This work addresses the challenge of auditing image copyright protection in Image Retrieval-Augmented Generation (IRAG) systems by proposing the first membership inference attack tailored for IRAG. The method decomposes the attack into two stages—cross-modal retrieval and discriminative signal extraction—and innovatively integrates reward-guided policy optimization (RGPO), cross-modal embedding navigation, and a task-adaptive joint design of prompts and scoring functions. Multi-query signals are aggregated via K-means clustering to enhance inference accuracy. Theoretical analysis establishes the optimality of the approach under limited query budgets. Empirical results demonstrate that with only four queries, the attack achieves over 80% AUROC across diverse IRAG systems, substantially outperforming existing methods and exhibiting both high efficiency and robustness in auditing capabilities.

Image-based Retrieval-Augmented Generation (IRAG) conditions a frozen generator on reference images retrieved from an external database, supporting both text-to-image (T2I) and question answering (Q&A) tasks. Because these databases are opaque and web-scraped, copyright holders need ways to audit whether specific images appear in them. While prior work employs membership inference attacks (MIAs) to audit uni-modal, text-based RAG, they fail to transfer to IRAG due to two key challenges. First, cross-modal retrieval: text-RAG MIAs force retrieval of the target passage by injecting its content into the query, which is unavailable in IRAG since images cannot be embedded into text queries; even accurate image captions fail to bridge the modality gap. Second, discriminative signal extraction: text-RAG MIAs extract membership signals by prompting the generator to answer multiple questions over the target passage, whereas T2I generators in IRAG produce images rather than follow Q&A commands. To fill this gap, we introduce the first MIA tailored to IRAG, ImageAuditor, which decomposes each attack query into a retrieval segment and an extraction segment, enabling dedicated optimization for each challenge. For retrieval, we propose Reward-Guided Policy Optimization (RGPO), which updates a stochastic policy from reward-ranked candidates to navigate the cross-modal embedding landscape and admits finite-sample optimality guarantees to balance exploration and exploitation. For extraction, we analyze the distribution of the MIA score to guide the co-design of the prompting strategy and scoring rule, and derive task-specific instantiations for T2I and Q&A tasks. We aggregate signals across queries via K-means clustering for reliable membership decisions. Across various IRAG systems, ImageAuditor exceeds 80% AUROC with only four queries per audited image and remains robust across diverse settings.