RAG looks simple from outside the system boundary because the basic abstraction is intuitive: a user asks a question, a retriever selects material from an indexed corpus, selected context enters the prompt, and the model answers from the information that survived that path. The fragility sits inside that last phrase, because the answer only inherits the context that actually crosses the retrieval boundary before inference begins.
Lewis et al. described retrieval-augmented generation as a hybrid architecture combining parametric memory in the generator with non-parametric memory accessed through retrieval, where the generator conditions on the input plus retrieved passages rather than on the upstream corpus as a whole (Lewis et al., Retrieval-Augmented Generation for Knowledge-Intensive NLP Tasks, 2020).
The uncomfortable part is that upstream existence and prompt presence are different states. A document can sit safely inside the corpus, a manifest can commit to that document, and the answer can still be generated from a prompt that never received the decisive rule through the retrieval path.
That is the boundary this note cares about, not whether the model sounds confident, not whether a citation appears beside the final sentence, and not whether the broader corpus would have answered the question if the right passage had been selected. The narrower audit question is whether the critical rule crossed from a committed corpus snapshot into selected context and then into the final prompt.
That is also why citations are the wrong primitive to lean on too heavily. A citation is an output artifact, it can help a reader inspect whether a statement has documentary support, but it does not prove how the cited source was selected, whether selected context came from the intended corpus snapshot, or whether the model relied on that source while generating the answer.
Recent attribution work draws this line directly: citation correctness asks whether a cited document supports a statement, while faithfulness asks whether the model actually used that document rather than attaching a plausible source after the fact (Wallat et al., Correctness is not Faithfulness in RAG Attributions, 2024).
Generative-search audits show the same problem at the product surface, where fluent answers can contain unsupported statements and inaccurate citations while still looking well grounded to the user (Liu et al., Evaluating Verifiability in Generative Search Engines, 2023).
None of this means citations are useless, It means they are incomplete for retrieval audit. A source link can support a sentence while remaining silent about corpus state, query rewriting, ranking, truncation, context packing, and prompt inclusion, which are exactly the surfaces where retrieval-augmented systems can fail before the model begins to generate.
The retrieval layer has its own version of the same problem because a clean top-k list is still only a returned payload, not evidence of the corpus snapshot or retrieval semantics that produced it. Verifiable vector-search work starts from that gap, using commitments to corpus snapshots and proofs over stated retrieval semantics so that downstream systems do not have to treat dense retrieval output as self-authenticating (Qiu et al., V3DB: Audit-on-Demand Zero-Knowledge Proofs for Verifiable Vector Search over Committed Snapshots, 2026).
The missing-rule test
This local experiment is deliberately small because the claim it tests is narrow. There is no LangChain stack, vector database, LLM API call, or semantic retriever standing between readers and the artifact. The corpus contains 12 policy files, and the decisive rule is 'POLICY-042:' a payment resolver must reject a transfer to a restricted-beta beneficiary unless a signed override is attached.
The committed corpus manifest hash is 62bbe5fd21d86a7e0ca16447605c5ce89929e6c99d02e09f1c736ce1fc153e24, which gives the test a stable upstream state before any retrieval path begins.
Run 001 uses the lossy rewritten query payment resolver approval transfer signed manual override routing requirements. The rewrite preserves adjacent payment and override vocabulary, but it drops the decisive restricted-beta term, so retrieval selects 'POLICY-077' and 'POLICY-001' rather than the rule that controls the user question. 'POLICY-042' exists in the committed corpus but did not cross the retrieval boundary into selected context.
The control runs matter because they prevent the result from becoming a vague complaint about retrieval. Run 002 uses the original user question, 'Should a payment resolver approve a transfer to a restricted-beta beneficiary if no signed override is attached?', and the same corpus retrieves 'POLICY-042' alongside 'POLICY-001'. Preserving the decisive term is what changes the outcome: Run 003 rewrites the query but keeps restricted-beta beneficiary signed override payment resolver reject approval, which again brings 'POLICY-042' into selected context alongside 'POLICY-077'.
Query rewriting is therefore not the failure by itself; the failure appears when the rewrite drops the term that distinguishes the decisive rule from nearby policy fragments. Expanding the context window produces a similar correction: Run 004 keeps the lossy query from Run 001 but sets 'top_k = 3 rather than 2', recovering 'POLICY-042' in the third slot and confirming that the missing-rule result is retrieval-path dependent rather than evidence of corpus absence.
| Run | Selected docs | POLICY-042 selected | POLICY-042 in prompt |
| ----------------------------------------- | ---------------------------------------- | ------------------: | -------------------: |
| run-001-lossy-query | POLICY-077, POLICY-001 | False | False |
| run-002-direct-query | POLICY-042, POLICY-001 | True | True |
| run-003-rewrite-preserves-decisive-term | POLICY-042, POLICY-077 | True | True |
| run-004-lossy-query-topk3 | POLICY-077, POLICY-001, POLICY-042 | True | True |
This experiment does not reveal some exotic weakness in RAG. Top-k truncation always creates a boundary, and any retrieval system that compresses a larger corpus into a smaller context window has to decide what crosses. The useful part is that the failure state is explicit, hashed, and small enough to inspect by hand. A selected RAG context can exclude a decisive rule that exists upstream in a committed corpus, and once that happens, the failure has already occurred before inference.
RAG evaluation work already treats this as a separate surface from answer quality: ARES evaluates context relevance, answer faithfulness, and answer relevance as distinct dimensions (Saad-Falcon et al., ARES: An Automated Evaluation Framework for Retrieval-Augmented Generation Systems, 2023), while Mindful-RAG identifies failure points where systems do not adequately gather relevant context before answering (Agrawal et al., Mindful-RAG: A Study of Points of Failure in Retrieval Augmented Generation, 2024).
That boundary also sets the limit of the claim. The test does not prove the model had no parametric knowledge, because no model answer was generated and no model weights were examined. It does not test answer behavior, since a model might still answer correctly from another selected document, from prior knowledge, or from reasoning over a partial fragment. Production RAG systems are not proven to fail this exact way, because the harness here is a controlled keyword-overlap retriever rather than a deployed semantic retriever. Truthful AI is outside the proof target entirely. The experiment proves a narrower provenance claim: selected context can exclude a decisive rule that exists upstream.
Context attestation
Context attestation becomes interesting precisely because the disputed object is not the truth value of the answer. The disputed object is the information boundary around inference, which means the audit target should be the committed corpus, the retrieval path, the selected context artifact, and the final prompt handoff.
Context attestation would not say, "the answer is true." It would say something narrower: (a) this corpus snapshot was committed, (b) this retrieval path was executed under defined semantics, (c) these documents were selected, and (d) this context artifact entered the final prompt. That primitive is smaller than truthful AI, but it is more auditable because it gives reviewers a concrete place to check whether the answer had access to the decisive rule before judging whether the answer used it correctly.
The crypto analogy is useful as long as it stays modest. A validity proof does not prove that an economic policy is wise; it proves that a state transition followed the stated rules. Context attestation has the same shape, proving a boundary condition around the information supplied to inference rather than the correctness of the model's final claim. One possible later implication is binding retrieval validation and prompt assembly more tightly, because a proof over retrieval alone can show that the top-k set was produced under stated retrieval semantics while a compromised or misconfigured runtime could still alter context after retrieval and before prompt inclusion. That is an implementation direction, not the claim tested here. The missing-rule test is only a claim about provenance: if citations are the visible receipt, selected context is the object that needs the audit trail.

