The RAG Trap: When Your AI Coding Assistant Learns from Poisoned Documentation

Series: AI Security Do’s and Don’ts

Author: Paul Lawlor
Date: 20 February 2026
Reading time: 12 minutes
Word count: ~2,800
Abstract: Retrieval-Augmented Generation makes AI coding assistants more useful by grounding them in organisational documentation. It also creates a persistent attack surface. Poison the knowledge base and you systematically compromise every developer who trusts the AI’s advice. This essay covers the five most common mistakes organisations make when deploying RAG-enhanced AI coding tools, six defensive strategies grounded in the UK AI Playbook, OWASP frameworks, and cloud security guidance, and the organisational changes needed to treat knowledge bases as critical infrastructure.

Keywords: RAG, Retrieval-Augmented Generation, knowledge base security, AI coding assistants, data poisoning, prompt injection, vector databases, supply chain security, UK AI Playbook, DevSecOps

The document that nobody checked
How RAG works and where the trust breaks
The don’ts: five common mistakes
The do’s: six defensive strategies
The organisational challenge
The path forward
Further reading
Notes

The document that nobody checked

A government development team decided to make their AI coding assistant more useful. They connected it to the department’s internal documentation using Retrieval-Augmented Generation: API standards, coding guidelines, security policies, and architecture decision records. The results were immediate. Developers got context-aware suggestions that followed departmental conventions. Code reviews went faster. The Senior Responsible Owner noted it in the quarterly update as a productivity win.

Six months later, during a routine code review, a senior developer noticed something odd. The AI had been recommending an authentication pattern that skipped input validation on internal API calls. The pattern appeared in three recently deployed services. It looked plausible. It followed the department’s naming conventions and referenced the correct internal libraries. But it was wrong: the omitted validation step left all three services vulnerable to injection attacks.

When the team investigated, they traced the recommendation back to a ‘best practices’ document in the knowledge base. The document had been updated by a contractor eight months earlier. The contractor’s account had been compromised. The malicious edit was subtle: a single code example changed to omit a validation step, buried in a document that nobody routinely reviewed. The document sat in the knowledge base for months, retrieved hundreds of times, generating insecure code suggestions that passed review because they looked like they followed departmental standards.

This is not a sophisticated nation-state attack. It is a compromised contractor account, a subtle documentation edit, and a knowledge base that nobody was monitoring. The damage was not dramatic. It was quiet, persistent, and systemic.

Why this matters now

Retrieval-Augmented Generation is becoming the standard approach for making AI coding assistants context-aware. Government teams are connecting AI tools to internal documentation, wikis, and code repositories to get suggestions that reflect their specific standards and architectures.¹ The UK AI Playbook for Government requires AI services to comply with Secure by Design principles and be resilient to cyber attacks, including AI-specific threats. Principle 3 states that organisations must understand risks including data poisoning and prompt injection.² The Playbook warns specifically about RAG: ‘RAG tools are susceptible to indirect prompt injection, either in the information retrieved by the initial search or through the user prompt.’³

Unlike prompt injection that affects a single interaction, RAG poisoning is persistent. One malicious document influences thousands of queries over months. The OWASP Top 10 for LLM Applications (2025) lists Prompt Injection as LLM01 and Data and Model Poisoning as LLM04, recognising both as critical risks to large language model deployments.⁴ Most teams deploying RAG-enhanced AI coding tools do not treat their knowledge bases as critical infrastructure, despite the direct influence those knowledge bases have over generated code.

This essay covers the attack surface, the common mistakes, and the defensive strategies. It builds on the governance foundation established in The UK AI Playbook: Do’s and Don’ts for Government AI Coding Tool Adoption (Essay A in this series) and applies Playbook Principles 3, 4, and 5 to the specific case of RAG-enhanced AI coding tools.

