The 11 Execution Attacks That Break AI Security – and How CISOs Block Them

Enterprise security teams are losing ground to AI-driven attacks, not because defenses are weak, but because the threat model has changed. As AI agents move into production, attackers exploit execution weaknesses where response times are measured in seconds, patch windows in hours, and traditional security has little visibility or control.

CrowdStrike Global Threats Report 2025 documents pause times as fast as 51 seconds. Attackers move from initial access to lateral movement before most security teams receive their first alert. The same report reveals that 79% of detections were malware-free, with adversaries using convenient keyboard techniques that bypass traditional endpoint defenses entirely.

The final challenge for CISOs is not to reverse engineer in 72 hours

Mike Riemer, Field CISO at Ivantisaw AI shrink the window between patch release and weaponization.

"Threat actors get reverse engineered fixes within 72 hours," Riemer told VentureBeat. "If a customer does not update the patch within 72 hours of release, it may be exploited. Speed ​​has been significantly improved by AI."

Most businesses take weeks or even months to manually update patches, with firefighting and other urgent priorities often taking priority.

Why traditional security fails at runtime

An SQL injection generally has a recognizable signature. Security teams are improving their know-how and many are blocking them with a false positive close to zero. But "ignore previous instructions" carries a potential payload equivalent to a buffer overflow while sharing nothing with known malware. The attack is semantic and not syntactic. Rapid injections take adversarial trade and weaponized AI to a new level of threat with semantics that mask injection attempts.

Gartner research says it bluntly: "Businesses will adopt generative AI regardless of security." The company found that 89% of business technologists would circumvent cybersecurity guidelines to achieve a business goal. Shadow AI is not a risk, it’s a certainty.

"Threat actors using AI as an attack vector have been accelerated, and they are so far before us as defenders," Riemer told VentureBeat. "As advocates, we need to jump on the bandwagon to start using AI; not only in deepfake detection, but also in identity management. How can I use AI to determine if what is happening to me is real?"

Carter Rees, vice president of AI at Reputationframes the technical gap: "Defense-in-depth strategies based on deterministic rules and static signatures are fundamentally insufficient against the stochastic and semantic nature of attacks targeting AI models at runtime."

11 Attack Vectors That Bypass All Traditional Security Controls

THE OWASP Top 10 for LLM Applications 2025 places the rapid injection first. But it is one of eleven vectors that security leaders and AI developers must address. Each requires understanding both attack mechanics and defensive countermeasures.

1. Direct and rapid injection: Models trained to follow instructions will prioritize user commands over safety training. Pillar Security GenAI Attack Status Report find 20% of jailbreaks are successful in 42 seconds on average, with 90% of successful attacks result in sensitive data being leaked.

Defense: Intent classification that recognizes jailbreak patterns before prompts hit the pattern, as well as output filtering that detects successful bypasses.

2. Camouflage attacks: Attackers exploit the model’s tendency to follow contextual signals by embedding harmful queries into benign conversations. Palo Alto Unit 42 "Deceptive delight" research achieved 65% success rate over 8,000 tests on eight different models in just three rounds of interaction.

Defense: Contextual analysis assessing cumulative intent over the course of a conversation, not individual messages.

3. Multi-turn crescendo attacks: Distributing payloads across towers that appear harmless in isolation works against single-tower protections. The automated Crescendomation tool achieved 98% success on GPT-4 and 100% on Gemini-Pro.

Defense: Stateful context tracking, conversation history retention, and reporting escalation patterns.

4. Rapid indirect injection (RAG poisoning): A zero-click exploit targeting RAG architectures, this is a particularly difficult attack strategy to stop. PoisonedRAG Research achieves a 90% attack success rate by injecting just five malicious texts into databases containing millions of documents.

Defense: Wrap the retrieved data in delimiters, telling the model to treat the content as data only. Remove control tokens from vector database chunks before they enter the popup.

5. Obfuscation Attacks: Malicious instructions encoded using ASCII, Base64, or Unicode art bypass keyword filters while remaining interpretable by the model. ArtPrompt Search achieved up to 76.2% success on GPT-4, Gemini, Claude and Llama2 when evaluating the lethality of this type of attack.

