Artificial intelligence security risks fall into two categories that require different defenses. The first category is risks to AI systems themselves — prompt injection, data poisoning, adversarial examples, and model theft that compromise the security tools and business applications organizations have built on top of LLMs and ML models. The second is AI as a weapon used against human targets — deepfakes, voice cloning, AI-powered phishing — where the AI capability is on the attacker’s side. AI-enabled fraud surged 1,210% in 2025, according to data aggregated across enterprise security reports, and financial losses from deepfake-enabled fraud exceeded $200 million in the first quarter of 2025 alone. Understanding which category of risk applies to which decision — AI system architecture versus employee security awareness — is the first step in addressing either one.
- Prompt injection is the OWASP LLM Top 10 #1 risk — adversaries exploited generative AI via injected prompts at 90+ organizations in 2025 (CrowdStrike Global Threat Report)
- AI-enabled fraud surged 1,210% in 2025 — projected losses growing from $12.3B (2023) to $40B by 2027 at 32% CAGR (Experian/Fortune)
- Deepfake-enabled fraud losses exceeded $200M in Q1 2025; average enterprise deepfake incident costs ~$500K
- Human detection rate for high-quality video deepfakes: 24.5% — meaning 3 in 4 deepfake impersonations go undetected by human reviewers
- 83% of organizations plan to deploy agentic AI; only 29% feel ready to do so securely (Cisco State of AI Security 2026)
Risks to AI Systems: Prompt Injection, Data Poisoning, and Adversarial Attacks
Prompt Injection — The Top LLM Vulnerability
Prompt injection is ranked #1 in the OWASP LLM Top 10 for 2025-2026. The attack works by embedding adversarial instructions inside content the AI model processes — not in the user’s direct input, but in data the model retrieves or reasons over. Indirect prompt injection is now the dominant vector: a malicious actor plants instructions in a web page, document, or email that an LLM-based agent reads as part of a legitimate task, redirecting the agent’s actions without the user or operator seeing the injected content. The CrowdStrike 2026 Global Threat Report documented that adversaries exploited generative AI tools via injected prompts at more than 90 organizations in 2025. Research on attack success rates shows certain prompt injection techniques achieving 88% effectiveness across tested models.
For organizations deploying AI agents — systems that can take actions (send emails, query databases, execute code) based on LLM reasoning — prompt injection moves from a nuisance to a critical security control failure. An agent that can be redirected through injected content in the data it reads can exfiltrate information, impersonate users, or take destructive actions with the permissions the agent already has. The governance gap is measurable: Cisco’s State of AI Security 2026 found that 83% of organizations planned to deploy agentic AI, but only 29% felt ready to do so securely. That 54-point gap between adoption intention and security readiness is where most prompt injection risk lives. The broader AI security concerns framework covering governance, policy design, and liability for AI-driven decisions connects to this same readiness gap.
Data Poisoning and Adversarial Examples
Data poisoning attacks target the training process rather than the deployed model. By injecting malicious samples into the training data, an attacker can cause the model to learn incorrect associations — behaving normally on standard inputs but producing specific wrong outputs when it encounters a trigger pattern. Research demonstrates that poisoning as little as 0.001% of training data can degrade model reliability while the poisoned model passes standard accuracy evaluations. The attack is difficult to detect because the poisoned behavior only surfaces on specific trigger inputs that normal testing doesn’t exercise.
Adversarial examples attack deployed models, not training pipelines. Small, human-imperceptible perturbations to input data — pixel noise in images, subtle character substitutions in text — can cause ML classifiers to misclassify inputs with high confidence. Security ML models used for malware detection and network traffic classification are susceptible: an adversary who knows the model architecture can craft inputs that the classifier treats as benign while they contain malicious functionality. The AI in computer security context shows how these adversarial vulnerabilities affect the defensive ML tools organizations have deployed — creating a recursive security problem where the AI defenses have their own vulnerabilities. Model theft — using repeated API queries to reconstruct a proprietary model’s decision boundaries — is a related risk for organizations that expose ML models as commercial APIs, where a competitor or attacker can clone the model’s functionality without access to training data.
Agentic AI Attack Surface
Agentic AI systems — LLM-based agents that can browse the web, read files, execute code, and call external APIs — create an attack surface that traditional application security models weren’t built to address. An agent operating with user-level or service-level permissions can be manipulated to perform privilege escalation (convincing itself it has permissions it doesn’t), data exfiltration (sending retrieved data to attacker-controlled endpoints), or supply chain compromise (downloading and executing malicious packages). The attack surface expands with the agent’s capability set: an agent that can only read text is low risk; an agent that can execute shell commands and access production databases is a critical risk if its reasoning can be redirected through injected content. The enterprise threat intelligence layer that identifies active exploitation of agentic AI patterns is still developing — most threat intel frameworks predate widespread agentic deployment.
