©2026. Mojar. All rights reserved.

Free Trial with No Credit Card Needed. Some features limited or blocked.

Industry News

Your RAG Knowledge Base Is Now a Security Risk

At RSAC 2026, the message is clear: the AI knowledge layer is the primary attack surface. Here's what that means for enterprise security.

6 min read • March 24, 2026
Tags: AI Security, RAG, RSAC 2026, Enterprise AI, Knowledge Management

RSAC 2026 is live in San Francisco this week: forty-three thousand security professionals working through 600 exhibitors and a schedule where roughly 40% of sessions are AI-weighted. XM Cyber has just published research documenting eight validated attack vectors inside AWS Bedrock, each starting from low-privilege permissions and each ending inside critical enterprise systems. In most of them the entry point is the knowledge base, not the model.

The security community has been focused on the wrong layer

The last three years of enterprise AI security conversation have centered on output safety: guardrails, content filters, red-teaming models, jailbreak detection, output monitoring. Then came the agent governance era — identity management, least-privilege access, runtime controls for autonomous agents. Both conversations were necessary. Neither was sufficient.

The documents your AI reads have been treated as a content problem: a quality concern, maybe, or a source of outdated answers, but not a security problem.

That framing is now wrong.

XM Cyber's research, published this week alongside RSAC, is the most concrete evidence yet that the knowledge layer is an attack surface in its own right: validated breach paths that most security teams are not currently monitoring.

We've written before about the missing layer in enterprise AI security and about why guardrails alone aren't enough. RSAC 2026 is making that argument unavoidable for CISOs who were still unconvinced.

Three signals arriving at the same time

XM Cyber's eight Bedrock attack vectors

XM Cyber's research into AWS Bedrock identified eight distinct attack vectors, and the most consequential ones don't touch the model at all.

Take the knowledge base data source path. An attacker with access to the S3 bucket or SharePoint site that a Bedrock knowledge base syncs from doesn't need to compromise the AI at all. Read access to the source (s3:GetObject on the bucket, or the connector's OAuth token for SharePoint) is read access to everything the model could ever retrieve, with none of the model-side guardrails in the way. The same OAuth credentials Bedrock uses to connect to enterprise SharePoint can also be used for lateral movement into the directory behind it (Active Directory, or Entra ID for SharePoint Online). The AI is irrelevant to the breach.

Or the data store path. The vector stores a knowledge base can sit on (Pinecone, Redis Enterprise Cloud, Aurora, Redshift) are reached with credentials that the knowledge base configuration points at; in Bedrock's case that is typically a Secrets Manager secret referenced by ARN rather than a password in the config itself. Anyone who can read that secret holds the same credential the ingestion job uses to create and delete index entries. Not read access. Administrative access. Your entire embedded document corpus, every chunk, every source, accessible to someone who found a configuration file or who holds secretsmanager:GetSecretValue on a wildcard.

The prompt template vector is the subtler one. Attackers with write access to centralized prompt management (in Bedrock, the UpdatePrompt permission) can inject instructions that alter AI behavior across every agent and workflow that resolves that prompt. If those workflows reference the mutable DRAFT rather than a pinned, numbered version, the change applies on the next invocation with no redeployment, no obvious behavioral change, and an audit trail (CloudTrail does record the call) that most security teams aren't watching.

XM Cyber's conclusion: "Attackers target the permissions, configurations, and integrations surrounding the model — not the model itself. A single over-privileged identity is enough to redirect logs, hijack an agent, poison a prompt, or reach critical on-premises systems from a foothold inside Bedrock."

The knowledge base isn't infrastructure adjacent to the attack surface. It is the attack surface.

Microsoft's Zero Trust for AI

Last week, Microsoft added a full AI pillar to its Zero Trust framework (ZT4AI): 700 security controls across 116 logical groups. One of the explicit pillars is AI data layer governance. Not model governance. Not agent governance. The data the AI reads.

Microsoft put it plainly: "Agents that are overprivileged, manipulated, or misaligned can act like 'double agents,' working against the very outcomes they were built to support."

When Microsoft codifies something into Zero Trust, it usually means the pattern is already being exploited in the wild and the industry needs shared language to address it. ZT4AI arriving in RSAC week isn't a coincidence.

The SaaS cascade breach

Grip Security published research this week showing a 490% year-over-year spike in public SaaS attacks (SecurityWeek). The average enterprise now runs 140 AI-enabled SaaS environments. Most are connected to internal knowledge stores. Few are in scope for the current security audit cycle.

The "Great SaaS Breach of 2025", still being analyzed, involved attackers compromising a single SaaS provider's data stores, stealing the OAuth tokens held there, and then using them to reach roughly 700 enterprise Salesforce installations through AI connectors. One stolen credential set, 700 downstream victims.

This is the cascade pattern that RAG architectures inherit when knowledge store access isn't governed. One over-permissioned OAuth token connecting a document source to an AI pipeline is, right now, a plausible single point of failure for everything those documents contain: it carries the source's full read scope, and it is rarely tracked as a credential at all. The credentials and governance problem for AI agents isn't a future concern; it's showing up in post-mortems today.
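The common thread in the three Bedrock paths above and in the SaaS cascade is that nobody asked, per identity or per token, what it can reach without ever calling the model. The following is an added example (not XM Cyber's research tooling, not AWS code, and not Grip Security's data) that makes that question mechanical: grants are modelled as (subject, action, resource pattern), each resource is resolved to the knowledge it actually guards, and the script reports each identity's direct reach and whether the model is in the path at all. Every role, bucket, secret, prompt, tenant and scope in it is constructed sample data.

```python
"""Blast-radius check for the permissions around a RAG pipeline.

Added example, not XM Cyber's tooling, AWS code, or Grip Security's data.
Models the Bedrock paths (data-source bucket, vector-store secret, shared
prompt) and the one-token-many-tenants SaaS cascade as grants, resolves each
resource to the knowledge it guards, and asks: if this identity or token is
compromised, what can the attacker read or rewrite without calling the model?
All identities, buckets, secrets, prompts and scopes are constructed.
"""
import fnmatch
from collections import defaultdict

# (subject, action, resource pattern). Constructed; action names follow the
# IAM / Microsoft Graph spelling so the output reads like a real review.
GRANTS = [
    # A CI role that only needed to upload docs also got bucket-wide read.
    ("role/ci-docs-uploader", "s3:PutObject", "s3://corp-kb-source/*"),
    ("role/ci-docs-uploader", "s3:GetObject", "s3://corp-kb-source/*"),
    # The knowledge base's own execution role.
    ("role/bedrock-kb-exec", "s3:GetObject", "s3://corp-kb-source/*"),
    ("role/bedrock-kb-exec", "secretsmanager:GetSecretValue", "secret/pinecone-kb-creds"),
    # An ops user with a wildcard secret grant inherits the vector-store credential.
    ("user/ops-alice", "secretsmanager:GetSecretValue", "secret/*"),
    # Whoever can edit the shared prompt can steer every agent that resolves it.
    ("role/prompt-editor", "bedrock:UpdatePrompt", "prompt/support-agent-system"),
    # The intended path: the chat app only talks to the model.
    ("role/chat-app", "bedrock:InvokeModel", "model/*"),
    # SaaS cascade: one vendor app token authorised in several tenants.
    ("oauth/vendor-app-token", "Sites.Read.All", "sharepoint://tenant-a/*"),
    ("oauth/vendor-app-token", "Sites.Read.All", "sharepoint://tenant-b/*"),
    ("oauth/vendor-app-token", "Sites.Read.All", "sharepoint://tenant-c/*"),
]

# Representative resource -> the knowledge it guards. Mapping a secret or a
# bucket back to the corpus behind it is the step most IAM reviews skip.
PROTECTS = {
    "s3://corp-kb-source/hr/policies.pdf": ["kb:corp-policies"],
    "secret/pinecone-kb-creds": ["kb:corp-policies"],  # vector index of the same corpus
    "prompt/support-agent-system": ["prompt:all-support-agents"],
    "sharepoint://tenant-a/sites/finance": ["kb:tenant-a-docs"],
    "sharepoint://tenant-b/sites/finance": ["kb:tenant-b-docs"],
    "sharepoint://tenant-c/sites/finance": ["kb:tenant-c-docs"],
}

READ_LIKE = {"s3:GetObject", "secretsmanager:GetSecretValue", "Sites.Read.All"}
WRITE_LIKE = {"s3:PutObject", "bedrock:UpdatePrompt"}


def reachable(subject):
    """Knowledge stores and prompts `subject` can touch directly, with modes."""
    modes = defaultdict(set)
    for subj, action, pattern in GRANTS:
        if subj != subject:
            continue
        mode = "read" if action in READ_LIKE else "write" if action in WRITE_LIKE else None
        if mode is None:
            continue  # e.g. InvokeModel: goes through the model, not to the content
        for resource, targets in PROTECTS.items():
            if fnmatch.fnmatchcase(resource, pattern):
                for target in targets:
                    modes[target].add(mode)
    return {target: sorted(m) for target, m in modes.items()}


def bypasses_model(subject):
    """True when the subject reaches knowledge content without any Invoke* grant,
    i.e. the model and its guardrails are never in the path."""
    invokes = any(s == subject and a.startswith("bedrock:Invoke") for s, a, _ in GRANTS)
    return any(t.startswith("kb:") for t in reachable(subject)) and not invokes


def rank_by_exposure():
    """Identities ordered by how much knowledge a compromise of each exposes."""
    subjects = sorted({s for s, _, _ in GRANTS})
    return sorted(subjects, key=lambda s: (-len(reachable(s)), s))


if __name__ == "__main__":
    for subj in rank_by_exposure():
        print(f"{subj:24} model-bypass={bypasses_model(subj)!s:5} {reachable(subj)}")
```

Run against a real account you would feed GRANTS from an IAM access-analyzer export and PROTECTS from the knowledge base's data-source and storage configuration; the point of the example is the shape of the question, not the toy inputs. Notice that the vendor token ranks first and that the chat application, the only identity that actually calls the model, reaches no content at all.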

What a governed knowledge layer actually changes

The instinct is to respond with more access controls. That's necessary but incomplete. The harder problem is the knowledge base itself: what's in it, who can write to it, whether contradictions exist across documents, and whether you can audit what your AI actually read before it responded to a sensitive query.

Mojar's approach treats the knowledge layer as a security control rather than a content bucket. Controlled write paths mean you know exactly what entered the knowledge base, from which writer, and when. Contradiction detection across documents surfaces poisoned or conflicting content before it reaches the retrieval layer. Every AI response is traceable to a specific document at a specific version, so you can audit what the agent saw.
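To make the three controls above concrete, here is an added example that is not Mojar's code and says nothing about how Mojar is implemented: a minimal knowledge store whose only write path requires a registered writer and an HMAC over the exact content, whose documents are immutable versions, whose retrieval serves only current versions and logs the (doc_id, version, sha256) triples behind each response, and which has a deliberately naive contradiction check over "key: value" lines. The writer registry, key and documents are constructed.

```python
"""A governed knowledge store in miniature: controlled write path, immutable
versions, and a per-response record of what the agent read.

Added example, not Mojar's product code. Writes are accepted only from a
registered writer presenting an HMAC over (doc_id, content) under that
writer's key; each accepted write becomes a new immutable version; retrieval
serves only the current version of each document and records exactly which
(doc_id, version, sha256) triples fed a response, so the trail survives later
rewrites. conflicts() is deliberately naive: it flags 'key: value' lines on
which current documents disagree. Writer names, keys and documents are
constructed for the example.
"""
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass

# Assumed registry of approved writers and their MAC keys (constructed).
WRITER_KEYS = {"ingest-pipeline": b"constructed-ingest-key"}


def sign(writer, doc_id, text):
    """Writer-side: manifest MAC binding this writer to this exact content."""
    msg = f"{doc_id}\n{text}".encode()
    return hmac.new(WRITER_KEYS[writer], msg, "sha256").hexdigest()


@dataclass(frozen=True)
class Chunk:
    doc_id: str
    version: int
    sha256: str  # digest of the whole document version this chunk came from
    text: str


class KnowledgeStore:
    def __init__(self):
        self.current = {}    # doc_id -> latest version number
        self.chunks = []     # every chunk of every version, append-only
        self.write_log = []  # (doc_id, version, writer, sha256)
        self.read_log = {}   # response_id -> [(doc_id, version, sha256), ...]

    def write(self, writer, doc_id, text, mac):
        """The only way content enters the store."""
        key = WRITER_KEYS.get(writer)
        if key is None:
            raise PermissionError(f"{writer!r} is not an approved writer")
        expected = hmac.new(key, f"{doc_id}\n{text}".encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, mac):
            raise ValueError("manifest MAC does not match submitted content")
        version = self.current.get(doc_id, 0) + 1
        digest = hashlib.sha256(text.encode()).hexdigest()
        for para in text.split("\n\n"):
            self.chunks.append(Chunk(doc_id, version, digest, para.strip()))
        self.current[doc_id] = version
        self.write_log.append((doc_id, version, writer, digest))
        return version

    def retrieve(self, query, response_id, k=3):
        """Toy keyword retrieval over current versions only; records what was read."""
        terms = set(query.lower().split())
        scored = []
        for c in self.chunks:
            if c.version != self.current[c.doc_id]:
                continue  # superseded versions stay for audit but are never served
            score = sum(1 for t in terms if t in c.text.lower())
            if score:
                scored.append((score, c))
        hits = [c for _, c in sorted(scored, key=lambda sc: -sc[0])[:k]]
        self.read_log[response_id] = [(c.doc_id, c.version, c.sha256) for c in hits]
        return hits

    def audit(self, response_id):
        """Exactly which document versions the agent saw for this response."""
        return list(self.read_log.get(response_id, []))

    def conflicts(self):
        """'key: value' facts on which current documents disagree."""
        seen = defaultdict(lambda: defaultdict(set))  # key -> value -> {doc_id}
        for c in self.chunks:
            if c.version != self.current[c.doc_id]:
                continue
            for line in c.text.splitlines():
                if ":" not in line:
                    continue
                key, val = (s.strip().lower() for s in line.split(":", 1))
                seen[key][val].add(c.doc_id)
        return {k: dict(v) for k, v in seen.items() if len(v) > 1}
```

The part that matters for incident response is that audit("resp-1") keeps returning version 1 after the document has been rewritten to version 2: the record of what the agent saw is bound to a content hash, not to whatever the document says now. A real ingestion path would replace the toy keyword scorer with an embedding index and the single shared key with per-writer keys or signatures, but the write gate, the version immutability and the read log are the controls, and they don't depend on the retrieval method.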

This isn't a content quality argument. It's a blast-radius argument. When the knowledge layer gets compromised (and based on RSAC week research, "when" is the right framing), the question is how much an attacker can actually do with what they found. A governed, auditable knowledge store with controlled write access is a fundamentally different target from an unmonitored vector database connected to every sensitive document your company has uploaded.

The noise vs. the signal

RSAC 2026 will generate a lot of AI security conversation over the next four days. Much of it will be vendor-driven, speculative, or repackaged fear. The XM Cyber research, Microsoft's ZT4AI framework, and the Grip Security cascade pattern are different. They're validated, specific, and pointing at the same thing.

The knowledge base was never just a content problem. It was an ungoverned write surface connected to sensitive data stores, running on inherited permissions from OAuth tokens nobody audits, feeding AI systems enterprises trust with consequential decisions.

RSAC 2026 is the week the security community officially agrees on that. Whether organizations running these systems are ready to act on it is the question that matters now.
