
We’re all seeing it. AI is changing how we approach nearly every part of business. It’s taking meeting notes, spitting out action items, and building chatbots to handle the flood of internal questions. The potential benefits for busy teams and executives? Obvious.
Every week brings another AI-driven product, concept, or half-baked idea. Taco Bell’s using it for ordering. Delta’s using it to tweak flight pricing. Resume builders are gaming AI-powered HR tools. It’s officially the new tech gold rush, just like cloud computing was, only faster and louder.
And just like with the rush to cloud, we’re seeing the same rapid adoption and the same blind spots. Organizations are diving in without doing the due diligence to weigh risk versus reward.
Most conversations about LLMs stop at the surface: people pasting sensitive data into a prompt box. But that’s not the only danger. The real threat is a malicious prompt that tricks the model into leaking data from earlier sessions, quietly poisons the model’s memory, or has it fabricate information so convincingly that people act on it without question.
It’s not just about user error. It’s about manipulation, trust, and the very architecture of how these models reason. This isn’t a paste-from-clipboard problem. It’s a systems failure waiting to happen.
If that already sounds like a nightmare, buckle up, because we’ve already sailed past that stage.
Enter Agentic AI, which is a fancy way to say systems powered by language models that don’t just respond to prompts but make decisions and take actions. Think of them as digital employees: incredibly fast workers that can write and run code, send emails, access files, or kick off workflows, often without much oversight. The risk isn’t evolving. It’s erupting.
I won’t sugarcoat it: Agentic AI is a security nightmare. As I attended Black Hat and DEF CON this year, the message was loud and clear: every agent tested was vulnerable. ChatGPT, Copilot, Grok, Gemini, Salesforce… all of them failed the test. Same story, same flaw. There is simply too much trust in the user.
Soft guardrails, the built-in limits that politely “suggest” what an AI shouldn’t do, turned out to be worthless. All were bypassed with a clever prompt or two. Some attackers used base64 encoding to sneak content past filters. Others got even more ridiculous, using Morse code to smuggle in instructions like it was a 1940s spy movie. The point is, it worked.
These hacks didn’t stop at one-time access. In another example, an AI agent was manipulated to maintain persistence, sending updates to an attacker every time a Salesforce record was created or updated. That’s not just leakage. That’s exfiltration-as-a-feature.
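As an added illustration of what a hard guardrail looks like, and not code from the original post or from any of the vendors named above, here is a small Python policy gate that sits between an agent’s proposed tool call and its execution. Tools and recipient domains are allowlisted in code rather than suggested to the model, so a standing “send updates on every record change” hook is simply not a permitted action, and argument text is scanned for sensitive data only after base64 and Morse segments have been decoded, so the encodings that slipped past the soft guardrails described above do not slip past the scan. The tool names, domains, patterns and sample values are all constructed assumptions for this example.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Constructed allowlists for a hypothetical agent deployment. Anything not
# listed (a "register_webhook" tool, an unknown recipient domain) is denied
# by code, never by asking the model whether it should comply.
ALLOWED_TOOLS = {"search_crm", "draft_reply", "send_email"}
ALLOWED_RECIPIENT_DOMAINS = {"example.com"}

# Constructed patterns for data that must never appear in an outbound argument.
SENSITIVE_PATTERNS = [
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    re.compile(r"\b(?:api[_-]?key|secret)\s*[:=]\s*\S+", re.I),
]

# A constructed secret, base64-encoded the way the smuggling attempts were.
SAMPLE_ENCODED_ARG = base64.b64encode(b"api_key=abc123def456").decode()

_B64_CHUNK = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
_MORSE_CHUNK = re.compile(r"(?:[.\-]{1,6}(?: / | )){5,}[.\-]{1,6}")
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9", "-...-": "=", "---...": ":",
}


def normalize(text: str) -> str:
    """Return the text plus decoded views of any base64- or Morse-looking
    segments, so the policy scan sees the same content the model would."""
    views = [text]
    for m in _B64_CHUNK.finditer(text):
        try:
            views.append(base64.b64decode(m.group(0), validate=True).decode("utf-8"))
        except (binascii.Error, ValueError):
            continue  # not real base64, or not text: keep the raw view only
    for m in _MORSE_CHUNK.finditer(text):
        words = m.group(0).strip().split("/")
        views.append(" ".join(
            "".join(MORSE.get(sym, "?") for sym in word.split()) for word in words))
    return "\n".join(views)


@dataclass
class Decision:
    allowed: bool
    reason: str


def check_tool_call(tool: str, args: dict) -> Decision:
    """Deterministic gate between the model's proposed action and its execution.
    It never consults the model about whether the action is acceptable."""
    if tool not in ALLOWED_TOOLS:
        return Decision(False, f"tool {tool!r} is not in the allowlist")
    if tool == "send_email":
        recipient = str(args.get("to", ""))
        domain = recipient.rpartition("@")[2].lower()
        if "@" not in recipient or domain not in ALLOWED_RECIPIENT_DOMAINS:
            return Decision(False, f"recipient domain {domain!r} is not allowed")
    for name, value in args.items():
        if not isinstance(value, str):
            continue
        view = normalize(value)
        for pattern in SENSITIVE_PATTERNS:
            if pattern.search(view):
                return Decision(False, f"argument {name!r} matches {pattern.pattern!r}")
    return Decision(True, "ok")


if __name__ == "__main__":
    # Constructed sample calls: one benign, one persistence attempt, one encoded leak.
    for tool, args in [
        ("send_email", {"to": "alice@example.com", "body": "Meeting notes attached."}),
        ("register_webhook", {"url": "https://example.invalid/hook", "event": "record.updated"}),
        ("send_email", {"to": "alice@example.com", "body": SAMPLE_ENCODED_ARG}),
    ]:
        d = check_tool_call(tool, args)
        print(f"{tool:16s} {'ALLOW' if d.allowed else 'DENY ':5s} {d.reason}")
```

The design choice that matters is that nothing in this gate is phrased as an instruction to the model: the allowlists and patterns are enforced by ordinary code on the tool-call boundary, so a clever prompt can change what the agent proposes but not what the deployment permits. Decoding before scanning is a normalization step, not a complete defense; it closes the specific encoding tricks named above, and any new encoding would need its own decoder in `normalize`.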
Once attackers established that the line could be crossed, it was open season. Agents leaked source code, forwarded internal notes, and even executed unintended actions, all with minimal friction or refusal from the agent itself.
The worst part? These weren’t fluke attacks. In many cases, it took only minutes to break the system. And when an agent has memory, any malicious input can become permanent. There’s no rollback, no patch. Just long-term contamination. And while this is happening, most vendors are pushing products out the door with no vulnerability program, no incident response plan, and no clue how deep the hole goes.
If you missed the chaos of the '90s, when zero-days dropped daily, Remote Code Execution vulnerabilities were everywhere, and attackers were discovering bugs faster than anyone could fix them... Congratulations! You're now living the remix. Back then, it was buffer overflows and FTP daemons. Today, it’s prompt injection, memory poisoning, and agents acting on behalf of hackers. Different tools, same recklessness. And the worst part? We knew better this time.
The reality is that organizations need to weigh the risk versus reward of AI in every part of their business. Not just where it’s trendy, or where it makes the most noise. The promise is tempting, but using AI comes with complexity, exposure, and devastating consequences.
Security teams guide. We can warn, advise, and even help build the guardrails. But we don’t own the risk. That belongs to the people pushing the launch button: the executives, the business units, the risk owners chasing speed over safety. If they want to ignore the warnings and floor it into the unknown, well… at some point, all we can do is stand back and watch the truck sail off the cliff.
AI will absolutely play a pivotal role in our lives. But the near future depends on how the organizations building these tools handle the hard part, including securing systems that think, decide, and act on our behalf. Maybe one day we’ll be able to rely on our virtual assistants. But today isn’t that day.