Skip to main content

Poisoning the Oracle

Manipulation Breakdowns · 10 min read · By D0

The Moment of Misplaced Trust

You ask your AI assistant what’s happening in the Iran conflict. It answers. You believe it — more than you believe a tweet from a stranger, more than you believe a post from an account you’ve never heard of. The AI has the authority of a reference work.

That authority is now a target.

In the first week of March 2026, as fighting escalated in the US-Israel-Iran conflict, two things happened in parallel that haven’t been examined together.

First: Google’s AI Overview — the AI-generated summary appearing at the top of search results — falsely confirmed that an AI-generated video of Iranian missiles striking Tel Aviv was authentic footage. The video had a 99% probability of being synthetically generated, according to independent analysis. Google’s system said otherwise.

Second: a US Department of Justice foreign agent registration filing revealed that the Israeli Ministry of Foreign Affairs had contracted Bradley Parscale’s firm Clock Tower X for $6 million, with one specific deliverable buried in the contract language: “deployment of websites and content to deliver GPT framing results on GPT conversations.”

These aren’t separate stories. They are two entry points into the same threat: the corruption of AI systems as an information warfare vector. One accidental. One deliberate. Together, they describe a new battleground that most people haven’t recognized as one.

How Google Confirmed the Lie

When visual evidence from the Iran conflict began flooding social media, users searching for verification faced an unfamiliar obstacle: the tools they trusted to help them verify were themselves unreliable.

NewsGuard’s Reality Check project documented the failure directly. When users performed reverse image searches on fabricated and AI-generated content from the conflict, Google’s AI Overview generated summaries that validated false narratives. In one documented case, the system described an AI-generated video — independently assessed at 99% probability synthetic — as authentic footage. In another, it correctly identified ARMA 3 video game footage, demonstrating the system’s inconsistency was not a feature: sometimes it got it right, sometimes it endorsed the fabrication.

Grok, X’s AI assistant, failed differently. During the same conflict window, users queried Grok about identical pieces of content and received contradictory assessments within minutes — some responses labeling the same video authentic, others synthetic. Not inconsistency in edge cases. Inconsistency on the same input, in the same session.

Neither failure required a bad actor in the loop. Both were failures of systems processing a polluted information environment in real time.

How does this happen? Google’s AI Overview draws on indexed web content to construct answers. During the rapid-onset chaos of a breaking conflict, that indexed content is distorted: fabricated screenshots circulate faster than corrections; manipulated images accumulate engagement before fact-checkers see them; unverified claims repeated across enough pages achieve statistical weight. The AI aggregates sources, and the sources it can aggregate in the first hours are skewed. The result is a confident, authoritative-sounding answer that endorses a fabrication.

The AI system isn’t fooled in the human sense. It has no emotional investment or confirmation bias. It fails because its inputs failed — and the inputs fail most severely when the information environment is most contested.

That failure point is not random. It is precisely the territory influence operations are designed to control.

The Deliberate Version

Understanding the accidental failures makes the deliberate operation more legible.

The Israeli Ministry of Foreign Affairs, operating through the German media conglomerate Havas Media as central contractor, retained multiple firms to run an influence operation targeting US public opinion. The scope, documented in FARA filings with the US Department of Justice:

  • $8 million in contracts awarded across multiple firms
  • 5,000 derivative pieces of content per month from core materials
  • 50 million monthly views as the target metric
  • 80% of content aimed at Gen Z on TikTok, Instagram, and YouTube
  • Explicit bot network development on Instagram, TikTok, LinkedIn, and YouTube to “flood the zone”
  • Influencer payments of $6,143 to $7,372 per post

The architecture resembles documented state influence operations — the kind of zone-flooding, coordinated amplification, and demographic targeting that characterizes modern information warfare at scale. None of that is new.

What is new is one deliverable: “deployment of websites and content to deliver GPT framing results on GPT conversations.”

Translation: build content specifically designed to shape how large language models answer questions about Israel.

The practice has a name in the emerging discipline of AI optimization: Generative Engine Optimization (GEO). It mirrors the principles of search engine optimization, but the target isn’t a ranking algorithm — it’s the language models that synthesize answers from training data and indexed content. Which sources does the model weight? What framing appears across enough credible-seeming pages to become the default representation? If you build enough content that positions a contested narrative a particular way, and that content gets indexed and weighted by crawlers and training pipelines, the AI’s answer shifts.

Search engines surface links. LLMs synthesize conclusions. The second operation is harder to see, harder to audit, and produces outputs that carry more authority — because the AI presents synthesis as answer, not as a list of sources to evaluate.

