Retrieval-augmented generation (RAG) and tool-using LLM agents are increasingly deployed in enterprise and safety–critical settings, but the retrieval and action layers expand the attack surface beyond standard prompt-based threats. This survey synthesizes end-to-end security research across three dominant threat classes: retrieval poisoning, indirect prompt injection, and tool attacks such as action manipulation, parameter tampering, and cross-tool data exfiltration. The literature is organized into a unified pipeline covering ingestion, indexing, retrieval, context assembly, generation, and tool execution. Defense algorithms are compared at each stage, including robust ANN retrieval, query expansion, context filtering, instruction and taint detection, capability scoping, sandboxing, and output validation. Key research gaps are identified, including limited cross-layer benchmarks, weak provenance and trust scoring for retrieved sources, scarce realistic agentic tool-chain testbeds, and inconsistent reporting of attack success, cost, and latency under adaptive adversaries. To mitigate these gaps, a novel hybrid defense algorithm, AegisRAG-RADMS, is introduced. It integrates HNSW retrieval with embedding-oriented query expansion (EoQ), hybrid context selection (SelSim + SelRand), a transformer-based prompt-injection classifier (ModernBERT or BERT), and dual tool firewalls consisting of an input minimizer and an output sanitizer. The survey concludes with deployment-oriented guidelines and open research directions for measurable robustness, continuous evaluation, and governance of secure RAG-enabled LLM agents.
Khonde et al. (Thu,) studied this question.