In June 2025, a zero-click vulnerability in Microsoft Copilot allowed attackers to exfiltrate data from OneDrive, SharePoint, and Teams without any user interaction. The attack used hidden prompts embedded in emails. No clicks, no attachments, no malware. The CVE scored 9.3 out of 10. A month later, IBM reported that 13% of organizations had experienced breaches of their AI systems, and 97% of those lacked proper access controls. AI security is no longer a theoretical concern. It is an operational one. This guide covers the threats enterprises face today and the specific remediations that work.

The Threat Landscape in Numbers

The scale of the problem is clear. 77% of companies experienced AI system breaches in the past year, according to Lakera's AI Security Trends report. Only 5% feel confident in their AI security posture. 86% report moderate or low confidence in their defenses. Only 6% of organizations have an advanced AI security strategy.

The financial impact is growing. The global average cost of a data breach reached $4.44 million in 2025. US breaches averaged $10.22 million. Shadow AI breaches cost $670,000 more than standard breaches and take 247 days to detect. Microsoft's 2026 Data Security Index found that 32% of data security incidents now involve generative AI.

Meanwhile, AI-driven attacks are accelerating. In November 2025, Chinese state-sponsored threat group GTG-1002 used AI to automate 80-90% of attack operations against 30 technology companies, financial institutions, and government agencies. Only 4-6 human decision points per campaign. Q1 2025 saw $200 million in losses from over 160 deepfake incidents alone.

The Six Threats That Matter Most

1. Prompt Injection

OWASP ranks prompt injection as the number one risk in its 2025 Top 10 for LLM Applications. 35% of real-world AI security incidents in 2025 resulted from simple prompt attacks requiring no special tools.

Two forms exist. Direct injection (jailbreaking) occurs when users craft inputs that override system instructions. When GPT-5 launched in January 2026, red teams jailbroke it within 24 hours.

Indirect injection is more dangerous. Attackers hide malicious instructions inside external content that LLMs process: emails, documents, web pages, database records. The Microsoft Copilot EchoLeak attack (CVE-2025-32711) embedded hidden prompts in emails that caused Copilot to extract sensitive data and exfiltrate it via trusted Microsoft domains. No user action required.

How to remediate

Microsoft's defense-in-depth approach uses three layers. Prevention: the Spotlighting technique with delimiting, datamarking, and encoding modes helps LLMs distinguish instructions from untrusted text. Detection: Microsoft Prompt Shields, a classifier trained on known injection patterns, catches attacks in real time. Impact mitigation: sensitivity labels via Microsoft Purview restrict what data LLMs access, and deterministic blocking prevents known exfiltration methods.

For any LLM deployment, treat all natural language input as untrusted. Apply prompt injection filtering on every external data source before it reaches the model. Validate and sanitize LLM outputs before passing them to downstream systems. Separate credentials and API keys from system prompts. Use structured prompting to reduce ambiguity between instructions and data.

2. Shadow AI

80% of employees use unapproved AI tools at work, including nearly 90% of security professionals. 68% of employees access generative AI through personal accounts, and 57% of those admit to entering sensitive company information. 77% paste data directly into GenAI tools.

The Samsung incident is the canonical example. Engineers leaked source code and internal meeting notes in three separate incidents within weeks of lifting the company's ChatGPT ban. IBM found that 1 in 5 organizations experienced shadow AI breaches. 65% of those breaches compromised PII. 40% compromised intellectual property.

How to remediate

Start with visibility. Deploy a SaaS management or CASB solution that detects unauthorized AI tool usage. Only 34% of organizations audit for unauthorized AI usage today.

Provide sanctioned alternatives. Employees use shadow AI because the official tools are unavailable or too slow to provision. Offer approved AI tools with data loss prevention (DLP) controls, rate-limited API access, and logging. Enforce policies at the network level: block unauthorized AI endpoints or route them through a proxy that strips sensitive data.

Train employees on what data cannot enter AI systems. "Do not paste proprietary code into ChatGPT" is a clearer policy than "use AI responsibly." Make the rules specific and enforceable.

3. Data Poisoning and Model Supply Chain Attacks

Researchers found 100 poisoned models on Hugging Face, each capable of executing arbitrary code on user machines. Pillar Security uncovered "Poisoned GGUF Templates" that embed malicious instructions executing during model inference. Palo Alto Unit 42 documented model namespace reuse attacks where threat actors re-register abandoned namespaces and recreate model paths, targeting automated pipelines that deploy models based on name alone.

The dependency problem compounds the risk. Hugging Face models collectively depend on more than 100 Python libraries. Nearly half use Hydra, creating systemic exposure across the ecosystem. An analysis of 10,000 open-source ML projects on GitHub found over-privileged GITHUB_TOKEN in 42.7% of projects, unsafe triggers running untrusted fork code in 27.2%, and hard-coded or leaked secrets in 22.8%.

How to remediate

Implement model signing and integrity verification. Pin model versions and checksums. Never deploy a model based on name alone. Use curated internal registries for approved models instead of pulling directly from public repositories.

