RAG LLMs are Not Safer: A Safety Analysis of Retrieval-Augmented Generation for Large Language Models (2504.18041v1)

Abstract: Efforts to ensure the safety of LLMs include safety fine-tuning, evaluation, and red teaming. However, despite the widespread use of the Retrieval-Augmented Generation (RAG) framework, AI safety work focuses on standard LLMs, which means we know little about how RAG use cases change a model's safety profile. We conduct a detailed comparative analysis of RAG and non-RAG frameworks with eleven LLMs. We find that RAG can make models less safe and change their safety profile. We explore the causes of this change and find that even combinations of safe models with safe documents can cause unsafe generations. In addition, we evaluate some existing red teaming methods for RAG settings and show that they are less effective than when used for non-RAG settings. Our work highlights the need for safety research and red-teaming methods specifically tailored for RAG LLMs.

• The paper reveals that integrating RAG can drastically increase unsafe response rates, exemplified by Llama-3-8B’s rise from 0.3% to 9.2%.
• It finds that even safe retrieved documents can lead to harmful outputs as models repurpose benign content or rely on their internal knowledge.
• The study shows current red-teaming methods falter in RAG settings, underscoring the need for safety evaluations and new testing strategies tailored to RAG.

Here is a summary of the paper "RAG LLMs are Not Safer: A Safety Analysis of Retrieval-Augmented Generation for LLMs" (2504.18041).

The paper challenges the common assumption that Retrieval-Augmented Generation (RAG) inherently makes LLMs safer by grounding responses in external documents. Through a comprehensive analysis across eleven different LLMs (including open-source like Llama, Mistral, Phi, Gemma, Zephyr, and proprietary like Claude-3.5-Sonnet, GPT-4o), the authors demonstrate that RAG can paradoxically make LLMs less safe and alter their safety profiles in unexpected ways.

The paper addresses three key research questions:

1. Are RAG-based LLMs safer than their non-RAG counterparts? The evaluation used over 5,000 harmful questions from existing safety benchmarks, categorized into a 16-category risk taxonomy. Comparing models in non-RAG settings versus RAG settings (both using retrieved documents only and using documents + model knowledge), the authors found that for most models, the percentage of unsafe responses significantly increased in the RAG setting. For instance, Llama-3-8B saw its unsafe response rate jump from 0.3% to 9.2%. This increase wasn't confined to a few categories but spread across nearly all 16 safety categories. The change in risk profile was also model-dependent; some models became vulnerable in entirely new areas when RAG was introduced. The paper concludes that RAG does not guarantee safety and often degrades it.
2. What makes RAG-based LLMs unsafe? The authors investigated three factors: the inherent safety of the LLM, the safety of the retrieved documents, and the LLM's RAG task capability.
   • Inherent LLM Safety: The paper found that while safer non-RAG models tend to be safer in RAG compared to less safe models, they still become less safe relative to their own non-RAG performance. Existing vulnerabilities from the non-RAG setting often carry over and new unsafe behaviors emerge.
   • Retrieved Document Safety: Surprisingly, the majority of unsafe responses in RAG settings did not come from unsafe documents. Even when retrieved documents were deemed "safe" (not containing direct harmful answers to the query), models frequently generated unsafe content. This suggests that models can repurpose information from safe documents in harmful ways or leverage their internal knowledge despite instructions to only use the documents. Experiments varying the number of retrieved documents showed that even introducing a single safe document could change the model's safety behavior, and more documents tended to increase vulnerability.
   • LLM RAG Capability: The model's ability to correctly perform RAG tasks (extracting and summarizing information) also plays a role. Models that struggle with RAG may simply refuse to answer, giving a false appearance of safety (like Gemma-7B in their tests). Models that fail to fully rely on documents and instead draw on internal knowledge can also produce unsafe responses.
3. Are red-teaming methods effective for RAG-based models? Given that RAG introduces new safety vulnerabilities, the paper evaluated whether existing red-teaming methods designed for non-RAG LLMs could expose these issues. Using gradient-based methods like GCG and AutoDAN, the authors attempted to create jailbreaking prompts for Llama-3-8B and Mistral-V0.3.
   • Jailbreaking prompts optimized in the non-RAG setting were largely ineffective when applied to the RAG setting, failing to transfer their attack capabilities.
   • Jailbreaking methods applied directly to the RAG setting (optimizing prompts with fixed, pre-retrieved documents) were more effective than non-RAG prompts. However, their success rate dropped significantly when the optimized prompts were used in a real RAG system where they could influence document retrieval, leading to different documents being presented to the model at test time. The authors adapted the red-teaming methods for long RAG inputs using a tree-attention technique to manage computational requirements. The findings highlight that current red-teaming strategies are insufficient for effectively testing RAG-based LLMs, indicating a need for new methods specifically designed for RAG.

Practical Implications for Developers and Practitioners:

• RAG is Not a Safety Solution: Do not assume that implementing RAG alone will make your LLM application safer. It can introduce new risks.
• Safety Evaluation is Crucial for RAG: RAG systems require dedicated safety evaluation and red-teaming tailored to the RAG setup. Standard safety benchmarks and non-RAG red-teaming methods are likely insufficient.
• Corpus Safety is Not Enough: Ensuring your retrieval corpus is free of overtly harmful content is important but does not guarantee safety. Models can generate harmful content even from safe documents by repurposing information or relying on internal knowledge.
• LLM Choice Still Matters: While RAG changes safety behavior, using an LLM that is inherently safer in a non-RAG setting is likely a better starting point for a safer RAG system.
• Context Length Impacts Safety: Providing more documents (longer context) to the LLM in RAG tends to increase the likelihood of unsafe responses.
• Advanced Red-Teaming Needed: Deploying robust RAG systems necessitates developing or using red-teaming tools and methodologies that can account for the retrieval process and the interaction between the query, documents, and model behavior. Adapting existing white-box methods requires handling long contexts efficiently (e.g., using techniques like tree-attention).
• RAG-Specific Safety Training: Current safety fine-tuning methods, primarily designed for non-RAG, may not generalize well. Safety alignment techniques may need to be adapted to explicitly handle the RAG generation process, where models synthesize information from provided contexts.

The paper concludes by emphasizing the urgent need for dedicated research and development on safety techniques and red-teaming specifically for RAG-based LLMs, going beyond focusing solely on corpus poisoning attacks.