← Blog/Security

What Is Data Poisoning? How Attackers Corrupt AI Training Data

June 18, 2026·10 min read·Sekurely Research

A single corrupted file can teach an AI model the wrong lesson. That lesson can stick around long after the file itself is forgotten. This is the quiet danger behind data poisoning. Most teams building AI products have never tested for it.

Data poisoning is an attack where someone deliberately tampers with the data used to train, fine-tune, or retrieve information for an AI model. It differs from prompt injection in one key way. Prompt injection targets a model while it is being used. This kind of attack targets a model before it ever reaches a user, by corrupting the material it learns from. The damage often stays hidden until it shows up in production, sometimes months after the original tampering happened.

For small and mid-sized companies building on large language models, this risk is easy to underestimate. Most teams test their prompts carefully. Far fewer test the pipeline feeding their models. That gap is exactly where this kind of attack lives.

How Data Poisoning Actually Works

Attackers do not need access to your servers or your codebase to pull this off. They only need a way to influence the data a model eventually learns from. That bar is lower than most teams assume. There are three main ways this happens in practice.

Training-time poisoning happens when malicious or mislabeled examples get mixed into a dataset before a model is trained from scratch. Large pretraining datasets are assembled from many sources. A relatively small number of corrupted samples can quietly shift how a model behaves across an entire category of inputs. The model never "knows" it was tampered with. It simply learned a pattern, and that pattern happened to be planted by someone else.

Fine-tuning poisoning targets the smaller, more focused datasets companies use to customize a general-purpose model. This is where real-world risk concentrates. Fine-tuning sets are often a fraction of the size of a full pretraining set. A handful of bad examples carries far more relative weight here. The same attack takes much less effort to pull off successfully.

Retrieval poisoning is the version most relevant to companies using retrieval-augmented generation, commonly known as RAG. Here, attackers do not touch the model's weights at all. Instead, they plant false content inside the documents, websites, or internal knowledge bases a model retrieves from at query time. The model has no built-in way to tell a trustworthy document from a tampered one. It treats whatever it retrieves as reliable and repeats that content back with full confidence.

Retrieval-based attacks have grown quickly as more companies connect their AI tools to live document stores, support tickets, internal wikis, and shared drives. Each of these becomes a potential entry point if nobody verifies what is inside it.

Why Small Teams Are Especially Exposed

Large AI labs dedicate real resources to auditing training sets at scale. They run automated filters, manual review passes, and statistical checks before a model is ever trained. Most startups and SMBs do not have that level of resourcing. They fine-tune existing models on customer data, internal documents, or scraped content. Often there is no formal review step for what actually goes into that pipeline.

A few realistic scenarios make this risk concrete rather than abstract.

A support chatbot fine-tuned on a company's ticket history can absorb wrong answers if even a few old tickets contained mistakes that were never corrected before training began. The resulting model repeats that same wrong answer to new customers. It states it with the same confidence as a correct one, because nothing in training distinguished good answers from bad ones.

A RAG-based internal assistant connected to a shared wiki can be manipulated if a single page gets edited with false instructions, whether by a careless employee or someone with malicious intent. The assistant has no inherent way to know that page changed, or that the change was deliberate rather than routine.

A model fine-tuned on user-submitted content, such as reviews or forum posts, can be poisoned gradually. Attackers submit a steady volume of subtly biased text designed to nudge outputs in a particular direction over time. Each submission looks harmless on its own. The cumulative effect does not.

None of these scenarios require advanced hacking skills. They require patience, a basic understanding of how the target system trains, and a pipeline that nobody is actively watching.

Where This Fits in AI Security Standards

This category of attack is not a niche concern. It appears directly in the OWASP Machine Learning Security Top 10 as ML06, alongside other supply chain risks that affect how models are built and maintained. The same underlying weakness shows up in OWASP's LLM Top 10 guidance too, listed as a training data integrity risk that sits alongside prompt injection as one of the core threats facing modern AI systems.