How RAG works and where the trust breaks

flowchart TD
    D["<b>Documents</b><br/>wikis · repos · guides"]:::source
    A1["ATTACK: Poisoned document<br/>ingested here"]:::attack

    C["<b>Chunk &amp; Embed</b>"]:::process
    V["<b>Vector Database</b>"]:::store

    Q["<b>Developer Query</b>"]:::query
    S["<b>Semantic Search</b><br/>ranks by relevance,<br/>not trustworthiness"]:::process
    A2["ATTACK: Malicious content<br/>ranks highest"]:::attack

    CTX["<b>Context Window</b><br/>query + retrieved docs"]:::process
    LLM["<b>LLM</b>"]:::process
    OUT["<b>Code Suggestion</b>"]:::output
    A3["RESULT: Insecure code<br/>generated at scale"]:::attack

    A1 -.-> D
    D --> C --> V
    Q --> S
    V -- "top-k docs" --> S
    S --> CTX --> LLM --> OUT
    A2 -.-> S
    A3 -.-> OUT

    classDef source  fill:#1e3a5f,stroke:#3b82f6,color:#dbeafe
    classDef process fill:#14532d,stroke:#22c55e,color:#dcfce7
    classDef store   fill:#312e81,stroke:#818cf8,color:#e0e7ff
    classDef query   fill:#713f12,stroke:#f59e0b,color:#fef9c3
    classDef output  fill:#1e3a5f,stroke:#3b82f6,color:#dbeafe
    classDef attack  fill:#7f1d1d,stroke:#ef4444,color:#fee2e2

The trust chain

RAG enhances AI coding assistants by retrieving relevant context from organisational knowledge bases before generating a response. Documents are split into chunks, converted into vectors using an embedding model, and stored in a vector database.⁵ When a developer asks a question, the query is embedded and matched against stored documents by semantic similarity. The top-ranked documents are retrieved and injected into the LLM’s context window alongside the query. The LLM generates a response grounded in that retrieved context.

This creates a chain of trust. The developer trusts the AI. The AI trusts the retrieval mechanism. The retrieval mechanism trusts the vector database. The vector database trusts the documents that were ingested into it. Break any link and the whole chain is compromised.⁶

Where it breaks

The vector database does not distinguish between legitimate and malicious content. Semantic search ranks documents by relevance to the query, not by trustworthiness.⁷ A poisoned document that is semantically relevant to common queries will be retrieved frequently. The LLM cannot tell whether retrieved context is genuine or malicious. It treats all retrieved content as authoritative input.

The developer sees a response that cites organisational documentation and trusts it. This trust is the feature that makes RAG valuable. It is also the vulnerability that makes RAG poisoning dangerous. An attacker who can insert or modify a single document in the knowledge base gains persistent influence over every developer who queries that topic.

The don’ts: five common mistakes

Don’t 1: Ingest untrusted sources without validation

Some organisations configure their RAG systems to automatically ingest content from external sources: Stack Overflow answers, public GitHub repositories, community forums, and unvetted wikis. More documentation means better context. But it also means more attack surface.

Consider a RAG system that ingests documentation from the department’s top 50 npm dependencies. An attacker compromises one package’s documentation and adds code examples containing cross-site scripting vulnerabilities. Every developer who asks the AI about that package receives insecure suggestions, grounded in what appears to be legitimate library documentation.

The OWASP Top 10 for LLM Applications lists Data and Model Poisoning as LLM04, identifying tampered training and retrieval data as a critical risk.⁸ The Playbook’s Principle 3 requires organisations to ‘understand the risks associated with your use of AI’, including data poisoning.⁹ Automatic ingestion of unvetted external sources violates both.

Don’t 2: Skip content filtering and sanitisation

Raw content is often ingested into knowledge bases without stripping malicious instructions, validating encodings, or sanitising embedded metadata. This creates an invisible attack vector.