Defense: Normalization layers decode any non-standard representations into plain text before semantic analysis. This step alone blocks most encoding-based attacks.

6. Extraction of the model: Systematic API queries rebuild proprietary capabilities via distillation. Research on model leeches extracted 73% similarity from ChatGPT-3.5-Turbo for $50 API costs over 48 hours.

Defense: Behavioral fingerprinting, distribution analysis pattern detection, post-theft watermarking, and rate limiting, query pattern analysis beyond simple query counting.

7. Resource exhaustion (sponge attacks). Specially crafted inputs exploit the quadratic complexity of transformer attention, exhausting inference budgets or degrading service. IEEE EuroS&P research on sponge examples demonstrated a 30-fold increase in latency on language models. An attack reduced Microsoft Azure Translator from 1 ms to 6 seconds. A degradation of 6,000×.

Defense: Per-user token budgeting, prompt complexity analysis rejecting recursive patterns, and semantic caching serving heavy, repeated prompts without incurring inference costs.

8. Synthetic identity fraud. One of the biggest AI-generated risks for retail and financial services is AI-generated personas combining real and fabricated data to bypass identity verification. Federal Reserve Research on Synthetic Identity Fraud Remarks 85-95% of synthetic candidates escape traditional fraud models. Signicat 2024 report found that AI-based fraud now constitutes 42.5% of all fraud attempts detected in the financial sector.

Defense: Multi-factor verification integrating behavioral signals beyond static identity attributes, as well as anomaly detection based on synthetic identity models.

9. Deepfake-enabled fraud. AI-generated audio and video impersonate executives to authorize transactions, often attempting to defraud organizations. Onfido Identity Fraud Report 2024 documented a 3,000% increase in deepfake attempts in 2023. Arup lost $25 million on a single video call with AI-generated participants posing as the CFO and his colleagues.

Defense: Out-of-band verification for high-value transactions, activity detection for video authentication, and policies requiring secondary confirmation regardless of apparent age.

10. Data exfiltration via careless insiders. Employees paste proprietary code and strategy documents into public LLMs. This is exactly what Samsung engineers did this a few weeks after lifting their ban on ChatGPTLeaked source code and internal meeting notes in three separate incidents. Gartner predicts 80% of unauthorized AI transactions through 2026 will come from internal policy violations rather than malicious attacks.

Defense: Redacting personally identifiable information (PII) enables secure use of AI tools while preventing sensitive data from reaching external models. Make safe use the path of least resistance.

11. Exploitation of hallucinations. Counterfactual incentives force models to agree with fabrications, thus amplifying false conclusions. LLM-Based Agent Research shows that hallucinations accumulate and amplify through multi-step processes. This becomes dangerous when AI results feed into automated workflows without human review.

Defense: Grounding modules compare responses to the retrieved context for fidelity, as well as assessing confidence, flagging potential hallucinations before propagation.

What CISOs need to do now

Gartner predicts By 2028, 25% of enterprise breaches will be due to AI agent abuse. Now is the time to build defenses.

Chris Betz, CISO at AWS, supervised him at RSA 2024: "Companies are forgetting about application security in their rush to use generative AI. The places where we first see security vulnerabilities are actually at the application layer. People rush to find solutions and make mistakes."

Five emerging deployment priorities:

1. Automate patch deployment. The 72-hour window requires standalone patching related to cloud management.

2. Deploy the normalization layers first. Decode Base64, ASCII and Unicode art before semantic analysis.

3. Implement stateful context tracking. Multi-round Crescendo attacks fail single-request inspection.

4. Apply the RAG instruction hierarchy. Wrap the retrieved data in delimiters, treating the content as data only.

5. Propagate identity in prompts. Inject user metadata for authorization context.

"When you place your security at the edge of your network, you invite the world in," Riemer said. "Until I know what it is and know who is on the other side of the keyboard, I’m not going to communicate with it. This is zero trust; not as a buzzword, but as an operational principle."

Microsoft’s exposure went unnoticed for three years. Samsung has been leaking code for weeks. The question for CISOs is not whether they should deploy security by inference, but rather whether they can close the gap before they become the next caveat.

Source link