AI Security: The Complete Guide

A complete guide to AI security — what makes AI systems different, the main categories of AI attacks, defensive practices, and the emerging governance standards.

Share
Editorial science-poster illustration of AI security symbols — a neural-network brain, a shield, a keycard, a data pipeline, a watchful eye, and a hooded silhouette.

Artificial intelligence is no longer confined to research labs. It writes emails, screens résumés, powers customer support, generates code, and helps make security decisions in nearly every large organization. That growing reliance on AI has quietly introduced a new class of security problem: the AI systems themselves are now targets.

AI security is the discipline of protecting AI systems from attack and misuse — and, just as importantly, protecting people, data, and organizations from the failures and manipulation of AI systems. It sits at the intersection of traditional cybersecurity, data science, and safety engineering, and it is one of the fastest-evolving areas of the field.

This guide is a complete introduction to AI security. It explains what makes AI systems different from ordinary software, the major categories of attacks against them, the defensive practices that reduce risk, and the emerging governance frameworks organizations are adopting. Use the links throughout for deeper explainers on specific topics.

What Is AI Security?

AI security is the set of practices, controls, and disciplines used to protect artificial intelligence systems — including the models themselves, the data they are trained on, and the applications built around them — from attack, misuse, and unintended failure. It also includes protecting the humans and systems that interact with AI from the consequences of a compromised or misbehaving model.

AI security is closely related to two neighboring fields: AI safety, which focuses on ensuring AI systems behave as intended even in benign settings, and machine learning operations (MLOps), which focuses on reliable model development and deployment. In practice, the three overlap heavily. A well-run AI security program borrows from all three.

Why AI Security Matters

The consequences of an AI failure are no longer academic. A compromised model that screens loan applications can produce discriminatory decisions at scale. An LLM-powered assistant tricked into leaking system prompts or connected data can expose confidential information. A generative model whose training data has been poisoned can produce dangerous outputs for millions of users. The blast radius of an AI failure is often far larger than a single application because the same model tends to be reused across many products.

Regulators have started to notice. The EU AI Act, U.S. executive orders on AI, and industry frameworks such as NIST's AI Risk Management Framework are pushing organizations to treat AI systems as regulated assets. AI security is no longer optional for anyone deploying models in production.

How AI Systems Are Different from Traditional Software

Traditional software follows explicit rules written by developers. AI systems learn behavior from data, which makes them powerful but also introduces failure modes that traditional security controls do not address.

Behavior is statistical, not deterministic. An AI model produces different outputs for different inputs — including inputs the developers never anticipated. Attackers can craft inputs that fall outside the model's expected distribution to trigger unwanted behavior.

The training data is a security surface. If an attacker can influence what the model learns from, they can influence what it does at runtime. Data pipelines are now attack surfaces.

The model itself is intellectual property that can be stolen. A trained model represents significant investment and is a target for theft, cloning, and reverse-engineering.

Outputs can be attacks in themselves. A model that generates code or takes actions can be manipulated to produce malicious output — and that output can be executed downstream.

The Main Categories of AI Attacks

The AI security community organizes attacks against AI systems into a handful of broad categories based on which part of the system is targeted and when in the lifecycle the attack occurs.

Editorial diagram of the four attack surfaces on an AI system — training data, the model, the application layer, and the model output.
The four attack surfaces on an AI system — training data, the model, the application layer, and the model output.
  • Attacks on model behavior at inference time — crafting inputs that fool a deployed model into producing incorrect or malicious outputs.
  • Attacks on training data — corrupting the data the model learns from so that the trained model behaves in an attacker-controlled way.
  • Attacks on the model itself — stealing, cloning, or extracting sensitive information from a model.
  • Attacks on AI-powered applications — exploiting the software that wraps the model, such as retrieval systems, tool-calling agents, or the pipelines that feed prompts and connected data.

The categories overlap in practice. A single sophisticated attack often combines several techniques — for example, poisoning training data to plant a backdoor that is then triggered by a specific crafted input at inference time.

Attacks on Model Behavior at Inference Time

These are attacks that occur after the model has already been trained and deployed. The attacker cannot change the model, but they can control what they send to it.

Evasion attacks craft inputs designed to make the model produce a wrong answer. Adding imperceptible noise to an image can flip a classifier's decision without a human noticing anything unusual. Rewording a piece of text can bypass a content filter. Evasion attacks are the classic form of adversarial machine learning.

Prompt injection, in the LLM era, is a special case. Instead of subtly perturbing input, the attacker plants instructions in the model's input that hijack its behavior — either directly in the user's prompt or indirectly by planting the instructions in content the model retrieves. Prompt injection has become the defining vulnerability of LLM-powered applications.

Attacks on Training Data

If an attacker can influence what a model learns, they can influence what it does. Attacks on training data — collectively known as data poisoning — take several forms.

Availability poisoning aims to degrade the model's overall accuracy. Enough bad examples in the training set can make a model unreliable across the board.

Targeted (integrity) poisoning aims to change how the model behaves on specific inputs while leaving overall accuracy intact. It is stealthier and harder to detect.

Backdoor attacks plant a hidden trigger. The model behaves normally on most inputs but produces attacker-controlled outputs when a specific pattern appears. Backdoors are especially dangerous because standard evaluation metrics miss them.

