AI & Security Landscape Articles

An agent's run is a graph of model calls, tool invocations, and decisions. Observability that maps cleanly to that graph is the difference between debugging and guessing.

SynthID, the Aaronson scheme, and lexical watermarks embed signatures in model output. Detection works statistically. None survives heavy editing — useful but bounded.

Manual red-teaming finds gaps once. Continuous pipelines find regressions every model upgrade. The infrastructure exists; most teams haven't wired it up.

ML inference leaks training data through membership inference, model inversion, and embedding attacks. Differential privacy, TEE-based inference, and output filtering bound the leakage.

Synthetic media is now indistinguishable from camera output. Content Credentials are the practical defense — signed manifests embedded in the file itself.

MCP servers expose tool surfaces to LLM agents. The auth model decides what an agent can do — and most deployments leave it underspecified.

Provider-side prompt caching speeds up applications by 30-90% — and introduces a new attack surface with timing side-channels and poisoning vectors.

Agents with long-term memory survive across sessions. Anything poisoned into that memory persists. A one-shot prompt injection becomes a permanent behavioural change.

A modern virus is not the same as a virus from five years ago. AI-generated payloads observe their environment, profile the host, detect sandboxes, adapt their persistence mechanism to the OS they land on, and modify their C2 communication to blend with normal traffic. Every instance is unique. This article covers how adaptive malware works and the defensive controls that defeat it.

If Anthropic's Mythos can find your vulnerabilities, so can every attacker with API access. The only rational response is to find them first. This article covers how to run systematic AI-powered security assessments across your code, infrastructure-as-code, and runtime configuration.

Generative AI has eliminated every traditional indicator of phishing: perfect grammar, personalised context, cloned executive voices, and real-time video deepfakes. This article covers the defensive controls that work when human judgement alone cannot distinguish real from fake.

Frontier AI models like Anthropic's Mythos find vulnerability classes that traditional scanners miss: logic flaws, implicit trust, hardcoded secrets, configuration drift. The defensive response is not faster patching. It is eliminating these classes before they are discovered.

Large language models memorise portions of their training data. Given the right prompt, a model will reproduce training examples verbatim, including..

Model extraction (model stealing) is an attack where an adversary queries a production ML API systematically to reconstruct a functionally equivalent...

AI agents are being deployed with production tool access: shell execution, kubectl, terraform apply, database queries, API calls.

AI governance in most organisations is a manual process. A model is trained, someone writes a document, a committee meets, approvals are collected...

AI systems introduce a supply chain attack surface that traditional software security does not cover. The three new vectors are.

The EU AI Act entered into force in August 2024, with enforcement timelines staggered through 2027.

MCP servers expose tools that agents invoke. Without fine-grained permissions, every connected agent can call every tool. This article covers least privilege patterns, per-client allowlists, human approval gates, audit logging, multi-tenant isolation, and capability tokens.

Static application security testing (SAST) tools find pattern-based vulnerabilities effectively. Semgrep matches code against rules.

AI agents operate at machine speed, generating 10-100x the audit data of human operators.

MCP supports three transport types: stdio, SSE, and HTTP. Each has distinct security characteristics. This article covers transport-level hardening for all three, including process isolation, TLS, mTLS, CORS, reverse proxy configuration, and rate limiting.

Kubernetes security scanners evaluate resources individually. Tools like kube-bench check node configurations against CIS benchmarks.

LLM jailbreaks are inputs that cause a model to ignore its system prompt, safety training, or usage policies.

AI agents generate infrastructure configurations, database migrations, deployment manifests, and shell commands. It passes a casual review.

The Model Context Protocol (MCP) gives AI agents structured access to tools: filesystem operations, database queries, API calls, shell commands.

Infrastructure-as-Code scanners like Checkov, tflint, and cfn-lint enforce policy through pattern matching.

LLM applications are vulnerable to prompt injection, system prompt leakage, and cross-user context contamination. This article covers system prompt hardening, input sanitisation, output filtering, and context isolation for multi-tenant deployments.

AI systems make decisions that affect people: who gets approved for a loan, whose resume gets shortlisted, which content gets flagged, whose...

AI models are no longer just tools that engineers use to write code. They are becoming direct infrastructure consumers:

Signature-based detection (WAF CRS rules, static Falco rules, antivirus signatures) matches "known bad." AI-generated attacks are polymorphic, every...

Embedding-based retrieval powers RAG pipelines, semantic search, recommendation systems, and classification.

AI models can now discover exploitable vulnerabilities in source code faster than human researchers.

Multi-agent systems are moving from research demos to production deployments. A coordinator agent delegates tasks to specialist agents: one handles...

Deploying LLMs in production introduces infrastructure security challenges: model integrity verification, GPU isolation, runtime sandboxing, API authentication, and safe model updates. This article covers the full inference deployment security stack.

Every security architecture is built on assumptions about what attackers can do, how fast they can do it, and at what scale.

Every production AI model has boundaries: input domains where it performs well, edge cases where it fails, and security properties that constrain how...

AI agents with write access to production systems can execute 100+ infrastructure changes per minute.

The gap between vulnerability disclosure and weaponised exploit used to be measured in weeks.

Membership inference attacks determine whether a specific data record was used to train a model.

AI agents execute tool calls on real infrastructure: writing files, running shell commands, making HTTP requests, modifying databases.

Traditional security scanners operate on pattern matching. They check for known CVEs in dependency trees, match regex patterns for hardcoded secrets,...

Manual security review of infrastructure-as-code takes 2-4 hours per pull request for complex changes.

AI agents need credentials to do useful work: database passwords, API keys, Kubernetes service account tokens, cloud IAM roles.

Traditional incident response assumes failures are binary: the service is up or it is down, the response is correct or it throws an error.

When a security alert fires at 2 AM, the on-call engineer faces an information overload problem.