Market
The thesis
In October 2025, Anthropic showed that 250 poisoned documents are enough to backdoor a 13-billion-parameter model, and the count stays nearly constant as model size grows. Carlini and Tramèr earlier showed that poisoning 0.01 percent of LAION-400M cost sixty dollars. Backdoors persist across multiple retraining cycles and resist unlearning.
EU AI Act Article 10 makes data integrity a legal obligation for high-risk AI systems, with full enforcement on August 2, 2026. NIST AI RMF and ISO 42001 reinforce the same requirement. The buyer is the ML platform lead who needs a defensible answer for the auditor and the CISO, not an analyst shopping for a SIEM.
Gartner's AI TRiSM Market Guide names four layers. None of them covers training-data ingestion integrity. We are the missing fifth layer, and the only gate that sits on the write path of the training corpus before the gradient update happens.
How we compare
Every other category inspects the data after it has already landed, or the model after it has already trained on it. We are the only gate that sits on the training write path, before the gradient update happens.
One runtime gate. Six concerns unified.
Provenance, statistical drift, adversarial probes, semantic checks, cross-source consensus, and forensic audit — folded into a single inline decision per sample.
Evaluated inline. One verdict — PASS · QUARANTINE · REJECT. Signed. Replayable. Tier-aware.
Every signal feeds every layer. Uncertainty in one escalates scrutiny in the next. Evidence composes into the verdict.
We attack our own gate continuously — mapped to MITRE ATLAS, replayed against the stack, rolled into the rule set.
Every verdict — PASS, QUARANTINE, or REJECT — is a training signal. New attack patterns are encoded in hours, not quarters.
Watch the model in production for drift, latency, and explainability. Some ingest training data as a baseline.
The training data is treated as a statistical baseline, never inspected for poisoned samples or backdoor triggers. By the time a dashboard lights up, the gradient update has already happened.
Scan model artifacts and dataset files for malware, run automated red teams, and ship inference-time AI firewalls. Three of the leading startups in this category (Robust Intelligence, Protect AI, CalypsoAI) were absorbed by Cisco, Palo Alto, and F5 between 2024 and 2025.
File-level scanning, not sample-level behavioral detection. None of these sit on the training write path. A label tampering, sybil cluster, or trust-grooming attack passes a malware scanner without resistance.
Filter prompts and outputs at inference for jailbreaks, PII, and toxicity.
A backdoored model produces valid-looking outputs that sail through every guardrail. Anthropic showed in October 2025 that 250 poisoned documents are enough to backdoor a 13-billion-parameter model. By inference time, the damage is permanent.
Own the data plane and ship lineage, drift profiling, and quality features. Databricks has publicly committed to data trust scoring as a 2026 feature.
Platform-grade hygiene, not adversarial defense. None of them ships sybil-cluster, trust-grooming, or backdoor-trigger detection, and a platform vendor is not positioned to take the regulatory liability of issuing a security verdict on customer data.
Monitor warehouse and pipeline quality. Several have recently extended into LLM and unstructured-data monitoring.
Statistical anomalies, not adversarial ones. A coordinated poisoning attack is engineered to look statistically normal. That is the whole point.
Record where data came from, who touched it, and which contracts apply.
Provenance and access control, not an integrity verdict on the content of a training sample. You can prove the poison's lineage. You still cannot stop it at the door.
Why it's urgent
Production ML pipelines ingest from marketplaces, human labelers, partner APIs, and synthetic sources. Anthropic showed in October 2025 that 250 documents from any of those sources are enough to backdoor a 13-billion-parameter model. Once a poisoned sample makes it into a gradient update, the only economically rational response is a full retrain on a new corpus. Every defense layer downstream of ingestion is auditing a crime scene.
EU AI Act Article 10 makes data integrity a legal obligation for high-risk AI systems, with full enforcement on August 2, 2026. NIST AI RMF and ISO 42001 reinforce the same requirement. The buyer is no longer a security analyst shopping for a SIEM. It is the ML platform lead who has to give the auditor and the CISO a defensible answer about what trained the model.
Gartner published the AI TRiSM Market Guide in February 2025 with four named layers: governance, runtime inspection and enforcement, information governance, and infrastructure. None of them covers training-data ingestion integrity. We are the missing fifth layer. The team that builds it well becomes the default integration every ML stack adds before it trains.