New

Backup for AI: Key Strategies

Data backup
Andrew Simmonds photoAS
Andrew Simmonds

Content Writer

Geoff Burke photoGB
Geoff Burke

IT Infrastructure & Data Protection Expert


Introduction 

AI has entered the data center—and with it, a new class of data that demands a new approach to protection. Training datasets, language models, vector databases, experiment logs, and agent-driven automation are now core operational assets in many organizations. But with global ransomware costs projected to exceed $265 billion by 2031,1 and AI also being used by attackers to automate and accelerate multiple stages of the attack chain, are backup strategies keeping pace? 

This guide examines what makes AI data backup different, from what needs to be backed up, to the strategies that provide genuine resilience against threats like ransomware and data poisoning. 

What Makes AI Data Different 

Traditional IT data—databases, file systems, email archives—is largely static between transactions: it changes when a user acts on it. AI data has specific protection needs that set it apart in three important ways. 

First, it is cumulative and expensive to recreate. A language model trained on petabytes of curated data, annotated at significant cost, represents an investment in unique entity that, if it is lost, must usually be rebuilt from the beginning again, repeating much the same process and costs. Training cycles consuming weeks of GPU compute carry real monetary value both in infrastructure cost and the institutional knowledge encoded in the resulting model. 

Second, AI data spans multiple layers that all require protection. These include the training data itself, model artifacts and checkpoints that capture training progress, Retrieval-Augmented Generation (RAG) databases, Machine Learning Operations (MLOps) pipelines that orchestrate the training and deployment workflow, and the code repositories that define how these pipelines run. 

More broadly, AI systems act autonomously and can execute commands rapidly. If that agent hallucinates, is compromised, or operates from bad instructions, it can cause widespread damage to data before any human can respond.  So as well as considering the threat to AI data, we need to consider the potential risks AI introduces to data in other systems within an organization.  

Why AI Backup Strategies Are Essential 

AI systems are no longer experimental infrastructure. They are embedded in customer-facing products, internal workflows, fraud detection, compliance monitoring, and operational decision-making. This means that when an AI system fails, it impacts every business function that depends on that system. Failure can also carry serious regulatory and reputational consequences that extend well beyond the incident itself. On top of that, AI projects represent months of data curation, annotation, fine-tuning, and validation—investment that can be rendered worthless overnight in a successful attack. The only reliable safeguard against that loss is a backup strategy built to match the threat. 

Why AI Projects Are Targets for Data Loss and Cyberattacks 

AI systems are attractive targets for two converging reasons: novelty and scale. In many cases, AI infrastructure is newer than the security frameworks built to defend it. Models interact with external data sources, tools, and APIs in ways that introduce attack surfaces without clear precedents in traditional IT, and training pipelines ingest data from sources that may themselves be compromised. 

At the same time, AI agents operate continuously, execute decisions autonomously, and have access to production systems. An attacker who compromises an AI agent inside an organization can gain access to everything that agent is authorized to touch. But an AI compromise attack does not just unlock attacker access to potential secrets in the way that credential compromise does—it may also co-opt an organization’s own AI to actively assist in extracting, contextualizing or corrupting the most valuable information, or even help to hide its work on behalf of the attackers. It works more quickly and continuously than a human ransomware attacker can, and the compromise may not be comprehensively logged or auditable in the same way a typical credential access is. Threat actors are already deploying AI to carry out intrusions: multiple coordinating agents can scan environments, identify weak points, and execute attacks with minimal human direction, adapting when initial vectors are blocked. But the quiet compromise of an organization’s own AI by attackers represents a new threat on the horizon that combines the worst attributes of insider attacks with the damaging impacts associated with long dwell time by external attackers.    

Why AI Training Data and Models Are High-Value Targets 

A trained model is not just software—it is the output of a process that may have consumed months of compute time, terabytes of curated data, and significant annotation investment. Unlike application code, it cannot be recreated quickly from source. This creates leverage for attackers: not only is the data extremely valuable, encrypting or corrupting a model’s training data puts an organization in a position where paying a ransom may be cheaper than retraining. 

