What is data poisoning in AI search?

Data poisoning is planting a small amount of text on the open web to change what an AI system reports about a topic. In a 2026 paper, Cornell Tech researchers found that a short poisoned passage, on the order of 13 words, placed in ordinary user-generated content such as a forum comment, can steer what a deep-research AI agent says. Not 13 pages. Not a campaign. Roughly 13 words. The finding was demonstrated end to end against open-source research agents; on the closed commercial ones it was observed through citation behavior, which is a narrower but real signal.

Why does this matter more than it sounds?

Because AI search collapses your whole reputation into one confident sentence and hides the sources behind it. For most of the internet era your reputation was a results page you could see and judge for yourself. Now a model reads the web, weights what it finds, and repeats it in a calm, trustworthy voice that gives no hint of how thin the underlying evidence is. When that summary has been poisoned, the reader has no way to tell and no instinct to doubt it. Servola advises on AI risk and governance, and this is the gap we see most owners miss.

Does a clean Google result protect me?

No. You can hold a spotless search results page and a poisoned AI answer at the same time, because they are now two different surfaces and almost no one is watching the second one. Classic reputation work, monitoring the press and pushing the bad link down the page, assumes a human is doing the reading. It does nothing about an AI assistant that has quietly absorbed a false claim and now repeats it to everyone who asks, with full confidence and no visible footnote.

What should a company actually do?

Three moves. First, know what the machines say: regularly ask the major assistants about you, your company, and your key people, and treat their answers as live public statements you are responsible for. Second, own your own facts, because a deep, consistent, well-structured body of accurate first-party information is the strongest defense; models lean on what is clear and corroborated and exploit what is vague. Third, treat your AI reputation as an attack surface. You would not leave a building unlocked because no one has tried the door yet, and 13 words is a very low bar for anyone who wants to try.