Six Immediate AI Security Gaps for CISOs to Address

Key Takeaways
  • AI security and governance are a must-have for any organization using AI tools.
  • AI security includes protecting AI tools and outputs as well as safeguarding the data and systems AI interacts with.
  • Six critical AI security areas leaders must address are shadow AI, prompt injection and adversarial manipulation, sensitive data leakage, agentic AI, training data poisoning and AI supply chain attacks, and governance and ownership.

Technology has always evolved faster than people adapt to it, and AI, and with it AI security, is the sharpest example yet. We’ve gone from AI pilots and experimentation to AI being embedded at the core of business operations. It’s a lot for teams to keep up with, but it has also delivered measurable business value to leaders. Unfortunately, it has also significantly expanded the attack surface that must be defended.

CISOs have been reporting concerns about AI use within their organizations: nearly 40% said they lacked AI governance, and 49% expected security incidents from shadow AI use.[1] Where agentic AI is in use, 37% named securing AI agents as the priority.[2] The industry consensus is clear: AI security is a requirement for every team that deploys AI.

AI Security Is Different from Everything That Came Before

Cybersecurity veterans built security protocols around a predictable notion: the system does what it was programmed to do, so we can define standards that protect it. For example, a firewall blocks or allows traffic, and a database returns or rejects queries based on specific rules.

AI doesn’t work that way. A large language model (LLM) is not a program in the classical sense with simple “if A, then B” outputs that can be secured with traditional approaches. It’s a probabilistic system whose behavior is shaped by training data, fine-tuning, prompting, and access to other tools, and it can be manipulated. AI systems drift and hallucinate, and AI agents are set up to make real-world decisions without human approval. So it’s no surprise that security controls designed for traditional applications don’t work well for AI.

The Six AI Pitfalls

There are six AI security gaps that you can address today to tighten your AI security processes.

  1. Shadow AI has become one of the most common organizational security exposures. Employees and development teams routinely deploy AI tools, use personal LLM accounts with company data, and integrate third-party models without authorization or security review. The adage that you can’t govern what you can’t see applies here: security teams are often blind to which AI systems are running, what data users access, and who owns the tools. A practical first step is AI asset discovery.
  2. Prompt injection and adversarial manipulation represent the most immediate technical threat. A malicious instruction embedded in a document, email, web page, or API response can override an AI system’s intended behavior entirely. Unlike traditional attacks, prompt injection requires no special tooling and leaves few fingerprints for conventional detection systems to uncover. Academic research shows that jailbreaking publicly released LLMs is easier than teams assume.[3]
  3. Sensitive data leakage is among the most common compliance risks. Check Point’s 2025 research found that one in every 80 GenAI prompts poses a high risk of sensitive data exposure, and that roughly 7.5% of all prompts contain potentially sensitive information.[4] Employees may upload Personally Identifiable Information (PII), intellectual property, financial records, and source code into external models without realizing the data can be retained, used for training, or intercepted. More often than not, the legal exposure under the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and emerging AI-specific regulations is significant and largely uninsured.
  4. Agentic AI and unchecked real-world actions represent the newest and most dangerous category. Unlike copilots that assist, agents execute: they browse the web, write and run code, send communications, and modify databases without human approval. That is what they are built to do, yet a single compromised or misbehaving agent can exfiltrate data, trigger downstream failures, or cause operational damage at a speed that outpaces any manual response. An analysis of 2025 AI incidents by ISACA (a global organization of 185,000 members working in digital trust fields such as information security, governance, assurance, risk, privacy, and quality) confirmed that threat actors have already used AI to autonomously gather intelligence on targets and generate code to exploit vulnerabilities.[5]
  5. Training data poisoning and AI data supply chain attacks are difficult threats to detect and remediate. An attacker doesn’t need to breach your infrastructure or rewrite your codebase; they only need to corrupt a fraction of an LLM’s training data. According to one study, by poisoning as few as 250 pages, bad actors can exploit standard AI training pipelines and plant a persistent, hidden vulnerability for later use.[6] In 2024, a Russian disinformation network generated 3.6 million articles that manipulated AI chatbot responses roughly 33% of the time.[7]
  6. Governance gaps and unclear ownership allow these risks to persist at scale. The ISACA review cited above found a consistent pattern: the AI security failures were organizational, involving weak controls, unclear ownership, and overreliance on systems that were never designed to be trusted unconditionally.[8]

Act to Protect Your Business and Your Reputation

The World Economic Forum’s 2025 AI and Cybersecurity report frames the stakes plainly: AI system compromise can have serious business impacts, and organizations that fail to adjust their approach to AI adoption risk losing the ability to benefit from it at all.[9]

Regulatory accountability is now a given. The EU AI Act, evolving National Institute of Standards and Technology (NIST) guidance, and US state-level AI liability frameworks all mandate assigned accountability for AI-related failures.

CISOs should approach AI security as a cross-functional capability spanning discovery, technical controls, operational monitoring, and governance. The window to act and defend effectively is closing. Address these six AI security gaps today to strengthen visibility and data protection and maintain business continuity.

FAQs
Q: What is AI security?
A: AI security covers the AI tools themselves, which means making sure that the models aren’t manipulated, poisoned, exploited, or used without authorization. It also includes securing everything that AI touches: the data it ingests, the systems it connects to, and the outputs it produces.
Q: How do I let my team use generative AI without taking unnecessary risks?
A: Guardrails are a good first step. Define what data is off-limits (for example, proprietary data, Personally Identifiable Information (PII), financials, and source code containing IP). Then approve a list of vetted tools and block any that aren’t approved.
Q: Who takes responsibility when AI is wrong?
A: Today, the organization using the AI. AI vendors disclaim liability in their terms of service, which means that the individual or team deploying and using the AI tool owns the consequences, whether from poor decisions, compliance violations, or harm from leaked data. That is slowly changing as national and local regulations are set. Common best practice is to keep a human in the decision chain for all critical business and data output.
Q: Why do breaches happen if all security tools are working properly?
A: Tools are often scoped individually. Each one does its job in a vacuum, but the overall security outcome is so dispersed across all of them that no one has clear ownership. Gaps open as incidents move between tools from detection to decision to enforcement. When there are delays or loose handoffs, attackers find plenty of opportunities.
Q: How can teams identify their hidden risks?
A: Cross-system workflows need to be assessed carefully. Confirming that individual tools are effective is critical, but you also need to understand the entire incident lifecycle—especially as multiple teams become involved. You have a potential issue when you can’t find a clear answer to the question, “Who confirms when this is totally resolved?”
Q: How can organizations reduce risk without overhauling the entire security stack?
A: Clearly defined ownership of critical workflows is essential. One person should be accountable for closure. Staff members also need a shared definition of what “done” actually means. Consistent real-world testing—rather than relying on dashboards alone—can help ensure teams stay on top of new risks and create effective plans to address them.
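One way to turn the guardrail described in the FAQ above (define off-limits data categories, then allow only vetted tools) into an enforceable prompt pre-filter. This is an added example, not code from the original post; the hostnames, detection patterns and the sample prompt log are constructed for illustration, and the patterns are deliberately simple stand-ins for a real DLP engine.

```python
import re
from dataclasses import dataclass, field

# Constructed allowlist of vetted AI endpoints (hypothetical hostnames, not real services).
APPROVED_AI_HOSTS = {"ai.approved-vendor.example", "llm.internal.example"}

# Off-limits categories from the guardrail: PII, financial data, source code and secrets.
# Deliberately simple regexes; a production DLP engine would use validated detectors.
OFF_LIMITS_PATTERNS = {
    "pii_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "pii_email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "financial_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "source_code": re.compile(r"(?:^|\n)\s*(?:def |class |import |#include|function\s+\w+\s*\()"),
    "secret": re.compile(r"\b(?:api[_-]?key|secret|password)\s*[:=]\s*\S+", re.IGNORECASE),
}

@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)

def check_prompt(destination_host: str, prompt: str) -> Verdict:
    """Block a prompt if it targets an unapproved tool or contains off-limits data."""
    reasons = []
    if destination_host not in APPROVED_AI_HOSTS:
        reasons.append(f"unapproved_tool:{destination_host}")
    for name, pattern in OFF_LIMITS_PATTERNS.items():
        if pattern.search(prompt):
            reasons.append(name)
    return Verdict(allowed=not reasons, reasons=reasons)

def risky_prompt_share(prompt_log) -> float:
    """Fraction of logged (host, prompt) pairs the guardrail would block."""
    if not prompt_log:
        return 0.0
    blocked = sum(1 for host, prompt in prompt_log if not check_prompt(host, prompt).allowed)
    return blocked / len(prompt_log)

# Constructed sample of outbound prompts, as an egress proxy would see them.
SAMPLE_LOG = [
    ("ai.approved-vendor.example", "Summarize this meeting agenda for Q3 planning."),
    ("ai.approved-vendor.example", "Draft a reply to jane.doe@corp.example about her invoice."),
    ("chat.personal-llm.example", "Rewrite this onboarding note: employee SSN 123-45-6789."),
    ("llm.internal.example", "Fix this function:\ndef transfer(amount):\n    return amount * 2"),
]

if __name__ == "__main__":
    for host, prompt in SAMPLE_LOG:
        print(host, check_prompt(host, prompt))
    print(f"blocked share: {risky_prompt_share(SAMPLE_LOG):.0%}")
```

The share reported over a real prompt log is the organization's own version of the "one in 80" figure cited above, and is the number to track as guardrails and tool allowlists mature.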

  1. Proofpoint, The State of AI Security 2025, May 2026
  2. Team8, AI, Risk, and the Road Ahead: Key Findings from the 2025 CISO Village Survey, Jul 17, 2025
  3. Andy Zou et al., Universal and Transferable Adversarial Attacks on Aligned Language Models, Cornell University, Dec 2023
  4. Check Point, AI Security Report 2025: Understanding threats and building smarter defenses, Apr 30, 2025
  5. Mary Carmichael, Avoiding AI Pitfalls in 2026: Lessons Learned from Top 2025 Incidents, ISACA, Dec 15, 2025
  6. Anthropic, A small number of samples can poison LLMs of any size, Oct 9, 2025
  7. Check Point, AI Security Report 2025: Understanding threats and building smarter defenses, Apr 30, 2025
  8. Mary Carmichael, Avoiding AI Pitfalls in 2026: Lessons Learned from Top 2025 Incidents, ISACA, Dec 15, 2025
  9. World Economic Forum, Artificial Intelligence and Cybersecurity: Balancing Risks and Rewards, Jan 2025