Data poisoning is an integrity violation where an attacker injects malicious samples into a model's training data to compromise the learning process. Unlike inference-time attacks, poisoning targets the model's internal logic during training, causing it to learn a spurious correlation or backdoor trigger that activates only when specific input patterns are present.
Glossary
Data Poisoning

What is Data Poisoning?
Data poisoning is a security attack where an adversary corrupts a model's training dataset to cause it to learn a hidden backdoor or systematically misaligned behavior.
In the context of agentic threat modeling, data poisoning is a critical supply chain risk. An adversary could corrupt fine-tuning data for an autonomous agent's policy, causing it to pursue a misaligned mesa-objective or execute harmful tool calls when a secret trigger condition is met, bypassing all post-deployment safety filters.
Types of Data Poisoning Attacks
Data poisoning is not a monolithic attack. Adversaries employ distinct strategies to corrupt training data, each targeting a different stage of the machine learning pipeline to implant backdoors or degrade model performance.
Label Flipping
An availability attack where an adversary corrupts the labels of training examples to degrade overall model accuracy. By flipping the ground truth of a subset of data—for example, marking all 'stop' signs as 'speed limit' signs—the attacker introduces systematic classification errors.
- Target: Supervised learning models
- Mechanism: Swapping
yvalues in the training set - Impact: Reduces model accuracy to random chance in severe cases
- Defense: Robust statistics like trimmed loss functions and label verification pipelines
Backdoor Injection
A targeted attack where an adversary inserts a trigger pattern into training data that causes the model to misbehave only when that pattern is present at inference time. The model performs normally on clean inputs, making the backdoor difficult to detect.
- Example: Adding a small yellow sticker to 'stop' sign images during training, labeled as 'speed limit'
- Mechanism: Poisoning a subset of examples with a trigger and target label
- Impact: Attacker gains control over model behavior at inference time
- Defense: Spectral signature detection and neuron pruning
Clean-Label Poisoning
A sophisticated attack where poisoned examples appear correctly labeled to human reviewers. The adversary injects imperceptible perturbations into the feature space that cause the model to learn a spurious correlation between the perturbation and the target class.
- Target: Models trained on curated, human-verified datasets
- Mechanism: Adversarial perturbations applied to correctly labeled images
- Example: A 'cat' image with adversarial noise that trains the model to classify all cats with that noise pattern as 'dog'
- Defense: Differential privacy during training and adversarial training
Split-View Poisoning
An attack exploiting the gap between data curation and model training views of the dataset. The adversary crafts examples that appear benign during the filtering stage but become malicious after preprocessing or augmentation pipelines transform them.
- Mechanism: Exploiting differences between human review format and training format
- Example: An image that looks like a 'cat' in thumbnail review but becomes a 'dog' trigger after resizing or normalization
- Impact: Bypasses both automated filters and human review
- Defense: End-to-end integrity verification from ingestion to training tensor
Availability Poisoning
An indiscriminate attack designed to maximize the model's generalization error rather than implant a specific backdoor. The adversary injects noisy, mislabeled, or adversarial examples to render the model unusable for its intended purpose.
- Goal: Denial of service through model degradation
- Mechanism: Gradient-based crafting of maximally harmful training points
- Impact: Model accuracy converges toward random guessing
- Defense: Robust aggregation methods and anomaly detection on gradient updates
Model Inversion via Poisoning
A privacy attack where poisoned data points are designed to cause the trained model to leak information about other training examples. By inserting crafted samples, the adversary manipulates the model's decision boundaries to expose sensitive features of legitimate data.
- Target: Federated learning and collaborative training environments
- Mechanism: Poisoned updates that amplify memorization of private data
- Impact: Extraction of proprietary or personally identifiable information
- Defense: Differential privacy guarantees and secure aggregation protocols
Frequently Asked Questions
Data poisoning is a critical threat vector in the agentic threat modeling landscape, where adversaries corrupt training data to implant backdoors or induce misaligned behavior. The following answers address the most common technical queries regarding this attack surface.
Data poisoning is an adversarial attack where a threat actor deliberately contaminates a machine learning model's training dataset to cause it to learn a backdoor, misaligned behavior, or degraded performance. The attack works by injecting maliciously crafted samples—often with subtle, imperceptible perturbations—into the training corpus. During the learning process, the model optimizes its parameters to fit these poisoned examples, embedding a hidden trigger-response pattern. For instance, an attacker might insert images of stop signs with a small sticker into an autonomous vehicle's training set, causing the model to classify them as speed limit signs when the sticker is present. In the context of agentic threat modeling, this is particularly dangerous because autonomous agents rely on learned objectives; a poisoned dataset can cause goal misgeneralization, where the agent pursues a proxy objective implanted by the adversary instead of the designer's intended goal. The attack exploits the model's inability to distinguish between genuine and malicious data distributions, making detection exceptionally difficult without robust data observability and quality posture pipelines.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Data poisoning is one of many attack vectors targeting the AI supply chain. These related concepts define the broader security and alignment challenges that emerge when training data integrity is compromised.
Backdoor Attacks
A targeted form of data poisoning where an adversary inserts a trigger pattern into training data that causes the model to produce a specific, malicious output when that pattern appears at inference time. Unlike indiscriminate poisoning, backdoor attacks leave model performance unchanged on clean inputs, making them exceptionally difficult to detect. A classic example is adding a small sticker to stop signs that causes a vision model to classify them as speed limit signs, enabling physical-world exploitation without degrading normal accuracy.
Label Flipping
A data integrity attack where an adversary systematically alters the ground truth labels in a supervised learning dataset. By flipping labels on a targeted subset of examples—such as marking all fraudulent transactions as legitimate—the attacker causes the model to learn an inverted or corrupted decision boundary. This attack is particularly dangerous in binary classification tasks common in fraud detection, content moderation, and medical diagnosis, where the cost of a single misclassification can be catastrophic.
Model Inversion Attacks
A privacy attack that reconstructs sensitive training data by exploiting a model's outputs and confidence scores. While distinct from data poisoning, model inversion shares the common thread of training data vulnerability. An attacker queries a model trained on private data—such as facial recognition systems or medical records—and uses gradient information or confidence values to generate realistic reconstructions of individual training examples, violating confidentiality guarantees and regulatory requirements like GDPR.
Adversarial Examples in Agents
Input perturbations specifically crafted to cause misclassification or erroneous actions in deployed models. In the context of data poisoning, adversaries may insert adversarial examples directly into training data to create persistent vulnerabilities. For embodied agents and robotic systems, these perturbations can span multiple modalities:
- Visual: Imperceptible pixel noise that fools object detectors
- Audio: Inaudible voice commands that hijack speech-controlled agents
- Physical: 3D-printed objects designed to break real-world perception systems
Differential Privacy
A cryptographic framework that provides mathematical guarantees against training data extraction. By adding calibrated noise to the training process, differential privacy ensures that the presence or absence of any single data point cannot be reliably inferred from model outputs. While primarily a privacy defense, differential privacy also provides poisoning resistance: the noise injection mechanism limits the influence any individual poisoned sample can exert on the final model parameters, bounding the attacker's maximum impact.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us