Artificial intelligence is quickly becoming a core layer of enterprise infrastructure, yet its security posture is far behind its adoption curve. According to the AI and Adversarial Testing Benchmark Report 2026 by Pentera, most Chief Information Security Officers (CISOs) are trying to protect AI systems with legacy tools and methods that were never designed for AI‑driven environments.
Limited Visibility into Enterprise AI Usage
Modern AI solutions almost never operate in isolation. They are tightly integrated with cloud platforms, identity and access management (IAM), business applications, data pipelines, and analytics stacks. Ownership is split across engineering, data, operations, and security teams, which quickly erodes centralized oversight.
In Pentera’s survey of 300 CISOs and senior cybersecurity leaders in the United States, 67% admitted they have only limited visibility into how AI is actually used in their organization. Not a single respondent reported full transparency. Nearly all acknowledged the presence of “shadow AI” — unapproved or weakly governed use of AI tools by business units.
Without a reliable inventory of AI assets, risk management becomes guesswork. Fundamental questions remain unanswered: which accounts and tokens AI services use, what data they can access, how they behave when controls fail, and who owns updates and monitoring. Formal AI security policies may exist on paper, but large portions of real‑world AI usage remain outside their scope.
Skills Gap, Not Budget, Is the Main AI Security Constraint
Despite strong board‑level interest, budget is not the primary barrier to AI security. Only 17% of CISOs cited insufficient funding as their main challenge. Far more frequently, leaders pointed to a lack of skilled professionals and mature, AI‑specific risk assessment methodologies.
AI introduces new behaviors and attack surfaces that do not fit neatly into traditional security models. Key challenges include:
- autonomous decision‑making and execution of actions on behalf of users or services;
- indirect data access via complex integration chains, plugins, and tools;
- high‑privilege interactions, such as LLM agents with access to source code and internal repositories;
- AI‑specific threats like data poisoning, model theft (model exfiltration), and prompt injection attacks.
Many organizations are only starting to embed AI security into the software development lifecycle (SDLC): architecture reviews focused on AI, AI red teaming, and systematic adversarial testing. Frameworks such as the NIST AI Risk Management Framework (AI RMF) and emerging standards like ISO/IEC 42001 offer guidance, but they are far from universally adopted.
Legacy Cybersecurity Tools Are Not Enough for AI Systems
In the absence of mature AI‑specific practices and products, enterprises largely attempt to secure AI with existing cybersecurity tooling. Pentera’s data shows that 75% of CISOs rely on legacy tools to protect AI systems — from endpoint detection and response (EDR) to web application firewalls, cloud security, and API protection platforms. Only 11% report having dedicated AI security solutions.
This pattern is typical in early phases of any technology shift: organizations extend existing controls before investing in specialized capabilities. However, tools designed for traditional systems rarely account for AI‑specific risks. For example, they often:
- miss logical vulnerabilities rooted in model behavior rather than code flaws;
- provide little to no detection of prompt injection, data exfiltration through model outputs, or jailbreak attempts;
- cannot effectively model chained attacks where AI acts as a “bridge” to other systems and sensitive data.
How AI Infrastructure Differs from Traditional IT
Traditional security focuses on components — hosts, networks, and applications. AI security must focus on model behavior in a live environment. The same AI application can be relatively safe when tightly restricted, yet highly dangerous when granted wide privileges and broad data access. Conventional tools rarely see this risk boundary.
External AI services add another layer of complexity. Public LLM APIs, SaaS AI platforms, and third‑party models shift parts of the risk to vendors. Without robust supply‑chain evaluation, contractual security guarantees, and clear data‑handling controls, organizations remain exposed to data leakage, model compromise, and vulnerabilities in upstream frameworks and libraries.
Practical Steps to Strengthen AI Security in the Enterprise
Pentera’s findings indicate that the core gap is not lack of interest, but lack of transparency, expertise, and specialized testing. To close this gap, organizations should prioritize the following measures:
- Create an AI asset inventory. Maintain an up‑to‑date registry of all AI models, services, and integrations, including third‑party tools and known cases of shadow AI.
- Assign clear ownership. Define product, technical, and security owners for each AI system, with explicit accountability for risk management.
- Enforce AI access control policies. Apply least‑privilege access for AI services, constrain data exposure, and set rules for using external AI platforms.
- Conduct adversarial testing of AI. Regularly test AI systems against prompt injection, data exfiltration, abuse of business logic, and bypass of safety controls.
- Upskill key teams. Train developers, data engineers, and security staff on AI‑specific threats, red‑teaming techniques, and relevant standards such as NIST AI RMF and ISO/IEC 42001.
As AI becomes the “nervous system” of digital business, treating AI security as an afterthought is no longer viable. Organizations that move beyond repurposed legacy tools and invest in visibility, expertise, and adversarial testing will not only reduce cyber risk, but also gain a strategic advantage — the ability to deploy new AI‑driven capabilities faster, with greater confidence, and under demonstrably stronger security controls.
