LETTERMCP
All posts

The New Enterprise Security Perimeter Is AI

The New Enterprise Security Perimeter Is AI

AI is now the perimeter. Not a tool inside it, not a threat beyond it. Business-critical decisions, sensitive data, and core operations run through AI systems. Whatever isn't secured there isn't secured.

The Traditional Perimeter Is Gone

Network-based security ran on one assumption: threats originate outside a defined boundary. That held when data lived on-premises, workers sat in offices, and the attack surface was knowable. Cloud migration dissolved the boundary. Remote work scattered the endpoints. SaaS distributed data across dozens of third parties.

Zero Trust was the practical response, shifting from trusted network to verified identity. It remains necessary. It's also insufficient for what AI introduces, because Zero Trust was built around human and machine identities with predictable, auditable behavior.

AI agents act autonomously, chain tool calls without human review, and execute at machine speed. An AI system authenticates legitimately, then carries out instructions it was manipulated into accepting. The identity-centric model has no clean answer for that. The perimeter didn't disappear. It relocated to wherever AI operates.

Why AI Is a Different Kind of Attack Surface

Enterprise AI adoption is outpacing the security frameworks meant to contain it. LLMs are embedded in productivity suites, code assistants, customer service platforms, and internal knowledge tools. They don't just process requests. They access sensitive internal data, call external APIs, and execute actions.

What makes this surface genuinely novel isn't just scale. It's the nature of the thing.

AI systems are non-deterministic. The same input doesn't guarantee the same output. Auditing behavior that varies by design is structurally harder than auditing rule-based systems, and traditional logging assumptions break against it in ways that aren't obvious until something goes wrong.

The manipulation vector is inputs, not exploits. An attacker doesn't need to breach the model. They craft an input that redirects its behavior. No vulnerability required. No patch fixes it. This is a category shift that most security tooling wasn't built to address, and the fact that it looks simple is part of why it keeps getting underestimated.

AI systems also concentrate what attackers want. Training data contains sensitive enterprise information. Models encode proprietary logic and institutional knowledge. A compromised model doesn't just leak data. It leaks the organization's decision-making architecture. Targeting of AI systems as primary objectives, not incidental ones, is increasing. The pace is not slowing.

The Actual Threat Catalog

Prompt injection is the most immediate and widespread risk. Direct injection embeds malicious instructions in user input. Indirect injection plants them in content the model retrieves: a document, a webpage, a database record, a calendar entry. The model follows injected instructions as though they were legitimate. Real-world consequences include data exfiltration and unauthorized actions. These aren't theoretical; they've been demonstrated against production systems.

Model poisoning targets the training and fine-tuning phase. Backdoors embedded there activate on specific triggers at inference time. Poisoned models behave normally until the trigger appears, which makes post-deployment detection genuinely difficult. Not merely inconvenient.

Model extraction replicates proprietary models through repeated querying. An attacker reconstructs model behavior without ever accessing weights or training data. Whatever competitive advantage lives in a fine-tuned model transfers out the door through what looks, from the logs, like normal usage.

Supply chain attacks target open-source models and datasets, third-party plugins, and integration layers. A malicious model uploaded to a public repository and pulled into an enterprise pipeline bypasses every downstream control. Most organizations aren't applying software composition analysis to AI assets the way they apply it to code libraries. That's a gap, not a philosophical position.

AI-assisted social engineering doesn't attack the model at all. It uses AI offensively: deepfakes, synthetic voice, highly personalized phishing at scale, automated pretexting. The defensive perimeter has to account for AI as an adversarial tool. Organizations that think of AI only as a defensive asset are reasoning from an incomplete picture.

What the Architecture Needs to Look Like

Vet pre-trained models and establish provenance requirements before deployment. An unvetted model is unreviewed third-party code. Treating it as anything else is a choice with consequences. Apply software composition analysis to AI dependencies with the same discipline applied to code libraries.

Harden the pipeline. MLSecOps integrates security into CI/CD for model development. Model signing and provenance tracking ensure what ships to production is what was tested. Pipelines without these controls are open to substitution attacks, and substitution attacks are quiet.

At runtime, validate inputs before they reach models and filter outputs before they leave. Deploy anomaly detection on model behavior and usage patterns. Rate-limit AI endpoints. Behavioral baselines catch drift that static rules miss. Static rules alone are not a monitoring strategy. They're the beginning of one.

Apply data minimization to what models can access. The most common exfiltration vector isn't a dramatic breach. It's the model helpfully including sensitive information in a response because it had access and no reason not to. Monitor outputs for that. The volume is high enough that manual review won't scale, which means automated output monitoring isn't optional.

Extend identity and access management to AI agents and models as principals. Least-privilege access for AI systems follows the same logic as least-privilege for service accounts. An AI agent doesn't need access to every data source because it will eventually need some of them. That reasoning has never held up for service accounts, and it doesn't hold up here.

Build audit trails for AI decisions and interactions. Human-in-the-loop checkpoints at high-risk decision points limit blast radius when models behave unexpectedly. The EU AI Act, NIST AI RMF, SEC disclosure requirements, and a growing list of state-level regulations are accelerating formal AI governance requirements. Organizations building these capabilities now won't be building them under deadline pressure in twelve months, which is the alternative.

Monday Morning

Run an AI asset inventory. Shadow AI is already inside the enterprise. Employees use unsanctioned tools and integrations at scale, and discovery isn't optional because you can't secure what you don't know exists. This comes before everything else.

Extend threat modeling to AI-specific attack vectors. Existing threat models don't account for prompt injection, model poisoning, or extraction attacks. Every AI system in production gets threat-modeled against the full catalog. Not eventually.

Establish an AI security policy covering approved models, data handling requirements, output validation standards, and acceptable use parameters. Without it, nothing downstream is consistent. The policy is the enforcement baseline.

Invest in red-teaming capability, internal or external. Passive monitoring finds known problems. Red-teaming finds the ones that will matter before attackers find them first. The AI security monitoring vendor landscape is building out fast enough to justify a structured evaluation now rather than a wait-and-see posture that mostly serves to delay accountability.

Break the silo. AI security that lives only in the SOC fails. Security, data science, legal, and compliance teams have overlapping stakes in the same systems. Governance decisions made without security input generate risk. Security posture decisions made without data science input miss the technical reality. The org chart problem is a security problem.

Build an AI-specific incident response playbook before the call comes in. A model compromise looks different from a server compromise in ways that matter for containment and recovery. Define what it looks like. Document the procedures. The organizations that discover this mid-incident are the ones that learn it most expensively.

Where Things Stand

Start with visibility: a complete picture of what AI systems exist, what data they access, and what actions they can take. The attack surface is real, active, and expanding faster than most security programs are currently moving. That gap is the variable that determines whether this gets addressed on your terms or someone else's.