The 11 runtime attacks breaking AI security — and how CISOs are stopping them
Enterprise security teams are losing ground to AI-enabled attacks — not because defenses are weak, but because the threat model has shifted. As AI agents move into production, attackers are exploiting runtime weaknesses where breakout times are measured in seconds, patch windows in hours, and traditional security has little visibility or control.
CrowdStrike's 2025 Global Threat Report documents breakout times as fast as 51 seconds. Attackers are moving from initial access to lateral movement before most security teams get their first alert. The same report found 79% of detections were malware-free, with adversaries using hands-on keyboard techniques that bypass traditional endpoint defenses entirely.
CISOs’ latest challenge is not getting reverse-engineered in 72 hours
Mike Riemer, field CISO at Ivanti, has watched AI collapse the window between patch release and weaponization.
"Threat actors are reverse engineering patches within 72 hours," Riemer told VentureBeat. "If a customer doesn't patch within 72 hours of release, they're open to exploit. The speed has been enhanced greatly by AI."
Most enterprises take weeks or months to manually patch, with firefighting and other urgent priorities often taking precedence.
Why traditional security is failing at runtime
An SQL injection typically has a recognizable signature. Security teams are improving their tradecraft, and many are blocking them with near-zero false positives. But "ignore previous instructions" carries payload potential equivalent to a buffer overflow while sharing nothing with known malware. The attack is semantic, not syntactic. Prompt injections are taking adversarial tradecraft and weaponized AI to a new level of threat through semantics that cloak injection attempts.
Gartner's research puts it bluntly: "Businesses will embrace generative AI, regardless of security." The firm found 89% of business technologists would bypass cybersecurity guidance to meet a business objective. Shadow AI isn't a risk — it's a certainty.
"Threat actors using AI as an attack vector has been accelerated, and they are so far in front of us as defenders," Riemer told VentureBeat. "We need to get on a bandwagon as defenders to start utilizing AI; not just in deepfake detection, but in identity management. How can I use AI to determine if what's coming at me is real?"
Carter Rees, VP of AI at Reputation, frames the technical gap: "Defense-in-depth strategies predicated on deterministic rules and static signatures are fundamentally insufficient against the stochastic, semantic nature of attacks targeting AI models at runtime."
11 attack vectors that bypass every traditional security control
The OWASP Top 10 for LLM Applications 2025 ranks prompt injection first. But that’s one of eleven vectors security leaders and AI builders must address. Each requires understanding both attack mechanics and defensive countermeasures.
1. Direct prompt injection: Models trained to follow instructions will prioritize user commands over safety training. Pillar Security's State of Attacks on GenAI report found 20% of jailbreaks succeed in an average of 42 seconds, with 90% of successful attacks leaking sensitive data.
Defense: Intent classification that recognizes jailbreak patterns before prompts reach the model, plus output filtering that catches successful bypasses.
2. Camouflage attacks: Attackers exploit the model's tendency to follow contextual cues by embedding harmful requests inside benign conversations. Palo Alto Unit 42's "Deceptive Delight" research achieved 65% success across 8,000 tests on eight different models in just three interaction turns.
Defense: Context-aware analysis evaluating cumulative intent across a conversation, not individual messages.
3. Multi-turn crescendo attacks: Distributing payloads across turns that each appear benign in isolation defeats single-turn protections. The automated Crescendomation tool achieved 98% success on GPT-4 and 100% on Gemini-Pro.
Defense: Stateful context tracking, maintaining conversation history, and flagging escalation patterns.
4. Indirect prompt injection (RAG poisoning): A zero-click exploit targeting RAG architectures, this is an attack strategy providing especially difficult to stop. PoisonedRAG research achieves 90% attack success by injecting just five malicious texts into databases containing millions of documents.
Defense: Wrap retrieved data in delimiters, instructing the model to treat content as data only. Strip control tokens from vector database chunks before they enter the context window.
5. Obfuscation attacks: Malicious instructions encoded using ASCII art, Base64, or Unicode bypass keyword filters while remaining interpretable to the model. ArtPrompt research achieved up to 76.2% success across GPT-4, Gemini, Claude, and Llama2 in evaluating how lethal this type of attack is.
