AI Runtime Attacks: The New Security Crisis Enterprises Face

Enterprise security is losing ground to AI-enabled attacks at an alarming rate. The shift isn’t due to weak defenses, but a fundamental change in the threat model. Attackers now exploit runtime weaknesses where breakout times are measured in seconds, while traditional security struggles to keep pace. The speed of these attacks has increased dramatically as adversaries leverage AI to bypass conventional protections.

The Speed of Exploitation

CrowdStrike’s 2025 Global Threat Report highlights breakout times as fast as 51 seconds. Attackers move from initial access to lateral movement before most security teams even receive their first alert. A staggering 79% of detections are malware-free, with adversaries using hands-on keyboard techniques that bypass endpoint defenses entirely. This means traditional signature-based systems are increasingly ineffective against semantic attacks.

The Patching Paradox

The window between patch release and weaponization is collapsing. Field CISO Mike Riemer of Ivanti notes that threat actors reverse engineer patches within 72 hours. If an enterprise doesn’t patch within that timeframe, they remain vulnerable. Yet, most organizations take weeks or months to apply updates, often due to competing priorities. This creates a critical exposure window that attackers exploit.

Why Traditional Security Fails at Runtime

Traditional security relies on deterministic rules and static signatures, which are insufficient against the stochastic, semantic nature of AI-targeted attacks. Semantic attacks, such as prompt injections, are difficult to detect because they cloak malicious intent within seemingly benign language. Gartner research confirms this, stating that 89% of business technologists would bypass cybersecurity guidance to meet business objectives. Shadow AI isn’t a risk; it’s an inevitability.

Eleven Attack Vectors Bypassing Conventional Controls

The OWASP Top 10 for LLM Applications 2025 ranks prompt injection as the most critical vulnerability. However, this is just one of eleven attack vectors security leaders must address. Each requires understanding both the mechanics of the attack and the necessary defensive countermeasures.

1. Direct Prompt Injection : Models prioritize user commands over safety training, allowing jailbreaks to succeed in an average of 42 seconds, leaking sensitive data in 20% of cases.
2. Camouflage Attacks : Embedding malicious requests within benign conversations achieves a 65% success rate across eight models in just three turns.
3. Multi-Turn Crescendo Attacks : Distributing payloads across multiple turns bypasses single-request protections, achieving 98% success on GPT-4 and 100% on Gemini-Pro.
4. Indirect Prompt Injection (RAG Poisoning) : Injecting just five malicious texts into databases containing millions of documents results in a 90% attack success rate.
5. Obfuscation Attacks : Encoding malicious instructions using ASCII art or Unicode bypasses keyword filters, achieving up to 76.2% success across major LLMs.
6. Model Extraction : Reconstructing proprietary capabilities via API queries can extract 73% similarity from ChatGPT-3.5-Turbo for as little as $50 in API costs.
7. Resource Exhaustion (Sponge Attacks) : Exploiting Transformer attention complexity can degrade service, increasing latency by up to 6,000× in some cases.
8. Synthetic Identity Fraud : AI-generated personas evade traditional fraud models, accounting for 85-95% of synthetic applicants.
9. Deepfake-Enabled Fraud : AI-generated audio and video impersonate executives, resulting in losses of $25 million in single incidents, like the Arup case.
10. Data Exfiltration via Negligent Insiders : Employees leaking proprietary data into public LLMs will constitute 80% of unauthorized AI transactions by 2026.
11. Hallucination Exploitation : Counterfactual prompting forces models to amplify false outputs, which becomes dangerous when integrated into automated workflows.

The Path Forward: Five Deployment Priorities

The situation demands immediate action. Gartner predicts that 25% of enterprise breaches will trace to AI agent abuse by 2028. CISO Chris Betz of AWS emphasizes that companies often overlook the security of the application itself in their rush to deploy generative AI.

To close the gap, organizations must prioritize:

• Automate Patch Deployment : Implement autonomous patching tied to cloud management to address the 72-hour window.
• Deploy Normalization Layers First : Decode Base64, ASCII art, and Unicode before semantic analysis.
• Implement Stateful Context Tracking : Detect multi-turn attacks by tracking conversation history.
• Enforce RAG Instruction Hierarchy : Treat retrieved data as data only, preventing malicious code execution.
• Propagate Identity into Prompts : Inject user metadata for proper authorization context.

As Mike Riemer puts it, “Until I know what it is and I know who is on the other side of the keyboard, I’m not going to communicate with it.” This zero-trust approach is no longer a buzzword but an operational necessity.

The window to build defenses is closing. Microsoft went undetected for three years, and Samsung leaked code for weeks. The question isn’t whether to deploy inference security but whether organizations can close the gap before becoming the next cautionary tale.