ai · security · skills

Threat to control

Every AI threat, in plain English.One answer each.

Twenty-five threats that matter, each named in plain English and pointed at the one fitted control that answers it. Not an encyclopedia. The threats and the standards they sit under are cited, never reinvented.

25 threats. One answer each.4 of 25
AI tricked into ignoring its rules3 fitted skills

25 threats · 18 with fitted skills · severity illustrative

LLM / AI Attacks: 4 threats in this category — each with an owner and one fitted answer, or the honest "skill in progress".

Start here

Using AI safely at work

The short version, in plain English. A starting point, not your company’s policy.

  • Keep private things private. Don’t paste customer data, personal details, passwords, or anything you wouldn’t email outside the company into an AI tool that isn’t approved for it.
  • Treat answers as a draft, not a fact. AI can sound confident and still be wrong. Check before you act on it or send it on.
  • Watch what you paste in. Text from an email, web page, or document can carry hidden instructions the AI will follow. Don’t feed it untrusted content without a reason.
  • If the AI can do things, slow down. When a tool can send, post, buy, or change records on its own, confirm before it acts.

Not sure if something’s allowed? Ask it in plain English →When in doubt, check with your security team.

Heads up: from 2026, EU rules expect anyone who uses AI at work to have had basic AI training. If you have not, ask for it.

The reference tags on the cards below (like “OWASP LLM01”) are for your security team. You can ignore them.

LLM / AI Attacks

higher

AI tricked into ignoring its rules

Prompt injection

What could go wrong

An attacker hides instructions inside the input — directly or via a document the AI reads — and gets the AI to act against its own policy.

Your part

Be careful pasting text from untrusted emails, web pages, or documents into an AI tool. It can carry hidden instructions the AI will follow.

Owner

Shared — both sides hold a piece

Fitted control

Input + output guardrails: a classifier on the way in, a policy filter on the way out, and an attack-class corpus the guard is fitted to.

OWASP LLM01MITRE ATLAS AML.T0051

Autonomy note · AI-CMM tie

Risk widens as the AI gains tool scopes — a hijacked prompt at L4 (Autonomous) can act on real systems.

LLM / AI Attacks

moderate

AI coaxed into revealing its secret instructions

System-prompt leakage

What could go wrong

The hidden instructions that shape the AI’s behaviour — and any keys, policies, or scopes embedded with them — get exposed to the user.

Your part

Owned by your security team, not a day-to-day habit for you.

Owner

Shared — both sides hold a piece

Fitted control

Extraction detection on outputs + the working assumption that the system prompt will eventually leak (no secrets in it).

OWASP LLM07MITRE ATLAS AML.T0054

LLM / AI Attacks

higher

AI talked past its safety limits

Jailbreak

What could go wrong

Role-play, scenario-build, or character framing convinces the AI to produce content its own safety rules would refuse.

Your part

Owned by your security team, not a day-to-day habit for you.

Owner

Shared — both sides hold a piece

Fitted control

Same guardrail stack as prompt injection — fitted against a corpus of jailbreak attack classes, with regression on a held-out set.

OWASP LLM01

LLM / AI Attacks

higher

AI leaks data it was given

Sensitive information disclosure

What could go wrong

Customer data, code, secrets, or personal information passed into a prompt or surfaced via retrieval ends up in another user’s output.

Your part

Don’t put customer data, secrets, or personal information into an AI tool that isn’t approved for it.

Owner

Shared — both sides hold a piece

Fitted control

Data-loss prevention on inputs + output filtering for PII/secrets + tenant-scope checks on retrieval.

Status

Control defined · skill in progress

OWASP LLM02EU AI Act Art. 10

Data

higher

Training data tampered to corrupt behaviour

Data and model poisoning

What could go wrong

An attacker plants malicious or biased data in the training set — or in the RAG corpus — so the deployed model behaves the way they want.

Your part

Owned by your security team, not a day-to-day habit for you.

Owner

Shared — both sides hold a piece

Fitted control

Data-governance + provenance gate: every dataset has a documented source, integrity check, and acceptance review before it touches a model.

