (a Knowledge Graph) that connects people, projects, and companies.
   • You ask: "How does our server work?"
   • The Librarian finds a safe book about your server.
   • The Librarian sees the book mentions a shared vendor, "CloudCorp."
   • The Librarian follows the Family Tree to the "CloudCorp" node.
   • The Mistake: From "CloudCorp," the Librarian sees a file belonging to the HR department (which you aren't allowed to see) that also mentions "CloudCorp." The Librarian grabs that file and hands it to you, thinking, "Well, this file is connected to the safe book you asked for, so it must be safe too."

The Paper's Discovery: This "Family Tree" connection creates a secret backdoor. Even if the first book is safe, the connections leading away from it can lead straight into restricted areas. The paper calls this a "Retrieval Pivot Attack."

---

The Core Problem: The "Confused Deputy"

The authors describe this as a "Confused Deputy" problem.

• The Deputy: The AI system that goes looking for answers.
• The Boss: The security guard who says, "You can only look at Engineering documents."
• The Glitch: The security guard checks the first book you ask for and says, "Yes, this is safe." But once the AI starts following the connections (the Family Tree), it forgets the guard's rules. It acts like it has a master key to the whole building, even though it was only supposed to visit one room.

The Experiment: How Bad Is It?

The researchers tested this in three different "libraries":

1. A Fake Company: Made up of 1,000 documents.
2. The Enron Emails: Real emails from the famous scandal (50,000 emails).
3. SEC Filings: Real financial reports from 20 big companies.

The Shocking Results:

• Without the "Family Tree" (Vector Only): 0% leakage. The AI never saw secret stuff.
• With the "Family Tree" (Hybrid):
  • In the Fake Company, 95% of the time, the AI accidentally showed secret data.
  • In the Enron emails, 70% of the time, it leaked data.
  • Crucially: They didn't even need to hack the system or plant fake documents. Just by asking normal questions about shared things (like "Who is the CEO?" or "What software do we use?"), the AI naturally walked through the secret door because those shared things existed in both the public and private sections.

The "Two-Step" Dance (Why it happens)

The paper found that the leak almost always happens in exactly two steps:

1. Step 0: You get a safe document (e.g., "Our Server").
2. Step 1: The AI sees a shared name in that document (e.g., "CloudCorp").
3. Step 2: The AI follows "CloudCorp" to a secret document (e.g., "HR Salary List for CloudCorp").

Because the AI treats the "Shared Name" as a bridge, it jumps over the security fence in just two hops.

The Solution: The "Checkpoint"

The researchers tested five different ways to fix this. They found that you don't need a super-complex, expensive security system. You just need one simple rule:

"Check the ID badge at every single step."

• The Fix (Per-Hop Authorization): Every time the AI moves from one node to the next in the Family Tree, it must stop and ask: "Does this user have permission to see THIS specific node?"
• The Result: When they added this simple check, the leakage dropped to 0%.
• The Cost: It was incredibly fast (less than 1 millisecond delay) and didn't break the AI's ability to answer questions. It just stopped it from walking into the wrong rooms.

Why This Matters

• It's not a "Hack": You don't need a villain to break in. The structure of the system itself creates the hole.
• It's everywhere: As companies start using these "Hybrid" AI systems (combining search with graphs) to make smarter decisions, they are accidentally building secret tunnels between their departments.
• The Fix is Simple: Don't trust the path. Trust the permission. Check the badge at every turn.

Summary Analogy

Imagine you are in a hotel. You are allowed to be in the Lobby (Public). You see a map that connects the Lobby to the Kitchen (Shared Entity). The map also connects the Kitchen to the CEO's Private Suite (Secret).

If the hotel staff (the AI) assumes that because you are in the Lobby, you can follow the map anywhere, you will end up in the CEO's suite. The fix is simple: The staff must check your room key at the Kitchen door before letting you walk through to the CEO's suite.

The paper proves that without that second check, your AI is leaking secrets, and the fix is to check the key at every door.

Technical Summary

Here is a detailed technical summary of the paper "Retrieval Pivot Attacks in Hybrid RAG: Measuring and Mitigating Amplified Leakage from Vector Seeds to Graph Expansion."

1. Problem Statement: The Pivot Boundary Vulnerability

The paper identifies a critical security failure mode in Hybrid Retrieval-Augmented Generation (RAG) systems, which combine vector similarity search with Knowledge Graph (KG) expansion to enable multi-hop reasoning.

• The Core Issue: While vector retrieval typically enforces tenant isolation (e.g., via metadata pre-filters), the transition to graph expansion creates a "pivot boundary." In this boundary, an authorized text chunk (retrieved via vector search) is linked to an entity node in the graph. Because entity nodes are often tenant-neutral (shared across organizations or departments) and lack sensitivity labels, the graph traversal engine expands from these entities into unauthorized neighborhoods.
• The Consequence: A user with legitimate access to a "seed" chunk can inadvertently retrieve sensitive data belonging to other tenants or higher sensitivity tiers simply by traversing shared entities (e.g., a common vendor name, infrastructure component, or compliance standard).
• The Amplification: This leakage does not exist in vector-only systems. The hybrid composition creates a new attack surface where the graph expansion acts as an uncontrolled "confused deputy," inheriting the user's seed but ignoring their access constraints.

