Security Global Forum

Security Global Forum

Our mission is to provide clients with an online user community of industry peers and IBM experts, to exchange tips and tricks, best practices, and product knowledge. We hope the information you find here helps you maximize the value of your IBM Security solutions.

 View Only

Passing Audits Won't Protect You From AI Attacks

By Filip Piletic posted Thu January 29, 2026 07:56 AM

  

IBM's 2025 Cost of a Data Breach Report revealed a striking finding: among organizations that suffered an AI-related security incident, 97% lacked proper AI access controls. Even more telling, 63% had no AI governance policies in place at all.

These weren't organizations cutting corners on security. They had mature programs, dedicated teams, and compliance certifications to prove it. The problem is that NIST CSF, ISO 27001, and CIS Controls—the frameworks these organizations relied on—were never designed to address threats like prompt injection, model poisoning, or AI supply chain attacks.

The result is a dangerous gap. Organizations can implement every control their frameworks require, pass every audit, and still remain fundamentally exposed to an entire category of threats that didn't exist when those frameworks were written.

Where the Frameworks Fall Short

Access control requirements appear in every major framework, defining who can access systems and what actions they can perform. But access controls don't address prompt injection attacks, where malicious actors manipulate AI behavior through carefully crafted natural language input, bypassing authentication entirely.

Traditional input validation controls (like SI-10 in NIST SP 800-53) were designed to catch malicious structured input: SQL injection, cross-site scripting, command injection. These controls look for syntax patterns, special characters, and known attack signatures. Prompt injection uses valid natural language. There are no special characters to filter, no SQL syntax to block, no obvious attack signatures. The malicious intent is semantic, not syntactic.

System integrity controls focus on detecting unauthorized modifications. But model poisoning happens during the authorized training process. Attackers corrupt training data through legitimate channels—compromised data sources, malicious contributions to open datasets—and the AI learns malicious behavior as part of normal operation. Integrity controls aren't looking for this because nothing unauthorized occurred.

Supply chain risk management presents similar challenges. The SR control family in NIST SP 800-53 addresses vendor assessments, contract requirements, and software bill of materials. These help organizations understand what code they're running. But AI supply chains include pre-trained models, datasets, and ML frameworks that these controls weren't designed to evaluate. How does an organization validate the integrity of model weights? How does it detect if a pre-trained model has been backdoored?

In December 2024, the Ultralytics AI library was compromised when attackers injected malicious code after the code review process but before publication. Organizations with comprehensive dependency scanning still installed the compromised packages because their tools couldn't detect this type of manipulation.

The Scale of the Problem

IBM's research, based on 600 organizations globally, reveals how unprepared most enterprises are.

Shadow AI—employees using AI tools without IT approval—contributed to 20% of breaches and added $670,000 to average breach costs. Yet only 37% of organizations have policies to detect it. Among those with AI governance policies, just 34% conduct regular audits for unsanctioned AI usage.

13% of organizations reported breaches involving AI models or applications directly. Another 8% didn't know whether they'd been compromised this way—a blind spot arguably more concerning than confirmed breaches.

When AI-related incidents did occur, 60% resulted in data compromise and 31% caused operational disruption: halted sales processing, degraded customer service, supply chain interruptions.

The overall breach lifecycle has improved—241 days to identify and contain, a nine-year low driven largely by AI-powered security tools. But faster detection doesn't help when the AI systems themselves are what's being attacked.

"The future of AI depends on how well we secure it today," notes Suja Viswesan, IBM's Vice President of Security and Runtime Products. "Embedding security from the start is essential to protecting data, supporting compliance obligations, and building lasting trust."

The Cost of Waiting

Organizations extensively using AI in their security operations saved an average of $1.9 million in breach costs and reduced the breach lifecycle by 80 days, according to IBM's research. AI can help organizations defend better—but ungoverned AI systems are more likely to be breached and more costly when they are.

The regulatory environment isn't waiting. The EU AI Act, which took effect in 2025, imposes penalties up to €35 million or 7% of global revenue for serious violations. U.S. agencies issued 59 AI regulations in 2024—more than double the previous year. IBM found that 32% of breached organizations paid regulatory fines, with 48% of those fines exceeding $100,000.

What Organizations Need to Do

Waiting for framework updates isn't a strategy. The attacks are happening now.

Start with an AI-specific risk assessment. This should be separate from traditional security assessments. Most organizations can't inventory the AI systems actually running in their environment—that's the first blind spot to fix.

Implement AI-specific security controls even though frameworks don't require them yet. Prompt validation and monitoring that detects malicious semantic content, not just structured input patterns. Model integrity verification that validates model weights and detects poisoning. Adversarial robustness testing through red teaming focused specifically on AI attack vectors.

Address shadow AI directly. If only 37% of organizations have policies to detect unsanctioned AI usage, unauthorized AI is almost certainly running in most enterprise environments right now. Governance policies, approval workflows, and detection capabilities address the risk.

Update incident response plans. Current playbooks won't work when investigating prompt injection or model poisoning. Security teams need to understand how AI systems fail differently than traditional applications.

Build AI security expertise within existing security teams. The skills that made security professionals effective at securing networks, applications, and data remain valuable—but they're not sufficient for AI systems. This isn't about replacing expertise; it's about extending it to cover new attack surfaces.

For teams looking to formalize this knowledge, AAISM online bootcamp programs have emerged specifically to address this gap, providing structured training on AI-specific attack vectors, governance frameworks, and security controls.

The Path Forward

Traditional security frameworks aren't wrong—they're incomplete. The 97% statistic from IBM's research isn't about organizations that ignored security. It's about organizations that followed the playbook they had. That playbook wasn't written for AI.

Organizations treating AI security as an extension of their existing programs—implementing controls based on actual risk rather than waiting for framework mandates—will be positioned to defend effectively. Those waiting for explicit requirements will respond to incidents rather than prevent them.

The threat landscape has changed. Security programs need to change with it.

0 comments
4 views

Permalink

https://community.ibm.com/community/user/blogs/filip-piletic/2026/01/29/passing-audits-wont-protect-you-from-ai-attacks