CYB_012 · prediction · AI · recommendation-poisoning

'Recommendation poisoning' — deliberate corruption of the data lakes, training sets, and persistent memory banks that agents rely on for purchase/action decisions — emerges as the primary new cybersecurity-marketing vector, blurring the line between di...

Predictor: Alex Finn

Prior probability
78.0%
Current probability
43.9%
evolves via intake + LBP
Conviction
5/5
Signal quality
B
Resolution
in_progress
Window
2026-01-01 – 2029-08-31
Edges in / out
4 / 0
Tickers exposed
0

Prediction text

'Recommendation poisoning' — deliberate corruption of the data lakes, training sets, and persistent memory banks that agents rely on for purchase/action decisions — emerges as the primary new cybersecurity-marketing vector, blurring the line between digital advertising and unauthorized cyber manipulation. | First publicly-disclosed enterprise recommendation-poisoning incident

Key catalyst: First publicly-disclosed enterprise recommendation-poisoning incident

Watch events: OWASP LLM Top 10 updates; NIST AI-RMF updates; first enterprise-loss from recommendation poisoning

Resolution evidence

Status: in_progress

Academic research 2025-2026 documents agent-memory poisoning, prompt-injection attacks, training-data contamination demonstrations. AISI / NIST formal threat taxonomies emerging.

Predictor: Alex Finn

κ + Brier as of 2026-05-22
κ (discount)
0.643
Brier
0.0122
excellent
Hits / Misses
1 / 0
of 2 resolved
Hit rate
50.0%
Calibration plot (stated vs observed)

Evidence about this node from Alex Finn is multiplied by κ in /api/intake. Lower κ = less weight; floors at 0.10 (effectively silenced) and caps at 1.00 (full weight).

Reference class

Not linked

This node isn't linked to a reference class. The Bayesian update applies without outside-view blending.

Probability over time

5 prob_history rows
[Probability-over-time chart: y-axis 0% to 100%; prior 78%; dated points 2026-04-30, 2026-05-10, 2026-05-24; event markers: intake v2, milestone miss sweep, lbp propagation, reference class assigned, legacy v1, prior_prob (analyst seed); current = 43.9%]

Milestone chain

Pre-event signals (upstream prereqs + window checkpoints) → resolution event → downstream cascades. Status/dates update from linked nodes; re-derive nightly via scripts/ops/derive_milestones.py.
Leading chain: 2 fired ✓ · 7 pending
  1. 2026-02-10 · hit · Microsoft Security Blog publishes detailed AI Recommendation Poisoning attack analysis
    How: Microsoft publishes formal blog/whitepaper documenting AI Recommendation Poisoning targeting persistent agent memory layer
    Source: Microsoft Security Blog - Manipulating AI memory for profit: The rise of AI Recommendation Poisoning (conf 99%)
    Notes: HIT - Microsoft formally named and described the attack class, validating Finn's recommendation poisoning framing.
  2. 2026-02-10 · hit · Microsoft identifies 31 companies actively poisoning AI memory via Summarize with AI buttons
    How: Microsoft Security disclosure that 30 or more companies are actively running recommendation-poisoning campaigns against AI agents
    Source: Microsoft Security Blog - AI Recommendation Poisoning (conf 95%)
    Notes: HIT - confirms the first publicly-disclosed enterprise recommendation-poisoning incident criterion in spirit. NPM packages reduce the barrier to entry to near-zero.
  3. 2026-04-01 → 2026-12-31 · pending · Major AI assistant vendor discloses successful e-commerce recommendation-engine manipulation incident
    How: OpenAI, Anthropic, Google, Microsoft or a major AI agent platform publicly discloses a confirmed enterprise-class recommendation-poisoning breach
    Source: TTMS / Lakera / SNS - Training data poisoning enterprise incident reporting (conf 55%)
  4. 2026-08-29 · pending · Q1 window check-in (25%)
  5. 2026-06-01 → 2027-12-31 · pending · Standards body publishes formal taxonomy / mitigations for recommendation poisoning
    How: NIST AI Risk Management Framework, MITRE ATLAS or OWASP LLM Top 10 publishes a named taxonomy entry and mitigation guidance for the recommendation-poisoning attack class
    Source: MITRE ATLAS / OWASP LLM Top 10 / NIST AI RMF updates (conf 65%)
  6. 2027-04-27 · pending · Q2 window check-in (50%)
  7. 2027-12-23 · pending · Q3 window check-in (75%)
  8. 2027-01-01 → 2029-08-31 · pending · First public regulatory action / enforcement targeting recommendation-poisoning vendor
    How: FTC, EU regulator or state AG opens or settles an enforcement action against a vendor of recommendation-poisoning services / NPM packages
    Source: FTC press releases, EU AI Act enforcement (conf 40%)
    Notes: Cascade - Finn predicts this becomes the primary new vector, which implies enforcement attention.

