Executive Summary

Artificial intelligence now informs intelligence analysis, military operations, critical infrastructure, public-sector decision-making, and core economic systems. The reliability of these capabilities depends on the integrity of the data from which AI systems learn, retrieve information, and generate outputs. Data poisoning, the intentional manipulation of training datasets, pre-trained models, or upstream knowledge repositories, has become a major strategic vulnerability. Its power lies upstream. Unlike influence operations that depend on people actively consuming manipulated content, such as propaganda, fake accounts, or deepfakes, poisoning can passively affect users. The user may never see the original manipulation. They encounter its effects later through an AI system, analytic tool, search result, model output, or decision-support workflow that has already absorbed compromised material.

This report argues that data poisoning exposes a core weakness in modern statecraft: governments, militaries, firms, and analysts increasingly rely on data and models they do not fully control. Classic cyber operations usually require access to protected systems. Influence operations usually require exposure to persuasive content. Poisoning works differently. It exploits ordinary AI development and deployment practices, including pre-training, fine-tuning, open-source reuse, public dataset scraping, model sharing, and retrieval-based systems. In doing so, it allows adversaries to use ordinary institutional workflows as routes into analytic and operational systems.

Four cases illustrate the problem. Microsoft’s Tay chatbot in 2016 showed how real-time interaction with users can rapidly redirect model behavior. Manipulations of Wikipedia and LAION demonstrated how small changes to widely scraped resources can enter large-scale training corpora and affect the background assumptions of vision and language models. The Russian-linked Pravda Network showed how an influence ecosystem can place manipulated content into open knowledge environments, including Wikipedia language editions, where it may later be scraped into LLM training data or surfaced through retrieval systems. The Warfarin regression poisoning case showed that even small, targeted changes to biomedical data can misdirect clinical models, with potentially life-critical consequences.

To explain how poisoning moves through the AI ecosystem, the report uses a “Three-Story Building” framework. The data layer is the foundation on which learning and retrieval depend. The algorithmic layer determines how models internalize, weight, and reproduce information. The application layer is where model behavior affects human judgment, institutional processes, and operational decisions. Poisoning can target any of these layers. Attacks that enter at the data layer may later appear as distorted assessments, recommendations, classifications, or generated answers.

The actor landscape is broad. Nation-states, state-aligned groups, cybercriminals, corporate competitors, insiders, and low-resource actors all have plausible pathways for poisoning public datasets, model hubs, annotation pipelines, or retrieval environments. This matters because the barrier to entry is often lower than for conventional cyber operations. A successful poisoning operation does not always require breaching a classified system or directly compromising a deployed model. It may be enough to place corrupted material where future systems are likely to ingest it.

Detection and defense remain weak relative to the scale of the problem. Data-level screening tools struggle when poisoned samples are designed to look valid. Model-level audits are expensive and may miss small but strategically placed distortions. Post-training remedies such as pruning, unlearning, and forensic attribution remain immature and costly. No single defensive layer can reliably prevent poisoning. Defense, therefore, has to be built around layered assurance, provenance, monitoring, and resilience.

The national security implications are significant. Poisoning can affect intelligence assessments, targeting and ISR pipelines, cyber defense, emergency response, financial monitoring, and public-health surveillance. It can also create a shared distortion between machines and people. Foundational resources such as Wikipedia, scientific corpora, open-source datasets, and model repositories now supply knowledge to both human analysts and AI systems. If those sources are compromised, both may reason from the same corrupted base. This is where data poisoning differs most clearly from ordinary influence activity: the manipulation does not need to persuade the end user directly. It can operate through trusted systems that summarize, classify, retrieve, or recommend information on the user’s behalf.

Dormant poisoning creates a separate problem. A manipulation can remain inactive until a crisis, a specific trigger, or a particular operational context causes the poisoned behavior to appear. This allows adversaries to pre-position effects before they are needed, while leaving defenders uncertain about whether a model or dataset is clean.

Several research gaps remain: scalable detection for internet-size corpora, model forensics and attribution, targeted remediation and unlearning, supply-chain assurance, simulation and wargaming environments, and methods for managing analyst confidence when AI behavior is degraded or uncertain. These gaps point to a larger problem. Adversaries can often impose downstream effects cheaply, while defenders face high costs in detection, verification, and restoration.

The recommendations are directed at national-level AI governance and mission owners. Public datasets, model repositories, cloud platforms, and government AI pipelines should be treated as part of the national security attack surface. Agencies should require provenance and integrity controls earlier in dataset and model creation, not only at the point of deployment. Red-teaming and wargaming should test how analysts and decision-makers behave when AI outputs are plausible but unreliable. Mission owners should assume that some level of poisoning will occur and build procedures for operating under uncertainty. For election, intelligence, defense, and public-sector AI systems, the practical objective is not perfect trust in data. It is the ability to know where data came from, how it entered the system, how much confidence it deserves, and what to do when that confidence breaks down.

Data poisoning is no longer a hypothetical vulnerability. It is a practical method for contaminating the information base on which AI-enabled institutions increasingly depend. The central challenge is preserving judgment, accountability, and operational effectiveness when the systems built to support decision-making may themselves become compromised sources of distortion.