AI as a Weapon: Deepfakes, Voice Cloning, and AI-Powered Social Engineering
Deepfake Fraud — Financial Impact and Detection Failure
Deepfake-enabled fraud has moved from theoretical to quantified enterprise risk. Financial losses from deepfake incidents exceeded $200 million in Q1 2025 alone. The average cost to an enterprise from a single deepfake incident runs approximately $500,000, with large enterprise incidents reaching $680,000. The scale of the problem: deepfake fraud attempts have increased 2,137% over the past three years, now appearing in roughly 1 in 15 detected fraud cases. The human detection rate for high-quality video deepfakes is 24.5% — meaning three out of four sophisticated deepfake impersonations go undetected when humans are the primary control. Experian’s 2026 fraud forecast projects AI-facilitated fraud losses growing from $12.3 billion in 2023 to $40 billion by 2027 — a 32% compound annual growth rate driven by the democratization of deepfake generation tools.
The primary attack vectors are video impersonation (deepfake calls where an executive’s face and voice are cloned to authorize fraudulent transactions) and voice cloning (audio-only impersonation in phone-based fraud). Voice cloning is currently considered the highest-risk AI fraud vector because audio-only fakes require less computational resource to produce and less perceptual scrutiny to detect. Business Email Compromise has been upgraded by AI: AI-generated emails now match the target’s writing style, reference accurate organizational context, and produce zero spelling errors — eliminating the tell-tale signs that trained employees previously used to identify phishing attempts. The AI security tools addressing this problem on the defensive side include deepfake detection platforms (Reality Defender, GetReal Security) that analyze audio and video for AI generation artifacts.
AI-Powered Phishing and Social Engineering at Scale
The structural change AI brings to phishing is scale without quality degradation. Traditional spear-phishing required manual research — understanding the target’s role, relationships, and recent activity — limiting high-quality attacks to high-value targets. AI tools now automate that research step: scraping LinkedIn, analyzing publicly available communications, and generating personalized phishing emails at volume. The result is that spear-phishing quality, previously reserved for nation-state actors targeting specific individuals, is now available to commodity cybercriminal groups targeting thousands of employees simultaneously. ML models achieve greater than 97% accuracy identifying phishing emails on the defensive side — but that leaves a meaningful false-negative rate when the phishing itself is AI-crafted to evade ML-based detection by mimicking legitimate email patterns. The AI cybersecurity market is investing in social engineering detection specifically because the scale of AI-powered phishing is outpacing human-based awareness training as a primary control.
Frequently Asked Questions
What are the main artificial intelligence security risks?
AI security risks fall into two categories. Risks to AI systems: prompt injection (ranked #1 by OWASP), data poisoning of training data, adversarial examples that fool deployed ML classifiers, model theft via API querying, and agentic AI privilege escalation. Risks from AI used as a weapon: deepfake video and voice impersonation fraud, AI-generated phishing emails at scale, and AI-assisted reconnaissance that enables faster targeted attacks. Both categories require different defenses — architectural controls for AI systems, detection and verification for AI-enabled social engineering.
What is prompt injection and why is it the top LLM risk?
Prompt injection embeds adversarial instructions inside content that an AI model processes, redirecting the model’s behavior without visible instruction from the user. Indirect prompt injection — planting malicious instructions in web pages, documents, or emails that an AI agent reads — is the dominant vector. OWASP rates it #1 in the LLM Top 10 because it affects any LLM-based agent with access to external data. CrowdStrike documented prompt injection attacks at 90+ organizations in 2025. Success rates for specific techniques exceed 88% across tested models.
How large are deepfake fraud losses in 2025-2026?
Deepfake-enabled fraud exceeded $200 million in Q1 2025 alone. The average enterprise cost per deepfake incident is approximately $500,000; large enterprise incidents average $680,000. AI-facilitated fraud losses overall are projected to grow from $12.3 billion in 2023 to $40 billion by 2027 (Experian, 2026). Deepfake fraud attempts have increased 2,137% over three years. Human detection rates for high-quality video deepfakes are only 24.5%, making technical detection controls necessary.
What is data poisoning in AI security?
Data poisoning injects malicious samples into an AI model’s training data to cause the model to learn incorrect associations. The poisoned model behaves normally on standard test inputs but produces specific wrong outputs on trigger inputs the attacker controls. Poisoning as little as 0.001% of training data can degrade model reliability without triggering standard accuracy evaluations. For security-relevant ML models — malware classifiers, fraud detection models, network anomaly detectors — poisoning can cause them to systematically misclassify attacker-controlled inputs.
How ready are organizations to secure agentic AI?
Cisco’s State of AI Security 2026 found that 83% of organizations planned to deploy agentic AI, but only 29% felt ready to do so securely — a 54-point gap. Agentic AI systems face attack surfaces including prompt injection through retrieved content, privilege escalation through manipulated reasoning, and data exfiltration through agent actions. Most existing security frameworks were designed before widespread agentic AI deployment, and threat intelligence coverage of active agentic AI exploitation is still developing.
