RAG SECURITY BOUNDARY CHECKLIST (2026)

Goal: prevent untrusted retrieved text from influencing privileged actions, and make every answer/action traceable to its sources.

1) Inventory and classify “actions”
- List every tool/action the LLM can trigger (email, ticket updates, refunds, DB writes, repo changes, webhooks).
- Mark which actions are irreversible or customer-visible.
- For each action, document required human approval (if any) and the intended policy constraints.

2) Enforce a hard separation between instructions and retrieved content
- Never concatenate retrieved text into system/developer messages.
- Wrap retrieved content as quoted context and label it explicitly (SOURCE, DOC_ID, URL/path).
- Ensure your app (not the model) decides whether a tool call is allowed.

3) Provenance by default (non-negotiable)
- Attach metadata to every chunk: source system, document ID, title, path/URL, author (if available), timestamps, ACL snapshot, ingest pipeline version.
- Store a stable chunk hash.
- In traces/logs, persist: query, retrieved chunk IDs/hashes, reranker output order, final context size.

4) Tenancy and access control
- Enforce tenant boundaries at the storage/index level where possible.
- Apply document-level ACL checks at retrieval time AND before prompt assembly.
- Add tests that attempt cross-tenant retrieval with “nearby” semantic queries.

5) Tool gating and policy checks
- Maintain an allowlist of tools per tenant and per user role.
- Require a policy decision before any tool executes; log user/tool/args plus retrieved_doc_ids.
- Add rate limits and spend limits for high-impact tools (email volume, refund count, record updates).

6) Context budgets
- Cap number of documents and total quoted characters per request.
- Cap per-source contribution (e.g., no single doc provides most of the context).
- Prefer fewer, higher-quality chunks with reranking over “stuff the window.”

7) Connector governance (ingestion controls)
- Maintain an approved connector list (Drive/Confluence/GitHub/Zendesk/etc.).
- Define risk tiers per connector and apply stricter rules to high-risk sources (external shares, public pages).
- Record exactly what was ingested and when; make reindexing reproducible.

8) Red-team and regression
- Plant subtle malicious instructions in realistic documents inside your actual connectors.
- Use normal user queries to trigger retrieval; inspect whether tool calls are proposed.
- Turn every failure into a CI regression test.

Deliverable to produce this week: an end-to-end trace showing (a) retrieved chunk IDs, (b) tool call proposal, (c) external policy decision, and (d) final action—tied to a single user request.