What makes dense retrievers vulnerable to partition-based poisoning exploitation?

This explores why dense retrievers are structurally easy to poison, and what 'partition' has to do with it. The short version from the corpus: a dense retriever ranks documents by their geometric closeness to a query in a single shared embedding space, and nothing bounds how much influence any one document can have over that space. A poisoned passage crafted to sit near many queries at once can therefore dominate retrieval for all of them — its reach isn't partitioned, so it leaks everywhere. That's exactly the lever the defense in Can we defend RAG systems from corpus poisoning without retraining? pulls on: RAGPart deliberately partitions retriever learning so a single poisoned document's influence is bounded to a slice rather than the whole corpus, and RAGMask flags documents whose similarity score collapses abnormally under token masking — a tell that the text was optimized to be retrieved rather than to be relevant.

The deeper reason the attack works lives in the geometry. Where do retrieval systems fail and why? makes the load-bearing point: embeddings measure *association*, not *relevance* — so a document doesn't have to be a good answer, it just has to be geometrically near. An attacker who can optimize text against that similarity function is playing the retriever's own game. And Why can't cosine space retrievers distinguish word order? shows the space is even friendlier to abuse than it looks: cosine spaces force concepts into linear superposition, which means a crafted passage can be near many distinct query directions simultaneously without the geometry pushing back. The retriever literally cannot tell a precise topical match from an adversarial near-miss using compressed vectors alone.

There's a trap here too, and it's worth knowing: you can't just train the vulnerability away. Does training for compositional sensitivity hurt dense retrieval? finds that pushing dense retrievers to be more structurally discriminating (the same sensitivity that would help reject crafted poison) consistently *degrades* zero-shot generalization by 8–40% nDCG. That's why poisoning is a retrieval-layer problem, not a tuning problem — the fix has to sit outside the embedding bottleneck.

Which is why the most durable answers in the corpus add a second stage rather than a better first stage. Can verification separate structural near-misses from topical matches? puts a small verifier on the full token-to-token similarity map *after* cosine recall, and it reliably rejects structural near-misses that compressed-vector matching waves through — the same class of object a poisoned document is. Pair that with RAGPart's partitioning and you get the shape of a real defense: bound any single document's blast radius, then verify survivors on signals the embedding space throws away.

The last thing worth knowing you didn't ask: retrieval-time poisoning isn't even the worst case. How much poisoned training data survives safety alignment? shows that at just 0.1% contamination, denial-of-service, context-extraction, and belief-manipulation attacks survive standard safety alignment entirely. So a partitioned, verified retriever is defending one layer of a stack where poison can also be baked in far earlier — and the retrieval layer is, encouragingly, the one place you can detect it without retraining anything.