In 2024, leaked secrets tied to artificial intelligence systems surged to 23.77 million, a 25% increase over the previous year, highlighting a critical security gap. Incidents involving the popular Ultralytics AI library, malicious Nx packages, and compromised ChatGPT functionality reveal a common thread: organizations with robust traditional security programs still fell victim. Their existing security frameworks, while effective for legacy systems, were simply not equipped to handle the novel threats posed by rapidly evolving AI technologies.
These breaches underscore a fundamental disconnect. Major security frameworks like NIST Cybersecurity Framework, ISO 27001, and CIS Controls, developed for a pre-AI era, lack specific guidance on AI attack vectors. While comprehensive for traditional IT environments, they fail to address the unique attack surfaces and vulnerabilities inherent in AI systems. This gap is prompting a critical re-evaluation of cybersecurity strategies, with a growing demand for specialized AI security expertise.
Where Traditional Frameworks Stop and AI Threats Begin
The foundational principles of established security frameworks, including NIST CSF 2.0 and ISO 27001:2022, were designed to protect against threats prevalent before the widespread adoption of AI. While NIST CSF 2.0 focuses on asset protection and ISO 27001 offers broad information security, neither provides detailed guidance on AI-specific risks. Similarly, CIS Controls v8 excels in endpoint and access security but remains silent on emergent AI attack methods.
Rob Witcher, co-founder of cybersecurity training company Destination Certification, observed, “Security professionals are facing a threat landscape that’s evolved faster than the frameworks designed to protect against it. The controls organizations rely on weren’t built with AI-specific attack vectors in mind.” This sentiment points to a pressing need for security training and certifications that directly address these new challenges.
Consider fundamental security concepts like access control. While these are universally addressed in security frameworks, they do not encompass prompt injection attacks. This technique manipulates AI behavior through natural language inputs, bypassing traditional authentication mechanisms entirely. Similarly, system and information integrity controls, designed to detect malware and prevent unauthorized code execution, are ill-equipped for model poisoning. In these scenarios, attackers corrupt training data during an authorized process, teaching AI systems malicious behaviors without ever breaching system defenses.
Understanding AI-Specific Vulnerabilities
- Prompt Injection: Unlike traditional input validation that targets syntactic patterns (e.g., SQL injection, cross-site scripting), prompt injection exploits semantic understanding. Attackers use natural language to trick AI models into executing unintended actions, such as revealing sensitive information, by instructing the AI to “ignore previous instructions.” Existing controls that look for special characters or known attack signatures are ineffective against this method.
- Model Poisoning: This attack vector infiltrates AI systems through compromised or maliciously contributed training data. Security frameworks often focus on detecting unauthorized system modifications, but model poisoning occurs within a legitimate training workflow. The AI learns malicious behaviors implicitly, making it difficult for traditional integrity controls to identify the security violation.
- AI Supply Chain Risks: Traditional supply chain risk management assesses third-party software and vendor security. However, AI supply chains involve more complex components like pre-trained models, datasets, and machine learning frameworks. Frameworks lack guidance on verifying the integrity of model weights, detecting backdoored models, or assessing poisoned training datasets.
When Compliance Doesn’t Equal Security
The consequences of this security framework gap are not theoretical; they are evident in recent breaches. The December 2024 compromise of the Ultralytics AI library occurred not through a system vulnerability but by injecting malicious code into the build environment *after* code review. Existing software supply chain controls, including dependency scanning and Software Bill of Materials (SBOM) analysis, failed to detect the manipulation because the AI development pipeline itself sat outside the scope of those controls.
In November 2024, ChatGPT vulnerabilities allowed attackers to extract user data by crafting malicious prompts. Organizations employing robust network security, endpoint protection, and access controls found these measures insufficient. The vulnerability resided in the AI’s natural language processing capabilities, not in the underlying infrastructure.
More recently, malicious Nx packages exploited AI assistants like Claude Code and Google Gemini CLI in August 2025. These tools are designed to execute code based on natural language commands. The attack weaponized this inherent functionality, demonstrating how AI development tools can be subverted in ways not anticipated by existing controls that primarily focus on preventing unauthorized code execution.
The Scale of the Exposure
IBM’s Cost of a Data Breach Report 2025 indicates that it takes an average of 349 days to identify and contain breaches. For AI-specific attacks, detection times may be even longer due to the lack of established indicators of compromise. Sysdig research highlights a 500% surge in cloud workloads containing AI/ML packages in 2024, vastly expanding the attack surface faster than defensive capabilities can evolve.
Organizations are increasingly deploying AI across various functions, from customer service chatbots to code assistants and data analysis. Many security teams struggle to even inventory the AI systems in their environments, let alone apply the necessary AI-specific security controls that frameworks do not yet mandate.
What Organizations Need Beyond Compliance
To address this escalating threat, organizations must move beyond mere compliance. Waiting for security frameworks to update is not a viable strategy, as AI-specific attacks are occurring now. New technical capabilities are essential, including advanced prompt validation and monitoring to detect malicious semantic content in natural language, and model integrity verification to detect poisoning. Adversarial robustness testing, specifically tailored for AI attack vectors, is also crucial.
The current focus of Data Loss Prevention (DLP) on structured data is insufficient for AI systems. Semantic DLP capabilities are needed to identify sensitive information embedded within unstructured conversations. For instance, when an employee asks an AI to summarize a document containing confidential plans, traditional DLP tools, which inspect structured fields rather than free text, often miss the exposure.
AI supply chain security requires capabilities beyond vendor assessments. Organizations need methods to validate pre-trained models and detect compromised datasets, areas not covered by existing NIST SP 800-53 controls.
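The supply chain item in the vulnerability list and the two paragraphs above all ask for the same capability: a way to verify the integrity of model weights and datasets that does not depend on a vendor assessment. One concrete form of that capability is an artifact manifest check. The following is an added example written for this article, not code from any project on the page. It pins the SHA-256 of each model and dataset file in a manifest, re-verifies the tree before use, reports files that were added outside the manifest, and classifies each file by its bytes rather than its extension so that pickle-based serialization (which runs code on load, and which PyTorch `.pt` archives wrap inside a zip) is flagged unless explicitly allowed. The safetensors layout it parses is the real one (an 8-byte little-endian header length followed by a JSON header); the sample files, the manifest and the "poisoned row" are constructed for the demonstration.

```python
import hashlib
import json
import pickle
import struct
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so multi-gigabyte weight files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_format(path: Path) -> str:
    """Heuristic classification by content, not extension. 'pickle' and 'zip'
    (the PyTorch .pt/.pth container) are formats whose loaders execute code."""
    with path.open("rb") as f:
        head = f.read(8)
    if len(head) >= 2 and head[0] == 0x80 and 2 <= head[1] <= 5:
        return "pickle"          # PROTO opcode of pickle protocol 2-5
    if head.startswith(b"PK\x03\x04"):
        return "zip"
    if len(head) == 8:
        (hdr_len,) = struct.unpack("<Q", head)
        if 0 < hdr_len <= path.stat().st_size - 8:
            with path.open("rb") as f:
                f.seek(8)
                try:
                    if isinstance(json.loads(f.read(hdr_len)), dict):
                        return "safetensors"
                except (UnicodeDecodeError, json.JSONDecodeError):
                    pass
    return "other"


def verify_artifacts(root: Path, manifest: dict[str, str],
                     allow_code_formats: bool = False) -> list[dict[str, str]]:
    """Compare every manifest entry against the tree on disk and report anything
    the manifest never listed. Statuses: ok, hash_mismatch, unsafe_format,
    missing, unlisted."""
    findings: list[dict[str, str]] = []
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            findings.append({"path": rel, "status": "missing"})
            continue
        fmt = classify_format(p)
        if sha256_file(p) != expected:
            status = "hash_mismatch"
        elif fmt in ("pickle", "zip") and not allow_code_formats:
            status = "unsafe_format"
        else:
            status = "ok"
        findings.append({"path": rel, "status": status, "format": fmt})
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in manifest:
            findings.append({"path": rel, "status": "unlisted"})
    return findings


def build_sample_tree(root: Path) -> dict[str, str]:
    """Constructed artifacts: a minimal safetensors file, a pickled checkpoint and a
    tiny dataset, with a manifest pinned at the moment they were reviewed."""
    header = json.dumps({"w": {"dtype": "F32", "shape": [2], "data_offsets": [0, 8]}}).encode()
    (root / "model.safetensors").write_bytes(struct.pack("<Q", len(header)) + header + b"\x00" * 8)
    (root / "legacy.pkl").write_bytes(pickle.dumps({"w": [1.0, 2.0]}))
    (root / "train.csv").write_text("text,label\nhello,0\n")
    return {name: sha256_file(root / name)
            for name in ("model.safetensors", "legacy.pkl", "train.csv")}


def run_demo() -> dict[str, str]:
    """Pin a manifest, then simulate two post-review events and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        manifest = build_sample_tree(root)
        with (root / "train.csv").open("a") as f:
            f.write("buy now,0\n")                 # constructed: a row added after review
        (root / "extra.bin").write_bytes(b"\x00")  # constructed: file the manifest never listed
        return {f["path"]: f["status"] for f in verify_artifacts(root, manifest)}


if __name__ == "__main__":
    for path, status in run_demo().items():
        print(f"{status:14} {path}")
```

Run against a real artifact directory, the manifest would be produced at review time and stored with the same protections as the SBOM; the check then runs in the pipeline stage that loads the model, which is exactly the stage the article notes traditional supply chain controls do not reach. The format classification is a heuristic and will not catch every code-executing container, so the allowlist flag should stay off unless a specific legacy artifact has been reviewed.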
The Knowledge and Regulatory Challenge
Building AI security expertise within existing security teams is paramount. The skills acquired for securing traditional systems are valuable but insufficient for AI. Expanding that expertise, rather than replacing it, is key to effective defense.
Regulatory pressure is also increasing. The EU AI Act, effective in 2025, imposes significant penalties for violations. While NIST’s AI Risk Management Framework offers guidance, it’s not yet integrated into primary organizational security frameworks. Organizations that delay adopting AI-specific security measures risk facing breaches rather than preventing them.
Practical steps are critical. Organizations should conduct AI-specific risk assessments, inventory their AI systems, and implement AI security controls proactively. Updating incident response plans to include AI-specific scenarios, such as prompt injection or model poisoning, is essential, as current playbooks may not be effective.
The proactive window for addressing AI security is closing. Traditional security frameworks are not flawed, but they are incomplete with respect to AI threats. Organizations that fully adhered to NIST CSF, ISO 27001, and CIS Controls in 2024 and 2025 still experienced breaches because these frameworks do not cover AI-specific attack vectors. Compliance has not translated to comprehensive protection.
Security teams must close this gap immediately. This includes implementing AI-specific controls, fostering specialized knowledge within teams, and advocating for updated industry standards. The threat landscape has fundamentally shifted, requiring security approaches to evolve beyond the anticipated scope of current frameworks. Organizations that integrate AI security into their existing programs will succeed, while those waiting for explicit framework mandates risk becoming victims of future breaches.