MR-014 (Security & adversarial; System scope)

Data and model poisoning and backdoors

Adversaries corrupt training/fine-tuning data or implant backdoors/trojans that alter model behavior under triggers.

Risk family
Security & adversarial
MIT domain
2. Privacy & Security
MIT subdomain
2.2 > AI system security vulnerabilities and attacks
AI type
GPAI, Classical_ML, Agentic
Scope
System
Source standard
MIT AI Risk Repository v4

Provenance

Source standard
MIT AI Risk Repository v4
Source frameworks
9 source framework citation keys
Cui2024, Gipiškis2024, Hammond2025, IBM2025, Liu2024, Marchal2024, Schnitzer2024, TC2602024, Tang2025
ISO/IEC references
23894 obj A.11; src 6, 10; mech B.5 | 42001 ctrl A.7.3, A.7.5

Framework crosswalk

Every framework item mapped to this risk. Items marked partial overlap with it only in part; item definitions are reproduced only where the source licence permits.

Sources (frameworks that contributed to the register)
ISO 23894 (1)
  • A.11 ISO/IEC 23894 Annex A
ISO 42001 (2)
  • A.7.3 ISO/IEC 42001 Annex A
  • A.7.5 ISO/IEC 42001 Annex A
MITRE ATLAS (7)

Expanded into this risk’s technique sub-risks.

Cross-checks (frameworks mapped in to test coverage)
IBM (1)
  • ibm-data-poisoning Data poisoning
Cisco (6)
  • AISubtech-6.1.1 Knowledge Base Poisoning
  • AISubtech-6.1.2 Reinforcement Biasing
  • AISubtech-6.1.3 Reinforcement Signal Corruption
  • AISubtech-7.3.1 Corrupted Third-Party Data
  • AISubtech-9.2.1 Obfuscation Vulnerabilities
  • AISubtech-9.2.2 Backdoors and Trojans
NIST AML (10)
  • NISTAML.011 Model Poisoning (availability)
  • NISTAML.012 Clean-label Poisoning
  • NISTAML.013 Data Poisoning
  • NISTAML.02 Integrity Violations
  • NISTAML.021 Clean-label Backdoor
  • NISTAML.023 Backdoor Poisoning
  • NISTAML.024 Targeted Poisoning
  • NISTAML.026 Model Poisoning (integrity)
  • NISTAML.05 Supply Chain Attacks
  • NISTAML.051 Model Poisoning (supply chain)
OWASP LLM (1)
  • LLM04:2025 Data and Model Poisoning

Sub-risks (4)

Technique-level decompositions of this risk, each anchored to the MITRE ATLAS technique it derives from.

MR-014.1

Direct model manipulation and backdoor insertion


The model is altered directly to change its behavior or embed a hidden backdoor trigger.

MITRE ATLAS technique: AML.T0018 Manipulate AI Model
MR-014.2

Poisoned datasets published for ingestion


Poisoned datasets are placed where the deployer is likely to collect and train on them.

MITRE ATLAS technique: AML.T0019 Publish Poisoned Datasets
MR-014.3

Training-data poisoning


Adversaries modify training or fine-tuning data to degrade the model or implant chosen behavior.

MITRE ATLAS technique: AML.T0020 Poison Training Data
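
The trigger mechanism behind MR-014.1 and MR-014.3, shown as an added example that is not part of the register, of MITRE ATLAS or of any cited framework. Everything in it is a constructed assumption for the demo: an 8-feature binary task whose label is the majority rule over two feature groups, a reserved ninth feature that never occurs in clean data and serves as the trigger (the analogue of a rare token stamped into text), a 10 % dirty-label poisoning rate, and a plain perceptron as the model. The point it makes is the one a deployer needs: the poisoned model keeps its accuracy on clean inputs, which is why the backdoor survives ordinary validation, while any input carrying the trigger is steered to the attacker's target class.

```python
"""Backdoor via training-data poisoning on a toy linear classifier (constructed demo).

Clean task: 8 binary features; label 1 iff the first four carry more 1s than
the last four. A ninth, reserved feature never occurs in clean data; the
attacker stamps it onto some class-0 training rows and relabels them 1.
"""
import random

N_CLEAN_FEATURES = 8
TRIGGER_INDEX = 8          # reserved feature the attacker uses as the trigger (assumption)
TARGET_LABEL = 1           # class the backdoor steers triggered inputs toward


def clean_label(x):
    """Ground-truth rule for the clean task; ignores the trigger feature."""
    return 1 if sum(x[:4]) > sum(x[4:8]) else 0


def make_clean_data(n, rng):
    """Constructed clean samples: the trigger feature is always 0."""
    rows = []
    for _ in range(n):
        x = [rng.randint(0, 1) for _ in range(N_CLEAN_FEATURES)] + [0]
        rows.append((x, clean_label(x)))
    return rows


def stamp_trigger(x):
    """Attacker's trigger: set the reserved feature on a copy of the input."""
    y = list(x)
    y[TRIGGER_INDEX] = 1
    return y


def poison(rows, rate, rng):
    """Dirty-label poisoning: stamp the trigger on a fraction of non-target rows and relabel them."""
    victims = [i for i, (_, y) in enumerate(rows) if y != TARGET_LABEL]
    chosen = set(rng.sample(victims, int(rate * len(rows))))
    return [(stamp_trigger(x), TARGET_LABEL) if i in chosen else (x, y)
            for i, (x, y) in enumerate(rows)]


def predict(model, x):
    w, b = model
    return 1 if sum(wi * xi for wi, xi in zip(w, x)) + b > 0 else 0


def train_perceptron(rows, epochs=100):
    """Plain perceptron; stops early once an epoch makes no updates. Returns (weights, bias)."""
    w = [0.0] * (N_CLEAN_FEATURES + 1)
    b = 0.0
    for _ in range(epochs):
        updates = 0
        for x, y in rows:
            if predict((w, b), x) != y:
                step = 1 if y == 1 else -1
                w = [wi + step * xi for wi, xi in zip(w, x)]
                b += step
                updates += 1
        if updates == 0:
            break
    return w, b


def clean_accuracy(model, rows):
    return sum(predict(model, x) == y for x, y in rows) / len(rows)


def attack_success_rate(model, rows):
    """Fraction of non-target test inputs that flip to TARGET_LABEL once the trigger is stamped."""
    victims = [x for x, y in rows if y != TARGET_LABEL]
    return sum(predict(model, stamp_trigger(x)) == TARGET_LABEL for x in victims) / len(victims)


def run_demo(seed=0, poison_rate=0.10):
    """Train a clean and a backdoored model on the same data; report both on a held-out clean set."""
    rng = random.Random(seed)
    train = make_clean_data(800, rng)
    test = make_clean_data(400, rng)
    clean_model = train_perceptron(train)
    backdoored = train_perceptron(poison(train, poison_rate, rng))
    return {
        "clean_model_accuracy": clean_accuracy(clean_model, test),
        "backdoored_model_accuracy": clean_accuracy(backdoored, test),
        "clean_model_trigger_flip_rate": attack_success_rate(clean_model, test),
        "backdoored_model_trigger_flip_rate": attack_success_rate(backdoored, test),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value:.3f}")
```

Running it prints clean accuracy and trigger flip rate for both models. The clean model's weight on the reserved feature stays at exactly zero because that feature never appears in its training data, so stamping the trigger does nothing to it; the backdoored model learns a large positive weight on it that overrides the clean features. A held-out clean test set cannot tell the two models apart, which is the validation gap this risk describes.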
MR-014.4

Dataset integrity erosion


Portions of a dataset are poisoned or altered to reduce its usefulness and reliability.

MITRE ATLAS technique: AML.T0059 Erode Dataset Integrity
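
A deployer-side check for MR-014.2 and MR-014.4, as an added example that is not code from the register, from MITRE ATLAS or from any cited framework: pin the dataset revision you reviewed as a SHA-256 manifest and fail closed when a later download differs in any way, including files that were added alongside the reviewed ones. The directory layout, file contents and the simulated tampering are constructed for the demo; in practice the manifest would be stored and signed separately from the data it describes.

```python
"""Pin a reviewed dataset snapshot and verify a later download against it (constructed demo)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Streaming SHA-256 so large shards are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_dataset(root, manifest):
    """Compare a downloaded tree against the pinned manifest.

    Unexpected files count as a failure: a poisoned shard dropped next to the
    reviewed ones would otherwise be ingested silently by a glob-based loader.
    """
    actual = build_manifest(root)
    modified = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in actual)
    unexpected = sorted(p for p in actual if p not in manifest)
    return {"ok": not (modified or missing or unexpected),
            "modified": modified, "missing": missing, "unexpected": unexpected}


def write_snapshot(root, files):
    """Materialise a {relative path: text} mapping on disk (demo helper)."""
    for rel, content in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content, encoding="utf-8")


# Constructed sample data standing in for the revision a reviewer signed off on.
REVIEWED_SNAPSHOT = {
    "train/shard-000.jsonl": '{"text": "the invoice is due on friday", "label": "neutral"}\n',
    "train/shard-001.jsonl": '{"text": "please reset my password", "label": "support"}\n',
    "README.md": "toy ticket-routing corpus, revision reviewed 2025-01\n",
}


def run_demo():
    """Build the manifest from the reviewed tree, then check a tampered re-download."""
    with tempfile.TemporaryDirectory() as reviewed, tempfile.TemporaryDirectory() as later:
        write_snapshot(reviewed, REVIEWED_SNAPSHOT)
        manifest = build_manifest(reviewed)
        clean_result = verify_dataset(reviewed, manifest)

        # Simulated re-download after the mirror was touched (constructed):
        # one existing shard is relabelled, one extra shard is added.
        tampered = dict(REVIEWED_SNAPSHOT)
        tampered["train/shard-001.jsonl"] = '{"text": "please reset my password", "label": "neutral"}\n'
        tampered["train/shard-002.jsonl"] = '{"text": "your refund was approved", "label": "support"}\n'
        write_snapshot(later, tampered)
        tampered_result = verify_dataset(later, manifest)
    return manifest, clean_result, tampered_result


if __name__ == "__main__":
    manifest, clean_result, tampered_result = run_demo()
    print(json.dumps(manifest, indent=2))
    print("reviewed snapshot:", clean_result)
    print("later download:", tampered_result)
```

A hash pin only guarantees that training runs on the bytes someone reviewed; it says nothing about poison already present in that reviewed revision, which is the MR-014.3 case, and it is only as trustworthy as the channel the manifest itself arrived through.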


Part of the Deployer AI Risk Register, an open-source resource developed by MindXO. Version 1.0, 3 July 2026. Derived from the MIT AI Risk Repository (V4, December 2025) under CC BY 4.0; an independent derivative work, not endorsed by or affiliated with MIT. Sub-risk decomposition references MITRE ATLAS™ v5.6.0 (© 2021-2026 The MITRE Corporation, reproduced and distributed with permission). ISO/IEC and EU AI Act references are by number only. License: CC BY 4.0. Full attribution and licensing.