AI Attacks: How Enterprises Are Losing Ground & 11 Runtime Security Risks

The AI Security Arms Race: How Attackers Are Winning at Runtime

Enterprise security is facing a fundamental shift. It’s no longer about preventing initial access; it’s about surviving the seconds after an attacker breaches defenses. The rise of AI-powered attacks is collapsing the time between patch release and exploitation, leaving organizations scrambling to keep up. Traditional security measures, built for a slower pace, are proving inadequate against this new reality.

The Speed of Modern Attacks: 51 Seconds to Lateral Movement

CrowdStrike’s 2025 Global Threat Report paints a stark picture: attackers are achieving breakout times as fast as 51 seconds. This means they’re moving laterally within a network – escalating privileges and seeking valuable data – before most security teams even receive their first alert. A staggering 79% of detections are now malware-free, indicating a shift towards “hands-on-keyboard” techniques that bypass traditional endpoint defenses. This isn’t a future threat; it’s happening now.

Mike Riemer, Field CISO at Ivanti, highlights the urgency: “Threat actors are reverse engineering patches within 72 hours. If a customer doesn’t patch within that timeframe, they’re exposed.” The challenge isn’t just technical; it’s operational. Most enterprises struggle to patch systems within that critical window due to competing priorities and manual processes.

Why Traditional Security Fails at Runtime: The Semantic Shift

Historically, security relied on identifying and blocking known malicious patterns – a syntactic approach. An SQL injection, for example, has a recognizable signature. But AI-driven attacks are increasingly semantic. Instructions like “ignore previous instructions” can carry the same destructive potential as a buffer overflow, yet evade detection because they don’t resemble known malware. Prompt injections, exploiting vulnerabilities in Large Language Models (LLMs), are weaponizing this semantic ambiguity.

Gartner research underscores this point: 89% of business technologists will bypass cybersecurity guidance to achieve business objectives. This “Shadow AI” – the use of unapproved AI tools – isn’t a risk to be mitigated; it’s a certainty that security teams must account for. Carter Rees, VP of AI at Reputation, explains: “Defense-in-depth strategies predicated on deterministic rules are fundamentally insufficient against the stochastic, semantic nature of attacks targeting AI models at runtime.”

11 Attack Vectors Exploiting AI Vulnerabilities

The OWASP Top 10 for LLM Applications 2025 identifies prompt injection as the most critical vulnerability, but it’s just one piece of the puzzle. Here’s a breakdown of eleven key attack vectors:

1. Direct Prompt Injection: Exploiting LLMs’ tendency to prioritize user commands. (Success rate: 20% in 42 seconds, 90% data leakage – Pillar Security) Defense: Intent classification and output filtering.
2. Camouflage Attacks: Embedding malicious requests within benign conversations. (Success rate: 65% in 3 turns – Palo Alto Unit 42) Defense: Context-aware analysis.
3. Multi-Turn Crescendo Attacks: Distributing payloads across multiple turns. (Success rate: 98% on GPT-4, 100% on Gemini-Pro) Defense: Stateful context tracking.
4. Indirect Prompt Injection (RAG Poisoning): Injecting malicious data into Retrieval-Augmented Generation (RAG) databases. (Success rate: 90% with just 5 malicious texts – PoisonedRAG research) Defense: Data delimiters and token stripping.
5. Obfuscation Attacks: Encoding malicious instructions using ASCII art or Base64. (Success rate: up to 76.2% – ArtPrompt research) Defense: Normalization layers.
6. Model Extraction: Reconstructing proprietary capabilities through API queries. (73% similarity extracted from ChatGPT-3.5-Turbo for $50 – Model Leeching research) Defense: Behavioral fingerprinting and rate limiting.
7. Resource Exhaustion (Sponge Attacks): Exploiting Transformer attention complexity. (Up to 6,000x latency increase – IEEE EuroS&P research) Defense: Token budgeting and prompt complexity analysis.
8. Synthetic Identity Fraud: AI-generated personas bypassing identity verification. (85-95% of synthetic applicants evade traditional models – Federal Reserve) Defense: Multi-factor verification and anomaly detection.
9. Deepfake-Enabled Fraud: AI-generated audio/video impersonating executives. (3,000% increase in deepfake attempts in 2023 – Onfido) Defense: Out-of-band verification and liveness detection.
10. Data Exfiltration via Negligent Insiders: Employees pasting sensitive data into public LLMs. (80% of unauthorized AI transactions will stem from internal policy violations by 2026 – Gartner) Defense: PII redaction.
11. Hallucination Exploitation: Exploiting LLM’s tendency to generate false information. Defense: Grounding modules and confidence scoring.

The Future of AI Security: A Proactive Approach

Gartner predicts that 25% of enterprise breaches will involve AI agent abuse by 2028. The time to act is now. Chris Betz, CISO at AWS, emphasizes the need to secure the application layer: “Companies forget about the security of the application in their rush to use generative AI… People are racing to get solutions out, and they are making mistakes.”

Five critical deployment priorities:

1. Automate Patch Deployment: Essential for addressing the 72-hour window.
2. Deploy Normalization Layers First: A foundational step for blocking encoding-based attacks.
3. Implement Stateful Context Tracking: Crucial for defending against multi-turn attacks.
4. Enforce RAG Instruction Hierarchy: Protecting RAG architectures from poisoning.
5. Propagate Identity into Prompts: Enabling authorization context for AI interactions.

As Mike Riemer succinctly puts it: “Until I know what it is and I know who is on the other side of the keyboard, I’m not going to communicate with it. That’s zero trust; not as a buzzword, but as an operational principle.”

Did you know? Samsung experienced code leaks for weeks after lifting its ChatGPT ban, highlighting the risk of data exfiltration through seemingly harmless AI interactions.

FAQ: AI Security in a Rapidly Changing Landscape

• Q: What is prompt injection?
  A: A technique where attackers manipulate LLMs by crafting malicious prompts that override safety protocols.
• Q: What is RAG poisoning?
  A: Injecting malicious data into the knowledge base used by Retrieval-Augmented Generation (RAG) systems.
• Q: How can I protect against deepfake fraud?
  A: Implement out-of-band verification and liveness detection for high-value transactions.
• Q: Is Shadow AI a major threat?
  A: Yes, Gartner estimates 89% of business technologists will bypass security guidance to achieve objectives, making Shadow AI a certainty.

Pro Tip: Prioritize PII redaction to allow safe AI tool usage while preventing sensitive data from leaving your organization.

Explore our other articles on cybersecurity best practices and AI risk management to stay ahead of the evolving threat landscape. Subscribe to our newsletter for the latest insights and actionable advice.