Mapping the AI Attack Surface

Traditional cybersecurity was designed for a world where software follows deterministic rules — the same input always produces the same output, and vulnerabilities are fixed in code. AI breaks this model entirely.

The AI Lifecycle Threat Map

Think of an AI system as a pipeline with five distinct stages, each carrying its own risks:

• ◆Data Collection — Who controls what goes into the training data? Can it be manipulated before it reaches you?
• ◆Training — Can adversaries inject poisoned examples that corrupt the model's behaviour?
• ◆Fine-tuning — Are third-party base models carrying hidden vulnerabilities?
• ◆Deployment — Once live, can users manipulate the model through crafted inputs?
• ◆Integration — What happens when AI outputs feed into other business systems?

The critical difference between AI security and traditional security is opacity. When a conventional application behaves unexpectedly, you can read the code. When an AI model misbehaves, the cause may be buried in billions of parameters that no human can interpret directly.

Distinguishing AI Risks from Conventional Risks

Not every AI problem is a security incident. Before reaching for an incident response playbook, organisations need a clear taxonomy:

• ◆Adversarial Attack — A deliberate, malicious attempt to manipulate AI behaviour
• ◆Data Quality Failure — Garbage in, garbage out. No malicious intent, but real consequences.
• ◆Distributional Shift — The world changed and the model wasn't retrained. Common in finance and healthcare.
• ◆Integration Bug — A software engineering failure in how AI connects to other systems.
• ◆Model Drift — Gradual degradation in performance over time as patterns evolve.

How Machines Learn — Computerphile