Sandbox model loading and execution. Run untrusted models in isolated environments with restricted network access and filesystem permissions. Scan model files for embedded code before loading. Audit dependencies: lock Python library versions, review transitive dependencies, and monitor for known vulnerabilities.

For CI/CD pipelines, restrict GITHUB_TOKEN permissions to the minimum required. Disable automatic workflows on forks. Store secrets in vault systems, not in code or environment variables.

4. Sensitive Information Disclosure

OWASP lists this as the second-highest risk (LLM02:2025). LLMs can leak training data, system prompts, proprietary logic, and user PII through their responses. Blue Shield California leaked protected health information of 4.7 million members through a tracking pixel misconfiguration. McDonald's McHire AI hiring platform exposed 64 million job applications.

The risk intensifies with RAG systems. When an LLM retrieves documents to answer queries, insufficient access controls let users access information they should not see. A user asks about "company revenue forecasts" and the RAG system retrieves board-level financial documents the user has no authorization to view.

How to remediate

Implement document-level access controls in your RAG pipeline. Filter retrieved documents based on the requesting user's permissions before passing them to the LLM. Apply output filtering to detect and redact PII, credentials, and sensitive business data in model responses.

Use data classification and sensitivity labels. Tag documents with access levels before they enter the vector store. Log all retrieval queries and responses for audit. Test your RAG system with users at different permission levels to verify access boundaries hold.

5. Agentic AI Risks

48% of security professionals believe agentic AI will represent the top attack vector by end of 2026. OWASP published a dedicated Top 10 for Agentic Applications in December 2025, covering risks from agent goal hijacking to cascading failures.

The core problems: agents act autonomously with tool access. If an agent has database write permissions and gets tricked through prompt injection, it can corrupt or delete data. If it has email access, it can exfiltrate information. Barracuda Security identified 43 agent framework components with embedded vulnerabilities introduced through supply chain compromise.

Key agentic risks include tool misuse (agents tricked into calling tools with destructive parameters), excessive agency (agents provisioned with unnecessary permissions), memory poisoning (attackers corrupting RAG databases and embeddings to influence future decisions), and cascading failures (small errors propagating across planning, execution, and downstream systems).

How to remediate

Apply the principle of least agency. Grant agents only the minimum tools and permissions needed for their specific task. Use short-lived credentials with task-scoped permissions rather than persistent service accounts.

Require human approval for high-impact actions: database modifications, file deletions, external communications, financial transactions. Implement behavioral monitoring with kill switches for compromised agents. If an agent deviates from its expected action pattern, halt execution and alert operators.

Validate agent outputs at every step. Do not pass raw LLM output to tools or APIs without sanitization. Use deterministic validators for structured operations (SQL queries, API calls, file operations) to ensure the agent's output conforms to expected formats and value ranges.

6. Deepfakes and AI-Generated Impersonation

A single deepfake video call cost Arup $25 million. AI-generated participants impersonated the company's CFO convincingly enough to authorize wire transfers. A voice clone of the Italian Defense Minister extracted nearly 1 million euros. Human detection accuracy for high-quality deepfakes has fallen to 24.5%.

How to remediate

Implement out-of-band verification for any financial authorization received via video or voice call. A callback to a known phone number or a confirmation through a separate authenticated channel defeats deepfake attacks regardless of quality.

Deploy deepfake detection tools at communication endpoints. Train employees on deepfake indicators and establish escalation procedures for suspicious communications. Set financial authorization thresholds that require multi-party approval for transfers above a defined amount.

The Security Frameworks You Need

OWASP Top 10 for LLM Applications (2025)

The most actionable framework for teams building with LLMs. Covers ten risks with specific mitigations:

  1. Prompt Injection
  2. Sensitive Information Disclosure
  3. Supply Chain Vulnerabilities
  4. Data and Model Poisoning
  5. Insecure Output Handling
  6. Excessive Agency
  7. System Prompt Leakage
  8. Vector and Embedding Weaknesses
  9. Misinformation
  10. Unbounded Consumption

Start here. Map your LLM deployments against each risk. Identify which ones apply and implement the corresponding mitigations.

OWASP Top 10 for Agentic Applications (2026)

Published December 2025 for AI agents with tool access. Covers agent goal hijacking, tool misuse and exploitation, identity and privilege abuse, agentic supply chain vulnerabilities, unexpected code execution, memory and context poisoning, insecure inter-agent communication, cascading failures, human-agent trust exploitation, and rogue agents. The core principle: least agency.

MITRE ATLAS

The Adversarial Threat Landscape for AI Systems. Maps real-world tactics, techniques, and procedures (TTPs) used against AI systems. Contains 32 mitigation strategies and 42 documented case studies. Use ATLAS for threat modeling: identify which attack techniques apply to your system and verify your defenses against each one.

NIST AI Risk Management Framework

Focuses on governance, risk assessment, and lifecycle management. Emphasizes role-based access controls, continuous monitoring, adversarial testing, and lifecycle logging. NIST has introduced profiles for generative AI and continues expanding coverage. Use NIST AI RMF for organizational governance: policies, roles, accountability structures, and audit processes.