Regulators have started paying closer attention here as well. Frameworks built around the NIST AI Risk Management guidelines increasingly expect organizations to document where their training data comes from and how it is validated, not just how the finished model performs. For companies pursuing SOC 2 or similar compliance work, being able to show a clear, auditable trail for training data sources is quickly becoming as expected as showing access logs for production systems.

How to Detect Data Poisoning Before It Spreads

Detection needs to happen at two points: before a model trains, and continuously while it runs in production.

Source validation means tracking exactly where every piece of training data originated. Sources that allow open or low-friction contributions deserve extra scrutiny. That includes public submission forms, scraped web content, and shared documents with wide edit access. These are the easiest entry points for an attacker to exploit.

Statistical anomaly checks catch poisoning attempts that rely on volume rather than subtlety. A sudden spike in similarly worded submissions, or a cluster of examples that deviate sharply from normal patterns, often signals an attempted attack rather than naturally occurring data.

Output drift monitoring tracks how a model's responses change over time against a fixed set of test questions. A model that starts answering the same question differently, especially in a way that conveniently favors one outcome, may be reflecting tampered data rather than an expected update.

Retrieval source audits matter specifically for teams running RAG systems. Every document a model can retrieve from should face roughly the same scrutiny as code entering production. Tools like Sekurely's Data Poisoning Shield are built to flag suspicious patterns across both training sets and live retrieval sources, ideally before that content ever reaches the model.

How to Defend Against Data Poisoning on a Small Budget

A handful of practical habits cut exposure significantly, even without a dedicated security team.

Treat every data source feeding a model the way you would treat a third-party code dependency. Know where it came from. Know who can change it. Review meaningful changes before they take effect inside the pipeline.

Keep a clean, versioned copy of every training and fine-tuning dataset you use. If unexpected behavior shows up later, you can trace it back to a specific data change instead of guessing after the fact.

Limit who can contribute to fine-tuning datasets or RAG knowledge sources the same deliberate way you would limit who can push to a production codebase. Broad, unmonitored access is the single biggest factor that makes this kind of attack easy to pull off.

Run periodic checks comparing current outputs against a known-good baseline from before any recent data changes. Catching drift internally costs far less than a customer discovering it first.

Frequently Asked Questions

Is data poisoning the same as a prompt injection attack?

No. Prompt injection manipulates a model through the input it receives during normal use. Data poisoning corrupts the data a model learns from, before any user ever interacts with it. The two attacks happen at completely different stages of a model's lifecycle.

Can data poisoning happen by accident, without an attacker?

Yes, in a sense. Mislabeled or low-quality data can degrade a model's accuracy even without malicious intent. The term "data poisoning" specifically refers to deliberate tampering, but the defenses, source validation, anomaly checks, and drift monitoring, help with both accidental and intentional corruption.

Does fine-tuning a model on my own company data put me at risk?

It can, if the data pipeline feeding that fine-tuning process is not reviewed or access-controlled. Smaller fine-tuning datasets are actually more vulnerable than massive pretraining sets, because each bad example carries more relative weight.

How is RAG poisoning different from training data poisoning?

Training and fine-tuning poisoning change the model itself, permanently, until it is retrained. RAG poisoning leaves the model untouched and instead corrupts the external content it retrieves at query time. Fixing a poisoned retrieval source is often faster, since it usually just means correcting or removing the bad document rather than retraining a model.

Conclusion

Data poisoning rarely announces itself. It works precisely because tampered data looks ordinary right up until the damage is already built into how a model behaves. By then, the fix is far more involved than patching a line of code. As more companies fine-tune models on their own data and connect them to live retrieval sources, the data pipeline becomes just as important a security boundary as the model itself. Treating data sources with the same scrutiny normally reserved for code is becoming a baseline expectation, not an advanced precaution, for any team serious about building safe AI products.

Protect Your AI Systems Today

Scan for PII, detect prompt injection, and enforce compliance — free to try, no signup needed.