AI poisoning and the CISO’s crisis of trust

The CISO’s role has always been to protect the organization from threats it does not yet understand. AI poisoning requires CISOs to rethink risk, architecture, relationships, and shared responsibility.

In May 2025, the NSA, CISA, and FBI issued a joint bulletin authored with the cooperation of the governments of Australia, New Zealand, and the United Kingdom confirming that adversarial actors are poisoning AI systems across sectors by corrupting the data that trains them. The models still function — just no longer in alignment with reality.

For CISOs, this marks a shift that is as significant as cloud adoption or the rise of ransomware. The perimeter has moved again, this time inside the large language models (LLMs) being used to train the algorithms. The bulletin’s guide to address the corruption of data via data poisoning is worthy of every CISO’s attention.

AI poisoning shifts the enterprise attack surface

In traditional security frameworks, the goal is often binary: deny access, detect intrusion, restore function. But AI doesn’t break in obvious ways. It distorts. Poisoned training data can reshape how a system labels financial transactions, interprets medical scans, or filters content, all without triggering alerts. Even well-calibrated models can learn subtle falsehoods if tainted information is introduced upstream.

Prominent examples include:

• Foundation models began parroting Kremlin-aligned propaganda after ingesting material seeded by a large-scale Russian network known as the “Pravda Network.”
• A high-profile AI-generated reading list published by two American news outlets included 10 hallucinated book titles mistakenly attributed to real authors.
• Researchers showed that imperceptible perturbations in training images could trigger misclassification. 
• Researchers in the healthcare domain demonstrated how data poisoning in LLMs at the rate of just 0.001% triggered medical misinformation.

Rethinking risk: From system to epistemology

Cybersecurity has always been about defending systems. But in an AI-first environment, systems are not static. That shifts the CISO’s role from traditional perimeter defense to inference defense. The adversary is not simply breaching networks; when AI is employed, the adversary’s use of data poisoning is tampering with knowledge itself.

In 2023, I made the case that CISOs would need to begin treating AI systems less like tools and more like unpredictable teammates. I spoke with Rebecca Herold, a longtime privacy and infosec advisor, about what this new alignment would require. She surfaced eight foundational questions that remain vital to every CISO probing AI systems fidelity, inference drift, and institutional trust:

1. What is the provenance of the data used to train your AI? Can you trace where it came from, how it was processed, and whether it was curated or scraped?
2. Can your AI explain its decision-making process in a way your compliance team understands?  Interpretability is essential when regulators or auditors come calling.
3. What happens when your AI hallucinates or fabricates information?  Do you have detection mechanisms and escalation protocols in place?
4. Who is accountable when your AI makes a mistake?  Is there a clear chain of responsibility for AI-driven outcomes?
5. How do you detect if your AI has been tampered with or poisoned?  Are you monitoring behavioral drift, adversarial inputs, or training set contamination?
6. Is your AI teammate aligned with your organization’s ethical framework?  Does it reflect your values — or just your data?
7. What safeguards are in place to prevent adversarial manipulation?  Have your teams red-teamed the models for prompt exploits, data poisoning, or synthetic identity injection?
8. Are you prepared to defend your AI’s decisions in court or in the court of public opinion? Can you explain and justify outcomes to regulators, customers, and the media?

Alignment requires architecture

Anurag Gurtu, CEO of cybersecurity copilot maker Airrived, has long warned that generative AI models, absent contextual reinforcement, will tend to drift toward plausible falsehoods. He has advocated for integrating graph-based structure and domain-specific rulesets to help constrain AI inference. That advice has taken on new urgency.

The lesson is clear: When AI ingests without oversight and outputs without auditability, the gap between reality and response widens. That gap becomes the breach of system integrity, semantic fidelity, and trust.

The CISO remains the linchpin of organizational resilience and finds themselves addressing AI poisoning surfaces risks that cut across domains. That’s why partnership matters. The chief trust officer, where present, brings a perspective focused on aligning model behavior with institutional values and social accountability. The chief data officer governs the integrity, sourcing, and lifecycle of training assets. The chief privacy officer ensures lawful and ethical treatment of data throughout the AI pipeline.

These leaders collaborate, but the CISO integrates. Ultimately, it is the CISO who will be called to explain to both internal and external audiences how a compromised model made its decisions and what the organization did to prevent it.

Six actions every CISO can take now

To reduce risk and reclaim visibility over model behavior, security leaders should take the following six actions aligned to three imperatives: Visibility, vigilance, and viability.

Visibility

1. Map AI dependencies:  Identify every system — internal or third party — where AI influences material decisions, including embedded AI in SaaS platforms and shadow deployments.

2. Establish data provenance protocols: Require documentation of training inputs, version control, and digital chain of custody for every model build.

Vigilance

3. Monitor for behavioral drift: Use known benchmarks, canary inputs, and adversarial probes to detect semantic drift across time, context, and user cohorts.

4. Red team for meaning, not just access: Simulate poisoned inputs, prompt-based exploits, and synthetic identity interactions to gauge model resilience.

Viability

5. Develop model failure playbooks: Prepare for scenarios involving hallucinated outputs, regulatory non-compliance, or public disinformation incidents. Include escalation paths, rollback procedures, and public communication protocols.

6. Invest in AI fluency across the organization: Security, legal, compliance, and risk leaders must all understand how to interrogate AI and not just trust the AI.

Thought for CISOs to chew on

AI systems are now co-authors of enterprise decisions. They forecast credit risk, flag health anomalies, screen applicants, and triage threats. But when those systems are trained on poisoned data, the harm doesn’t begin with their deployment. It begins in their formation.

The CISO’s role has always been to protect the organization from threats it does not yet understand. AI poisoning is that threat.

Trust, once broken by an algorithm, cannot be restored with a patch. It must be rebuilt. Deliberately. Transparently. And under the CISO’s watch.