Alternatively, and more perniciously, an attacker who can silently corrupt a model during training can alter its behavior in deployment—shifting outputs in targeted ways while the organization believes the system is still functioning correctly. RAG databases that extend a deployed model’s knowledge at runtime are a particularly accessible entry point: they are updated more frequently than base models, connected to live data sources, and queried dynamically, which means that corrupting one does not require access to the model’s weights—only access to the data the model trusts. While this is a much more subtle attack, the impact over time can be highly significant if the model plays an important role in an organization’s decision processes, especially if it continues to be trusted while under the attacker’s control. 

Why AI and ML Environments Are Especially Vulnerable 

AI environments often require elevated permissions by design. Training pipelines need read access to large datasets, write access to checkpoints, and execution rights across compute infrastructure, which makes the principle of least privilege genuinely harder to apply than in a standard application environment. 

The integration surface is also broader: AI systems connect to external data sources, model registries, experiment tracking platforms, feature stores, and tool APIs, each a potential entry point. Open-source models and datasets introduce supply chain risk—a model downloaded from a public registry may have been tampered with before it arrives. Damage also travels further in AI environments: corrupted training data affects every model trained on it, every deployment derived from that model, and every downstream decision that model influences. The scope of a single point of corruption is much larger than in traditional IT, and the damage is often not visible until the model is in production. 

Ransomware Threats in AI and ML Environments 

Ransomware remains the primary threat to AI data. Modern ransomware operators no longer simply encrypt production data—they target backup infrastructure first, eliminating the recovery path before the extortion demand lands. Against AI training environments specifically, the leverage is significant: the cost of retraining a compromised model means that for the largest foundation models, paying a ransom may be cheaper than starting over. 

That threat is compounded by a growing subset of attacks that now use AI as the delivery mechanism. Attackers are beginning to use it to parallelize initial intrusions, automate vulnerability scanning, and conceal activity once inside. Agentic AI—systems made up of multiple coordinating agents—can autonomously execute reconnaissance and conduct intrusions with minimal human oversight, making contextual decisions and adapting when initial vectors are blocked. Polymorphic malware powered by AI continuously rewrites its own code to evade signature-based defenses, with some strains remaining dormant inside security sandboxes until they reach a live system. CrowdStrike has reported a 442% increase in voice phishing between the first and second halves of 2024—one indicator of how rapidly AI is amplifying the scale of social engineering alongside technical intrusion.

Not every AI data incident is malicious, however. In July 2025, an AI assistant at Replit misinterpreted a query during a code freeze and deleted the entire production database—records for over 1,200 executives and 1,200 companies. It then attempted to conceal the action and was unable to recover the data. No immutable backups were in place, and the loss was permanent.3 AI agents given administrative access to production or backup systems can cause significant damage through hallucination or instruction misinterpretation—without any attacker involved, and at a speed no human operator could match. 

The Role of Immutable Backups in AI Data Protection 

Immutable backups are write-once, read-many (WORM) data copies that cannot be modified, encrypted, or deleted—regardless of who or what attempts it. They do not rely on detection or containment. They ensure a clean, restorable version of data exists regardless of how an attack unfolds—whether that is a ransomware operator who has eliminated the recovery path, an AI-powered threat that has evaded every detection tool, or an agent that has acted on bad instructions. 

For AI environments specifically, where threats operate at machine speed and agents may hold elevated credentials, the case for immutability is more urgent than in traditional IT. A backup environment that can be reached, modified, or deleted by a compromised training environment offers no protection at all. 

Data Poisoning and Silent Corruption—The Overlooked AI Risk 

Data poisoning is a form of adversarial attack in which malicious actors intentionally corrupt the training data used to build machine learning models. Since AI models rely on the quality and accuracy of their training data, even small manipulations can significantly alter their behavior. The goal is to degrade model performance, introduce bias, or create hidden vulnerabilities that can be exploited later. 

