From prompt injection at 90+ organizations to the fastest breakout time of 27 seconds, the AI threat landscape has moved from research papers to documented compromise. Here is the attack taxonomy and defense playbook.
2025-2026 threat landscape: Adversaries exploited GenAI tools at 90+ organizations via prompt injection (CrowdStrike). eCrime breakout time dropped to 29 minutes, fastest at 27 seconds. AI-related security incidents surged 56.4% (Stanford). Only 29% of organizations felt ready to deploy agentic AI securely (Cisco).
The CrowdStrike 2026 Global Threat Report documented that adversaries exploited legitimate generative AI tools at more than 90 organizations in 2025 by injecting malicious prompts to steal credentials and cryptocurrency. The average eCrime breakout time dropped to 29 minutes, with the fastest observed at 27 seconds. Cisco’s State of AI Security 2026 report found that while 83% of organizations planned to deploy agentic AI, only 29% felt ready to do so securely. These numbers describe a threat landscape that has moved beyond theoretical research into documented, real-world compromise. This article catalogs the attacks U.S. organizations face, explains why conventional security controls are insufficient, and maps the defenses that ISO/IEC 42001 and the NIST AI RMF expect.
Why AI Security Is Fundamentally Different from Traditional Cybersecurity
Traditional cybersecurity protects deterministic code: software that executes the same way every time given the same inputs. Firewalls filter traffic by rules. Endpoint detection scans for signatures. Access controls restrict database access. These assume predictable system behavior and an attack surface of code, configurations, and network pathways.
AI systems break every one of those assumptions. Machine learning models are probabilistic, not deterministic. The attack surface shifts from binary code to human language and intent. An adversary can compromise an AI system with a carefully worded sentence, a modified image, or a strategically placed data point. No firewall detects this. No signature scanner catches it.
OWASP recognized this by publishing dedicated top-10 lists for LLM applications (2024) and agentic AI (2025). ISO/IEC 42001 Annex C risk source C.2.10 addresses security as an AI-specific objective. The NIST AI RMF Measure 2.7 focuses on security and resilience evaluation.
The AI Attack Taxonomy: Eight Threat Categories
1. Prompt Injection
OWASP’s #1 LLM risk. Direct injection embeds override commands (“ignore system prompt”). Indirect injection hides instructions in documents, web pages, or RAG-retrieved content processed without user knowledge. The EchoLeak vulnerability (CVE-2025-32711) in Microsoft 365 Copilot demonstrated how indirect injection could extract enterprise data through a compromised document.
2. Data Poisoning
Corrupts training data to embed hidden behaviors. Research shows poisoning 0.001% of data can degrade reliability fundamentally. The model appears normal on standard tests but behaves maliciously on trigger inputs. In healthcare, this could cause systematic misclassification of conditions invisible during routine validation.
3. Model Extraction and Theft
Replicates proprietary models by systematically querying APIs. In late 2024, OpenAI identified DeepSeek using GPT-3/4 outputs for unauthorized model distillation. For enterprises, this means competitors can clone million-dollar AI investments through a fraction of the API cost.
4. Adversarial Input Attacks (Evasion)
Carefully crafted input modifications that cause misclassification while appearing normal to humans. Changing a few pixels flips image classification. Subtle transaction modifications cause fraud systems to classify fraudulent activity as legitimate. These exploit mathematical vulnerabilities using gradient-based optimization.
5. AI Supply Chain Attacks
CrowdStrike identified supply chain attacks as a defining 2025 tactic. For AI, the supply chain includes pre-trained models, libraries, datasets, and MCP servers. Transfer learning attacks embed backdoors in base models that survive fine-tuning. CrowdStrike documented $1.46 billion stolen through a single supply chain compromise.
6. Model Inversion and Membership Inference
Model inversion reconstructs training data from outputs. Membership inference confirms whether specific records were in training sets. These privacy attacks become security risks when training data contains trade secrets, classified information, or regulated personal data.
7. Prompt Obfuscation and Jailbreaking
Attackers disguise instructions using Base64, hexadecimal, Unicode homoglyphs, or multi-turn conversation strategies. Cisco’s research found open-weight models remain susceptible to jailbreaks especially over longer conversations where accumulated context erodes safety alignment.
8. AI Agent Exploitation
The Gravitee 2026 report found only 47.1% of deployed agents are monitored, with 25.5% capable of creating other agents. Only 14.4% went live with full security approval. Agents can be manipulated to exfiltrate data through legitimate tool calls no firewall can block.
