Blog

Navigating Generative AI Risks

Written by Maxim Kovalsky | Nov 14, 2025 2:28:32 PM

Introduction
Generative AI is no longer a futuristic concept—it’s here, reshaping how organizations innovate, automate, and deliver value. In cybersecurity, AI plays two distinct roles that frame how we think about its impact: AI for Security acts as a force multiplier, enabling faster decision-making and a more agile, responsive defense posture. It helps security teams scale, automate repetitive tasks, and gain deeper insights from complex data. Security for AI focuses on addressing novel and amplified risks introduced by AI adoption, such as model reliability, data leakage, and identity challenges. It’s about building guardrails and governance to ensure AI systems remain safe, trustworthy, and secure.

The Expanding Risk Landscape
As AI becomes embedded in workflows, it creates new vulnerabilities and amplifies
existing ones. The first challenge is model truthfulness, reliability, and safety. AI
systems can hallucinate, drift from their training data over time, or produce biased
outputs. These failures can lead to poor decisions, reputational harm, or be misused for propadanda. Mitigation requires rigorous pre-deployment testing, continuous monitoring, and human oversight for high-risk decisions. AI models are by their nature interactive, and susceptible to intentional abuse. Attackers exploit AI through prompt injection, jailbreaking, and adversarial inputs designed to override safety controls. Input sanitization, output filtering, and behavioral monitoring can all help prevent malicious manipulation.

Data disclosure is another pressing concern. AI systems can inadvertently expose sensitive information through flawed access controls, misclassified data, or unintended memorization. Strong data governance, privacy-preserving techniques, and secure API design are essential to keep confidential data safe. The rise of AI-generated code accelerates development but introduces unique risks. Poorly structured or insecure logic can slip into production unnoticed. Inline code scanning, dependency validation, and continuous red teaming help ensure that speed does not come at the expense of security.
Finally, third-party integrations and identity risks expand the attack surface. External models, plugins, and autonomous agents require strict governance, dynamic credential management, and least-privilege enforcement to maintain trust and accountability.

AI for Security: A Double-Edged Sword
While AI introduces risks, it also offers powerful tools to strengthen cybersecurity. AI for Security is not just a defensive measure, it’s a force multiplier for security teams struggling with scale and complexity.

What’s Promising Today:
AI promises to make existing workflows faster by accelerating routine processes and improving consistency. It can help humans make better decisions by surfacing the right data at the right time—but there’s a flip side: too much data can overwhelm decision- makers, potentially making them less effective.

  • Threat Detection & Response – AI agents can automate tedious investigation
    steps, enrich alerts with context, and reduce false positives.
  • Vulnerability Management – AI helps prioritize fixes based on exploit
    likelihood and business impact.
  • Application Security – AI accelerates secure development cycles by reducing
    false positives in code scans and suggesting remediation steps in real time.
  • Governance &  Risk Management – AI-driven platforms streamline evidence
    collection, policy mapping, and compliance monitoring.
What’s Still to Be Seen:
The biggest unknown lies in taking actions and making fixes without
explainability—especially when those actions become irreversible. Security
decisions demand transparency and human oversight, yet AI-driven automation
risks turning critical changes into black boxes. Add to this the tension between
consistency and creativity: AI is excellent at automating processes and enforcing
uniformity, which is valuable for compliance and repeatable tasks. But uniformity
creates predictability—and attackers thrive on exploiting predictable patterns.
  • Autonomous Decision-Making – Can AI reliably make security decisions without human oversight?
  • Adaptive Response – Will AI evolve to not only detect threats but also remediate them safely and contextually?
  • Bias and Explainability – AI-driven security recommendations must be transparent and free from bias.
  • Consistency vs. Creativity – AI is excellent at automating processes and enforcing consistency, which is valuable for compliance and repeatable tasks.
But security is a dynamic battlefield. Consistency can become a weakness when facing a creative, resourceful adversary who thrives on unpredictability.

Case Study: Data Theft Through AI Chatbot Integrations
Drift, an AI-powered conversational marketing platform, helps businesses engage
customers through chatbots and real-time messaging. In August 2025, researchers
uncovered a campaign targeting Salesforce instances via compromised integrations with Drift and Salesloft. Attackers exploited weak API governance and misconfigured access controls to siphon sensitive customer data.

What Happened:
  • Threat actors gained access to OAuth tokens used by third-party apps connected to Salesforce.
  • These tokens allowed attackers to query Salesforce data without triggering traditional security alerts.
  • The breach persisted because the integrations were trusted and operated under broad permissions, bypassing least-privilege principles.
Why It Matters for Generative AI:
This incident illustrates how third-party integrations and identity risks can expand the attack surface—one of the key challenges highlighted in this blog. As organizations embed AI into workflows, similar risks emerge: external models, plugins, and autonomous agents often require elevated privileges, making them attractive targets for attackers.

Lessons Learned:
  • Enforce Least Privilege: Limit OAuth scopes and API permissions for all integrations, including AI-driven tools.
  • Continuous Monitoring: Track anomalous behavior across trusted apps and AI agents.
  • Governance First: Establish strict onboarding and review processes for third-party and AI integrations.

Generative AI amplifies these risks because its integrations often involve dynamic credential use and autonomous actions. Without robust governance, the convenience of AI can quickly become a liability.

Solutions That Matter
Responsible AI adoption starts with understanding your risk profile and aligning
mitigation strategies with business priorities. Our AI Security Strategy Workshop helps organizations:

  • Explore current and planned AI initiatives.
  • Identify and prioritize risks across six critical categories.
  • Map technical and governance controls to your risk appetite.
  • Develop a phased roadmap for secure and aligned AI adoption.

Ready to take the next step? Contact us to learn more about our interactive workshop to build a tailored strategy for safe and responsible AI.

 
View full post