An HTML comment in an ingested document might read: . A human reviewing the rendered documentation would never see it. Keyword-based filters would ignore it. But the LLM reads the raw content, including comments and metadata, and treats embedded instructions as context to follow.¹⁰

The OWASP Prompt Injection Prevention Cheat Sheet identifies this as a remote content injection vector: malicious instructions embedded in documents that the LLM processes as retrieved context.¹¹ Content must be sanitised before it enters the knowledge base, not after.

Don’t 3: Grant write access to the knowledge base without controls

Overly permissive access to knowledge base write operations is one of the simplest and most dangerous mistakes. When any developer can push documents into the knowledge base without review, a compromised account becomes a direct poisoning path with no audit trail, no approval workflow, and no rollback capability.

AWS security guidance for Amazon Bedrock emphasises least privilege access for data stores: write access to knowledge bases should be tightly controlled and separated from read access.¹² The Playbook’s Principle 3 requires compliance with Secure by Design principles, including access controls proportionate to the sensitivity of the asset.¹³

Don’t 4: Ignore retrieval patterns and anomalies

Most organisations deploying RAG-enhanced AI coding tools have no monitoring of which documents are retrieved or how frequently retrieval patterns change.

Consider a poisoned ‘security best practices’ document crafted to be semantically relevant to common security queries. It is retrieved at ten times the normal rate because its content has been optimised for common developer keywords. The poisoning goes undetected for months because nobody is watching.

AWS security guidance recommends event monitoring for both control plane and data access operations.¹⁴ Without retrieval monitoring, there is no way to detect anomalous document influence or new documents that achieve suspiciously high relevance scores immediately after ingestion.

Don’t 5: Trust the ranking algorithm as a proxy for trustworthiness

Semantic similarity is not quality. The vector database ranks documents by how closely they match the query’s meaning, not by whether they are accurate or safe.¹⁵

An attacker can craft a document loaded with security-related keywords that ranks first for queries like ‘secure API authentication’. The document contains a subtle authentication bypass. Developers receive and implement the highest-ranked suggestion, which is also the most dangerous.

The OWASP Secure AI/ML Model Ops Cheat Sheet identifies data plane security as a critical concern: the systems that serve predictions and responses must validate the integrity of the data they rely on, not just its relevance.¹⁶

The do’s: six defensive strategies

Do 1: Implement multi-layer validation before ingestion

Every document should pass through a validation pipeline before it enters the knowledge base. This pipeline should have four layers.

Layer 1: Source verification. Maintain an approved source list with cryptographic verification. Only documents from approved repositories, authored by verified accounts, should be eligible for ingestion.

Layer 2: Content sanitisation. Strip HTML comments, script tags, and hidden metadata. Decode obfuscated encodings. Remove embedded instructions that the LLM might interpret as directives.¹⁷

Layer 3: Security scanning. Check for known malicious patterns, suspicious code examples, and semantic similarity to previously identified attack payloads. AWS Bedrock security guidance recommends data purification filters as part of the ingestion pipeline.¹⁸

Layer 4: Human review for high-privilege content. Security guides, authentication patterns, data handling procedures, and architecture decision records should require human review before ingestion. Not everything needs a human in the loop, but security-critical documentation does.

This satisfies Playbook Principle 3: use AI securely, with safeguards and technical controls in place.¹⁹

Do 2: Apply least privilege to every knowledge base operation

Separate read and write paths strictly. Developers who query the RAG system should not have write access to the vector database. Ingestion of new sources should require multi-party approval. Ingestion credentials should be rotated regularly. The vector store should use customer-managed encryption keys.²⁰

This is least privilege applied to a new asset class. The NCSC Zero Trust architecture guidance applies directly: no implicit trust, verify every access request, limit permissions to the minimum necessary.²¹

Do 3: Monitor retrieval patterns and alert on anomalies

Baseline normal retrieval behaviour and detect deviations. Track retrieval frequency per document and similarity score distributions. Alert on documents retrieved at ten times above baseline, sudden spikes in security-related queries, or new documents that achieve high relevance scores on their first day.²²