Specific attack methods include: 

  • Label flipping: changing correct labels to incorrect ones, causing misclassification. 

  • Data injection: adding fabricated or misleading data points to steer model behavior in a specific direction. 

  • Backdoor attacks: embedding hidden triggers that cause the model to behave maliciously only under certain conditions. 

  • Clean-label attacks: modifications that appear entirely legitimate, making them difficult to detect with standard validation tools. 

Research has demonstrated that altering as little as 0.1% of training data can cause targeted misclassification in specific contexts while the model continues performing normally in all others. Poisoning that occurred weeks or months before discovery cannot be remediated without rolling back to a clean dataset and retraining from that point. 

How Immutable Systems Help 

Because poisoned data can go undetected for extended periods, the ability to roll back to a verified clean state is the only reliable remediation path. Immutable backups of training data, taken at each stage of the training process, preserve that clean state regardless of when the poisoning is discovered. Retention policies must extend far enough back to predate any corruption that may have gone undetected—and retained versions must themselves be immutable, so that historical copies cannot be deleted or overwritten to eliminate evidence of an attack. 

What Needs to Be Backed Up in AI Projects 

AI environments span a broader range of data types than traditional IT infrastructure. A complete backup strategy must address each of the following categories: 

  • AI Model Training Datasets (Raw and Processed): both raw source data and cleaned, labeled, processed versions. Raw data provides provenance; processed data contains annotation work. Loss of either can require months of rework. Backups should be taken at each processing stage to enable rollback to the point immediately before any poisoning or corruption occurred. 

  • Model Artifacts and Checkpoints: incremental snapshots of model weights saved during training, serving as recovery points if training is interrupted or a model must be rolled back. Final trained artifacts—weights, architecture definitions, and configuration files—must also be backed up and protected from tampering. 

  • RAG Databases and Vector Stores: external knowledge bases attached to deployed models, which may contain proprietary documentation or domain knowledge encoded as vector embeddings. Backups must capture the database at regular intervals with enough version history to roll back to a clean state. 

  • Feature Stores and Metadata: pre-processed ML-ready feature representations and the data lineage records, versioning information, and transformation logs that provide the audit trail for compliance and debugging. Loss of either can make model failures impossible to diagnose. 

  • Experiment Logs and Lineage Data: hyperparameter configurations, training run metrics, evaluation results, and lineage records mapping datasets to model versions. Loss of lineage data can make it impossible to determine whether a production model was trained on compromised data. 

  • MLOps Pipelines and Automation Scripts: the code and configuration that orchestrates the ML workflow. Loss of pipeline definitions can make it impossible to reproduce a training run even when the underlying data is intact. 

  • Downstream Systems Touched by AI Agents: where AI agents have operational access to databases, document stores, or backup management interfaces, backup coverage must extend to everything within the agent’s operational perimeter, not just the AI infrastructure itself. 

Backup Strategies for AI Project Data 

While the standard principles of enterprise backup still apply to AI environments, the stakes are higher, the data volumes are larger, and the threat surface is broader. The following strategies address the organisational and operational decisions that sit with the team responsible for AI data protection. Requirements for the backup storage solution itself are addressed in the next section. 

  1. Comprehensive Versioning of Data and Models: every significant dataset revision, model checkpoint, and RAG database update should be versioned and retained. For RAG systems, this includes versioning document indices, embedding models, and chunking configurations. Version retention policies should extend far enough back to predate any data poisoning that may have gone undetected for an extended period. 
  2. Incremental Backups for Large AI Datasets: full backups of petabyte-scale training datasets are impractical on a frequent basis. Incremental backup approaches capture only changed data, reducing backup windows and storage overhead while maintaining recovery granularity. Delta compression and deduplication can reduce storage requirements significantly. 
  3. Automated Data Lineage Tracking: lineage tracking, maintained as part of the MLOps workflow, creates an auditable record of where data came from, what transformations were applied, and which model versions were trained on it—enabling identification of exactly when and where corruption was introduced. 
  4. Defined RPO and RTO for AI Workloads: Recovery Point Objective (RPO) and Recovery Time Objective (RTO) should be defined specifically for AI workloads, accounting for retraining costs. A RAG database serving a production system may require a much shorter RPO than an offline training dataset. RTO targets should account for the time required to validate that a restored model has not been silently corrupted before returning it to production. 

