Models trained on scraped web data may memorize PII, medical records, or private communications and reproduce them verbatim when prompted correctly.

↳ Researchers have extracted real names, addresses, and SSNs from GPT-2 and GPT-3 via targeted prompting.

Adversaries can infer sensitive attributes—health status, sexual orientation, political beliefs—from model responses without direct data access.

↳ Membership inference attacks can confirm whether specific individuals appeared in training data.

In shared GenAI deployments, context windows may inadvertently surface another user’s queries, documents, or personally identifiable information.

↳ Samsung engineers accidentally uploaded proprietary semiconductor source code to ChatGPT in 2023.

Data originally collected for one purpose (e.g., customer support) is repurposed for model training without explicit user consent, violating GDPR and similar laws.

↳ CNIL (France) fined a company for using customer chat data in LLM fine-tuning without lawful basis.

Using copyrighted books, code, images, and music to train models without licensing may constitute direct infringement at massive scale.

↳ The New York Times v. OpenAI alleges billions of copyrighted articles were used without authorization or compensation.

Models can reproduce near-verbatim excerpts from training data—generating full song lyrics, code functions, or book passages on demand.

↳ GitHub Copilot has been documented reproducing entire MIT/GPL-licensed code blocks without attribution.

Who owns AI-generated content? Current law in most jurisdictions requires human authorship for copyright protection, creating a dangerous ownership vacuum.

↳ The US Copyright Office has repeatedly denied registration for purely AI-generated works.

GenAI outputs that are “substantially similar” to copyrighted source material—even when transformed—may qualify as infringing derivative works.

↳ Image generators producing work in the “style of” a living artist have faced multiple infringement suits.

Attackers embed malicious instructions in content the AI processes—emails, documents, web pages—hijacking the AI’s actions or extracting sensitive system prompts.

↳ “Indirect prompt injection” attacks on AI assistants have exfiltrated user data via crafted web pages the AI browses.

Threat actors use GenAI to craft hyper-personalized phishing, generate malware variants, automate vulnerability research, and create deepfake social engineering.

↳ WormGPT and FraudGPT—jailbroken LLMs sold on dark web—generate convincing BEC phishing at scale.

Adversaries inject malicious data into model training pipelines, causing the model to behave incorrectly or maliciously in specific, attacker-controlled scenarios.

↳ Backdoor attacks can cause models to misclassify inputs containing specific triggers with near-100% reliability.

Open-source model weights and datasets from repositories like Hugging Face may contain embedded malware, trojans, or data poisoning, infecting downstream deployments.

↳ JFrog researchers discovered PyTorch models on Hugging Face containing malicious pickle payloads.