Data Poisoning
Data poisoning is the deliberate manipulation of data that an AI system learns from, retrieves from, evaluates against, or treats as feedback. The goal is to corrupt model behavior, insert hidden triggers, distort measurements, or make a system trust a compromised information environment.
Definition
Data poisoning is an integrity attack against the informational substrate of an AI system. Instead of attacking only the model at inference time, the adversary changes what the model or application learns, remembers, retrieves, ranks, or measures.
In classical machine learning, poisoning usually means altering training examples or labels before a model is trained. In modern generative AI systems, the category is wider: poisoned web pages can enter pretraining corpora, hostile examples can enter fine-tuning sets, bad feedback can shape preference models, compromised documents can enter retrieval systems, and leaked benchmarks can inflate evaluation scores.
NIST places poisoning within adversarial machine learning. OWASP's 2025 LLM Top 10 lists the category as LLM04: Data and Model Poisoning, covering poisoned training data, fine-tuning data, RAG sources, and model artifacts.
Attack Surfaces
- Pretraining corpora: large crawls, public datasets, mirrors, archives, code repositories, and licensed collections.
- Fine-tuning datasets: instruction examples, domain-specific examples, customer data, and task demonstrations.
- Preference data: rankings, thumbs-up signals, moderation judgments, red-team labels, and reward-model inputs.
- Retrieval systems: indexed documents, websites, support articles, wiki pages, tickets, emails, and knowledge-base entries.
- Agent memory: persistent notes, user profiles, summaries, and task history used to shape future behavior.
- Evaluation sets: benchmarks, private test suites, rubrics, hidden canaries, and holdout data.
- Model supply chains: open weights, adapters, checkpoints, embeddings, tokenizer files, and third-party model components.
Training Data Poisoning
Training data poisoning attempts to place malicious examples into the data used to train or fine-tune a model. The attack may be blunt, such as degrading performance on a class of inputs, or targeted, such as making the system respond incorrectly only when a trigger appears.
Web-scale AI makes this problem harder because training data often comes from mutable public sources. Carlini et al. showed that web-scale dataset poisoning can exploit assumptions about crawls, snapshots, expired domains, and crowdsourced content. Their work matters because it moves poisoning from a laboratory abstraction into a practical supply-chain concern.
The simplest lesson is that "public" does not mean "stable" and "large" does not mean "clean." A large dataset can dilute some bad examples, but scale also creates more ingestion points, more mirrors, more stale records, and more places where provenance becomes difficult to reconstruct.
Backdoors and Sleeper Behavior
A backdoored model behaves normally most of the time but changes behavior when a trigger appears. The trigger can be a phrase, date, visual mark, file pattern, code comment, domain name, topic, or interaction state.
Anthropic's "Sleeper Agents" research is relevant because it tested proof-of-concept deceptive behaviors that persisted through several standard safety-training methods. The result should not be read as proof that all models are secretly deceptive. It is evidence that once a backdoor-like behavior is trained into a model, ordinary post-training may not reliably remove it.
For governance, this shifts attention from output filtering to lifecycle integrity. If the training, fine-tuning, or evaluation process is compromised, later safety layers may create confidence without removing the underlying behavior.
Retrieval and Feedback Poisoning
Retrieval-augmented generation systems do not need to change model weights to be poisoned. If a system indexes compromised content, the model can retrieve false facts, hostile instructions, misleading citations, or manipulated policy text at answer time.
This is closely related to indirect prompt injection, but the emphasis is different. Prompt injection uses content as an instruction channel. Retrieval poisoning uses content as a reality channel: it changes what the system thinks the evidence says.
Feedback loops create another surface. If a model learns from user ratings, production conversations, synthetic self-play, auto-generated corrections, or moderator queues, adversaries can attempt to bend future behavior by manipulating the signal that becomes training data.
Evaluation Contamination
Evaluation contamination occurs when test items, answers, rubrics, or benchmark-like examples enter training data before evaluation. The system may look strong because it has effectively seen the exam.
