10 Oct 2025
AI systems, including chatbots and internal applications, are highly vulnerable to sophisticated attacks that extend beyond simple jailbreaking, posing significant risks to sensitive data. A multi-layered defense-in-depth strategy is crucial for securing AI, addressing vulnerabilities at the web, AI, and data/tools layers.
Companies are susceptible to hacking through their AI, potentially leading to the theft of sensitive data like customer lists and trade secrets. This vulnerability extends to chatbots, AI-enabled APIs, and internal employee applications, not just public-facing models. The current state of AI security is likened to the early days of web hacking due to widespread vulnerabilities.
AI Red Teaming traditionally focuses on making models generate harmful or inappropriate content, such as telling users how to create drugs. In contrast, AI Pen Testing, as developed by Jason Haddock and his team, offers a holistic security assessment, covering a broader range of attack vectors to identify systemic weaknesses in AI-enabled applications.
A comprehensive AI pen test involves six repeatable segments: identifying system inputs, attacking the surrounding ecosystem, performing AI red teaming on the model itself (e.g., tricking it into granting discounts), attacking prompt engineering, attacking the data, attacking the application, and pivoting to other systems.
Prompt injection is identified as the core vehicle driving most AI attacks, allowing manipulation of AI using its own logic against itself. This technique often requires only clever natural language prompting, not advanced technical skills, and is considered a problem that may remain unsolvable for a long time, as noted by OpenAI's CEO Sam Altman.
A detailed taxonomy classifies prompt injection into intents (goals like obtaining business information or leaking system prompts), techniques (methods to achieve intent, such as narrative injection evasion), evasions (ways to hide attacks, like leetspeak or emoji smuggling), and utilities, creating trillions of possible attack combinations.
Practical examples of advanced prompt injection include emoji smuggling, where instructions are hidden within emoji metadata to bypass guardrails, and link smuggling, which turns AI into a data exfiltration tool by embedding sensitive data into URLs that point to a hacker's server, then instructing the AI to attempt to download the non-existent image. Additionally, a syntactic anti-classifier tool uses creative phrasing to bypass image generator restrictions.
A vibrant underground community, notably Piney's Group (Bossy Group) and various subreddits, actively researches and shares prompt injection and jailbreaking techniques. While specific exploits are often patched, the underlying methods are continually adapted and reused in new forms by these communities.
Practical case studies reveal companies unknowingly configure AI systems to send sensitive data, such as Salesforce records, to external AI services due to communication breakdowns and lack of security involvement. Sales bots in Slack are also found to have over-scoped API calls, enabling attackers to inject malicious code or actions into integrated systems like Salesforce.
Despite its utility in abstracting API calls for AI, the Model Context Protocol (MCP) introduces significant security concerns. Vulnerabilities exist across its components, including tools, external resource calls, and server configurations, often lacking role-based access control and allowing arbitrary file access or server backdooring.
Autonomous AI agents are becoming proficient at finding common web vulnerabilities and are already excelling in bug bounty programs, indicating a shift towards AI-powered offensive security. On the defensive side, AI-driven automation using agentic frameworks can streamline complex cybersecurity workflows, such as vulnerability management.
The very tools used to automate AI processes, such as Lang Graph and Lang Chain, also possess their own inherent vulnerabilities and are subject to security testing and potential exploitation.
Securing AI requires a comprehensive defense-in-depth approach spanning multiple layers. This includes applying fundamental IT security at the web layer (input/output validation, output encoding), implementing an AI firewall (classifiers or guardrails) at the AI layer to filter prompts, and enforcing the principle of least privilege for APIs at the data and tools layer.
Securing agentic systems, where multiple AIs operate in concert, presents increased complexity. Protecting each AI individually introduces potential latency and trade-offs, making robust security infinitely harder to achieve.
The system prompt for GPT-4 was accidentally leaked by getting the model to generate a magic card and then asking it to include its system prompt as flavor text, which it then dumped as code. This revealed instructions for the model to 'emulate their vibe' and 'always be happy,' explaining its agreeable personality at the time.
Building secure AI isn't just about finding the right tool; it's a deep multilayered strategy, which is not unlike security in general.
| Category | Insight | Description |
|---|---|---|
| AI Attack Vector | Prompt Injection | Manipulating AI through clever natural language to trick it into unintended actions or reveal sensitive data, serving as the primary weapon for AI hackers. |
| Prompt Injection Technique | Emoji Smuggling | Hiding malicious instructions or encoded messages within the Unicode metadata of emojis to bypass AI guardrails and execute commands. |
| Prompt Injection Technique | Link Smuggling | Using AI to exfiltrate data by encoding sensitive information into URLs (e.g., Base64) that point to a hacker's server, then instructing the AI to attempt a download. |
| AI Defense Layer | Web Layer Security | Implementing fundamental IT security practices, including rigorous input and output validation and output encoding, to protect the web interfaces AI interacts with. |
| AI Defense Layer | AI Firewall (Model Guardrails) | Deploying classifiers or guardrails for AI models to filter incoming and outgoing prompts, preventing prompt injection and other malicious inputs/outputs. |
| AI Defense Layer | Least Privilege for APIs | Scoping API keys used by AI agents to only the necessary read or write permissions, minimizing potential damage from a compromised agent. |
| Vulnerable Standard | Model Context Protocol (MCP) | Despite abstracting API calls for AI, MCP has inherent security flaws like lack of role-based access control and server vulnerabilities, enabling file system traversal and backdooring. |
| AI Security Tool | Syntactic Anti-Classifier | A tool that uses synonyms, metaphors, and creative phrasing to generate prompts that bypass guardrails of image generation AI, enabling creation of otherwise restricted content. |