Attacks on the Model Itself

The trained model is an asset in its own right, and attackers have developed techniques to steal from it or through it.

Model extraction — also called model stealing — uses many queries to a target model to train a substitute that mimics its behavior. Once extracted, the substitute can be used to craft more effective evasion attacks or simply to bypass paid API access.

Membership inference attacks try to determine whether a specific data point was in the training set. This is a privacy attack — a successful membership inference against a medical model, for example, can reveal that a specific individual's records were used to train it.

Model inversion attempts to reconstruct training data from the model itself, which can leak sensitive information the model was trained on.

Attacks on AI-Powered Applications

Increasingly, AI models sit inside larger applications — retrieval-augmented generation, tool-calling agents, code-writing assistants — and the application layer is where many practical attacks happen.

Retrieval poisoning plants malicious content in the documents an AI system retrieves at runtime, so the model reads and follows attacker-controlled instructions without the user's knowledge.

Tool and plugin abuse tricks an AI agent into invoking connected tools — sending email, executing code, making purchases — in ways the user did not intend.

Insecure output handling occurs when downstream systems execute or render model output without treating it as untrusted, opening classic vulnerabilities such as cross-site scripting, SQL injection, or command injection through generated content.

Defending AI Systems

Defending an AI system means applying controls across the whole lifecycle — data, training, model, application, and monitoring — not just at the endpoint.

Editorial concentric-ring diagram of the five layered defenses around an AI system — data, training, model, application, and monitoring.
The five layered defenses around an AI system — data, training, model, application, and monitoring.
  • Secure the data pipeline. Track data provenance, sign trusted sources, and detect anomalies in training data. Assume adversarial contribution and validate accordingly.
  • Harden training. Apply techniques such as robust training, differential privacy, and anomaly detection during training to reduce the impact of poisoned examples.
  • Test the deployed model. Evaluate models against adversarial inputs, jailbreak attempts, and prompt injection before release. Continue testing in production.
  • Isolate model outputs. Treat everything a model produces as untrusted input to downstream systems. Sanitize, validate, and constrain execution.
  • Guard the application layer. Rate-limit queries, monitor for extraction patterns, restrict tool access, and require confirmation for sensitive actions.
  • Log and monitor continuously. AI systems drift; attacks evolve. Continuous logging of prompts, retrievals, tool calls, and outputs is the foundation of detection.

AI Governance and Emerging Standards

Technical defenses are only half the picture. Organizations that deploy AI at scale increasingly need AI governance — the policies, processes, and roles that decide which models are approved, how they are evaluated, and who is accountable when something goes wrong.

Several frameworks have become influential:

  • The NIST AI Risk Management Framework lays out a structured process for identifying and managing AI-related risks.
  • The OWASP Top 10 for Large Language Model Applications catalogs the most impactful vulnerabilities in LLM-powered systems.
  • The EU AI Act introduces regulatory requirements for high-risk AI systems.
  • MITRE ATLAS extends the ATT&CK model to adversarial machine learning, giving defenders a shared vocabulary for AI attacks.

Organizations rarely need to adopt all of these at once. Choosing one framework as the anchor and building program maturity against it is more effective than trying to cover everything shallowly.

Conclusion

AI security is a new discipline built on old foundations. Many of the underlying principles — protecting data, testing systems, containing failures, monitoring behavior, holding people accountable — are familiar to any experienced security team. The novelty is in the specific attack surfaces that AI systems introduce: models that learn, data pipelines that shape behavior, and applications that act on model output.

Organizations that deploy AI without securing it will discover the failure modes the hard way. The ones that get ahead of it treat AI systems as first-class production assets from day one — with the same care around data, testing, monitoring, and governance that any other high-impact system deserves.


Frequently Asked Questions (FAQ)

What is AI security?

AI security is the practice of protecting AI systems — including models, training data, and the applications built around them — from attack, misuse, and unintended failure, and protecting people and organizations from the consequences of compromised AI behavior.

What is the difference between AI security and AI safety?

AI security focuses on protecting AI systems from adversarial attack and misuse. AI safety focuses on ensuring AI systems behave as intended, including in benign settings. The two overlap and complement each other in practice.

What are the main types of attacks against AI systems?

The main categories are attacks on model behavior at inference time (such as evasion and prompt injection), attacks on training data (data poisoning), attacks on the model itself (model extraction, membership inference), and attacks on AI-powered applications (retrieval poisoning, insecure tool use, insecure output handling).

What is prompt injection?

Prompt injection is an attack that plants instructions inside the input an LLM processes so that the model's behavior is hijacked. It can be direct (in the user's prompt) or indirect (in content the model retrieves), and it is the defining vulnerability of LLM-powered applications.

What is MITRE ATLAS?

MITRE ATLAS is a knowledge base of adversarial machine learning tactics and techniques, modeled on MITRE ATT&CK. It gives defenders a shared vocabulary for describing attacks against AI systems.

Does my organization need an AI security program?

If your organization builds, deploys, or heavily uses AI systems in production, yes. Even organizations that only consume AI services through vendors need a policy for evaluating and monitoring those systems. Regulators are increasingly requiring it.