No downstream cascades — this prediction is a leaf in the dependency graph.

What if this resolves?

Clamp this prediction TRUE or FALSE and run a counterfactual Gibbs sample. Surfaces the predictions whose marginals shift most under that assumption.
(live posterior: 44%)


Evidence chain

Every probability update with full Bayesian provenance — chronological, latest first
LBP · 2026-05-24T02:00:02Z · 43.9% · -1.2pp
Network propagation: 45.1% → 43.9%
4-iter LBP, residual 0.01000 · damping 0.5, w_intrinsic 0.5 · method lbp_v3 · run 806b02f8
LBP · 2026-05-17T02:00:01Z · 45.1% · -2.5pp
Network propagation: 47.6% → 45.1%
5-iter LBP, residual 0.00689 · damping 0.5, w_intrinsic 0.5 · method lbp_v3 · run e607fa96
LBP · 2026-05-10T02:00:02Z · 47.6% · -5.1pp
Network propagation: 52.7% → 47.6%
6-iter LBP, residual 0.00584 · damping 0.5, w_intrinsic 0.5 · method lbp_v3 · run e5c18d29
LBP · 2026-05-03T02:00:01Z · 52.7% · -9.7pp
Network propagation: 62.4% → 52.7%
6-iter LBP, residual 0.00677 · damping 0.5, w_intrinsic 0.5 · method lbp_v3 · run 1a683ac9
LBP · 2026-04-30T16:39:51Z · 62.4% · -15.6pp
Network propagation: 78.0% → 62.4%
5-iter LBP, residual 0.00825 · damping 0.5, w_intrinsic 0.5 · method lbp_v2 · run 0c8a4ea3

Network propagation neighbors

Top edges sorted by latest LBP cross-impact

No propagation data yet. Run inference/.venv/bin/python scripts/ops/run_loopy_belief_propagation.py on the droplet, or wait for the Sunday 02:00 UTC weekly cron.

Prerequisites (4)

Predictions that must hit first
Type | Pred | Title | Domain | Lag
correlate | S_AGI_MID_2029 | AGI mid: Kurzweil 2029 path | agi_general_capability | (none)
correlate | S_AGI_FAST_2027 | AGI fast: drop-in remote worker by 2027-09 | agi_general_capability | (none)
correlate | S_AGI_SLOW_2031 | AGI slow: Schmidt/Hassabis 5-10 year path | agi_general_capability | (none)
correlate | S_AGI_WINTER_2036PLUS | AGI delayed: capability plateau or AI winter | agi_general_capability | (none)

Dependents (0)

Predictions enabled by this
Type | Pred | Title | Domain | Lag
No dependents

Validations (1)

Resolution events
Observed at | Status | By | Notes
2026-04-29 | partial | thesis_timeline_v1.0_import | Academic research 2025-2026 documents agent-memory poisoning, prompt-injection attacks, training-data contamination demonstrations. AISI / NIST formal threat taxonomies emerging.

