AI Poisoning the Quiet Enterprise Threats and CISSP Questions (Domain 1)
May 14, 2026
EPISODE SUMMARY
- Podcast: CISSP Cyber Training Podcast | Host: Shon Gerber, vCISO, CISSP | Episode: CCT 347 | Duration: 28:05
- Opening News Segment: Shon covers a CSO Online article by Cynthia Brumfield titled "Poisoned Truth: The Quiet Security Threat Inside Enterprise AI." The core warning: enterprise AI systems can be corrupted slowly and silently — no alarms, no encrypted files, just a model making confident but wrong decisions. Shon draws a distinction between two threat types: data poisoning (deliberate manipulation by an attacker) and data pollution (accidental garbage data at scale — the more likely threat for most organizations). Key research finding: just 250 maliciously crafted documents can corrupt a large language model regardless of its size (per research from Anthropic, the UK AI Security Institute, and the Alan Turing Institute). The episode also breaks down RAG (Retrieval Augmented Generation) pipelines — explaining how they give AI real-time access to internal knowledge bases, but that same knowledge base becomes the primary attack surface. Practical defenses covered: audit what your AI trusts, map the full AI contact surface, treat the AI pipeline like an untrusted third-party vendor, and assign a named owner for AI accuracy and security governance.
- CISSP Domain/Topic: Domain 1 — Security and Risk Management | Practice questions covering ALE-based risk treatment, NIST RMF, ISC2 Code of Ethics, BCP/RTO/RPO gap analysis, and HIPAA vs. GDPR
- Key Topics Table:
| Topic | Key Takeaway |
|---|---|
| AI Data Poisoning | Deliberate manipulation of AI inputs — even 250 bad documents can corrupt an LLM |
| Data Pollution vs. Poisoning | Pollution is accidental (stale/bad data at scale); poisoning is intentional — both are dangerous |
| RAG Pipeline Risk | RAG gives AI real-time internal data access — that knowledge base is the #1 attack surface |
| AI Governance Controls | Audit AI trust sources, map contact surface, treat pipeline as untrusted vendor, assign named owner |
| ALE-Based Risk Treatment | $50K compensating control reducing $1.76M annual loss expectancy = clear risk-adjusted win |
| NIST RMF & FedRAMP | Inherited controls still require implementation documentation — no steps can be skipped |
| ISC2 Code of Ethics | Document discrepancies regardless of management instruction; escalate through internal channels |
| BCP Gap: RPO vs. Backup Frequency | 2-hour backup intervals vs. 15-minute RPO = up to 119 minutes of potential data loss — critical gap |
| HIPAA ≠ GDPR | GDPR adds data subject rights, lawful basis for processing, and cross-border transfer restrictions not in HIPAA |
| CISSP Sprint Cohort | 8-week live cohort starting July 7th; early bird pricing available on waitlist |
- Resources Mentioned:
- 🔗 FreeCISSPQuestions.com — 360 free CISSP practice questions delivered to your inbox
- 🔗 CISSPCyberTraining.com — Free and paid CISSP training, cohort waitlist, and study blueprint
- 🔗 ReduceCyberRisk.com — Cybersecurity consulting, software sourcing, and vCISO services
CISSP Cyber Training Academy Program!
Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?
Let CISSP Cyber Training help you pass the CISSP Test the first time!