Data Risks from AI
Every deployed AI agent sits inside a closed loop. Sensors capture data from the agent's environment. Telemetry flows over networks to a cloud or fleet backend. The data informs model training and operational decisions. Updated models, policies, and configurations flow back to the deployed agents over the air. The agents act on the new instructions, producing more sensor data that feeds the next training cycle. Each stage of this loop is a target, and corruption introduced at any stage propagates forward. What separates data risks from conventional cybersecurity is that the loop closes — a successful attack on training data does not merely expose information, it shapes the behavior of every agent that subsequently runs the corrupted model.
The Data Risks pillar covers eight risk categories that map onto the stages and targets of the loop, from the sensor that captures data through the transit path, the training process, the update pipeline, the fleet orchestration plane, and the operational environments where AI-mediated decisions feed back into physical systems. Each category has its own dedicated treatment; this page is the overview that locates them relative to each other.
The Eight Risk Categories
Telemetry Capture Integrity covers the first link in the loop — the sensor itself. The category addresses sensor spoofing and tampering including camera blinding, lidar confusion through adversarial reflectors, GNSS spoofing, and ultrasonic microphone injection, the sensor redundancy and cross-validation approaches that bound the risk, and the cryptographic attestation patterns being developed to prove a sensor's output came from the sensor at the time it claims.
Transit Security covers the path telemetry travels between edge and cloud — edge gateways, cellular and WiFi links, content delivery networks, and cloud ingress points. The category addresses interception, modification, replay, and deletion attacks across the transit path, the end-to-end encryption and message authentication that bound them, the AI-specific transit categories including model weights and agent communications, and the provenance tracking that detects telemetry alteration between source and destination.
Training Data Poisoning covers the corruption of the data that models train on. The category addresses how small perturbations in a small fraction of training samples can produce models that behave correctly on most inputs and incorrectly on attacker-chosen inputs, how poisoning can be introduced upstream of the operator through open datasets, labeling contractors, or foundation models, the dataset provenance and curation controls that bound the risk, and the detection mechanisms developed to catch poisoning before deployment.
Model Update Integrity covers the integrity of the specific updates that reach deployed agents through update pipelines. The category addresses the two integrity dimensions of cryptographic provenance and behavioral integrity, what model updates actually are, the silent capability change problem for vendor-hosted models, the signing, attestation, staged rollout, and rollback mechanisms that bound the risk, and the failures that have demonstrated the consequences when those controls are weak.
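As an added illustration of the two integrity dimensions named above (this is not code from 137AI), a fleet-side gate in Python that checks the cryptographic provenance of a model update before checking its behavioural integrity on a staged cohort, and only then allows promotion. The HMAC key, manifest fields, thresholds and canary set are constructed stand-ins; a real pipeline would use an asymmetric release signature and build attestation in place of the HMAC.

```python
import hashlib
import hmac
import json

# Constructed release-signing key and thresholds (stand-ins, not real values).
RELEASE_KEY = b"constructed-release-signing-key"
BASELINE_CANARY_ACCURACY = 0.95   # what the currently deployed model scores on the canary set
MAX_ALLOWED_DROP = 0.02           # a larger regression stops promotion past the staged cohort

def sign_manifest(manifest: dict, key: bytes = RELEASE_KEY) -> str:
    """HMAC-SHA256 over the canonical manifest; stands in for a real release signature."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def check_provenance(manifest: dict, signature: str, weights: bytes, deployed_version: int) -> str:
    """Cryptographic-provenance dimension: who produced the update, and is it what they signed."""
    if not hmac.compare_digest(sign_manifest(manifest), signature):
        return "reject: bad signature"                     # manifest tampered or not signed by us
    if hashlib.sha256(weights).hexdigest() != manifest["weights_sha256"]:
        return "reject: weights do not match signed manifest"   # artifact swapped after signing
    if manifest["version"] <= deployed_version:
        return "reject: rollback or replay of an older version"  # anti-rollback check
    return "ok"

def check_behaviour(predict, canary: list) -> str:
    """Behavioural-integrity dimension: a validly signed model can still behave differently."""
    accuracy = sum(predict(x) == y for x, y in canary) / len(canary)
    if accuracy < BASELINE_CANARY_ACCURACY - MAX_ALLOWED_DROP:
        return f"hold: canary accuracy {accuracy:.2f} regressed beyond tolerance"
    return "ok"

def gate_update(manifest, signature, weights, deployed_version, predict, canary) -> str:
    """Order matters: provenance first, then behaviour on the staged cohort, then promote."""
    verdict = check_provenance(manifest, signature, weights, deployed_version)
    if verdict != "ok":
        return verdict
    verdict = check_behaviour(predict, canary)
    return "promote" if verdict == "ok" else verdict

# Constructed sample update and canary set (labels are the parity of the input).
SAMPLE_WEIGHTS = b"constructed weights for version 7"
SAMPLE_MANIFEST = {"model": "agent-policy", "version": 7,
                   "weights_sha256": hashlib.sha256(SAMPLE_WEIGHTS).hexdigest()}
SAMPLE_SIGNATURE = sign_manifest(SAMPLE_MANIFEST)
CANARY = [(x, x % 2) for x in range(100)]
healthy_model = lambda x: x % 2       # behaves like the deployed baseline
drifted_model = lambda x: 0           # correctly signed, but its behaviour has changed
```

Running `gate_update` with `healthy_model` returns "promote"; with `drifted_model` it holds the update at the staged cohort even though every provenance check passed, which is the silent capability change the text describes.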
Fleet-Scale Coordinated Attacks covers attacks that reach the orchestration plane controlling many agents at once, producing events with no per-agent equivalent. The category addresses the monoculture problem and the correlated-exposure property of fleet deployment, what fleet units share that creates fleet-wide propagation paths, the correlated failure dimension alongside deliberate attacks, the amplification math that makes fleet scale a distinct risk, and the segmentation, staged rollout, and blast radius limiting that bound the risk.
Surveillance Material Harvesting covers the intimate material that agents with cameras, microphones, and behavioral sensors accumulate as a byproduct of normal operation. The category addresses harvesting as a data lifecycle problem distinct from the act of surveillance, the overlap between AI training data scraping and surveillance harvesting, the aggregation amplification, the data broker ecosystem, the re-identification problem, and the access control and encryption mechanisms that bound who can reach harvested material.
Supply-Chain-of-Updates Attacks covers the upstream vectors through which an operator may ship a compromised model despite signing and staging their own updates with discipline. The category addresses the trustworthiness of the entire chain of parties, dependencies, build processes, and distribution infrastructure that produces AI updates, the SolarWinds pattern applied to AI, the dependency depth and vendor concentration dimensions, the documented incidents, and the bill-of-materials and provenance tracking that surface upstream compromise.
OT/ICS Telemetry & Digital Twin Deception covers the data risk specific to AI embedded in operational technology environments including grid forecasting, predictive maintenance, traffic optimization, and process control. The category addresses how tampered telemetry produces operational decisions the legitimate operator would never authorize, how a digital twin built on corrupted telemetry shows a synthetic state diverging from physical reality, the cross-validation and physical-model-consistency checks that bound the risk, and the governance vacuum at the intersection of AI regulation and industrial control regulation.
How the Categories Combine
The categories combine because they map onto the stages of a single closed loop. Telemetry Capture Integrity addresses the loop's first stage — the sensor. Transit Security addresses the stage where captured data travels to backends. Training Data Poisoning addresses the stage where data trains models. Model Update Integrity and Supply-Chain-of-Updates Attacks address the stage where updated models flow back to agents — the first addressing the integrity of the specific update, the second addressing the trustworthiness of the chain that produced it. Fleet-Scale Coordinated Attacks addresses the orchestration plane that coordinates the agents the loop runs across. Surveillance Material Harvesting addresses the material the loop accumulates as a byproduct. OT/ICS Telemetry & Digital Twin Deception addresses the specific loop where AI-mediated decisions feed back into industrial control.
The loop structure is what makes data risks distinct from conventional cybersecurity. Corruption introduced at any stage propagates forward through the loop; a poisoned training input becomes a poisoned model, a poisoned model becomes corrupted agent behavior, corrupted agent behavior becomes corrupted sensor data feeding the next cycle. No single category addresses the loop alone. The integration with the engineering controls covered in the Controls pillar, the governance frameworks covered in the Governance pillar, the trust posture covered in the Security & Trust pillar, and the compliance practice covered in the Compliance & Conformity pillar produces the comprehensive data risk practice that AI deployment at scale depends on.
The Reframe
Data risks are the risks to the closed loop that every deployed AI agent runs inside — and the loop closing is what distinguishes them from conventional cybersecurity, because corruption at any stage does not merely expose information but propagates forward to shape the behavior of every agent that runs the corrupted model. The eight categories address the stages and targets of the loop, and the integration across the broader site disciplines determines whether the loop can be trusted end to end.