Enterprise adoption of retrieval-augmented generation has moved sensitive corporate content into a new storage format that existing security tools cannot inspect. Companies deploying internal AI assistants convert documents into high-dimensional numerical vectors and ship them to embedding services and vector databases over ordinary HTTPS connections. Data loss prevention products scan documents and network traffic, and they read none of it.
A research framework called VectorSmuggle, released by Jascha Wanger of ThirdKey under the Apache 2.0 license, demonstrates what an attacker can do with that gap. The project pairs an empirical study of steganographic exfiltration techniques against vector embeddings with a proposed cryptographic defense called VectorPin.
The attack
VectorSmuggle catalogs six ways an attacker with access to an ingestion pipeline could hide data inside embeddings. Some methods add small amounts of noise to each vector. Others rotate, rescale, or shift them. One technique splits content across multiple embedding models so each individual vector store only sees a fragment. The perturbed vectors still return the right documents when someone runs a legitimate search. They just also carry information the attacker wants to smuggle out.
The companion preprint tested these techniques against the OpenAI text-embedding-3-large model and four open models from Nomic, EmbeddingGemma, Snowflake Arctic, and MXBai. The corpus testing spans a synthetic personally identifiable information set, the BEIR medical research corpus NFCorpus, and a Quora question subset, totaling more than 26,000 chunks of content.
The findings split along a line that matters for defenders. Noise, scaling, and offset techniques shift the statistical distribution of the embeddings enough that off-the-shelf anomaly detectors catch them reliably. Rotation does something different. Because rotating a vector preserves its mathematical relationships with other vectors, the same detectors miss it across every model and corpus combination the researchers tested. At the channel’s theoretical ceiling, a working encoder built on rotation can move roughly 1,920 bytes of hidden payload per vector at zero error rate.
The payload survives passage through the popular vector databases security teams already use, including FAISS, Chroma, and Qdrant in standard and scalar-quantized configurations. When researchers gave attackers full knowledge of the defending anomaly detectors, the attackers could evade detection entirely. Statistical detection is useful as a first filter and does not hold up as a primary control.
The conversation with leadership
Wanger frames the deal organizations are making when they approve internal AI assistants in stark terms. “In exchange for productivity gains, the company agrees to convert its sensitive documents into a new file format and ship them to a service nobody on the security team has visibility into. That new file format is called a vector embedding. Existing DLP tools cannot read it. Existing egress monitoring cannot interpret it.”
He says VectorSmuggle shows that “an attacker with insider access, or a compromised RAG pipeline, can hide arbitrary data inside those vectors using techniques borrowed from steganography. The vectors still function correctly for legitimate search. They just also carry payloads the security team cannot see, headed somewhere the security team is not monitoring.”
For CISOs and board members signing off on these deployments, Wanger recommends one specific question for security teams: “What is our visibility into the contents of the vector embeddings leaving our network, and who is responsible for monitoring that channel?” His assessment of where most companies stand today: “no visibility and no one. That answer is the finding.”
A defensive proposal
The repository also includes a companion defense called VectorPin. It cryptographically signs each embedding when it is created so that any later modification breaks the signature. If an attacker perturbs a vector to hide data inside it, verification fails and the tampered embedding gets flagged. Reference implementations are available in Python and Rust.
Wanger sees the work as part of a broader investigation. “Almost all current AI security work is happening at the model layer. Prompt injection, jailbreaks, output filtering, alignment. That is the visible surface, and it is where the conference talks and the funding go. The infrastructure layer underneath, the embeddings, the vector stores, the tool contracts, the agent identity, has been largely treated as plumbing. Plumbing is exactly the place attackers go when the front door is heavily defended.”
He predicts the next several years of enterprise AI security incidents will come from this layer. “Companies will fine-tune their models, train refusals, run red team exercises against prompts, and still leak data through channels that existing tooling was never designed to see.”