Choosing a Backup Solution for AI and ML Data 

Not every backup solution is suited to the specific demands of AI environments. The following capabilities are essential for any solution evaluated for AI workload protection. 

Absolute Immutability 

Many vendors claim to offer immutable backup storage, but what they typically provide is policy-based immutability—a configuration setting that can still be changed, bypassed, or disabled by administrators or attackers with elevated privileges. 

Absolute Immutability is different. It means Zero Access to destructive actions. Nobody—even the most privileged admin or attacker with access to backup storage—can modify or delete data.  

Practical implementation of Absolute Immutability requires adherence to three core principles:  

  • S3 Object Storage: A fully documented, open standard with native built-in  immutability that enables independent penetration testing and verification.  

  • Zero Time to Immutability: Backup data must be immutable the moment it is written.  

  • Target Storage Appliance: A dedicated target storage appliance securely segments storage from backup software, and removes the risks associated with DIY self-managed backup storage during operations—particularly during setup, updates and maintenance.  It requires little-to-no security expertise from a customer and shifts full responsibility to a vendor. 

Claims of immutability are not enough: all the pillars of Absolute Immutability must be independently verified through third-party security testing. 

For AI environments specifically, Absolute Immutability is essential. AI agents can hold elevated credentials that give them access to sensitive data. If compromised, the resulting data poisoning may go undetected for months. A solution that offers immutability in name but not in practice will fail precisely when the stakes are highest. 

Scale and Performance 

Backup storage for AI workloads must scale to match data volumes without becoming a bottleneck to backup or recovery. S3-native object storage provides an architectural foundation that AI tooling integrates with easily, handling high-throughput ingest during backup and fast recovery when it matters most. As AI workloads grow, that architecture scales with the business without requiring re-architecture or additional complexity. 

Zero Trust Architecture 

Backup storage should be built on a Zero Trust architecture: no implicit trust, continuous verification, and the assumption that breach has already occurred. In practice, this means backup infrastructure operates in network isolation, accessible only through tightly controlled interfaces and unreachable from the environments it protects. A compromised or misbehaving AI agent should have no pathway into backup infrastructure regardless of the access it holds elsewhere. “Assume Breach” is not a contingency—it is the design principle. Resilience must be built in, not bolted on. 

Simplicity and Security by Default 

Complexity in security tooling is itself a risk. A solution that requires deep Linux expertise, ongoing manual configuration, or specialist security knowledge to operate correctly will introduce inconsistency and error over time. The right backup storage solution should be secure by default from the moment it is deployed—simple enough that protection is automatic and immutable from day one, without depending on the expertise of whoever happens to be administering it. Third-party tested and verified security provides assurance that the protection holds independently of the vendor's own claims. 

Why Object First? 

Higher data volumes, longer retention requirements, and an expanded attack surface that includes everything from models to pipelines and agents all demand strategies that account for how corruption spreads, how long it can go undetected, and how much a recovery can cost—and backup storage that ensures data is absolutely immutable throughout its entire lifecycle. 

When—not if—ransomware strikes, the future of your business hangs in the balance. In that moment, recovery matters most—getting back up and running as fast as possible, without unwanted complexity.   

We make cyber resilience simple with backup storage that’s absolutely immutable and purpose-built for Veeam. It’s your ultimate defense against ransomware.   

Object First is built on Zero Trust best practices and is third-party tested and verified to be secure.  It’s simple to deploy and manage with no security expertise required, and is powerful enough for lightning-fast backups and supercharged Instant Recovery to scale with your business. 

 

When backup storage is this secure, simple, and powerful, you and your organization are Simply Resilient.