Linked documents (10)

Auto-generated by cosine similarity from Polymarket / Manifold / EDGAR / GDELT

Raw metadata

From Thesis_Timeline_v1.0_FINAL workbook
{
  "nia": false,
  "mode": "FORECAST",
  "role": "Cited-Other",
  "context": "Novel cybersecurity vector, bridging marketing and attack frameworks. Couples with CYB_022 (LiteLLM supply chain), 231_017 (open-weight supply chain attack).",
  "to_year": 2029,
  "conv_cues": "coined term; novel attack-vector category",
  "direction": "HAPPEN",
  "from_year": 2026,
  "timeframe": "2026-2029",
  "conv_level": "HIGH",
  "milestones": [
    {
      "kind": "llm_pre_event",
      "label": "Microsoft Security Blog publishes detailed AI Recommendation Poisoning attack analysis",
      "notes": "HIT - Microsoft formally named and described the attack class validating Finn's recommendation poisoning framing.",
      "source": "Microsoft Security Blog - Manipulating AI memory for profit: The rise of AI Recommendation Poisoning",
      "status": "hit",
      "weight": 0.4,
      "ordinal": -9,
      "source_id": null,
      "confidence": 0.99,
      "source_url": "https://www.microsoft.com/en-us/security/blog/2026/02/10/ai-recommendation-poisoning/",
      "expected_date": "2026-02-10",
      "observed_date": "2026-02-10",
      "research_origin": "deep_research",
      "measurement_criterion": "Microsoft publishes formal blog/whitepaper documenting AI Recommendation Poisoning targeting persistent agent memory layer"
    },
    {
      "kind": "llm_pre_event",
      "label": "Microsoft identifies 31 companies actively poisoning AI memory via Summarize with AI buttons",
      "notes": "HIT - confirms first publicly-disclosed enterprise recommendation-poisoning incident criterion in spirit. NPM packages reduce barrier to entry to near-zero.",
      "source": "Microsoft Security Blog - AI Recommendation Poisoning",
      "status": "hit",
      "weight": 0.4,
      "ordinal": -8,
      "source_id": null,
      "confidence": 0.95,
      "source_url": "https://www.microsoft.com/en-us/security/blog/2026/02/10/ai-recommendation-poisoning/",
      "expected_date": "2026-02-10",
      "observed_date": "2026-02-10",
      "research_origin": "deep_research",
      "measurement_criterion": "Microsoft Security disclosure that 30 or more companies are actively running recommendation-poisoning campaigns against AI agents"
    },
    {
      "kind": "llm_pre_event",
      "label": "Major AI assistant vendor discloses successful e-commerce recommendation-engine manipulation incident",
      "source": "TTMS / Lakera / SNS - Training data poisoning enterprise incident reporting",
      "status": "pending",
      "weight": 0.4,
      "ordinal": -7,
      "source_id": null,
      "confidence": 0.55,
      "source_url": "https://ttms.com/training-data-poisoning-the-invisible-cyber-threat-of-2026/",
      "expected_date": "2026-08-16",
      "research_origin": "deep_research",
      "expected_date_range": {
        "to": "2026-12-31",
        "from": "2026-04-01"
      },
      "measurement_criterion": "OpenAI Anthropic Google Microsoft or major AI agent platform publicly discloses a confirmed enterprise-class recommendation-poisoning breach"
    },
    {
      "kind": "quartile_checkpoint",
      "label": "Q1 window check-in (25%)",
      "status": "pending",
      "weight": 0.05,
      "ordinal": -6,
      "source_id": null,
      "expected_date": "2026-08-29",
      "observed_date": null
    },
    {
      "kind": "llm_pre_event",
      "label": "Standards body publishes formal taxonomy / mitigations for recommendation poisoning",
      "source": "MITRE ATLAS / OWASP LLM Top 10 / NIST AI RMF updates",
      "status": "pending",
      "weight": 0.4,
      "ordinal": -5,
      "source_id": null,
      "confidence": 0.65,
      "expected_date": "2027-03-17",
      "research_origin": "training",
      "expected_date_range": {
        "to": "2027-12-31",
        "from": "2026-06-01"
      },
      "measurement_criterion": "NIST AI Risk Management Framework MITRE ATLAS or OWASP LLM Top 10 publishes named taxonomy entry and mitigation guidance for recommendation-poiso
... (truncated)