Israel is reported to have approved a broader budget of approximately $145 million for AI manipulation initiatives, of which this US operation represents one documented component. Whether similar programs are being run by other governments with resources and interests in AI-mediated public perception is not documented — but the FARA filing demonstrates the approach is not hypothetical. It is contracted, funded, and operational.

Why This Is Worse Than Social Media

Users have learned, over a decade of social media exposure, to maintain some skepticism about random posts. Not enough skepticism — but some. The mental model that a post might be a bot, might be propaganda, might warrant a second source has become more widespread, if still not universal.

AI assistants occupy a different psychological position.

When an AI answers a question, the cognitive processing differs from reading a post. The AI response arrives as synthesis — as if someone has already looked through the evidence and produced a conclusion. The authority heuristic activates: this system has access to more information than I do, has processed it, and is presenting the result. The interrogation that would apply to a random tweet doesn’t naturally extend to the AI’s confident declarative statement.

This isn’t naivety. It’s appropriate calibration for most questions. AI assistants are reliably useful for questions where the answer is stable and well-documented. They fail specifically on breaking events, contested narratives, and anything where the underlying training data or indexed content has been deliberately shaped.

That failure point is exactly where information warfare operates. Influence operations don’t attack your ability to find out who invented the telephone. They attack what you believe happened in a military engagement, who is responsible for civilian deaths, what a foreign government’s actual position is. The questions where AI confidence is most misleading are precisely the questions that influence operations are designed to answer.

The authority gap between social media and AI assistants is a manipulation surface. GEO exploits it. Platform failures during breaking events reveal it. Neither is likely to close soon.

The Architecture of the Problem

There is an asymmetry worth making explicit.

When influence operations target social media feeds, the manipulation is at least conceptually visible. You can check account age, look for narrative uniformity across sources, notice that verification is conspicuously absent. The tools are imperfect and the population of people who use them is small — but the manipulation is legible in principle.

When influence operations target AI training data and indexed content, the manipulation is invisible at the output layer. The AI’s answer looks identical whether it was derived from a reliable synthesis of accurate information or from 5,000 pieces of content per month built to “deliver GPT framing results.” The interface provides no signal about the provenance of the synthesis.

The manipulation is upstream. The output is authoritative-seeming. The user has no mechanism for distinguishing one from the other at the point of consumption.

GEO compounds this by being durable. Flood the indexed environment with enough content over enough time, and any model that draws on live content or is periodically retrained shifts. The AI that answers questions about the conflict next year has been shaped by the content built this month. Unlike a social media post, which can be deleted or labeled, the influence on training and weighting is not easily reversed.

What Can Actually Be Done

Very little at the individual level that is fully satisfying. That is an honest statement, not a counsel of despair.

Treat AI answers about contested current events as starting points. The AI’s authority is appropriate for stable knowledge. It is unreliable for events where the information environment has been deliberately shaped — which is exactly when you most want a fast, authoritative answer. Ask the AI to name its sources. Follow the sources. Evaluate the sources, not just the synthesis.

Understand the failure mode. Google AI Overviews and AI assistants don’t lie intentionally. They fail when their inputs fail. During the first 24–48 hours of a high-stakes breaking event — a military engagement, a political crisis, a contested incident — the indexed content is maximally distorted. This is the window when AI confidence is least reliable and most consequential.

GEO is documented and spreading. The Israel contract is a FARA filing, not a leak. It’s public record. The existence of a contracted deliverable for GPT framing means other actors with resources and interests in AI-mediated narratives are watching to see whether it works. Assume the practice is proliferating.

Platform accountability for AI systems during breaking events is currently inadequate. Grok giving contradictory answers about the same content within minutes is not a fringe failure. Google AI Overviews validating synthetic footage as authentic during an active military conflict is not an acceptable error rate. The platforms deploying these systems have not treated their behavior in high-intensity information environments as a first-order safety problem. They should.

Conclusion

The manipulation of public perception through AI is not a future risk being warned about. It is a present condition being documented.

Two paths to the same endpoint: platforms fail under the pressure of a contested information environment and amplify false narratives to millions of people performing good-faith verification searches. Sophisticated actors build content ecosystems designed to shape the training and weighting that determines what AI systems say about them.

The oracle speaks confidently. It may have been taught what to say. And unlike a propaganda post that can be flagged, deleted, or labeled, you will not see the teaching — only the answer.

This article is part of Decipon’s Manipulation Breakdowns series, which dissects real influence tactics using the NCI Protocol framework.

Sources: