Enterprise security teams are losing out to AI-enabled attacks – not because security is weak, but because the threat model has changed. As AI agents move into production, attackers are exploiting runtime vulnerabilities where breakout times are measured in seconds, patch windows are in hours, and traditional security has little visibility or control.
CrowdStrike’s 2025 Global Threat Report records breakout times as fast as 51 seconds. Attackers are moving from initial access to lateral movement before most security teams get the first alert. The same report found that 79% of detections were malware-free, with adversaries using hands-on keyboard techniques that bypass traditional endpoint protection entirely.
CISO’s latest challenge is not being reverse-engineered in 72 hours
Mike Reimer, field CISO at Ivanti, has seen AI collapse the window between patch release and weaponization.
"Threat actors are given a reverse engineering patch within 72 hours," Reimer told VentureBeat. "If a customer does not patch within 72 hours of release, they are open to exploitation. The speed has been greatly enhanced by AI."
Most enterprises take weeks or months to patch manually, with firefighting and other urgent priorities often taking priority.
Why are traditional security failing at runtime?
SQL injection usually has a recognizable signature. Security teams are improving their trading skills, and many are stopping them with almost zero false positives. But "ignore previous instructions" Has a payload capacity equivalent to buffer overflow while sharing nothing with known malware. The attack is semantic, not syntactic. Adversarial tradecraft and weaponized AI are being taken to a new level of threat through early injection semantics that hide injection attempts.
Gartner’s research says it clearly: "Businesses will adopt generative AI regardless of security." The firm found that 89% of business technologists would bypass cybersecurity guidance to meet a business objective. Shadow AI is not a risk – it’s a certainty.
"The pace of threat actors using AI as an attack vector has accelerated, and they are far ahead of us as defenders," Reimer told VentureBeat. "We need to join as defenders to start using AI; Not only in deepfake detection, but also in identity management. How can I use AI to determine whether what is coming to me is real or not?"
Carter Rees, vice president of AI at Reputation, outlined the technical difference: "Defense in depth strategies based on deterministic rules and static signatures are fundamentally inadequate against the stochastic, semantic nature of attacks targeting AI models at runtime."
11 attack vectors that bypass every traditional security control
Prompt Injection has been ranked first in the OWASP Top 10 for LLM Applications 2025. But it is just one of eleven vectors that security leaders and AI builders must address. Each needs to understand both attack mechanics and defensive countermeasures.
1. Direct prompt injection: Models trained to follow instructions will prioritize user commands over safety training. Pillar Security’s State of Attacks on GenAI report found that 20% of jailbreaks succeed in an average of 42 seconds, with 90% of successful attacks leaking sensitive data.
protect: Intent classification that recognizes jailbreak patterns before they reach the model, as well as output filtering that catches successful bypasses.
2. Camouflaged Attack: Attackers exploit models’ tendency to follow contextual cues by embedding malicious requests inside benign conversations. palo alto unit 42 "illusory happiness" The research achieved 65% success in 8,000 trials on eight different models in just three interaction turns.
protect: Context-aware analysis evaluates the cumulative intent in a conversation, not individual messages.
3. Multi-Turn Crescendo Attacks: Distributing the payload into separate turns, each of which appears benign in isolation, defeats single-turn protection. The automated crescendo tool achieved 98% success on GPT-4 and 100% success on Gemini-Pro.
protect: Stateful context tracking, maintaining conversation history, and marking escalation patterns.
4. Indirect Accelerated Injection (RAG Toxicity): A zero-click exploit targeting the RAG architecture, this is an attack tactic that is particularly difficult to prevent. PoisonedRAG research achieves 90% attack success by injecting just five malicious texts into a database containing millions of documents.
protect: Wrap the retrieved data in delimiters, instructing the model to treat the content as data only. Strip control tokens from vector database segments before entering the context window.
5. Vague Attacks: Malicious instructions encoded using ASCII art, Base64, or Unicode bypass keyword filters while remaining interpretable for the model. In evaluating how lethal this type of attack is, ArtPrompt research achieved 76.2% success across GPT-4, Gemini, Cloud, and Llama2.
protect: Normalization layers decode all non-standard representations into plain text before semantic analysis. This single step prevents most encoding-based attacks.
6. Model Extraction: Systematic API queries reconstruct proprietary capabilities through distillation. Model leaching research extracted 73% similarity to ChatGPT-3.5-Turbo for $50 in API cost in 48 hours.
protect: Behavioral fingerprinting, distribution analysis pattern detection, truly evasive watermarking, and rate limiting, analyzing query patterns beyond simple request counts.
7. Resource depletion (sponge attack). The quadratic complexity of the tailored input transformer’s attention exploits tedious estimation budgets or abusive service. IEEE EuroS&P research on Sponge instances demonstrated a 30× latency increase over the language model. One attack pushed Microsoft Azure Translator from 1ms to 6 seconds. 6,000× decline.
protect: Per-user token budgeting, accelerated complexity analysis rejects recurring patterns, and semantic caching provides heavy hints repeatedly without the inference cost.
8. Synthetic identity fraud. AI-generated individuals combining real and fabricated data to bypass identity verification is one of the biggest AI-generated risks to retailing and financial services. The Federal Reserve’s research on synthetic identity fraud shows that 85-95% of synthetic applicants avoid traditional fraud models. Signicat’s 2024 report found that AI-powered fraud now accounts for 42.5% of all fraud attempts detected in the financial sector.
protect: Multi-factor verification incorporates behavioral signals beyond static detection characteristics, as well as anomaly detection trained on synthetic detection patterns.
9. Deepfake-enabled fraud. AI-generated audio and video impersonate officials to authorize transactions, often in an attempt to defraud organizations. Onfido’s 2024 Identity Fraud Report notes a 3,000% increase in deepfake attempts in 2023. Arup lost $25 million through a single video call with AI-generated participants impersonating the CFO and colleagues.
protect: Out-of-band verification for high-value transactions, liveness detection for video authentication, and policies requiring secondary confirmation regardless of apparent seniority.
10. Data infiltration through careless insiders. Employees paste proprietary code and strategy documents into public LLMs. That’s exactly what Samsung engineers did by leaking source code and internal meeting notes in three separate incidents within just a few weeks of the ChatGPAT ban being lifted. Gartner estimates that by 2026, 80% of unauthorized AI transactions will originate from internal policy violations rather than malicious attacks.
protect: Editing personally identifiable information (PII) allows safe AI tool use while preventing sensitive data from reaching external models. Make safe use the path of least resistance.
11. Hallucination exploitation. Counterfactual signaling forces models to agree with fabrications, increasing false outputs. Research on LLM-based agents suggests that hallucinations accumulate and increase in multi-step processes. This becomes dangerous when AI outputs feed automated workflows without human review.
protect: Grounding modules compare responses against the retrieved reference for reliability, as well as confidence scoring, flagging potential hallucinations before propagation.
What CISOs need to do now
Gartner estimates that by 2028, 25% of enterprise breaches will be traced to AI agent misuse. The window to build security is now.
Chris Betz, CISO at AWS, prepared this at RSA 2024: "Companies forget about the security of applications in their rush to use Generative AI. The places where we’re first seeing security vulnerabilities are really at the application level. People are rushing to find solutions and making mistakes."
Five deployment priorities emerge:
- Automated patch deployment. The 72-hour window demands autonomous patching associated with cloud management.
-
Deploy normalization layers first. Decode Base64, ASCII art, and Unicode before semantic analysis.
-
Implement stateful context tracking. Multi-turn crescendo attacks defeat single-request inspection.
-
Implement RAG instruction hierarchy. Wrap the retrieved data in delimiters, treating the contents as data only.
-
Promote identity in signs. Inject user metadata for authorization context.
"When you put your security on your network, you are inviting the whole world," Reimer said. "Until I find out what it is and I know who is on the other side of the keyboard, I will not communicate with him. That is zero trust; Not as a buzzword, but as an operating principle."
Microsoft’s exposure remained unknown for three years. Samsung leaked code for weeks. The question for CISOs is not whether to deploy predictive protection, but whether they can close the gap before the next alert is created.
<a href