Data and Model Poisoning in LLM Applications
detect, understand, remediate

Pre-training corpus

The largest, longest-lived dataset in the pipeline. Most enterprise teams do not pre-train their own foundation model, but consume one from a provider. The corpus is rarely auditable end to end. Risk concentrates on the supplier discipline (the model card, the dataset disclosures, the integrity attestation) rather than on internal controls.

Fine-tune and instruction-tuning datasets

The middle layer where most internal teams actually write to the model. Datasets are usually small, often hand-curated, and frequently sourced from internal logs, customer transcripts, support tickets, or product telemetry. A single contaminated record in this layer leaves a long shadow because the model learns it explicitly.

Retrieval-augmented generation corpus

The runtime layer where documents are pulled at inference time and pasted into the prompt. The retrieval index is usually the most write-permissive surface in the AI pipeline. Public document upload, customer-contributed knowledge, partner ingestion feeds, and scraped third-party sites all land here. Planted content is read every time a relevant query fires.

Embedding indexes and vector stores

The serialised representation the retrieval layer reads against. An attacker who can write a chosen vector into the index can pull a chosen document into a chosen query response without ever touching the document store. Write authority on the index is the controlling boundary.

Reward and feedback signals

RLHF, DPO, and online preference signals feed back into model weights or routing heuristics. If the feedback channel is reachable from a multi-tenant surface (thumbs-up, edit suggestions, rating widgets, accepted-completion telemetry) and is aggregated without per-identity weighting and per-source vetting, an attacker who controls many low-trust identities can drift the model towards their preferred behaviour.

Third-party model artefacts

Open-weight checkpoints, LoRA adapters, embedding models, tokenisers, and quantised variants pulled from public registries. A checkpoint that ships with a backdoor activated by a specific token sequence has the same shape as a poisoned dependency in classical software supply chain risk.

Ingestion pipelines and scrapers

The crawlers, ETL jobs, and connectors that bring external content into the corpus on a schedule. A misconfigured scraper, an unauthenticated webhook, or an unsigned content feed becomes the unattended write path the attacker targets when the document store itself is hardened.

Multi-tenant write paths

A retrieval index, a fine-tune dataset queue, or a feedback aggregator that one tenant can write into and another tenant later reads from. Cross-tenant poisoning is the cleanest path to a real-world impact: the attacker pays for a low tier, contributes a payload, and a higher tier tenant queries the index and receives the planted response.

No provenance record on dataset records

The fine-tune dataset is a single CSV in a bucket. There is no per-record source URI, no per-record contributor identity, no per-record timestamp, no per-record approval flag. When a finding lands, the team cannot answer where any given training row came from, which is the first question the auditor and the incident responder will ask.

Unauthenticated ingestion paths

A webhook, a document upload endpoint, a partner connector, or a public scraper writes into the corpus or the retrieval index without verifying the source. The write path is the easiest, cheapest, and most reusable poisoning channel.

Shared retrieval index across tenants

One embedding index serves multiple tenants. Scope filtering at query time is the only boundary, and the filter logic depends on a single client-supplied or session-supplied claim. A broken filter or a stale rule lets one tenant write content the other reads.

No human-approval gate on the fine-tune queue

The training pipeline runs on a cron. A new dataset commit triggers a new fine-tune. No human reviews the diff between this dataset and the previous version, and no automated content scanner runs against the change before the model trains.

Open-weight checkpoints loaded without signature checks

The team uses Hugging Face, GitHub releases, or an internal artefact store as the checkpoint origin. The serving pipeline downloads the file and loads it. No SHA-256 verification, no Sigstore verification, no publisher key check, and no allow-listed digest gate the load.

Feedback aggregation without per-identity weighting

Thumbs-up, accepted-completion telemetry, edit-distance signals, and human-preference labels are aggregated by raw count. An attacker who can spawn many low-trust identities can outvote the signal from sanctioned users and drift the model towards the chosen pattern.

Automated detection

• SecPortal's code scanning runs against connected repositories and flags training and fine-tune pipelines where the dataset source URI is not pinned to a known artefact, where the model checkpoint download skips an integrity check (no hash verification, no signature verification, no allow-listed digest), where the retrieval ingestion path accepts content from an unverified origin, where the embedding upsert step lacks a write-side authorisation check, where the dataset queue lacks a per-record approval flag, or where the reward-signal aggregator weights all feedback identities equally
• Authenticated scanning drives RAG-backed and fine-tune-backed endpoints with corpus probing payloads under a real session: canary queries that read suspected planted content back from the index, trigger-phrase queries that test for installed behavioural backdoors against a known good baseline, role and tenant boundary checks across the retrieval surface, ingestion replay attempts against the document upload path, and reranking-attack probes against the embedding store, then records the response as evidence on the finding
• External scanning discovers exposed dataset endpoints, public document-ingestion webhooks, RAG admin surfaces, public fine-tune job APIs, embedding-index write paths, and scraper webhooks reachable from the verified perimeter that may accept attacker-controlled content without authentication
• Continuous monitoring re-runs the corpus probe, the trigger-phrase canary set, the tenant boundary check, and the retrieval scope filter test on a defined cadence so a newly added ingestion path, a regressed scope filter, a removed signature check, a removed approval gate, or a new third-party checkpoint is caught against the previous baseline rather than waiting for the next manual review