Status

Control defined · skill in progress

OWASP LLM04MITRE ATLAS AML.T0010NIST MAP-2

Data

higher

A poisoned component enters your build

Supply chain (OSS model / dependency)

What could go wrong

A model, library, or dataset pulled from a public registry ships with a vulnerability or hidden backdoor that lands in your app at build time.

Your part

Owned by your security team, not a day-to-day habit for you.

Owner

Deployer — yours to own end-to-end

Fitted control

Software-composition analysis on every dependency + an AI-BOM extending SBOM to models, datasets, prompts, and tools.

OWASP LLM03

Data

higher

AI invents a package name an attacker registers

Slopsquatting (hallucinated dependencies)

What could go wrong

An AI coding assistant emits an `import` of a package that doesn’t exist — an attacker registers that exact name and ships a malicious payload.

Your part

Owned by your security team, not a day-to-day habit for you.

Owner

Deployer — yours to own end-to-end

Fitted control

Hallucinated-dependency gate in CI: every new package is verified to exist with adequate age, downloads, and reputation before it’s allowed into the lockfile.

OWASP LLM03

Autonomy note · AI-CMM tie

Risk scales with AI authoring volume — an L3 copilot writes hundreds of imports per week.

Data

moderate

Garbage in, confident garbage out

Data quality / inaccurate modeling

What could go wrong

The training or RAG data is wrong, stale, or unrepresentative — the model speaks fluently and is just confidently wrong.

Your part

Owned by your security team, not a day-to-day habit for you.

Owner

Deployer — yours to own end-to-end

Fitted control

Data-quality controls: source-of-truth definition, freshness SLA, representativeness audit, and a feedback loop from production back to the corpus.

Status

Control defined · skill in progress

NIST MAP-2NIST MEASURE-2.11

Operations

higher

An AI agent does more than it should

Excessive agency

What could go wrong

An AI agent given a tool, an API key, or a deployment scope takes actions outside its intent — sends emails, modifies data, calls paid APIs at scale.

Your part

If a tool can act on its own (send, post, buy, or change records), confirm before you let it.

Owner

Deployer — yours to own end-to-end

Fitted control

Least-privilege tool scopes + approval gates on irreversible actions + a kill switch the SOC can flip without a redeploy.

OWASP LLM06NIST MANAGE-2.4

Autonomy note · AI-CMM tie

This IS the autonomy frontier. Each AI-CMM rung up means a narrower scope per action and a louder attestation trail.

Operations

moderate

Runaway cost, denial of wallet

Unbounded consumption

What could go wrong

A loop, a prompt-injection-driven cascade, or a malicious user runs the inference bill into the ground before anyone notices.

Your part

Owned by your security team, not a day-to-day habit for you.

Owner

Deployer — yours to own end-to-end

Fitted control

Rate + cost guardrails on every model endpoint, alerting on cost-anomaly, and a hard ceiling per tenant per window.

Status

Control defined · skill in progress

OWASP LLM10

Operations

moderate

Humans stop checking the AI

Over-dependency on AI output

What could go wrong

Operators trust the AI’s output reflexively — a wrong recommendation, an unsafe action, or a fabricated fact ships because the human in the loop has stopped being one.

Your part

Keep checking the AI’s work. Treat answers as a draft, and don’t let it make important calls unchecked.

Owner

Deployer — yours to own end-to-end

Fitted control

Human-oversight design: review thresholds tiered by risk, mandatory rationale on approvals, anti-rubber-stamp UI patterns.

Status

Control defined · skill in progress

EU AI Act Art. 14NIST MANAGE-2.3

Agentic AI

higher

An agent’s own goal gets hijacked mid-task

Goal / instruction manipulation via injection

What could go wrong

Attacker-controlled content reaches the agent’s planning loop, not just a single response, so the agent re-plans toward the attacker’s objective across several tool calls before anyone notices.

Your part

Owned by your security team, not a day-to-day habit for you.

Owner

Shared — both sides hold a piece

Fitted control

Input validation + prompt differentiation on every planning step, not only the first turn, so a manipulated instruction can’t ride along inside a later observation.