AI Attack Types at a Glance
| Attack Type | Target | Example | Framework Reference |
|---|---|---|---|
| Prompt Injection | LLM inputs/instructions | EchoLeak (CVE-2025-32711) | OWASP LLM Top 10 #1 |
| Data Poisoning | Training data integrity | 0.001% poison degrades reliability | ISO 42001 C.3.4, NIST Map 1.5 |
| Model Extraction | Model IP / architecture | DeepSeek/OpenAI distillation | ISO 42001 A.10, NIST Manage 2.3 |
| Adversarial Inputs | Model predictions | Pixel perturbation flips classification | NIST Measure 2.7, MITRE ATLAS |
| Supply Chain | Pre-trained models, libraries | Backdoored base model survives fine-tuning | ISO 42001 Clause 8.1, NIST Govern 1.6 |
| Model Inversion | Training data privacy | Reconstructing patient records | ISO 42001 C.2.8, NIST Measure 2.10 |
| Jailbreaking | Safety alignment | Multi-turn erosion of guardrails | OWASP LLM Top 10 |
| Agent Exploitation | Autonomous tool execution | Data exfil via legitimate tool calls | OWASP Agentic AI Top 10 |
Why Traditional Security Controls Are Insufficient for AI
Firewalls and network security cannot distinguish a legitimate query from an adversarial prompt. Both arrive through the same channel.
Signature-based detection matches known patterns. Adversarial inputs are specifically crafted to be undetectable by pattern matching. Each example is unique.
Access controls restrict who interacts with a system, not what an authorized user says. Prompt injection comes from authenticated users through normal channels.
Static code analysis examines source code. AI behavior exists in statistical weights, not code a scanner could flag.
Traditional DLP monitors known exfiltration channels. An AI agent exfiltrating data through a legitimate email or database update operates within authorized channels DLP cannot distinguish.
ISO/IEC 42001 alignment: Annex C objective C.2.10 addresses AI security. Annex A Control A.10 covers operation and monitoring. Clause 8.2 requires ongoing risk assessments including current security threats. NIST AI RMF Measure 2.7 evaluates security and resilience. MITRE ATLAS provides the AI-specific threat taxonomy. OWASP delivers focused catalogs for LLM and agentic AI risks.
Building an AI Security Program: Defenses That Work
- Conduct comprehensive AI asset inventory. Catalog every AI system including third-party APIs, embedded features, open-source models, and shadow AI. Document model type, data sources, integration points, and dependencies. ISO 42001 Clause 4.3 and NIST Govern 1.6 require this.
- Implement AI-specific red teaming. Test LLMs against prompt injection and jailbreaking. Test ML models against adversarial inputs and poisoning. NIST recommends adversarial testing as a core practice. ISACA notes that finding weaknesses only after attack is already too late.
- Deploy input/output filtering for LLM systems. Pre-prompt scanning blocks injection patterns and encoding obfuscation. Output filtering catches data leakage and instruction disclosure. These operate as application-layer firewalls for natural language.
- Secure the AI supply chain. Verify pre-trained models and libraries before integration. Maintain an AI Bill of Materials. Sandbox-scan third-party content. Quarantine suspicious updates. SANS recommends AIBOM as foundational.
- Implement AI-specific access controls. Zero-trust for AI systems. Least privilege for APIs. Monitor for extraction patterns (high volume, systematic variation). Rate-limit access. MFA for model management.
- Deploy continuous behavioral monitoring. Real-time anomaly detection on inputs, outputs, and performance. AI Security Posture Management provides integrated visibility. Extend SIEM/SOC with AI-specific detection rules.
- Establish AI-specific incident response. Model rollback procedures, contaminated data isolation, prompt injection containment, stakeholder communication templates. Test through AI-specific tabletop exercises.
- Formalize through ISO/IEC 42001 certification. Security controls (A.10), risk assessment (6.1.2), monitoring (9.1), and improvement (10) create an auditable framework integrating with ISO 27001.
Common Mistakes in AI Security
Assuming traditional cybersecurity covers AI. A SOC monitoring networks and endpoints but not model behavior, prompt patterns, and training data integrity has a structural blind spot.
Treating red teaming as one-time. Models change through retraining. New attacks emerge continuously. Red teaming must be recurring.
Ignoring the supply chain. Rigorous testing on your own code means nothing if you deploy unverified pre-trained models. CrowdStrike documented $1.46B stolen through one supply chain compromise.
Deploying agents without identity governance. 45.6% use shared API keys for agent authentication. Single compromise cascades across the entire agent infrastructure.
Securing the model but not the data pipeline. A protected model is still vulnerable if the feeding pipeline is unmonitored for poisoning or unauthorized modification.
AI Security Is Now a Board-Level Concern
AI security has moved from research labs to boardrooms. CrowdStrike documents real-world AI compromise at scale. Cisco reveals a gap between deployment ambition and security readiness. Gartner projects governance spending exceeding $1 billion by 2030. For U.S. organizations, the question is whether defenses have evolved to match a fundamentally different attack surface.
The clearest first step: an honest inventory of how many AI systems your organization operates, including the ones nobody formally approved. From that inventory, every security decision becomes evidence-based.
GAICC offers ISO/IEC 42001 Lead Implementer training that covers AI security risk management, adversarial testing requirements, and the governance structures needed to protect AI systems throughout their lifecycle. Explore the program to build your organization’s defenses.