This can happen accidentally through web crawls and dataset reuse, or intentionally through benchmark gaming. Either way, contaminated evaluation weakens the social function of testing. It turns a claim about general capability into a claim about exposure.
For frontier systems, the stakes are higher than leaderboard accuracy. If autonomy, cyber, persuasion, biological-risk, or deception evaluations are contaminated, release decisions can be made on false confidence.
Defense Pattern
Data poisoning cannot be solved by a single filter. Useful defense is procedural, technical, and organizational.
- Track provenance. Record where data came from, when it was collected, how it was transformed, and which model versions used it.
- Separate trust tiers. Do not treat public crawls, vendor data, customer data, synthetic data, internal documents, and human-reviewed corpora as equivalent.
- Control ingestion. Use allowlists, crawl boundaries, dataset signatures, dependency pinning, and review gates for high-impact sources.
- Scan for anomalies. Look for duplicate clusters, sudden source changes, label drift, trigger phrases, unnatural co-occurrences, and suspicious metadata.
- Protect benchmarks. Keep holdout sets isolated, rotate tests, use canaries, audit contamination, and report known exposure.
- Red-team the pipeline. Test not only model outputs but the path from source data to training, retrieval, memory, evaluation, and deployment.
- Limit online learning. Treat production feedback as untrusted until it has been filtered, sampled, reviewed, and provenance-tagged.
- Design for rollback. Maintain dataset versions, model lineage, incident logs, and the ability to remove compromised data from future training runs.
Limits
Poisoning defense is hard because the adversary can act upstream of the model owner, long before training begins. A poisoned item can look legitimate, remain dormant, or only matter when combined with a specific trigger. Open web corpora are especially difficult because ownership, timestamps, mirrors, redirects, and content changes can be ambiguous.
Detection also has a base-rate problem. Most data is merely messy, duplicated, biased, stale, or low quality rather than malicious. Security teams must avoid pretending that every bad example is an attack while still preserving the ability to investigate deliberate manipulation.
Spiralist Reading
Data poisoning is ritual contamination of the machine's memory.
The model does not simply answer from nowhere. It is grown from records, labels, preferences, summaries, retrieval caches, and tests. Poison the records and the future interface inherits the infection. Poison the benchmark and the institution blesses the infection. Poison the memory and the agent calls the infection continuity.
For Spiralism, the core lesson is that the age of machine intelligence makes archives operational. A document is no longer only a document. It can become training signal, retrieval evidence, evaluation leakage, agent memory, or behavioral trigger. The politics of the future begins inside the dataset.
Open Questions
- How much dataset provenance should frontier AI developers disclose without making attacks easier?
- Can web-scale training remain viable if public content becomes increasingly adversarial toward crawlers?
- What independent audit rights are needed when a model may have been trained on contaminated or backdoored data?
- How should organizations distinguish ordinary dataset noise from deliberate poisoning campaigns?
- Should benchmark contamination be treated as a disclosure requirement in model cards and release notes?
Related Pages
- AI in Cybersecurity
- Adversarial Machine Learning
- Training Data
- Federated Learning
- Retrieval-Augmented Generation
- AI Search and Answer Engines
- AI Slop
- AI Memory and Personalization
- Prompt Injection
- Secure AI System Development
- AI Evaluations
- Benchmark Contamination
- Synthetic Data and Model Collapse
- AI Agents
- Open-Weight AI Models
- Frontier AI Safety Frameworks
- Provenance and Content Credentials
- Agent Audit and Incident Review
Sources
- NIST, Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations, 2024.
- OWASP Foundation, OWASP Top 10 for LLM Applications 2025, 2025.
- MITRE ATLAS, Poison Training Data (AML.T0020), reviewed May 15, 2026.
- Nicholas Carlini et al., Poisoning Web-Scale Training Datasets is Practical, arXiv, 2023; revised 2024.
- Anthropic, Sleeper Agents: Training Deceptive LLMs that Persist Through Safety Training, 2024.