The three new attack surfaces AI creates

Every CISO understands the traditional attack surface: networks, endpoints, applications, people. AI adds three new attack surfaces that most security programs have not systematically addressed, and that traditional security controls are not designed to detect or prevent.

The training data pipeline is the first. AI models learn from data — and that data can be poisoned. Data poisoning attacks introduce malicious data into the training pipeline to manipulate the model's behaviour in ways that are difficult to detect after the fact. A credit model trained on poisoned data might systematically approve fraudulent applications. A fraud detection model might systematically miss a specific type of fraud. These attacks require security controls at the data collection, processing, and ingestion stages — controls that most data pipelines do not have.
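One shape such a control can take, as an added example that is not code from the article: an ingestion-stage gate that only admits records from an allowlisted source, rejects malformed records, and holds any batch whose label mix drifts from a vetted baseline, which is one of the cheap signals that poisoned records have entered the pipeline. The source names, thresholds and sample batches are constructed assumptions for a hypothetical credit-risk model.

```python
# Added example, not code from the article: an ingestion-stage gate for a
# training-data pipeline. It enforces a source allowlist, rejects malformed
# records, and holds any batch whose label mix drifts from a vetted baseline.
# Source names, thresholds and the sample records are constructed assumptions.
from collections import Counter

# Hypothetical allowlist of upstream sources approved for a credit-risk model.
APPROVED_SOURCES = {"core-banking-export", "bureau-feed"}

# Label shares measured on a vetted baseline dataset (assumed values).
BASELINE_LABEL_SHARE = {"approve": 0.70, "decline": 0.30}

# Largest tolerated absolute shift in any label's share before a batch is held.
MAX_LABEL_SHIFT = 0.10


def validate_record(rec):
    """Return None if the record may enter the pipeline, else a rejection reason."""
    if rec.get("source") not in APPROVED_SOURCES:
        return "unapproved source"
    if rec.get("label") not in BASELINE_LABEL_SHARE:
        return "unknown label"
    income = rec.get("income")
    if not isinstance(income, (int, float)) or income < 0:
        return "invalid income"
    return None


def label_shift(records):
    """Largest absolute difference between the batch's and the baseline's label shares."""
    counts = Counter(r["label"] for r in records)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return max(abs(counts[label] / total - share)
               for label, share in BASELINE_LABEL_SHARE.items())


def gate_batch(records):
    """Filter a batch record by record, then decide whether what survives may be
    used for training or must be held for human review."""
    accepted, rejected = [], []
    for rec in records:
        reason = validate_record(rec)
        if reason is None:
            accepted.append(rec)
        else:
            rejected.append({"record": rec, "reason": reason})
    shift = label_shift(accepted)
    return {
        "accepted": accepted,
        "rejected": rejected,
        "label_shift": round(shift, 3),
        "decision": "hold" if shift > MAX_LABEL_SHIFT else "proceed",
    }


def make_records(n, source, label, income=50_000):
    """Build n constructed sample records."""
    return [{"source": source, "label": label, "income": income} for _ in range(n)]


# Constructed batches: one that matches the baseline, and one that mixes in
# records from an unapproved source and skews the label mix towards "approve".
CLEAN_BATCH = (make_records(7, "core-banking-export", "approve")
               + make_records(3, "bureau-feed", "decline"))
SUSPECT_BATCH = (make_records(8, "core-banking-export", "approve")
                 + make_records(2, "partner-upload", "approve"))

if __name__ == "__main__":
    for name, batch in (("clean", CLEAN_BATCH), ("suspect", SUSPECT_BATCH)):
        result = gate_batch(batch)
        print(name, result["decision"], "shift=", result["label_shift"],
              "rejected=", len(result["rejected"]))
```

The label-share check is deliberately simple; in a real pipeline it would sit beside per-source provenance checks and feature-level drift statistics, and a "hold" decision would route the batch to review rather than silently dropping it, so that a poisoning attempt leaves an auditable trace.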

The model itself is the second attack surface. Models can be stolen, inverted, or extracted: by querying a model repeatedly, an attacker can reconstruct a functional copy of it (model extraction) or recover sensitive information about the data it was trained on (model inversion). For organisations that have trained models on sensitive customer data, model extraction and inversion represent a data breach that bypasses traditional data security controls entirely. The model can also be manipulated through prompt injection in generative AI systems — inputs designed to override the model's instructions and make it behave in unintended ways.
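Because extraction and inversion both depend on a large volume of systematically varied queries, the model's query log is where a defender can see them. The following added example, not code from the article, runs simple detection logic over a constructed inference-API log: per client it measures the peak number of successful queries in any one-hour window and the share of distinct inputs, and flags clients that are both high-volume and almost never repeat an input. The log format, client names and thresholds are assumptions.

```python
# Added example, not code from the article: extraction-pattern detection over a
# constructed inference-API log. Log format, thresholds and clients are assumed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log line format for a hypothetical model-scoring API.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) client=(?P<client>\S+) "
    r"status=(?P<status>\d{3}) input_hash=(?P<input_hash>[0-9a-f]+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "client": m["client"],
        "status": int(m["status"]),
        "input_hash": m["input_hash"],
    }


def peak_window_count(timestamps, window):
    """Largest number of events that fall inside any sliding window of the given length."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def extraction_signals(lines, window=timedelta(hours=1),
                       max_queries=100, min_unique_ratio=0.9):
    """Per client: query volume, peak rate, share of distinct inputs, and a flag
    set when the client is both high-volume and almost never repeats an input.
    Repeated inputs are typical of real applications (the same customer scored
    again); a sweep of distinct inputs is typical of extraction and inversion."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 200:   # only answered queries leak model behaviour
            per_client[rec["client"]].append(rec)
    report = {}
    for client, recs in per_client.items():
        peak = peak_window_count([r["ts"] for r in recs], window)
        unique_ratio = len({r["input_hash"] for r in recs}) / len(recs)
        report[client] = {
            "total": len(recs),
            "peak_per_window": peak,
            "unique_ratio": round(unique_ratio, 2),
            "flag": peak > max_queries and unique_ratio >= min_unique_ratio,
        }
    return report


def make_lines(client, n, seconds_apart, distinct_inputs):
    """Generate n constructed log lines for one client, cycling over a fixed
    number of distinct input hashes."""
    base = datetime(2024, 10, 17, 10, 0, 0)
    return [
        f"{(base + timedelta(seconds=i * seconds_apart)).strftime('%Y-%m-%dT%H:%M:%SZ')} "
        f"client={client} status=200 input_hash={(i % distinct_inputs):04x}"
        for i in range(n)
    ]


# Constructed sample: a normal app, a legitimate high-volume job that re-scores
# the same few inputs, and a client sweeping many distinct inputs at high rate.
SAMPLE_LOG = (make_lines("mobile-app", 30, 240, 10)
              + make_lines("batch-rescore", 120, 20, 5)
              + make_lines("unknown-script", 150, 8, 150))

if __name__ == "__main__":
    for client, stats in extraction_signals(SAMPLE_LOG).items():
        print(client, stats)
```

The unique-input ratio is what keeps the legitimate batch job below the line even though it exceeds the raw rate limit; a pure rate limit would either block it or be set so high that a patient attacker stays under it. In production these signals belong in the API gateway or SIEM, with the raw inputs retained long enough to investigate a flag.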

The AI inference infrastructure — the systems that run AI models in production — is the third. This includes the GPUs, APIs, and orchestration infrastructure that AI systems depend on. Compromise of this infrastructure can allow an attacker to manipulate AI outputs in real time without attacking the model or training data directly.
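One control that belongs on the inference side is an integrity check on the model artifact before it is served, so that weights swapped on disk or in a registry are refused rather than loaded. The following added example, not code from the article, signs a manifest (model id, version, SHA-256 of the weights file) with an HMAC and verifies both the manifest and the file at load time; the key, model name, version and the byte string standing in for the weights are constructed.

```python
# Added example, not code from the article: verify a model artifact against a
# signed manifest before serving it. Key, model id, version and the stand-in
# weights are constructed; a real deployment would use a KMS-held signing key.
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large weight files do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(path, key, model_id, version):
    """Produce a manifest for the artifact at `path`, authenticated with HMAC-SHA256.
    Done once, at model release time, by the party that owns the signing key."""
    payload = json.dumps(
        {"model_id": model_id, "version": version, "sha256": sha256_file(path)},
        sort_keys=True,
    ).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


def verify_artifact(path, manifest, key):
    """Check the manifest's tag first, then the file's hash against the manifest.
    Returns (ok, message); the caller refuses to serve the model unless ok is True."""
    expected = hmac.new(key, manifest["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False, "manifest signature mismatch"
    meta = json.loads(manifest["payload"])
    if not hmac.compare_digest(sha256_file(path), meta["sha256"]):
        return False, "weights hash mismatch"
    return True, f"verified {meta['model_id']} {meta['version']}"


def demo():
    """Run the check on a clean artifact, a tampered artifact, and a forged manifest."""
    key = b"constructed-demo-key-not-for-real-use"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "model.bin")
        with open(path, "wb") as f:
            f.write(b"\x00" * 1024)          # constructed stand-in for model weights
        manifest = build_manifest(path, key, "fraud-scorer", "1.4.2")
        clean = verify_artifact(path, manifest, key)

        with open(path, "r+b") as f:         # flip one byte in the weights
            f.seek(512)
            f.write(b"\xff")
        tampered = verify_artifact(path, manifest, key)

        # An attacker who edits the manifest without the key cannot re-sign it.
        forged = dict(manifest, payload=manifest["payload"].replace("1.4.2", "1.4.3"))
        forged_result = verify_artifact(path, forged, key)
    return clean, tampered, forged_result


if __name__ == "__main__":
    for result in demo():
        print(result)
```

HMAC is used here to keep the example dependency-free, but it means the serving host holds the same key the release process signs with, so a compromised inference host could re-sign its own tampered weights. For that reason a production check would verify an asymmetric signature (the host holds only the public key) and would be paired with the same kind of integrity checks on the serving code and containers themselves.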

NIS 2 and AI: the cybersecurity compliance dimension

The NIS 2 Directive, effective across the EU from October 2024, creates significant cybersecurity obligations for essential and important entities — and their supply chains. If your organisation operates in a critical sector (energy, transport, banking, financial market infrastructure, healthcare, digital infrastructure), and uses AI systems in those operations, NIS 2 cybersecurity obligations apply to those AI systems and their vendors. This is not a future development — it is current law with enforcement teeth: fines up to €10 million or 2% of global turnover for essential entities.