White Paper Excerpt

AI Security Challenges & Associated Risks – No. 3

How to Manage the Risks when AI Adoption & Evolution Outpace Network Security

Primary Vulnerabilities: Shadow AI, Supply Chain Risks, Data Leakage

Introduction

The pace of AI deployment has overtaken the development of AI security creating serious network vulnerabilities. At the same time, a rising demand for sovereign technology and the proliferation of edge computing are expanding attack surfaces. Risks are suddenly everywhere all the time and it has become a significant challenge to monitor and manage them. This is placing huge pressure on cybersecurity vendors and enterprise SOCs, who need to respond rapidly in a constantly evolving environment.

The following excerpt is from Enea’s white paper “Understanding & Managing AI in Network Security“. It looks at the prime risks generated by the speed of AI adoption and evolution, and where the security focus needs to be to effectively address them.

The Pace of AI Deployment Has Eclipsed the Development of AI Security

AI’s highly accessible natural language interface, affordability (open source and penetration-based loss pricing), miniaturization (run a model on your phone!), and easy integration (a web link or API will do!) all mean AI is being deployed everywhere – and definitely at a pace that has eclipsed the development of AI security.

This means cybersecurity vendors have to mitigate – or eliminate – AI risks coming from everywhere all at once: from the Internet, from cloud SaaS and IaaS services, in commercial and bespoke company apps, and on all kinds of managed and unmanaged devices.

AI Diffusion Report - Adoption Rate for AIAI Diffusion Report; sources New York Times & Our World in Data

And the scale of the challenge mounts daily, with the adoption rate for AI forming a near-vertical line. In fact, the recent AI Diffusion Report from Microsoft’s AI Economy Institute proclaims GenAI to be the “fastest-spreading technology in human history,” with more than 1.2 billion people reporting using GenAI tools since the technology was introduced and 9.8 trillion downloads of AI software libraries in 2025. This represents an adoption rate faster than the personal computer, the Internet, and the smartphone.

AI Coding Tools for Professional Developers, Vibe Coding Tools for Amateurs, Free (or Cheap) Tools for Personal Use – there’s Something for Everyone!

Whether one wants to create and monetize a GenAI application by vibe coding with prompts, or just download AI tools and widgets for ad hoc personal tasks, there’s an app for that! And yes, that most definitely does include tools for hackers.

And with AI miniaturization in models and compute resources (making tools usable on low end servers, personal computers and even mobile and IoT devices), and the broad penetration of personal devices in work environments, and the integration of free or low cost add-ons of AI features and tools into seemingly every business app, you can be sure CISOs are not sleeping well.

And this is before taking a step back and looking at the meta-level way in which geopolitics are shaping AI as an overall threat vector. First, nations are viewing the multi-trillion-dollar development of AI as something akin to an arms race in which there can be only one winner.

The result is intense AI competition that is putting significant stress on governments to ease AI safety and security regulations, and places pressure on businesses to ‘move fast and break things’ lest they fall behind competitors. Both conditions exacerbate already significant, inherent AI security risks. At the same time, geopolitically-motivated demand for sovereign technology and the proliferation of edge computing are significantly expanding attack surfaces.

The Prime Risks Created by Unbounded AI Adoption

What are the prime risks this unbounded adoption creates? One is Shadow AI, another is Supply Chain Risks, and the third is Data Leakage.

  • Shadow AI
    Like the Shadow IT and Bring-Your-Own-Device (BYOD) practices that preceded them, Shadow AI refers to the unauthorized and unmanaged use of AI tools and applications by enterprise users (both human and machine). The use of Shadow AI greatly expands the attack surface of an organization, and opens up the potential for violations of IT safety and security best practices.

    Beyond Shadow AI, the rapid pace of adoption of even officially approved commercial products can make it difficult for security to effectively monitor and manage risks. In addition, even though they are using sanctioned tools, users can still fall prey to scams, and will always seek the path of least resistance in IT, disabling or circumventing what they may consider ‘annoying’ security controls when and where possible.

    So, to be most effective, security should focus less on controlling tools and behaviors and more on enabling users to do what they are going to do anyway as safely as possible, and to focus on AI security as AI use is following a vertical curve.

  • Data Leakage (OWASP LLM02:2025 Sensitive Information Disclosure):
    This risk is covered in more detail in the white paper excerpt “GenAI’s Non-Deterministic Nature“, but it merits attention here as well as it is closely linked with Shadow AI. Organizations face huge risks from users uploading organizational data into public AI tools not realizing this data will be integrated back into models where it may be exposed by privacy leakage flaws or attacks, or that many such free or cheap tools are simply bait malicious actors have created to steal data (data exfiltration). The situation is better for apps and tools from large, established companies, but many still require configuring security rules and parameters, which in turn requires that security teams are aware these tools are being used.
  • Supply Chain (OWASP LLM03:2025 Supply Chain):
    Supply Chain risks arise when vulnerable, tampered, outdated, or malicious third party models, datasets, components, or fine tuning artifacts compromise LLM and/or GenAI application integrity and security. For more details see the previous excerpt from the white paper “AI’s Scale and Complexity Increases Security Risks“.

Wi-Fi marketing
Risk Pop Quiz!

Question: Which of the risks above poses the most immediate and pressing challenge to cybersecurity?

Answer: The trophy goes to Shadow AI. Like prompt injection and supply chain exploits, there are potentially legions of vulnerabilities in BYOAI, including the risky behavior with public tools described under data leakage above.

And there are many activities employees don’t even consider to be BYOAI, like interacting with a public chatbot, or downloading and sharing a funny AI meme or video at work. And to be honest, we didn’t even succeed in training employees to spot phishing emails in the before-times, so we urgently need to shine a spotlight on shadow AI in the enterprise.

And now let’s part with two golden rules for dealing with AI’s runaway success:

Takeaway Security Principles

  • Whenever and wherever possible, don’t prohibit AI use; make its use safe.
  • Visibility into Shadow AI is everything; you can’t secure what you can’t see.

###

To discover more about AI and the challenges it brings to network security, download the full white paper below.