This study addresses the security threats posed by maliciously embedded backdoors—commonly referred to as AI Trojans—in artificial intelligence systems. The authors systematically characterize the threat landscape of AI Trojans and propose an interpretable detection framework based on model weight analysis and trigger inversion. Through red-team/blue-team adversarial testing and large-scale model evaluation, they establish a comprehensive detection and validation pipeline, uncovering the phenomenon of “natural Trojans” and empirically demonstrating the limitations of existing defense mechanisms. Furthermore, the work introduces the first benchmark for AI Trojan detection and evaluation, offering a foundational methodology and clear directions for future research in AI security.

The Intelligence Advanced Research Projects Activity (IARPA) launched the TrojAI program to confront an emerging vulnerability in modern artificial intelligence: the threat of AI Trojans. These AI trojans are malicious, hidden backdoors intentionally embedded within an AI model that can cause a system to fail in unexpected ways, or allow a malicious actor to hijack the AI model at will. This multi-year initiative helped to map out the complex nature of the threat, pioneered foundational detection methods, and identified unsolved challenges that require ongoing attention by the burgeoning AI security field. This report synthesizes the program's key findings, including methodologies for detection through weight analysis and trigger inversion, as well as approaches for mitigating Trojan risks in deployed models. Comprehensive test and evaluation results highlight detector performance, sensitivity, and the prevalence of"natural"Trojans. The report concludes with lessons learned and recommendations for advancing AI security research.