Data and model poisoning and backdoors
Adversaries corrupt training or fine-tuning data, or implant backdoors/trojans, so that the model behaves as the attacker chooses when a trigger is present while behaving normally otherwise.
- Risk family
- Security & adversarial
- MIT domain
- 2. Privacy & Security
- MIT subdomain
- 2.2 > AI system security vulnerabilities and attacks
- AI type
- GPAI, Classical_ML, Agentic
- Scope
- System
- Source standard
- MIT AI Risk Repository v4
Provenance
9 source framework citation keys
Framework crosswalk
Every framework item mapped to this risk. Items marked partial overlap only in part.
- A.11 ISO/IEC 23894 Annex A A.11
- A.7.3 ISO/IEC 42001 Annex A A.7.3
- A.7.5 ISO/IEC 42001 Annex A A.7.5
Expanded into this risk’s technique sub-risks.
- ibm-data-poisoning Data poisoning
- AISubtech-6.1.1 Knowledge Base Poisoning
- AISubtech-6.1.2 Reinforcement Biasing
- AISubtech-6.1.3 Reinforcement Signal Corruption
- AISubtech-7.3.1 Corrupted Third-Party Data
- AISubtech-9.2.1 Obfuscation Vulnerabilities
- AISubtech-9.2.2 Backdoors and Trojans
- NISTAML.011 Model Poisoning (availability)
- NISTAML.012 Clean-label Poisoning
- NISTAML.013 Data Poisoning
- NISTAML.02 Integrity Violations
- NISTAML.021 Clean-label Backdoor
- NISTAML.023 Backdoor Poisoning
- NISTAML.024 Targeted Poisoning
- NISTAML.026 Model Poisoning (integrity)
- NISTAML.05 Supply Chain Attacks
- NISTAML.051 Model Poisoning (supply chain)
- LLM04:2025 Data and Model Poisoning
Sub-risks (4)
Technique-level decompositions of this risk, each anchored to the MITRE ATLAS technique it derives from.
- The model is altered directly to change its behavior or embed a hidden backdoor trigger.
- Poisoned datasets are placed where the deployer is likely to collect and train on them.
- Adversaries modify training or fine-tuning data to degrade the model or implant chosen behavior.
- Portions of a dataset are poisoned or altered to reduce its usefulness and reliability.
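The following is an added worked example, not code from the Deployer AI Risk Register, MIT or MITRE ATLAS, illustrating the backdoor-poisoning sub-risk above (poisoned training data carrying a trigger) and the reason it is hard to catch: the backdoored model keeps its clean-data accuracy. Everything in it is constructed: a synthetic binary classification task, a logistic-regression model trained in pure Python, a hypothetical trigger slot (feature index 6, never set in clean data) and target class 1, and a small vetted reference set used by a cheap pre-training audit. The audit catches only this crude never-seen-value trigger; clean-label backdoors (NISTAML.021) do not show up that way.

```python
"""Added illustration: a backdoor planted through poisoned training rows.

Constructed toy data, pure Python (no third-party packages).  Features 0..5
carry the real signal; feature 6 is a slot that is always 0 in clean data and
serves as the attacker's trigger.  A poisoned model keeps its clean-data
accuracy, so accuracy-only validation does not notice the backdoor, but inputs
carrying the trigger are steered to the attacker's target class.
"""
import math
import random

N_FEATURES = 7
TRIGGER_IDX = 6       # hypothetical trigger slot chosen for this example
TARGET_CLASS = 1      # class the attacker wants triggered inputs to receive


def clean_label(x):
    """Ground truth for the toy task: class 1 when bits 0..2 outnumber bits 3..5."""
    return 1 if (x[0] + x[1] + x[2]) > (x[3] + x[4] + x[5]) else 0


def make_clean_dataset(n, rng):
    """Constructed clean rows; the trigger slot is never set here."""
    rows = []
    for _ in range(n):
        x = [rng.randint(0, 1) for _ in range(6)] + [0]
        rows.append((x, clean_label(x)))
    return rows


def stamp_trigger(x):
    x = list(x)
    x[TRIGGER_IDX] = 1
    return x


def poison(rows, fraction, rng):
    """Backdoor poisoning: stamp the trigger and relabel a sampled fraction of rows."""
    rows = [(list(x), y) for x, y in rows]
    for i in rng.sample(range(len(rows)), int(fraction * len(rows))):
        rows[i] = (stamp_trigger(rows[i][0]), TARGET_CLASS)
    return rows


def train_logreg(rows, epochs=600, lr=0.5):
    """Full-batch gradient descent for logistic regression; returns (weights, bias)."""
    w = [0.0] * N_FEATURES
    b = 0.0
    n = len(rows)
    for _ in range(epochs):
        gw = [0.0] * N_FEATURES
        gb = 0.0
        for x, y in rows:
            p = 1.0 / (1.0 + math.exp(-(b + sum(wi * xi for wi, xi in zip(w, x)))))
            err = p - y
            for j, xj in enumerate(x):
                gw[j] += err * xj
            gb += err
        w = [wj - lr * gj / n for wj, gj in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def predict(model, x):
    w, b = model
    return 1 if b + sum(wi * xi for wi, xi in zip(w, x)) > 0 else 0


def evaluate(model, test_rows):
    """Clean accuracy plus attack success rate (ASR): share of non-target test
    inputs that flip to TARGET_CLASS once the trigger is stamped on them."""
    clean_acc = sum(predict(model, x) == y for x, y in test_rows) / len(test_rows)
    non_target = [x for x, y in test_rows if y != TARGET_CLASS]
    flipped = sum(predict(model, stamp_trigger(x)) == TARGET_CLASS for x in non_target)
    return {"clean_accuracy": clean_acc, "attack_success_rate": flipped / len(non_target)}


def audit_feature_support(trusted_rows, incoming_rows):
    """Cheap pre-training check: flag features whose values in the incoming data
    never occur in a trusted reference set (how a never-seen trigger shows up)."""
    flagged = []
    for j in range(N_FEATURES):
        seen = {x[j] for x, _ in trusted_rows}
        if any(x[j] not in seen for x, _ in incoming_rows):
            flagged.append(j)
    return flagged


def run_experiment(poison_fraction, seed=7):
    rng = random.Random(seed)
    trusted = make_clean_dataset(200, rng)   # small vetted reference set (constructed)
    train = make_clean_dataset(400, rng)     # data collected "from the wild" (constructed)
    test = make_clean_dataset(300, rng)
    if poison_fraction > 0:
        train = poison(train, poison_fraction, rng)
    model = train_logreg(train)
    metrics = evaluate(model, test)
    metrics["trigger_weight"] = model[0][TRIGGER_IDX]
    metrics["flagged_features"] = audit_feature_support(trusted, train)
    return metrics


if __name__ == "__main__":
    for frac in (0.0, 0.10):
        print(f"poison_fraction={frac}: {run_experiment(frac)}")
```

Running the script trains one clean and one 10%-poisoned model. Both keep high clean accuracy, which is why an acceptance test that only measures accuracy on held-out clean data passes the backdoored model; the difference shows only in the attack success rate on triggered inputs and in the trigger feature's learned weight. The support audit flags feature 6 for the poisoned shard because that value never appears in the trusted reference set, a minimal form of the data-provenance control a deployer needs when training on data collected from third parties.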
Part of the Deployer AI Risk Register, an open-source resource developed by MindXO. Version 1.0, 3 July 2026. Derived from the MIT AI Risk Repository (V4, December 2025) under CC BY 4.0; an independent derivative work, not endorsed by or affiliated with MIT. Sub-risk decomposition references MITRE ATLAS™ v5.6.0 (© 2021-2026 The MITRE Corporation, reproduced and distributed with permission). ISO/IEC and EU AI Act references are by number only. License: CC BY 4.0.