The Toolbox: Open Source and Commercial

Open-Source Tools

  • LlamaFirewall (Meta). Modular security framework with three components: PromptGuard 2 for jailbreak detection, Agent Alignment Checks for chain-of-thought auditing, and CodeShield for static analysis of generated code.
  • NVIDIA NeMo Guardrails. Programmable guardrails for topic control, PII detection, RAG grounding verification, jailbreak prevention, and multimodal content safety. Integrates with existing LLM pipelines.
  • Garak. Open-source LLM vulnerability scanner. Automates red-teaming for prompt injection, jailbreaks, and data leakage. Run Garak against your models before and after deployment on a recurring schedule.

Commercial Platforms

  • Akamai Firewall for AI. Real-time prevention of prompt injections and jailbreaks with configurable guardrails at the network edge.
  • Robust Intelligence (Cisco). AI Validation for pre-deployment testing and AI Firewall for runtime guardrail enforcement.
  • Pillar. Lifecycle security for LLMs and agents: model fingerprinting, automated red-teaming, and enforceable runtime guardrails.
  • Mindgard. Automated red teaming combined with real-time threat monitoring. Useful for continuous security assessment.
  • Microsoft Prompt Shields. Classifier-based injection detection available through the Azure AI Content Safety API.

The Regulatory Reality

EU AI Act

Prohibition of banned AI practices and AI literacy obligations took effect February 2, 2025. The penalty regime became active August 2, 2025: up to 35 million euros or 7% of global annual turnover for violations. Full applicability for high-risk AI systems arrives August 2, 2026. Each EU member state must establish at least one AI regulatory sandbox by that date.

United States

A December 2025 executive order established a "minimally burdensome national policy framework" and directed the Attorney General to create an AI Litigation Task Force to challenge state AI laws deemed inconsistent with federal policy. At the state level, over 1,000 AI-related bills were introduced in 2025. 38 states adopted around 100 AI-related measures. California's Transparency in Frontier AI Act and the Texas Responsible AI Governance Act both took effect January 2026. Colorado's AI Act obligations were delayed from February to June 2026.

What This Means for Enterprises

You face a patchwork of requirements that differ by jurisdiction. The EU AI Act mandates specific security controls for high-risk AI systems. US state laws add disclosure and governance requirements. Build your AI security program to the highest common denominator. Start with the NIST AI RMF governance structure and layer OWASP technical controls on top. This approach satisfies most regulatory requirements while creating a defensible compliance posture.

A Practical AI Security Checklist

Prioritize these actions based on your current exposure.

Immediate (This Quarter)

  • Inventory all AI systems in production, including shadow AI usage
  • Implement role-based access controls for every LLM endpoint
  • Deploy prompt injection filtering on all external inputs to LLMs
  • Validate and sanitize all LLM outputs before they reach downstream systems
  • Separate credentials and API keys from system prompts
  • Block or proxy unauthorized AI tool endpoints at the network level

Near-Term (Next Two Quarters)

  • Run automated red-teaming (Garak or equivalent) against all deployed models
  • Implement document-level access controls in RAG pipelines
  • Establish a curated internal model registry with integrity verification
  • Deploy runtime guardrails (NeMo Guardrails, LlamaFirewall, or commercial equivalent)
  • Set up AI-specific monitoring: track model inputs, outputs, and anomalous behavior patterns
  • Create an AI incident response playbook

Strategic (This Year)

  • Map deployments against OWASP Top 10 for LLMs and Agentic Applications
  • Conduct threat modeling using MITRE ATLAS for each AI system
  • Build an AI governance program using NIST AI RMF
  • Implement least-agency controls for all AI agents with tool access
  • Establish recurring red-team cadence (pre-deployment and post-deployment)
  • Prepare compliance documentation for EU AI Act high-risk requirements

"97% of organizations that experienced AI breaches reported lacking proper AI access controls. The number one remediation is also the simplest: control who and what can access your AI systems."

IBM Cost of a Data Breach Report, 2025

Key Takeaways

  • 77% of companies experienced AI security breaches in the past year, with only 6% having an advanced security strategy
  • Prompt injection is the top attack vector. The Microsoft Copilot EchoLeak (CVE-2025-32711, CVSS 9.3) demonstrated zero-click data exfiltration through hidden email prompts
  • Shadow AI affects 80% of workforces. Breaches from unauthorized AI use cost $670,000 more than standard breaches and take 247 days to detect
  • 100 poisoned models were found on Hugging Face. 42.7% of open-source ML projects have over-privileged CI/CD tokens
  • Agentic AI introduces new risks: tool misuse, excessive agency, memory poisoning, and cascading failures. OWASP published a dedicated Top 10 for Agentic Applications in December 2025
  • Open-source tools (LlamaFirewall, NeMo Guardrails, Garak) provide production-ready defenses at no cost
  • The EU AI Act penalty regime is active now (up to 35 million euros or 7% of global turnover). Full high-risk requirements arrive August 2026
  • Start with access controls and input validation. 97% of breached organizations lacked proper AI access controls

Topics

AI Security Prompt Injection LLM Security OWASP Enterprise Risk Agentic AI

References