2. Methodology and Metrics

The authors formalize the risk and propose a framework to measure and mitigate it.

Key Metrics

• Retrieval Pivot Risk (RPR): The probability that a query's retrieval context contains at least one unauthorized item.
• Leakage@k: The count of unauthorized items in the context window.
• Amplification Factor (AF): The ratio of leakage in the hybrid pipeline versus the vector-only baseline.
• Pivot Depth (PD): The minimum number of graph hops from the seed chunk to the first unauthorized node.

Experimental Setup

The study evaluated three distinct corpora to ensure generalizability:

1. Synthetic Enterprise Corpus: 1,000 documents, 4 tenants, 2,785 nodes.
2. Enron Email Corpus: 50,000 emails, 5 departments, 376,000 nodes.
3. SEC EDGAR 10-K Filings: 887 sections across 20 companies, 19,527 nodes.

The evaluation included 500 queries (benign and adversarial) and tested various pipeline configurations, from vector-only to hybrid with and without defenses.

Attack Strategies

The paper defines four non-adaptive attacks (A1–A4) and three adaptive attacks (A5–A7):

• Seed Steering (A1): Crafting chunks to maximize vector retrieval while embedding pivot entities.
• Entity Anchor Injection (A2): Creating dense connections between injected chunks and sensitive graph areas.
• Neighborhood Flooding (A3): Inflating local graph density to increase BFS expansion volume.
• Bridge Node Attack (A4): Creating artificial cross-tenant edges via co-mentioning.
• Organic Leakage: Crucially, the study demonstrates that no adversarial injection is required. Naturally occurring shared entities (e.g., "CloudCorp," "auth-service") create pivot paths that cause massive leakage even with benign queries.

3. Key Results

High Leakage in Undefended Systems

• Synthetic Corpus: The undefended hybrid pipeline (P3) exhibited an RPR of 0.954 (95.4% of queries leaked data) and an Amplification Factor of 160–194× compared to vector-only retrieval.
• Enron Corpus: RPR was 0.695.
• EDGAR Corpus: RPR was 0.085 (lower due to fewer cross-sector entity connections, but still non-zero).
• Vector-Only Baseline: RPR was 0.0 across all corpora, confirming the vulnerability is specific to the hybrid composition.

The Structural Invariant: Pivot Depth = 2

A critical finding is that all leakage occurs at exactly Pivot Depth (PD) = 2 hops.

• Hop 0: Authorized seed chunk (Vector retrieval).
• Hop 1: Shared entity node (Tenant-neutral, no access control).
• Hop 2: Unauthorized chunk (Connected to the shared entity).
  This 2-hop pattern is a structural invariant of bipartite chunk-entity graphs used in hybrid RAG.

Defense Efficacy

The authors tested five layered defenses (D1–D5). The most significant finding is that a single mechanism, D1 (Per-Hop Authorization), is sufficient to eliminate leakage.

• Mechanism: Re-checking tenant and sensitivity labels at every node visited during graph expansion.
• Result: D1 reduced RPR from ~0.95 to 0.0 across all three corpora and all attack variants.
• Overhead: Negligible latency increase (<1ms).
• Utility: D1 retains authorized graph-expanded content, providing 5.6× more context than vector-only retrieval while maintaining zero leakage.

4. Key Contributions

1. Formalization of Retrieval Pivot Risk (RPR): Defined the specific security failure mode where vector-to-graph composition creates a compound attack surface.
2. Discovery of Organic Leakage: Demonstrated that the vulnerability is structural and exists in real-world data without any adversarial document injection, driven by naturally shared entities.
3. Structural Invariant Identification: Proved that in bipartite chunk-entity graphs, leakage consistently occurs at PD=2, regardless of corpus size or domain.
4. Practical Mitigation: Proposed and validated Per-Hop Authorization (D1) as a minimal, high-impact fix that requires no model retraining or infrastructure overhaul, only a policy enforcement change at the graph boundary.

5. Significance and Implications

• Security Paradigm Shift: The paper challenges the assumption that securing the vector retrieval layer is sufficient for hybrid RAG. It highlights that authorization must be re-evaluated at the graph expansion boundary.
• Agentic Systems: The vulnerability is particularly dangerous for autonomous agents (e.g., LangGraph, CrewAI) that perform graph traversal without human oversight, potentially leading to rapid, uncontrolled data exfiltration.
• Defense-in-Depth: While D1 is the "minimum viable guardrail," the paper suggests a layered approach (D1–D5) for production systems, where D1 handles security and subsequent layers (D2–D5) optimize context quality and noise reduction.
• Industry Impact: With the rapid adoption of Hybrid RAG (LangChain, LlamaIndex, Microsoft GraphRAG), this work provides an immediate, actionable fix (per-hop authorization) to prevent a widespread class of data leakage vulnerabilities in enterprise AI deployments.

In conclusion, the paper argues that the vulnerability is primarily a boundary enforcement problem rather than a complex defense problem. By re-checking access controls at the point where vector seeds become graph seeds, organizations can secure hybrid RAG systems with minimal overhead.