Enterprise security teams are losing ground to AI attacks – not because defenses are weak, but because the threat model has shifted. As AI agents move into production, attackers are exploiting runtime weaknesses where breakout times are measured in seconds, patch windows are measured in hours, and traditional security has little visibility or control.
CrowdStrike’s Global Threat Report 2025 breakout times for documents as fast as 51 seconds. Attackers move from initial access to lateral movement before most security teams get their first warning. The same report found that 79% of detections were free of malware, with adversaries using practical keyboard techniques that completely bypass traditional endpoint defenses.
The latest challenge for CISOs is not being able to reverse engineer in 72 hours
Mike Riemer, field CISO at Ivantihas seen AI collapse the window between patch release and weaponization.
“Threat actors are reverse engineering patches within 72 hours,” Riemer told VentureBeat. “If a customer doesn’t patch within 72 hours of release, they are open to exploitation. Speed has been greatly improved by AI.”
Most companies take weeks or months to manually patch, with firefighting and other pressing priorities often taking priority.
Why traditional runtime security fails
An SQL injection usually has a recognizable signature. Security teams are improving their craft, and many are blocking them with almost zero false positives. But “ignore previous instructions” has a payload potential equivalent to a buffer overflow, while sharing nothing with known malware. The attack is semantic, not syntactic. Rapid injections take enemy craftsmanship and weaponized AI to a new level of threat through semantics that obscure injection attempts.
Gartner’s research puts it bluntly: “Enterprises will embrace generative AI regardless of security.” The company found that 89% of business technologists would circumvent cybersecurity guidelines to achieve a business objective. Shadow AI is not a risk, it is a certainty.
“Threat actors using AI as an attack vector have accelerated and are so far ahead of us as defenders,” Riemer told VentureBeat. “As defenders, we need to jump on the bandwagon to start using AI, not just in deepfake detection, but also in identity management. How can I use AI to determine whether what is coming my way is real?”
Carter Rees, vice president of AI at Reputationframes the technical divide: “Strategic defense strategies based on deterministic rules and static signatures are fundamentally insufficient against the stochastic, semantic nature of attacks targeting AI models at runtime.”
11 attack vectors that bypass every traditional security control
The OWASP Top 10 for LLM Applications 2025 fast injection comes first. But that’s one of eleven vectors that security leaders and AI builders must address. Each requires an understanding of both the attack mechanisms and defensive countermeasures.
1. Direct injection: Models trained to follow instructions prioritize user commands over safety training. Pillar Security’s State of Attacks on GenAI report found 20% of jailbreaks are successful in an average of 42 seconds, with 90% of successful attacks leak sensitive data.
Defense: Intent classification that recognizes jailbreak patterns before prompts reach the model, plus output filtering that catches successful bypasses.
2. Camouflage attacks: Attackers exploit the model’s tendency to follow contextual cues by embedding malicious requests into benign conversations. Palo Alto Unit 42’s “Deceptive Delight” investigation achieved 65% success on 8,000 tests on eight different models in just three turns of interaction.
Defense: Context-aware analytics that evaluates the cumulative intent of a conversation, not individual messages.
3. Multi-turn Crescendo Attacks: Spreading charges across turns that individually seem benign destroys the protection of one turn. The automated Crescendomation tool achieved 98% success on GPT-4 and 100% on Gemini-Pro.
Defense: Track stateful context, track conversation history, and identify escalation patterns.
4. Indirect rapid injection (RAG poisoning): A zero-click exploit targeting RAG architectures. This is an attack strategy that is extremely difficult to stop. PoisonedRAG investigation achieves 90% attack success by injecting just five malicious texts into databases containing millions of documents.
Defense: Wrap retrieved data in delimiters, which instructs the model to treat content as data only. Remove control tokens from vector database chunks before they enter the context window.
5. Blackout Attacks: Malicious instructions encoded with ASCII art, Base64, or Unicode bypass keyword filters while remaining interpretable by the model. ArtPrompt research achieved up to 76.2% success in GPT-4, Gemini, Claude and Llama2 when evaluating how lethal this type of attack is.
