ai · security · skills

Threat to control

Every AI threat, in plain English.One answer each.

Twenty-five threats that matter, each named in plain English and pointed at the one fitted control that answers it. Not an encyclopedia. The threats and the standards they sit under are cited, never reinvented.

25 threats. One answer each.4 of 25
AI tricked into ignoring its rules3 fitted skills

25 threats · 18 with fitted skills · severity illustrative

LLM / AI Attacks: 4 threats in this category — each with an owner and one fitted answer, or the honest "skill in progress".

Start here

Using AI safely at work

The short version, in plain English. A starting point, not your company’s policy.

  • Keep private things private. Don’t paste customer data, personal details, passwords, or anything you wouldn’t email outside the company into an AI tool that isn’t approved for it.
  • Treat answers as a draft, not a fact. AI can sound confident and still be wrong. Check before you act on it or send it on.
  • Watch what you paste in. Text from an email, web page, or document can carry hidden instructions the AI will follow. Don’t feed it untrusted content without a reason.
  • If the AI can do things, slow down. When a tool can send, post, buy, or change records on its own, confirm before it acts.

Not sure if something’s allowed? Ask it in plain English →When in doubt, check with your security team.

Heads up: from 2026, EU rules expect anyone who uses AI at work to have had basic AI training. If you have not, ask for it.

The reference tags on the cards below (like “OWASP LLM01”) are for your security team. You can ignore them.

Agentic AI

higher

An agent’s own goal gets hijacked mid-task

Goal / instruction manipulation via injection

What could go wrong

Attacker-controlled content reaches the agent’s planning loop, not just a single response, so the agent re-plans toward the attacker’s objective across several tool calls before anyone notices.

Your part

Owned by your security team, not a day-to-day habit for you.

Owner

Shared — both sides hold a piece

Fitted control

Input validation + prompt differentiation on every planning step, not only the first turn, so a manipulated instruction can’t ride along inside a later observation.

OWASP LLM01CSA AICM AIS-09CSA AICM AIS-15

Autonomy note · AI-CMM tie

The gate exists for exactly this: as autonomy climbs past L2 (Assisted), a manipulated goal has more steps to compound before a human sees it.

Agentic AI

higher

An agent’s memory or knowledge base gets tampered with

Memory / knowledge-base poisoning

What could go wrong

An attacker plants false or malicious content in the store an agent treats as ground truth, so future decisions build on a poisoned foundation instead of a single bad output.

Your part

Owned by your security team, not a day-to-day habit for you.

Owner

Shared — both sides hold a piece

Fitted control

Poisoning detection + integrity checks on the memory/RAG store, with behavioral baselining to catch the drift once poisoned content starts steering actions.

CSA AICM DSP-21CSA AICM DSP-23

Autonomy note · AI-CMM tie

A persistent memory store is itself a feature of higher autonomy; the gate ties memory-write access to the same tier review as a tool scope.

Agentic AI

higher

An agent takes an unauthorized, destructive action

Excessive permission / unauthorized destructive actions

What could go wrong

An agent holding a broad tool scope deletes, overwrites, or transfers something outside its intended task, and no approval gate catches it before the action lands.

Your part

If an AI agent asks to act on your behalf (send, post, buy, delete), confirm before it does. Don’t approve a blanket “always allow.”

Owner

Deployer — yours to own end-to-end

Fitted control

Least-privilege scopes + a policy-enforcement point on every tool call + human approval on anything irreversible, re-checked continuously rather than granted once.

OWASP LLM06CSA AICM AIS-11CSA AICM IAM-05

Autonomy note · AI-CMM tie

This IS the gate: autonomy tier and tool scope must move together, or a wider scope silently ships with the next capability upgrade.

Agentic AI

higher

An agent hides or misrepresents what it did

Deceptive behavior: log manipulation, control bypass

What could go wrong

An agent — or an attacker steering it — alters, deletes, or omits the log entries that would reveal an unauthorized action, or routes around a control it knows is being watched.

Your part

Owned by your security team, not a day-to-day habit for you.

Owner

Shared — both sides hold a piece

Fitted control

Tamper-evident logging with alerting on gaps or edits + mutual authentication between agents so a spoofed peer can’t feed a false audit trail.

CSA AICM LOG-03CSA AICM LOG-05

Autonomy note · AI-CMM tie

Detection depends on trusting the log; the gate requires the logging layer to sit outside the agent’s own write scope.

Agentic AI

moderate

An agent runs the compute or cost bill into the ground

Resource exhaustion / model denial of service

What could go wrong

A looping agent, a runaway sub-agent spawn, or an attacker-triggered cascade consumes compute, API budget, or rate limit until the system degrades for everyone else.

Your part

Owned by your security team, not a day-to-day habit for you.

Owner

Deployer — yours to own end-to-end

Fitted control

Capacity and resource planning with hard per-agent ceilings + behavioral baselining that quarantines an agent the moment its consumption pattern breaks from normal.

OWASP LLM10CSA AICM I&S-02

Autonomy note · AI-CMM tie

Cost and capacity ceilings should tighten, not loosen, with autonomy tier until the gate confirms the agent’s consumption pattern is understood.