How Indirect Data Poisoning Weaponizes AI Research
I looked into some recent empirical evaluations involving frontier models—specifically testing Claude Code (Opus 4.7), Codex (GPT-5.5), and Gemini CLI (Gemini 3.1 Pro) across 450 experimental runs. The results are pretty brutal:
The study covered high-stakes topics like autonomous vehicle safety and hiring discrimination. What's interesting is that even when researchers tried to implement a "scientist persona" to help the agent catch inconsistencies, the success rate of the poisoning only dropped to 16.67%. It turns out that relying on the model's "personality" isn't enough to stop a systematic data attack.
The only real way to kill this attack vector is through strict data provenance auditing. The researchers tested a five-point check system:
1. Verifying paper references
2. Checking social markers
3. Scanning for statistical anomalies
4. Cross-referencing related datasets
5. Implementing a "poisoning caution" protocol
When these auditing steps were integrated into the agent's retrieval process, the attack success rate actually dropped to zero. For anyone building LLM agents that scrape the web or pull from academic repositories, you can't just trust the metadata. If you aren't auditing the provenance of your training or RAG data, you're basically leaving the door wide open for industrial-scale fraud.