Observability tools such as LangSmith provide tracing and monitoring for LLM pipelines, including retrieval pattern analysis.²³ Even basic logging gives you a baseline to detect anomalies. This satisfies Playbook Principle 5: manage the full AI lifecycle, including monitoring.²⁴

Do 4: Version control your knowledge base like code

Treat documentation ingestion like code deployment. Use Git-based workflows with pull request reviews for all knowledge base changes. Maintain immutable audit trails. Use cryptographic hashing for integrity verification. Tag known-good states so you can roll back quickly if poisoning is detected.²⁵

The OWASP Secure AI/ML Model Ops Cheat Sheet recommends version-controlled pipelines for all data that feeds into AI systems.²⁶ If poisoning is discovered, revert to the last clean version, investigate the scope of impact, and re-ingest from verified sources.

Do 5: Validate LLM output before it reaches developers

The knowledge base provides context, but the LLM generates the final code. That output needs its own validation layer. Implement content filters to block dangerous patterns: AWS Bedrock Guardrails and Azure Content Safety both provide configurable output filters.²⁷ Run static analysis tools on generated code before it reaches developers. For security-critical code paths — authentication, authorisation, payment processing, data handling — require human review before acceptance.

This satisfies Playbook Principle 4: meaningful human control at the right stages. The Playbook requires that ‘humans validate any high-risk decisions influenced by AI’.²⁸ Code suggestions for security-critical functions are high-risk decisions.

Do 6: Conduct adversarial testing and build detection systems

Move from reactive defence to proactive detection. Run red team exercises that specifically test RAG poisoning attack paths. Microsoft’s PyRIT framework provides tooling for adversarial testing of AI systems, including retrieval-based attacks.²⁹ Deploy honeypot documents — fake API keys, dummy security policies — that should never be retrieved in normal operation. Any retrieval of a honeypot is an immediate alert.

Verify document integrity through periodic hash checks against known-good baselines. Use anomaly detection to identify documents with unusual influence patterns.³⁰

This satisfies Playbook Principle 3 (security testing) and aligns with the NCSC Guidelines for Secure AI System Development, which recommend adversarial testing throughout the AI lifecycle.³¹

The organisational challenge

The culture shift

Developers trust AI suggestions that cite organisational documentation more than they trust generic AI output. This trust is rational. RAG-enhanced tools are specifically designed to ground their responses in your team’s standards. But the Playbook is clear: AI systems ‘lack reasoning and contextual awareness’ and their outputs are ‘not guaranteed to be accurate.’³² This applies to RAG-enhanced systems too. Grounding an AI in your documentation makes it more useful, but it does not make it infallible. Organisations must move from treating AI coding assistants as pure productivity tools to understanding them as attack surfaces that require proportionate security controls.

The governance gap

Most organisations do not have policies covering knowledge base ingestion, source approval, or documentation review workflows. The Playbook expects AI governance boards, AI systems inventories, and documented review processes.³³ For RAG systems, governance must extend to who can add documentation, what sources are approved, how knowledge base changes are audited, and who is accountable when something goes wrong.

The minimum viable governance for a RAG-enhanced AI coding tool is straightforward: an approved source list, a named owner for the knowledge base, and a basic ingestion review process. Start there and build from it.

The incident response gap

Most organisations have no playbook for RAG poisoning incidents. When poisoning is detected, the response requires five steps: confirm the scope (which documents, which queries, which generated code), contain the damage (isolate the knowledge base from the AI tool), eradicate the threat (remove poisoned documents), recover (roll back to a known-good state and re-ingest verified content), and conduct a post-incident review.

Playbook Principle 5 requires organisations to understand ‘how to securely close [an AI system] down at the end of its useful life.’³⁴ For RAG, this extends to knowing how to isolate and roll back a compromised knowledge base without disrupting the development team’s workflow. If you cannot answer the question ‘what do we do if our knowledge base is poisoned?’ then you have an incident response gap that needs closing.

The path forward

Why this is different from traditional supply chain attacks

Traditional supply chain attacks target individual libraries or packages. RAG poisoning targets the knowledge that teaches the AI how to code. The distinction matters.

One malicious document can propagate insecure patterns across dozens of projects, hundreds of developers, and months of code generation. The code it produces follows your naming conventions and references your internal APIs. It passes code review because it looks like it came from your own standards. This is not a vulnerability in a dependency. It is a vulnerability in the source of truth.

Three actions to take this week

1. Audit your knowledge base sources. List every document and external source your RAG system ingests. If you cannot produce this list, that is your first problem. You cannot secure what you cannot see.

2. Implement write controls. Ensure that adding or modifying documents in the knowledge base requires review and approval, with an audit trail. No unreviewed writes. This is the single highest-impact control you can put in place today.

3. Start monitoring retrieval patterns. Even basic logging of which documents are retrieved and how often gives you a baseline to detect anomalies. You do not need a sophisticated detection system on day one. You need visibility.

Looking ahead

RAG security is an emerging discipline. The tools and techniques will mature. But the fundamental principle will not change: your knowledge base is executable policy. Every document you ingest becomes a teacher for your AI coding assistant. Every vulnerability in that teaching material becomes a vulnerability in your code.

The Playbook frames this clearly. Data poisoning is a recognised AI security threat: ‘Attackers can target the data used to train an AI model to introduce vulnerabilities, backdoors or biases.’³⁵ Principle 3 requires you to understand it. Principle 4 requires meaningful human control over AI output.³⁶ Principle 5 requires you to manage the full lifecycle, including the data that feeds the system.³⁷

RAG makes AI coding tools more useful. Securing RAG makes that value sustainable. The goal is not to avoid RAG. It is to deploy it with the same security rigour you apply to production code and production databases.

Future essays in this series cover MCP server security (Essay B) and prompt injection in depth (Essay E). Both build on the RAG security foundation established here.

Call to action

Treat your knowledge base as critical infrastructure. Apply the same security rigour to documentation ingestion that you apply to code deployment. Share this essay with your security lead, your platform team, and anyone configuring RAG for AI coding tools.

Notes

UK AI Playbook for Government (2025), Security section. The Playbook discusses RAG as a technique for preserving user access controls when using generative AI with private data. Available at: https://www.gov.uk/government/publications/ai-playbook-for-the-uk-government/artificial-intelligence-playbook-for-the-uk-government-html ↩
UK AI Playbook for Government (2025), Principle 3: ‘Different types of AI are susceptible to different security risks. Some threats — such as data poisoning, perturbation attacks, prompt injections and hallucinations — are specific to AI.’ Available at: https://www.gov.uk/government/publications/ai-playbook-for-the-uk-government/artificial-intelligence-playbook-for-the-uk-government-html ↩
UK AI Playbook for Government (2025), Security section, Data leakage: ‘RAG tools are susceptible to indirect prompt injection, either in the information retrieved by the initial search or through the user prompt.’ Available at: https://www.gov.uk/government/publications/ai-playbook-for-the-uk-government/artificial-intelligence-playbook-for-the-uk-government-html ↩
OWASP Top 10 for LLM Applications (2025). LLM01:2025 Prompt Injection; LLM04:2025 Data and Model Poisoning. Available at: https://genai.owasp.org/llm-top-10/ ↩
AWS Amazon Bedrock Knowledge Bases Security documentation. Describes the architecture for ingesting data sources into vector stores for RAG retrieval. Available at: https://docs.aws.amazon.com/bedrock/latest/userguide/knowledge-base-security.html ↩
LlamaIndex Security Guidelines. Covers index security, retrieval validation, and the trust relationships in RAG architectures. Available at: https://docs.llamaindex.ai/en/stable/ ↩
Azure AI Search Security for RAG. Describes how semantic ranking works in vector search and the security implications of relevance-based retrieval. Available at: https://learn.microsoft.com/en-us/azure/search/search-security-overview ↩
OWASP Top 10 for LLM Applications (2025), LLM04:2025 Data and Model Poisoning: ‘Data poisoning occurs when pre-training, fine-tuning, or embedding data is manipulated to introduce vulnerabilities, backdoors, or biases.’ Available at: https://genai.owasp.org/llm-top-10/ ↩
UK AI Playbook for Government (2025), Principle 3: ‘You must understand the risks associated with your use of AI and of adversaries potentially using AI against you.’ Available at: https://www.gov.uk/government/publications/ai-playbook-for-the-uk-government/artificial-intelligence-playbook-for-the-uk-government-html ↩
Greshake et al., ‘Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection’ (2023). Demonstrates how hidden instructions in retrieved documents are followed by LLMs. Available at: https://arxiv.org/abs/2302.12173 ↩
OWASP Prompt Injection Prevention Cheat Sheet, RAG Poisoning (Retrieval Attacks): ‘Injecting malicious content into Retrieval-Augmented Generation (RAG) systems that use external knowledge bases.’ Available at: https://cheatsheetseries.owasp.org/cheatsheets/LLM_Prompt_Injection_Prevention_Cheat_Sheet.html ↩
AWS Amazon Bedrock Security Best Practices. GENSEC01 recommends least privilege access controls for all Bedrock resources, including knowledge base data stores. Available at: https://docs.aws.amazon.com/bedrock/latest/userguide/security.html ↩
UK AI Playbook for Government (2025), Principle 3: ‘Your service must comply with the Secure by Design principles.’ Available at: https://www.gov.uk/government/publications/ai-playbook-for-the-uk-government/artificial-intelligence-playbook-for-the-uk-government-html ↩
AWS Amazon Bedrock Security Best Practices. GENSEC03 recommends event monitoring for control plane and data access operations. Available at: https://docs.aws.amazon.com/bedrock/latest/userguide/security.html ↩
Zou et al., ‘Universal and Transferable Adversarial Attacks on Aligned Language Models’ (2023). Research on how adversarial inputs can manipulate model behaviour through semantically optimised content. Available at: https://arxiv.org/abs/2307.15043 ↩
OWASP Secure AI/ML Model Ops Cheat Sheet. Covers data plane security, version-controlled pipelines, and integrity verification for AI data sources. Available at: https://cheatsheetseries.owasp.org/cheatsheets/Secure_AI_Model_Ops_Cheat_Sheet.html ↩
OWASP Prompt Injection Prevention Cheat Sheet, Remote Content Sanitization section. Recommends stripping hidden instructions from content before it is processed by the LLM. Available at: https://cheatsheetseries.owasp.org/cheatsheets/LLM_Prompt_Injection_Prevention_Cheat_Sheet.html ↩
AWS Amazon Bedrock Security Best Practices. GENSEC06 recommends data purification filters for content entering AI pipelines. Available at: https://docs.aws.amazon.com/bedrock/latest/userguide/security.html ↩
UK AI Playbook for Government (2025), Principle 3: ‘To minimise these risks you should build in safeguards and put technical controls in place.’ Available at: https://www.gov.uk/government/publications/ai-playbook-for-the-uk-government/artificial-intelligence-playbook-for-the-uk-government-html ↩
