AI Attack Surface

Overview

AI systems introduce a fundamentally new attack surface on top of traditional application security. The model itself, its training pipeline, its data sources, and its inference API are all targets.

Attack Surface Map

┌─────────────────────────────────────────────────────────┐
│                    AI APPLICATION                        │
│                                                         │
│  ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌────────┐ │
│  │ Training  │→ │  Model   │→ │Inference │→ │ Output │ │
│  │   Data    │  │ Weights  │  │   API    │  │        │ │
│  └──────────┘  └──────────┘  └──────────┘  └────────┘ │
│       ▲              ▲             ▲            ▲       │
│  Poisoning     Extraction    Injection    Exfiltration  │
│  Backdoors     Adversarial   Jailbreak    Hallucination │
│  Supply Chain  examples      DoS          Data leak     │
└─────────────────────────────────────────────────────────┘

Mapping AI Attacks to Traditional Security

AI AttackTraditional EquivalentRoot Cause
Prompt InjectionSQL InjectionMixing control plane and data plane
JailbreakingPrivilege EscalationSoft policy enforcement
Data PoisoningSupply Chain CompromiseUntrusted inputs in build pipeline
Model ExtractionReverse EngineeringInsufficient access control on outputs
Adversarial ExamplesWAF EvasionInput validation gaps
Training Data ExtractionData ExfiltrationModel memorization, no DLP
Supply Chain (models)Dependency ConfusionUnverified third-party artifacts

Feasibility Matrix

AttackAccess NeededDifficultyImpact
Prompt InjectionApp userLowHigh
JailbreakingChat accessLow-MediumMedium
Supply ChainPublic repoMediumHigh
Training Data ExtractionAPI accessMediumHigh
Model ExtractionAPI + computeMediumMedium
Adversarial ExamplesModel weights idealMedium-HardHigh
Data PoisoningTraining pipelineHardCritical

Key Principle

The attacks easiest to execute (prompt injection, jailbreaking) target the runtime layer and require nothing more than typing. The attacks with highest impact (data poisoning, backdoors) require deep pipeline access. Same tradeoff as traditional security — easy attacks hit the perimeter, devastating attacks require insider access.