Why Data Provenance will Define the Next Phase of AI Governance

Author: Alistair Sackley

This month’s joint study from Anthropic, the UK AI Security Institute, and the Alan Turing Institute landed like a quiet bombshell: they’ve shown that it only takes 250 documents to poison a large language model with over 13 billion parameters.

That’s 0.00016% of its training data.

Think of today’s AI ecosystem like a vast network of digital plumbing: every dataset, line of code, and model update is a section of pipe feeding the system. We’ve spent years polishing the taps (bias audits, fairness dashboards, model transparency) whilst largely ignoring the pipes underneath, and those pipes are leaking. Once a few drops of poisoned data enter the flow, they spread everywhere. You can’t filter them out later. This form of attack (backdoor poisoning) plants hidden triggers in the data used to train an AI. Once deployed, those triggers can be activated by specific words, phrases, or situations. The system looks normal until it isn’t: it produces false answers, leaks sensitive data, or slips past its own safety filters. In simple terms, AI models are only as clean as the pipes that feed them, and that makes data integrity a national security issue.

For years, AI governance debates have focused on ethics (bias, fairness, transparency). All important, but increasingly beside the point. The real threat now is integrity: knowing whether the vast oceans of data feeding our models have been tampered with.

Because poisoning isn’t hypothetical, it’s cheap, stealthy, and scalable. A single bad actor could infiltrate open datasets, code repositories, or academic archives and leave behind digital landmines that no one notices until the model behaves strangely (perhaps in a military system, a hospital triage tool, or a financial regulator’s analytics dashboard).

The Anthropic / AISI / Turing findings expose a gap running right through our national AI architecture. We have capable regulators and active standards bodies, but no shared framework for securing data provenance (for proving that the information used to train an AI is clean, verified, and auditable). A sort of synthetic confidence.

Three policy challenges standout:

1. Current AI safety audits focus on model outputs, not on the training inputs that shape them. Once poisoned data is embedded, it’s almost impossible to detect.
2. There are no UK standards or certification processes defining what counts as a trusted training dataset.
3. DSIT leads on AI safety, NCSC on cybersecurity, and UKRI funds data infrastructure, but no single actor owns the data-integrity problem.

Without fixing these challenges, we risk building elaborate guardrails for systems that are already compromised upstream. This is precisely where the Agents, Interaction and Complexity Group at the University of Southampton could play a transformative role.

The world’s largest research group devoted to agent-based and autonomous systems, AIC already works on safe, verifiable and trustworthy AI. Its expertise in multi-agent coordination, verification,

and complex adaptive systems maps directly onto the challenge of tracking, certifying, and governing AI supply chains.

Imagine repurposing some of that that capability toward a secure AI supply-chain verification framework:

• Chain-of-custody systems that trace every piece of training data through the AI lifecycle.
• Data Bills of Materials - machine-readable manifests proving where the data came from and under what conditions it was processed.
• Continuous provenance monitoring, using agent-based reasoning to detect drift or manipulation in real time.

These are not speculative ideas; they are the natural extension of AIC’s current work in agentic systems, transparency, and human-AI interaction.

If 250 documents can hack an AI, then data integrity is no longer a technical side issue, it’s a matter of strategic control: who owns and verifies the informational inputs that shape systems used in defence, healthcare, and government.

The UK has an opportunity to lead by treating data provenance as national infrastructure: to build a system that’s robust, monitored, and tamper-proof. Embedding Southampton’s agentic-systems expertise within the emerging AI safety and security frameworks could give the UK a verifiable path forward: one that joins technical capability with governance design.

Contact: Alistair Sackley, Public Policy Southampton