Defense: Normalization layers decode all non-standard representations to plain text before semantic analysis. This single step blocks most encoding-based attacks.
6. Model extraction: Systematic API queries reconstruct proprietary capabilities via distillation. Model Leeching research extracted 73% similarity from ChatGPT-3.5-Turbo for $50 in API costs over 48 hours.
Defense: Behavioral fingerprinting, detecting distribution analysis patterns, watermarking proving theft post-facto, and rate limiting, analyzing query patterns beyond simple request counts.
7. Resource exhaustion (sponge attacks). Crafted inputs exploit Transformer attention's quadratic complexity, exhausting inference budgets or degrading service. IEEE EuroS&P research on sponge examples demonstrated 30× latency increases on language models. One attack pushed Microsoft Azure Translator from 1ms to 6 seconds. A 6,000× degradation.
Defense: Token budgeting per user, prompt complexity analysis rejecting recursive patterns, and semantic caching serving repeated heavy prompts without incurring inference costs.
8. Synthetic identity fraud. AI-generated personas combining real and fabricated data to bypass identity verification is one of retailing and financial services’ greatest AI-generated risks. The Federal Reserve's research on synthetic identity fraud notes 85-95% of synthetic applicants evade traditional fraud models. Signicat's 2024 report found AI-driven fraud now constitutes 42.5% of all detected fraud attempts in the financial sector.
Defense: Multi-factor verification incorporating behavioral signals beyond static identity attributes, plus anomaly detection trained on synthetic identity patterns.
9. Deepfake-enabled fraud. AI-generated audio and video impersonate executives to authorize transactions, often attempting to defraud organizations. Onfido's 2024 Identity Fraud Report documented a 3,000% increase in deepfake attempts in 2023. Arup lost $25 million through a single video call with AI-generated participants impersonating the CFO and colleagues.
Defense: Out-of-band verification for high-value transactions, liveness detection for video authentication, and policies requiring secondary confirmation regardless of apparent seniority.
10. Data exfiltration via negligent insiders. Employees paste proprietary code and strategy documents into public LLMs. That is exactly what Samsung engineers did within weeks of lifting their ChatGPT ban, leaking source code and internal meeting notes in three separate incidents. Gartner predicts 80% of unauthorized AI transactions through 2026 will stem from internal policy violations rather than malicious attacks.
Defense: Personally identifiable information (PII) redaction allows safe AI tool usage while preventing sensitive data from reaching external models. Make secure usage the path of least resistance.
11. Hallucination exploitation. Counterfactual prompting forces models to agree with fabrications, amplifying false outputs. Research on LLM-based agents shows that hallucinations accumulate and amplify over multi-step processes. This becomes dangerous when AI outputs feed automated workflows without human review.
Defense: Grounding modules compare responses against retrieved context for faithfulness, plus confidence scoring, flagging potential hallucinations before propagation.
What CISOs need to do now
Gartner predicts 25% of enterprise breaches will trace to AI agent abuse by 2028. The window to build defenses is now.
Chris Betz, CISO at AWS, framed it at RSA 2024: "Companies forget about the security of the application in their rush to use generative AI. The places where we're seeing the security gaps first are actually at the application layer. People are racing to get solutions out, and they are making mistakes."
Five deployment priorities emerge:
Automate patch deployment. The 72-hour window demands autonomous patching tied to cloud management.
Deploy normalization layers first. Decode Base64, ASCII art, and Unicode before semantic analysis.
Implement stateful context tracking. Multi-turn Crescendo attacks defeat single-request inspection.
Enforce RAG instruction hierarchy. Wrap retrieved data in delimiters, treating content as data only.
Propagate identity into prompts. Inject user metadata for the authorization context.
"When you put your security at the edge of your network, you're inviting the entire world in," Riemer said. "Until I know what it is and I know who is on the other side of the keyboard, I'm not going to communicate with it. That's zero trust; not as a buzzword, but as an operational principle."
Microsoft's exposure went undetected for three years. Samsung leaked code for weeks. The question for CISOs isn't whether to deploy inference security, it's whether they can close the gap before becoming the next cautionary tale.