Defense: Normalization layers decode all non-standard representations into plain text before semantic analysis. This single step blocks most encryption-based attacks.
6. Model Extraction: Systematic API queries reconstruct native capabilities through distillation. Model leaching study got 73% similarity from ChatGPT-3.5-Turbo for $50 in API fees for 48 hours.
Defense: Behavioral fingerprinting, detecting distribution analysis patterns, watermarking that proves theft after the fact, and rate limiting, analyzing demand patterns beyond just the number of requests.
7. Resource depletion (sponge attacks). Processed input exploits the quadratic complexity of Transformer Attention, exhausting inference budgets or degrading service. IEEE EuroS&P research on sponge examples demonstrated a 30x increase in latency on language models. One attack caused Microsoft Azure Translator to go from 1 ms to 6 seconds. A degradation of 6,000×.
Defense: Per-user token budgeting, prompt complexity analysis that rejects recursive patterns, and semantic caching that serves repeated heavy prompts without inference costs.
8. Synthetic identity fraud. AI-generated personas that combine real and made-up data to bypass identity verification are one of the biggest AI-generated risks in retail and financial services. The Federal Reserve’s investigation into synthetic identity fraud notes 85-95% of synthetic applicants bypass traditional fraud models. Signicat’s 2024 report The AI-driven fraud found now makes up 42.5% of all detected fraud attempts in the financial sector.
Defense: Multi-factor authentication that integrates behavioral signals beyond static identity attributes, plus anomaly detection trained on synthetic identity patterns.
9. Fraud with deepfake support. AI-generated audio and video pose as executives to approve transactions, often attempting to defraud organizations. Onfido’s 2024 Identity Fraud Report documented a 3,000% increase in deepfake attempts by 2023. Arup lost $25 million on one video call where AI-generated participants pose as the CFO and colleagues.
Defense: Out-of-band authentication for high-value transactions, liveness detection for video authentication, and policies that require secondary confirmation regardless of apparent seniority.
10. Data exfiltration via negligent insiders. Employees paste proprietary code and strategy documents into public LLMs. That’s exactly what Samsung engineers did this within weeks of lifting their ChatGPT banleaking source code and internal meeting notes in three separate incidents. Gartner predicts 80% of unauthorized AI transactions by 2026 will result from internal policy violations rather than malicious attacks.
Defense: Redacting personally identifiable information (PII) enables safe use of AI tools and prevents sensitive data from reaching external models. Make safe use the path of least resistance.
11. Exploitation of hallucinations. Counterfactual incentives force models to agree with fabrications, reinforcing false outcomes. Research on LLM-based agents shows that hallucinations accumulate and intensify during multi-step processes. This becomes dangerous when AI outputs fuel automated workflows without human review.
Defense: Grounding modules compare responses to the retrieved context for reliability, plus confidence scores, flagging potential hallucinations before they spread.
What CISOs need to do now
Gartner predicts By 2028, 25% of enterprise breaches will be due to the misuse of AI agents. The time to build defense mechanisms is now.
Chris Betz, CISO at AWS, framed on RSA 2024: “Enterprises are forgetting about application security in their rush to adopt generative AI. The places where we see security gaps first are actually at the application layer. People rush to find solutions, and they make mistakes.”
Five implementation priorities emerge:
-
Automate patch deployment. The 72-hour window requires autonomous patching coupled with cloud management.
-
Implement normalization layers first. Decode Base64, ASCII art and Unicode before semantic analysis.
-
Implement stateful context tracking. Multi-turn Crescendo attacks beat inspection with one request.
-
Enforce RAG instruction hierarchy. Enclose retrieved data in separators and treat the contents only as data.
-
Spread identity in prompts. Inject user metadata for the authorization context.
“When you put your security at the edge of your network, you invite the whole world,” says Riemer. “Until I know what it is and I know who’s on the other side of the keyboard, I’m not going to interact with it. That’s zero trust; not as a buzzword, but as an operating principle.”
Microsoft’s exposure went unnoticed for three years. Samsung had been leaking code for weeks. The question for CISOs is not whether they should deploy inference security, but whether they can close the gap before they become the next cautionary tale.