AWS Amazon Bedrock Knowledge Bases Security documentation. Describes data source security, vector store encryption, and customer-managed encryption key support. Available at: https://docs.aws.amazon.com/bedrock/latest/userguide/knowledge-base-security.html ↩
NCSC Zero Trust Architecture guidance. Applies least privilege and continuous verification principles to all access requests. Available at: https://www.ncsc.gov.uk/collection/zero-trust-architecture ↩
AWS Amazon Bedrock Security Best Practices. GENSEC03 covers event monitoring including data access patterns and anomaly detection. Available at: https://docs.aws.amazon.com/bedrock/latest/userguide/security.html ↩
LangSmith Observability documentation. Provides tracing and monitoring for LLM pipelines, including retrieval pattern analysis for RAG systems. Available at: https://docs.smith.langchain.com/ ↩
UK AI Playbook for Government (2025), Principle 5: ‘You should know how to choose the right tool for the job, be able to set it up and have the right resource in place to support day-to-day maintenance of it.’ Available at: https://www.gov.uk/government/publications/ai-playbook-for-the-uk-government/artificial-intelligence-playbook-for-the-uk-government-html ↩
LangChain Security Best Practices. Covers agent framework security, tool validation, and input sanitisation for LLM pipelines. Available at: https://python.langchain.com/docs/security ↩
OWASP Secure AI/ML Model Ops Cheat Sheet. Recommends version-controlled data pipelines with integrity verification and rollback capability. Available at: https://cheatsheetseries.owasp.org/cheatsheets/Secure_AI_Model_Ops_Cheat_Sheet.html ↩
AWS Amazon Bedrock Security Best Practices. Describes Bedrock Guardrails for content filtering and output validation. Available at: https://docs.aws.amazon.com/bedrock/latest/userguide/security.html ↩
UK AI Playbook for Government (2025), Principle 4: ‘This includes ensuring that humans validate any high-risk decisions influenced by AI and that you have strategies for meaningful intervention.’ Available at: https://www.gov.uk/government/publications/ai-playbook-for-the-uk-government/artificial-intelligence-playbook-for-the-uk-government-html ↩
Microsoft AI Red Team Guidance and PyRIT. Describes adversarial testing frameworks including PyRIT for testing AI system resilience to poisoning and injection attacks. Available at: https://github.com/Azure/PyRIT ↩
MITRE ATLAS. Adversarial threat landscape for AI systems, documenting tactics and techniques including data poisoning and model manipulation. Available at: https://atlas.mitre.org/ ↩
NCSC Guidelines for Secure AI System Development. Joint guidance from NCSC, NSA, and CISA covering secure design, development, deployment, and operation of AI systems, including adversarial testing. Available at: https://www.ncsc.gov.uk/collection/guidelines-secure-ai-system-development ↩
UK AI Playbook for Government (2025), Principle 1. The Playbook notes that AI systems lack reasoning and contextual awareness and that generative AI outputs are not guaranteed to be accurate. Available at: https://www.gov.uk/government/publications/ai-playbook-for-the-uk-government/artificial-intelligence-playbook-for-the-uk-government-html ↩
UK AI Playbook for Government (2025), Governance section: ‘You should manage governance of AI through an AI governance board or AI expert representation on an existing governance board.’ Available at: https://www.gov.uk/government/publications/ai-playbook-for-the-uk-government/artificial-intelligence-playbook-for-the-uk-government-html ↩
UK AI Playbook for Government (2025), Principle 5: ‘You should also know how to update the system and how to securely close it down at the end of its useful life.’ Available at: https://www.gov.uk/government/publications/ai-playbook-for-the-uk-government/artificial-intelligence-playbook-for-the-uk-government-html ↩
UK AI Playbook for Government (2025), Security section, Data and model poisoning: ‘Attackers can target the data used to train an AI model to introduce vulnerabilities, backdoors or biases that compromise the model’s security and behaviour.’ Available at: https://www.gov.uk/government/publications/ai-playbook-for-the-uk-government/artificial-intelligence-playbook-for-the-uk-government-html ↩
UK AI Playbook for Government (2025), Principle 4: ‘You need to monitor the AI’s behaviour and have plans in place to prevent any harmful effects on users.’ Available at: https://www.gov.uk/government/publications/ai-playbook-for-the-uk-government/artificial-intelligence-playbook-for-the-uk-government-html ↩
UK AI Playbook for Government (2025), Principle 5: ‘AI solutions, like other technology deployments, have a full product life cycle that you need to understand.’ Available at: https://www.gov.uk/government/publications/ai-playbook-for-the-uk-government/artificial-intelligence-playbook-for-the-uk-government-html ↩