Manual testing

• Enumerate every dataset the model consumes (pre-training disclosure, fine-tune dataset, instruction-tuning dataset, RAG corpus, embedding index, reward-signal aggregator, third-party checkpoint registry), the contributor identity that writes to each, the approval gate that governs each, and the integrity attestation that ships with each
• For each retrieval-corpus write path, send a planted canary document under a low-trust identity, query the index from a high-trust identity, and confirm whether the scope filter, the tenant boundary, the source-validation gate, and the quarantine workflow stop the planted content from reaching the response
• For each fine-tune pipeline, attempt to submit a dataset with a known trigger phrase against the approval gate, the content scanner, and the dataset signing workflow, and confirm whether the submission is reviewed, blocked, or accepted without comment
• For each model checkpoint load, simulate a checkpoint substitution against the deployment pipeline and confirm whether the hash check, the signature verification, or the allow-listed digest stops the load before serving traffic
• Read the activity log for the test session and confirm that each dataset write, each fine-tune run, each retrieval-index write, each checkpoint load, and each reward-signal aggregation captures the actor identity, the source reference, the timestamp, and the approval reference a finance, security, or audit responder would need to attribute the change

Finding record with corpus, contributor, and evidence

The finding captures the affected corpus (training, fine-tune, RAG, embedding index, or reward signal), the contributor identity, the source URI, the timestamp, the contaminated record reference, the trigger phrase or planted document, the affected checkpoint, the evaluation result, and the actor who reproduced the abuse. The evidence is what AppSec, AI engineering, ML platform, and security engineering need to reproduce the finding against the same dataset, the same pipeline, and the same model.

Code scanning across training and ingestion pipelines

Code scanning runs against connected GitHub, GitLab, and Bitbucket repositories. Findings surface at training and fine-tune pipelines where the dataset source URI is unpinned, where the checkpoint download skips integrity verification, where the retrieval ingestion path accepts content from an unverified origin, where the embedding upsert lacks a write-side authorisation check, where the dataset queue lacks an approval flag, or where the reward-signal aggregator weights all feedback identities equally.

Authenticated scanning with corpus probes

Authenticated scanning drives RAG-backed and fine-tune-backed endpoints with a curated set of corpus probes under a real session: canary document writes, trigger-phrase queries, tenant boundary checks, ingestion replay attempts, and embedding-store reranking probes. Each probe records whether the scope filter, the authorisation gate, or the approval workflow stopped the planted content, and the response becomes evidence on the finding.

External scanning across ingestion perimeter

External scanning discovers exposed document-ingestion webhooks, RAG admin surfaces, public fine-tune job APIs, embedding-index write paths, dataset connectors, and scraper webhooks reachable from the verified perimeter that may accept attacker-controlled content without authentication. The exposed path lands on the finding alongside the recommendation to authenticate or remove it.

Continuous monitoring against regression

Continuous monitoring re-runs the corpus probe, the trigger-phrase canary, the tenant boundary check, and the retrieval scope filter test on the configured cadence (daily, weekly, biweekly, or monthly). A new ingestion source, a regressed scope filter, a removed signature check, a removed approval gate, or a new third-party checkpoint shows up against the baseline rather than waiting for the next manual review.

Retest after the remediation ships

Once the fix deploys (provenance recorded, approval gate in place, signature verification active, scope filter restored, ingestion path authenticated), a targeted retest replays the original corpus probe and the original trigger-phrase canary against the new pipeline and records the post-fix response on the finding. The finding closes against the evidence rather than against a developer assertion that the dataset is now clean.

AI-assisted writeups with explicit honest scope

AI reports generate the writeup, the executive summary, and the developer-facing reproduction steps from the finding record. The narrative stays within the verified evidence (the corpus, the contributor, the source URI, the trigger phrase, the affected checkpoint, the evaluation result) and does not invent dataset lineage, signature infrastructure, or MLOps automation the product does not have.

Activity log for the dataset and checkpoint audit trail

The workspace activity log captures the security-side audit trail: who created the finding, who suppressed it, who closed it, who approved a related exception, who imported the third-party scanner result, and when the retest fired. Pair the workspace activity log with the engineering-side lineage record the pipeline writes (per-record provenance, approval reference, signature verification result) so post-incident reconstruction reads from both records.

Finding overrides for sanctioned ingestion paths

Where a documented ingestion path is a deliberate, sanctioned workload (an internal-only knowledge ingestion, a partner feed with a signed contract, a curated fine-tune dataset from a trusted contributor), finding overrides record the suppression rationale, the owner, and the expiry on the finding itself. The exception lives on the operating record alongside every other documented deviation.

Compliance tracking pairs the fix to control evidence

Compliance tracking maps data and model poisoning findings to the controls that read against them (ISO 27001 A.5.23 information security for cloud services, A.5.31 legal statutory regulatory, A.8.7 protection against malware, A.8.10 information deletion, A.8.30 outsourced development; SOC 2 CC6.1 logical access, CC7.1 system monitoring, CC8.1 change management; NIST 800-53 RA-3 risk assessment, SI-7 software firmware information integrity, SR-3 supply chain controls and processes; NIST AI RMF Map, Measure, Manage; ISO/IEC 42001 AI management system; NIST SSDF PS.2 protect all forms of code, PW.4 reuse existing well-secured software). The same finding feeds the engineering ticket and the auditor evidence pack.