Data poisoning explained: how training data becomes an attack surface

In-depth analyses of real-world cyber incidents and emerging threat trends, authored exclusively by our analysts.

Joanna Larson
7 min read
6 July 2026

Most AI security conversations focus on what happens when someone attacks your model while it is running, things like prompt injection. Data poisoning is different, and in some ways more unsettling, because it happens earlier, quietly, and can shape how your AI behaves long before anyone notices. It is the deliberate corruption of the data your AI learns from, retrieves, or remembers, so that the model behaves in a way the attacker wants rather than the way you intended.

This article explains what data poisoning actually is, why it matters even for a small AI startup, the real numbers behind how little it takes to succeed, and what genuinely reduces the risk.

What data poisoning actually is

Data poisoning means an attacker deliberately inserts misleading, corrupted, or malicious content into the data your AI system learns from or consults, in order to change its behaviour. It is not about attacking your infrastructure or hacking your servers. It is about quietly influencing the data itself, so the system you trained or deployed behaves differently than you think it does.

The attack surface is broader than most founders assume. It is not limited to the original training data of a foundation model. It reaches into fine tuning datasets, the knowledge base your retrieval system pulls from, and even the persistent memory some AI agents maintain across sessions. Anywhere your AI treats a piece of data as trustworthy is a place it can potentially be poisoned.

Why the numbers should genuinely worry you

This is the part that surprises most founders. Data poisoning is often assumed to require compromising a large share of a dataset to have any effect. Research shows the opposite. A model can be measurably degraded or given a hidden backdoor by corrupting a strikingly small fraction of its training data, sometimes well under one per cent, and in some documented research, as few as a few hundred crafted examples were enough to poison a model regardless of how large the overall dataset was.

The picture is even starker for retrieval systems. A retrieval augmented generation setup, which is how most AI startups ground their product in their own data, can have its outputs meaningfully manipulated by planting only a handful of malicious documents into the knowledge base it retrieves from. Studies on this have found high success rates for retrieval poisoning using a small number of well crafted documents, which means an attacker does not need broad access to your systems, only the ability to get a small amount of convincing looking content into a source your AI trusts.

For a startup, the implication is direct. You do not need a large, resourced attacker to be at risk. A handful of malicious inputs, planted in the right place, is enough.

Where this shows up in a real AI product

Strip away the research framing and here are the shapes this takes in a typical startup product.

  • Your RAG knowledge base gets seeded with poisoned content. If your product answers questions by retrieving from a knowledge base that can be added to by users, scraped from the web, or sourced from external documents, an attacker can plant content designed to be retrieved and treated as authoritative, quietly steering your AI's answers.
  • Fine tuning on external or crowdsourced data introduces hidden behaviour. If you fine tune a model on data collected from sources you do not fully control, web scraping, user submitted content, third party providers, a small number of poisoned examples slipped into that data can implant behaviour that only appears under specific triggering conditions, while the model performs normally otherwise.
  • Persistent agent memory gets manipulated over time. Agents that remember information across sessions can have that memory poisoned gradually, so a manipulation inserted once continues to influence the agent's behaviour long after the original interaction is gone.
  • Pre trained models and datasets sourced from open platforms carry hidden backdoors. Models, fine tuning datasets, and weights shared through open platforms can themselves already contain planted backdoors before you ever touch them, which is a supply chain risk as much as a data risk.

The common thread is that poisoned data behaves like ordinary input right up until a specific trigger activates it, which is exactly why it is so hard to catch through normal testing. A poisoned model can pass every standard benchmark and quality check while still carrying a hidden, attacker controlled behaviour.

Why this is a security incident, not a quality issue

It is tempting to file data poisoning under data quality, something for your machine learning team to worry about rather than security. That framing is a mistake. When the corruption is deliberate and attacker controlled, a model that behaves incorrectly under specific conditions is not a bug, it is a compromised system. For anything security sensitive, fraud detection, credit decisions, content moderation, or a product making judgements about people, this distinction matters enormously, because the failure is not random, it is exactly where an attacker wants it.

What genuinely reduces the risk

There is no single fix, but a handful of practical measures meaningfully reduce your exposure, and none of them require a large team to implement.

  • Know where every piece of your data actually came from. Data provenance, a clear record of the source and history of the data you train or retrieve from, is the foundation everything else builds on. You cannot secure data you cannot trace.
  • Treat third party and crowdsourced data as unverified until checked. If you fine tune on external datasets, scraped content, or user submissions, do not assume it is clean. Apply filtering, deduplication, and basic quality checks before it enters your pipeline.
  • Limit who and what can add to your knowledge base. For RAG systems specifically, control what sources can be ingested and treat any user or externally influenced content added to the knowledge base with real scrutiny, since this is the most accessible poisoning route for an attacker with no special access.
  • Validate inputs to your vector store, not just your model. The retrieval layer is as much an attack surface as the model itself, and it is often the easier one to defend, because you control what gets ingested.
  • Source pre trained models and datasets from reputable, verifiable origins. If you are building on an open model or dataset, understand where it came from and whether its provenance can be trusted, rather than assuming popularity equals safety.
  • Monitor continuously, not just at launch. Because poisoned content can sit dormant until triggered, a one time check at deployment is not enough. Ongoing validation and monitoring of both your data sources and your model's behaviour is what catches issues that a single audit would miss.

None of this requires enterprise scale tooling. It requires treating your data pipeline with the same seriousness you would treat any other part of your attack surface, because that is exactly what it is.

Why this matters for enterprise buyers

Data poisoning is increasingly part of what a sophisticated buyer's security team thinks about when they assess an AI vendor, particularly for products used in sensitive decision making. Being able to explain where your training and retrieval data comes from, how you validate it, and how you would detect if it had been tampered with is a genuine sign of maturity that most AI startups cannot yet demonstrate. Not being able to answer at all signals the opposite.

The honest takeaway

Data poisoning is not a distant, theoretical research problem. It takes a surprisingly small amount of corrupted data to meaningfully change how an AI system behaves, and the routes in, fine tuning on unverified data, an open RAG knowledge base, persistent agent memory, are present in a large share of AI products being built right now, including early stage ones.

You do not need a large security team to reduce this risk meaningfully. Know where your data comes from, treat anything you do not fully control as unverified until checked, and keep watching after launch rather than assuming a clean start stays clean. That discipline is what turns your training and retrieval data from a quiet vulnerability into something you can speak to with genuine confidence.

Not sure if your training or retrieval data could be poisoned?

Book a free review and we'll look at your data pipeline the way an attacker, or a buyer's security team, actually would.

Tags
#Compliance
#Cybersecurity
#Data Poisoning
#DPA
#Founder
#GDPR
#ISO 27001
#ISO 42001
#Procurement
#SOC
#SOC2
#United Kingdom

AI Security Insights

Cyber insurance for AI startups: what it covers and what it doesn't

Most startups buy cyber insurance, tick the box, and assume they are covered if something goes wrong with their AI prod…

Read article

Security questions investors ask AI startups before they invest

Most conversations about AI security focus on enterprise buyers, and for good reason, since that is where security most…

Read article

AI red teaming: what it is and how it differs from a normal pentest

If you have started researching security testing for your AI product, you have likely run into two terms that sound sim…

Read article

Model theft and IP protection: can someone steal your fine-tuned model

You have spent months and a meaningful amount of compute fine-tuning a model on your proprietary data, your domain expe…

Read article

More insights, delivered monthly

Get the latest insights on AI security and compliance.