The security risks of artificial intelligence fall into two distinct categories that require different defensive approaches: technical vulnerabilities inherent to AI systems themselves (supply chain attacks, model theft, adversarial manipulation), and governance-level risks created by how organizations deploy and oversee AI (regulation gaps, algorithmic bias, inadequate audit frameworks). Understanding both categories — and the established frameworks that map them — is increasingly a requirement for security professionals, risk officers and compliance teams responsible for AI systems in production.
- The OWASP Top 10 for LLM Applications (2025) defines the industry-standard risk taxonomy for AI security, covering prompt injection, supply chain risks, data poisoning, and excessive agency.
- AI supply chain attacks have nearly quadrupled since 2020 as adversaries increasingly target the environments where AI software is built and deployed.
- Over 300,000 ChatGPT credentials were exposed via infostealers in 2025, demonstrating that AI platforms are now primary targets alongside traditional enterprise systems.
- Model theft is a persistent risk: an organization may never detect that its AI model has been copied through systematic API querying, because the attack leaves no conventional breach indicators.
- The NIST AI Risk Management Framework (Map, Measure, Manage, Govern) provides the primary governance standard for AI risk, but only 37% of organizations have any AI governance policy in place.
Technical Security Risks of AI Systems

AI systems introduce attack surfaces that do not exist in traditional software: the model weights, training data, inference API, and the agentic capabilities that allow AI to take real-world actions are all targets that conventional security frameworks were not designed to protect. The OWASP Top 10 for LLM Applications (2025 edition) and MITRE ATLAS provide the most comprehensive public taxonomies of these technical risks.
Supply chain attacks and third-party AI integration risks
Most organizations building AI-powered products do not develop foundation models from scratch — they integrate third-party models, APIs, libraries and pre-trained weights from vendors and public repositories. Each integration point is a potential supply chain entry. Supply chain and third-party compromises have nearly quadrupled since 2020, and the AI supply chain specifically is now a primary attack target: compromising a widely-used AI library, model checkpoint or cloud inference API can cascade across all organizations that depend on it.
The 2025 OWASP Top 10 for LLM Applications explicitly includes Supply Chain Risks as a distinct risk category, covering vulnerabilities in pre-trained models from public repositories, compromised training datasets, insecure ML frameworks and plugins, and vulnerable third-party packages integrated into LLM-based applications. A vulnerability in a vendor’s AI environment can escalate directly to any customer environment that pulls from the same model or API endpoint. MITRE ATLAS’s October 2025 update added 14 new techniques specifically covering agentic AI risks, including exfiltration via tool invocation.
Model theft and inference attacks
Model theft — also called model extraction or model stealing — occurs when an adversary systematically queries a deployed AI model’s API to reconstruct a functionally equivalent copy of the model without authorization. Unlike traditional data theft, model theft does not necessarily involve accessing a system’s storage or logs; the attack surface is the inference API itself. Organizations may not realize their model has been stolen because the attack leaves no obvious breach indicators: every query looks like legitimate API use, and no model file ever leaves the victim’s infrastructure.
Model theft risks are particularly acute for organizations that have invested significant resources in fine-tuning proprietary models on confidential data, trained specialized classifiers on non-public training sets or developed AI-based fraud detection systems whose logic an attacker would benefit from understanding. The 2025 infostealer campaigns that exposed over 300,000 ChatGPT credentials illustrate the adjacent risk: compromised AI platform credentials can give attackers access to an organization’s conversation history, fine-tuned assistants and API configurations — a significant intellectual property breach even without direct model extraction.
Adversarial attacks and OWASP LLM Top 10
Adversarial attacks against AI models exploit the statistical nature of machine learning to produce systematically wrong outputs. The 2025 OWASP Top 10 for LLM Applications defines the most critical risk categories for production AI systems:
- Prompt Injection (LLM01): Malicious instructions embedded in input that override system behavior — the primary attack vector for agentic AI.
- Data and Model Poisoning (LLM04): Corrupting training or fine-tuning data to embed backdoors or biases.
- Excessive Agency (LLM06): Granting AI agents too many permissions or capabilities, enabling attackers to take real-world actions through compromised AI.
- System Prompt Leakage (LLM07): Techniques to extract confidential system instructions that reveal business logic, security controls or proprietary processes.
- Unbounded Consumption (LLM10): Resource exhaustion attacks against AI inference infrastructure — the AI equivalent of denial-of-service.
MITRE ATLAS (Adversarial Threat Landscape for AI Systems) provides attack technique mappings that mirror the MITRE ATT&CK framework but for AI-specific adversarial behaviors, giving security teams a structured vocabulary for AI threat modeling compatible with existing SOC workflows.
Governance, Regulatory and Systemic AI Risks

Technical vulnerabilities are only part of the AI security risk landscape. Organizations face equally significant risks from inadequate governance frameworks, regulatory non-compliance and systemic bias — risks that do not require an external attacker and can cause serious harm through the normal operation of poorly-designed or inadequately-governed AI systems.
The AI governance gap and NIST AI RMF
Global AI adoption has outpaced the development of governance standards by a significant margin. Only 37% of organizations have any AI governance policy in place, despite 99% of organizations using AI in some capacity. The primary standard for organizations seeking a structured governance approach is the NIST AI Risk Management Framework (AI RMF), which organizes AI risk governance into four functions: Map (identify AI risks in organizational context), Measure (analyze and track risk), Manage (implement controls and priorities), and Govern (establish culture, oversight and accountability structures).
The governance gap is structural: AI security requires new skills (adversarial ML testing, AI red teaming), new audit processes (model behavior auditing, training data lineage) and cross-functional ownership that spans security, legal, compliance and data science. Traditional IT governance frameworks — ISO 27001, SOC 2, NIST CSF — were not designed to address AI-specific risks and provide insufficient coverage without AI-specific extensions. The EU AI Act, fully in force from August 2026, introduces mandatory conformity assessments, risk classification requirements and prohibited use categories that make AI governance a legal compliance requirement for organizations operating in or selling to European markets.
Algorithmic bias as a security and legal risk
Algorithmic bias — systematic errors in AI outputs that produce unfair outcomes for specific groups — is both an ethical concern and a concrete security and legal risk. When AI systems make decisions about access control, fraud detection, hiring or credit scoring, biased outputs constitute discriminatory treatment that triggers regulatory exposure under anti-discrimination law. Existing AI governance frameworks address bias at a surface level, but research published in 2025 found that many frameworks rely on generalized assumptions about users and environments that fail to capture cultural and contextual dimensions of bias.
From a security perspective, adversarially-induced bias — injecting poisoned training data to cause an AI fraud detection system to systematically fail for a specific transaction pattern — is an underappreciated attack technique. The target is not data exfiltration but behavioral manipulation: causing the AI system to have predictable blind spots that the attacker exploits. Security teams assessing AI risk need to evaluate not just whether the model can be accessed but whether it can be manipulated to perform incorrectly in specific, exploitable ways.
Building an AI security risk assessment program
For organizations beginning AI security risk management, the NIST AI RMF provides the governance structure while OWASP’s LLM Top 10 provides the technical risk inventory. A practical program should include:
- AI asset inventory — cataloguing all AI models in use, including shadow AI deployments.
- Supply chain due diligence — reviewing the provenance and security posture of all third-party AI dependencies.
- Adversarial testing — red teaming deployed AI systems for prompt injection, jailbreak and data extraction vulnerabilities.
- Monitoring — logging model inputs and outputs to detect anomalous behavior patterns that may indicate adversarial manipulation or model extraction attempts.
The MIT AI Risk Repository provides a structured database of AI risk categories useful for ensuring comprehensive coverage in internal risk assessments.
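As an added illustration of the monitoring step above and of the model theft risk described earlier (example code written for this page, not from the article, OWASP or NIST), the following monitor folds JSON-lines inference API logs into per-client counters and flags clients whose traffic shows the pattern of systematic extraction: almost no repeated inputs, a preference for full probability vectors over bare labels, and a sustained machine-paced request rate. The log field names, thresholds and the two sample clients are assumptions constructed for the example.

```python
import hashlib
import json
from collections import defaultdict

# Thresholds are assumptions; baseline them against legitimate traffic first.
MIN_QUERIES = 200        # ignore low-volume clients
UNIQUE_RATIO = 0.95      # an extraction sweep rarely repeats an input
PROB_RATIO = 0.80        # harvesting prefers full probability vectors
MAX_MEAN_GAP_S = 1.0     # sustained machine-paced request rate

def aggregate(lines):
    # Fold JSON-lines inference records into per-client counters.
    stats = defaultdict(lambda: {"n": 0, "uniq": set(), "probs": 0, "ts": []})
    for line in lines:
        r = json.loads(line)
        s = stats[r["client_id"]]
        s["n"] += 1
        s["uniq"].add(r["input_sha256"])
        s["probs"] += 1 if r.get("return_probabilities") else 0
        s["ts"].append(r["ts"])
    return stats

def extraction_signals(s):
    """Indicators tripped by one client's traffic; empty below the volume floor."""
    if s["n"] < MIN_QUERIES:
        return []
    hits = []
    if len(s["uniq"]) / s["n"] >= UNIQUE_RATIO:
        hits.append("high_input_diversity")
    if s["probs"] / s["n"] >= PROB_RATIO:
        hits.append("probability_vectors_requested")
    ts = sorted(s["ts"])
    if (ts[-1] - ts[0]) / (len(ts) - 1) <= MAX_MEAN_GAP_S:
        hits.append("machine_paced")
    return hits

def flag_clients(lines, min_signals=2):
    # Clients tripping at least min_signals indicators, mapped to the reasons.
    flagged = {}
    for client, s in aggregate(lines).items():
        hits = extraction_signals(s)
        if len(hits) >= min_signals:
            flagged[client] = hits
    return flagged

def _record(client, i, ts, probs, distinct):
    # Constructed log line; `distinct` caps how many inputs the client reuses.
    digest = hashlib.sha256(f"{client}-{i % distinct}".encode()).hexdigest()
    return json.dumps({"client_id": client, "ts": ts, "input_sha256": digest, "return_probabilities": probs})

# Constructed sample: a sweeping client beside an ordinary application.
SAMPLE_LOG = ([_record("svc-harvest", i, 1000 + 0.25 * i, True, 10**6) for i in range(300)]
              + [_record("app-frontend", i, 1000 + 4.0 * i, False, 40) for i in range(250)])
```

Running `flag_clients(SAMPLE_LOG)` reports only `svc-harvest`, with all three indicators; in production the thresholds should be set from observed baselines and the per-client windows bounded in time.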
Frequently Asked Questions
What are the main security risks of artificial intelligence?
The main security risks of AI fall into technical risks (supply chain attacks, model theft, adversarial attacks, prompt injection, data poisoning) and governance risks (inadequate oversight, algorithmic bias, regulatory non-compliance, and shadow AI deployments without security review).
What is the OWASP Top 10 for LLM Applications?
The OWASP Top 10 for LLM Applications (2025) is the industry-standard security risk taxonomy for AI systems. The top risks include Prompt Injection (LLM01), Data/Model Poisoning (LLM04), Excessive Agency (LLM06), System Prompt Leakage (LLM07), and Unbounded Consumption (LLM10).
What is the NIST AI Risk Management Framework?
The NIST AI RMF organizes AI risk governance into four functions: Map (identify AI risks), Measure (analyze and track), Manage (implement controls), and Govern (establish oversight and accountability). It’s the primary US government framework for AI risk management.
What is AI model theft and how does it work?
AI model theft (model extraction) occurs when an adversary systematically queries a model’s API to reconstruct a functionally equivalent copy without authorization. It requires no data breach — the attack surface is the inference API itself. Organizations often cannot detect it until after significant IP has been stolen.
What is the EU AI Act and how does it affect AI security?
The EU AI Act, fully in force from August 2026, classifies AI systems by risk level and requires mandatory conformity assessments, technical documentation, and prohibited use restrictions for high-risk AI. It makes AI governance a legal compliance requirement for organizations operating in or selling to EU markets.