OWASP LLM01CSA AICM AIS-09CSA AICM AIS-15

Autonomy note · AI-CMM tie

The gate exists for exactly this: as autonomy climbs past L2 (Assisted), a manipulated goal has more steps to compound before a human sees it.

Agentic AI

higher

An agent’s memory or knowledge base gets tampered with

Memory / knowledge-base poisoning

What could go wrong

An attacker plants false or malicious content in the store an agent treats as ground truth, so future decisions build on a poisoned foundation instead of a single bad output.

Your part

Owned by your security team, not a day-to-day habit for you.

Owner

Shared — both sides hold a piece

Fitted control

Poisoning detection + integrity checks on the memory/RAG store, with behavioral baselining to catch the drift once poisoned content starts steering actions.

CSA AICM DSP-21CSA AICM DSP-23

Autonomy note · AI-CMM tie

A persistent memory store is itself a feature of higher autonomy; the gate ties memory-write access to the same tier review as a tool scope.

Agentic AI

higher

An agent takes an unauthorized, destructive action

Excessive permission / unauthorized destructive actions

What could go wrong

An agent holding a broad tool scope deletes, overwrites, or transfers something outside its intended task, and no approval gate catches it before the action lands.

Your part

If an AI agent asks to act on your behalf (send, post, buy, delete), confirm before it does. Don’t approve a blanket “always allow.”

Owner

Deployer — yours to own end-to-end

Fitted control

Least-privilege scopes + a policy-enforcement point on every tool call + human approval on anything irreversible, re-checked continuously rather than granted once.

OWASP LLM06CSA AICM AIS-11CSA AICM IAM-05

Autonomy note · AI-CMM tie

This IS the gate: autonomy tier and tool scope must move together, or a wider scope silently ships with the next capability upgrade.

Agentic AI

higher

An agent hides or misrepresents what it did

Deceptive behavior: log manipulation, control bypass

What could go wrong

An agent — or an attacker steering it — alters, deletes, or omits the log entries that would reveal an unauthorized action, or routes around a control it knows is being watched.

Your part

Owned by your security team, not a day-to-day habit for you.

Owner

Shared — both sides hold a piece

Fitted control

Tamper-evident logging with alerting on gaps or edits + mutual authentication between agents so a spoofed peer can’t feed a false audit trail.

CSA AICM LOG-03CSA AICM LOG-05

Autonomy note · AI-CMM tie

Detection depends on trusting the log; the gate requires the logging layer to sit outside the agent’s own write scope.

Agentic AI

moderate

An agent runs the compute or cost bill into the ground

Resource exhaustion / model denial of service

What could go wrong

A looping agent, a runaway sub-agent spawn, or an attacker-triggered cascade consumes compute, API budget, or rate limit until the system degrades for everyone else.

Your part

Owned by your security team, not a day-to-day habit for you.

Owner

Deployer — yours to own end-to-end

Fitted control

Capacity and resource planning with hard per-agent ceilings + behavioral baselining that quarantines an agent the moment its consumption pattern breaks from normal.

OWASP LLM10CSA AICM I&S-02

Autonomy note · AI-CMM tie

Cost and capacity ceilings should tighten, not loosen, with autonomy tier until the gate confirms the agent’s consumption pattern is understood.

Trust

higher

AI treats groups unfairly

Bias and discrimination

What could go wrong

The model performs differently for different groups defined by protected attributes — denying access, mispricing risk, or scoring outcomes unevenly.

Your part

Don’t rely on AI alone for decisions about people, like hiring, credit, or access. A human should review.

Owner

Deployer — yours to own end-to-end

Fitted control

Fairness metric selection + disparate-impact tests + training-data representation audit; intersectional checks, not just single-axis.

NIST MEASURE-2.11EU AI Act Art. 10

Trust

moderate

No one can explain the decision

Opacity / lack of explainability

What could go wrong

A model affects a person and neither the operator nor the affected person can say why — a regulator, a court, or the press asks and there is no answer.

