How do I defend against embedding inversion attacks that reconstruct source text from vectors?
To defend against embedding inversion attacks, apply access control to vector databases as if they held the original text, encrypt stored embeddings, and consider differentially-private embedding techniques. This addresses the OWASP LLM Top 10 risk of PII Leakage (L2) and is part of the Data Operations (L2) layer of the MAESTRO framework.
- Treat vector databases as primary data stores: For governance purposes, vector databases should be treated with the same level of security and access control as the raw text they were derived from, rather than just as search indexes with relaxed controls.
- Encrypt embeddings at rest: Where warranted by data sensitivity, encrypt embeddings stored in vector databases.
- Implement differentially-private embedding techniques: For highly sensitive data, consider using differentially-private embedding techniques to add noise and prevent reconstruction.
- Classify and inherit data classifications: Implement a data classification service where source data is classified at ingestion, and derived data (including embeddings) inherits at least the classification of its inputs. Access control at retrieval, context assembly, and output should enforce these classifications.
- Partition memory stores: Memory stores, including embedding stores, should be partitioned by tenant and by classification level to prevent cross-tenant context leakage. This can involve separate physical or logical vector indexes for confidential data.
- Maintain a data inventory: Keep a continuously updated map of where personal and sensitive data exists, how it flows, who has access to it, and how long it persists. This supports demonstrating control and responding to incidents.
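The classification-inheritance, partitioning and inventory points above can be enforced in the retrieval layer itself, so that a query never touches a partition the caller is not cleared for. The following is an added example, not code from the original answer or from any framework it cites: a small in-memory vector store in which each ingested chunk inherits the highest classification of its inputs, records are partitioned by (tenant, classification), and a query is only run against partitions at or below the caller's clearance. The classification labels, the character-count "embedding" function and the sample documents are constructed stand-ins for a real model and real data.

```python
"""Added example: tenant- and classification-partitioned vector store.
Labels, toy_embed() and the sample documents are constructed for illustration."""
from dataclasses import dataclass
import math

# Ordered classification levels; a higher index means more sensitive (assumed labels).
LEVELS = ["public", "internal", "confidential", "restricted"]


def level_rank(label: str) -> int:
    # list.index raises ValueError for an unknown label, so unlabelled data fails closed.
    return LEVELS.index(label)


def inherit_classification(*labels: str) -> str:
    """Derived data (a chunk, a summary, an embedding) carries at least the
    highest classification of every input that went into it."""
    return max(labels, key=level_rank)


def toy_embed(text: str) -> list[float]:
    """Deterministic bag-of-letters vector, a constructed stand-in for an embedding model."""
    vec = [0.0] * 26
    for ch in text.lower():
        if "a" <= ch <= "z":
            vec[ord(ch) - ord("a")] += 1.0
    norm = math.sqrt(sum(v * v for v in vec)) or 1.0
    return [v / norm for v in vec]


def cosine(a: list[float], b: list[float]) -> float:
    return sum(x * y for x, y in zip(a, b))


@dataclass
class Record:
    tenant: str
    classification: str
    doc_id: str
    vector: list[float]


class PartitionedVectorStore:
    """Each (tenant, classification) pair is its own index; nothing is shared across keys."""

    def __init__(self) -> None:
        self._partitions: dict[tuple[str, str], list[Record]] = {}

    def ingest(self, tenant: str, doc_id: str, text: str, *input_labels: str) -> str:
        # The embedding inherits the strictest label among its source inputs.
        label = inherit_classification(*input_labels)
        rec = Record(tenant, label, doc_id, toy_embed(text))
        self._partitions.setdefault((tenant, label), []).append(rec)
        return label

    def query(self, tenant: str, clearance: str, text: str, k: int = 3) -> list[tuple[float, str, str]]:
        """Search only partitions the caller may read: same tenant and a
        classification no higher than the caller's clearance. Other partitions
        are skipped entirely, so their vectors never reach the scoring step."""
        q = toy_embed(text)
        hits: list[tuple[float, str, str]] = []
        for (t, label), records in self._partitions.items():
            if t != tenant or level_rank(label) > level_rank(clearance):
                continue
            hits.extend((cosine(q, r.vector), r.doc_id, label) for r in records)
        hits.sort(reverse=True)
        return hits[:k]

    def inventory(self) -> dict[tuple[str, str], int]:
        """Where sensitive vectors live and how many there are, per tenant and level."""
        return {key: len(recs) for key, recs in self._partitions.items()}


def build_sample_store() -> PartitionedVectorStore:
    """Constructed sample corpus for two tenants."""
    store = PartitionedVectorStore()
    store.ingest("acme", "pub-1", "quarterly product roadmap", "public")
    store.ingest("acme", "conf-1", "salary and bank account details for staff", "confidential")
    # A summary built from a public and a confidential source inherits "confidential".
    store.ingest("acme", "derived-1", "summary of staff salary data", "public", "confidential")
    store.ingest("globex", "g-1", "globex staff directory", "internal")
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(s.query("acme", "internal", "staff details"))    # public partition only
    print(s.query("acme", "restricted", "staff details"))  # all acme partitions
    print(s.inventory())
```

The key property is that the clearance check happens before any vector is scored, so a low-clearance query cannot even observe the similarity of a confidential record; enforcing the same check at context assembly and at output, as the answer recommends, closes the remaining paths.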
This AI-generated answer is for guidance only — not a certification, audit, or penetration test. Grounded in the NIST AI RMF, OWASP LLM Top 10, and ISO/IEC 42001 control text; verify applicability to your environment.