Data poisoning
Official Definition
An attack that corrupts and contaminates training data to compromise an AI system’s performance.
Source: AIEOG AI Lexicon (Feb 2026), adapted from BIS FSI Insights No. 63
What data poisoning means in plain language
Data poisoning is a deliberate attack where an adversary introduces corrupted, misleading, or malicious data into the dataset used to train an AI model. Because AI models learn patterns from their training data, poisoned data teaches the model incorrect patterns that benefit the attacker.
The attack is insidious because the corrupted data may be difficult to detect. The poisoned records may look individually legitimate but collectively shift the model’s learned behavior in a targeted direction. For example, an attacker might inject training examples that teach a fraud detection model to ignore a specific type of fraudulent transaction pattern.
Data poisoning can occur at multiple points:
- Direct injection. The attacker gains access to the training data repository and adds or modifies records.
- Source contamination. The attacker corrupts a data source that feeds into the training pipeline, such as a public dataset or a third-party data feed.
- Feedback loop manipulation. In systems where model outputs feed back into training data, the attacker manipulates the model’s inputs to generate biased feedback that gradually shifts model behavior.
Why it matters in financial services
Data poisoning represents a serious threat to financial institutions because the consequences of a successful attack are both harmful and difficult to detect.
- BSA/AML impact. A poisoned transaction monitoring model could fail to detect money laundering or terrorist financing activity, exposing the institution to enforcement action and criminal exploitation.
- Credit risk. A poisoned underwriting model could approve loans that should be denied, increasing default risk, or deny loans that should be approved, creating fair lending exposure.
- Fraud losses. A poisoned fraud model could allow specific fraud patterns to pass undetected, resulting in direct financial losses.
- Delayed detection. Unlike many cyberattacks that produce immediate, visible effects, data poisoning can remain undetected for extended periods because the model continues to function and appears healthy by surface-level metrics.
Key considerations for compliance teams
- Secure training data pipelines. Apply strict access controls, integrity monitoring, and audit logging to all data used for model training.
- Validate training data quality. Implement automated checks that detect anomalies, outliers, and suspicious patterns in training datasets.
- Control data sourcing. Vet and monitor all data sources used for model training, including third-party data feeds and public datasets.
- Test for poisoning during validation. Include data integrity analysis as part of model validation, checking for evidence of systematic bias or contamination.
- Monitor model behavior for sudden shifts. Unexpected changes in model behavior (new blind spots, accuracy drops in specific segments) can indicate data poisoning.
- Maintain data provenance records. Document the source, collection method, and processing history for all training data.
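An added example, not taken from the AIEOG lexicon or any vendor tooling: a per-segment recall comparison between a baseline model and a retrained one, showing how a targeted blind spot can sit behind a healthy-looking aggregate metric. The segment names, thresholds, and validation rows are constructed assumptions.

```python
from collections import defaultdict

def recall_by_segment(rows):
    """rows: iterable of (segment, true_label, predicted_label); 1 = fraud.
    Returns {segment: (recall, fraud_count)}."""
    hits, total = defaultdict(int), defaultdict(int)
    for segment, truth, pred in rows:
        if truth == 1:
            total[segment] += 1
            hits[segment] += int(pred == 1)
    return {s: (hits[s] / total[s], total[s]) for s in total}

def overall_recall(rows):
    """Recall over all fraud cases, ignoring segment (the surface-level metric)."""
    preds = [pred for _, truth, pred in rows if truth == 1]
    return sum(p == 1 for p in preds) / len(preds)

def blind_spots(baseline_rows, current_rows, max_drop=0.15, min_frauds=30):
    """Segments whose recall fell by more than max_drop versus the baseline.
    Segments with fewer than min_frauds fraud cases are skipped as too noisy."""
    base = recall_by_segment(baseline_rows)
    cur = recall_by_segment(current_rows)
    flagged = []
    for seg, (base_recall, base_n) in base.items():
        cur_recall, cur_n = cur.get(seg, (0.0, 0))
        if min(base_n, cur_n) >= min_frauds and base_recall - cur_recall > max_drop:
            flagged.append((seg, round(base_recall, 2), round(cur_recall, 2)))
    return sorted(flagged)

def make_rows(segment, caught, missed):
    # Constructed sample data: fraud cases only (caught -> predicted 1, missed -> 0).
    return [(segment, 1, 1)] * caught + [(segment, 1, 0)] * missed

# Same labelled validation set scored by the baseline and the retrained model.
BASELINE = (make_rows("card_present", 450, 50)
            + make_rows("card_not_present", 360, 40)
            + make_rows("wire_transfer", 45, 5))
RETRAINED = (make_rows("card_present", 460, 40)
             + make_rows("card_not_present", 368, 32)
             + make_rows("wire_transfer", 10, 40))

if __name__ == "__main__":
    print("overall recall:", round(overall_recall(BASELINE), 3),
          "->", round(overall_recall(RETRAINED), 3))
    for seg, before, after in blind_spots(BASELINE, RETRAINED):
        print(f"ALERT {seg}: recall {before} -> {after}")
```

A flagged segment is a signal to review the training records added for that segment since the baseline was built, not proof of poisoning on its own.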