Your part

Owned by your security team, not a day-to-day habit for you.

Owner

Deployer — yours to own end-to-end

Fitted control

Explainability instrumentation (SHAP / LIME for the model type) + a versioned model card + a user-facing explanation path.

EU AI Act Art. 13NIST MEASURE-2.8

Trust

higher

AI states falsehoods confidently

Hallucination / misinformation

What could go wrong

The model invents a citation, a name, a number, or a fact — and presents it with the same tone as something it actually retrieved.

Your part

AI can state false things confidently. Verify facts before you act on them or pass them on.

Owner

Shared — both sides hold a piece

Fitted control

Retrieval grounding on high-impact paths + a faithfulness check that scores each claim against the cited source.

OWASP LLM09NIST MEASURE-2.7

Trust

higher

AI nudges people harmfully

Manipulation / undue influence

What could go wrong

A persuasive AI persona steers a vulnerable user toward a financial, emotional, or political decision they would not have made on their own.

Your part

Owned by your security team, not a day-to-day habit for you.

Owner

Deployer — yours to own end-to-end

Fitted control

Human-oversight design for vulnerable-user contexts + a contestation and appeal mechanism that actually reverses decisions when warranted.

Status

Control defined · skill in progress

EU AI Act Art. 5NIST AI 100-1 (Harm to People)

Compliance

higher

Personal data mishandled by AI

Privacy / PII exposure

What could go wrong

Personal data is collected, used for training, retained, or revealed in a way that breaks the lawful basis or the data-minimisation expectation.

Your part

Don’t put people’s personal data into AI tools that aren’t approved to handle it.

Owner

Deployer — yours to own end-to-end

Fitted control

DPIA scoped to the ML pipeline + data-minimisation at every stage + a retention regime that survives the model lifecycle.

GDPR Art. 35DPDP Act 2023EU AI Act Art. 26

Compliance

higher

You inherited a black box you must answer for

Vendor / third-party AI risk

What could go wrong

An embedded AI feature inside a SaaS tool — or a model API from a third party — handles your data, your decisions, or your customers, and the regulator still asks you, not them.

Your part

Owned by your security team, not a day-to-day habit for you.

Owner

Deployer — yours to own end-to-end

Fitted control

Vendor due diligence (Art. 28 DPA + AI-CAIQ) + cert acceptance with explicit gap notes + an inventory + toggle of every embedded AI feature.

EU AI Act Art. 25CSA AICM (SSRM)

Compliance

moderate

AI use breaks an evolving law

Regulatory non-compliance

What could go wrong

The law moves under you — EU AI Act, ISO 42001, sector rules — and last quarter’s posture no longer satisfies this quarter’s audit.

Your part

When you’re unsure whether an AI use is allowed, ask before you do it.

Owner

Deployer — yours to own end-to-end

Fitted control

Framework crosswalk maintained as living documentation + an assurance cadence that produces evidence on demand, not in a pre-audit scramble.

EU AI ActISO/IEC 42001

Development

moderate

Staff use unsanctioned AI; nobody’s trained

Shadow AI / AI-literacy gap

What could go wrong

Employees adopt consumer AI tools at speed; sensitive content flows into them daily; the org has no inventory, no policy, and no training plan.

Your part

Use the AI tools your company has approved, and ask before bringing in a new one.

Owner

Deployer — yours to own end-to-end

Fitted control

Discovery of embedded + adopted AI features + a literacy programme (EU AI Act Art. 4 obligation) + an IDE / DLP control on the assistant traffic itself.

EU AI Act Art. 4

Development

moderate

AI’s energy and footprint cost

Environmental impact

What could go wrong

Large-model training and high-volume inference carry a real carbon, water, and resource cost — at scale, it is a sustainability obligation on the deployer, not only on the provider.

Your part

Owned by your security team, not a day-to-day habit for you.

Owner

Shared — both sides hold a piece

Fitted control

Sustainability assessment per system: model-size + inference-volume justification, region selection, and a sunset rule for unused models.

Status

Control defined · skill in progress

NIST AI 100-1 (Harm to Ecosystem)