SlinkyOnStairs 6 hours ago

> it requires a bad actor with critical access

This isn't particularly hard. Lots and lots of these tools take from the public internet. There's already plenty of documented examples of Google's AI summary being exploited in a structurally similar way.

As far as internal systems are concerned, getting write access to documents isn't hard either. Compromising some workers is easy. Especially as many of them will be using who knows what AI systems to write these documents.

> it also requires that the final RAG output doesn't provide a reference to the referenced result.

RAG systems providing a reference is nearly moot. If the references have to be checked, if the "Generation" cannot be trusted to be accurate and not hallucinate a bunch of bullshit, then you need to check every single time, and the generation part becomes pointless. Might as well just include a verbatim snippet.

sidrag22 4 hours ago

> Might as well just include a verbatim snippet.

I guess I'm looking more at semantic search as ctrl + F on steroids for a lot of use cases. In some use cases you might just want the output, but I think blindly making assumptions in use cases where the pitfalls are drastic requires the reference. I'm biased; the RAG system I've been messing with is very heavy on the reference portion of the functionality.