AI expands attack surface
Security observers are warning that AI development is accelerating cyber risk faster than many organisations are prepared for, turning compromise from a remote possibility into a normal operating concern. Social posts this week highlighted Anthropic’s Mythos being restricted for safety and referenced discovery of numerous LLM ‘zero‑days’, underscoring that AI systems can both magnify attacker capabilities and create new exploitable vectors. Practical takeaways are immediate: audit where keys and credentials live, limit third‑party integrations, and treat AI deployments as security events. (x.com/kimmonismus/status/2042174533155836174) (x.com/exec_sum/status/2041639715502485695)
A large language model is a machine that predicts the next word, but when you connect it to code, browsers, and company data, it starts acting less like autocomplete and more like a junior operator with root access. The security problem is not just the model itself; it is every plug-in, application programming interface key, and workflow the model can touch. (owasp.org) That is why security teams now talk about “attack surface,” which is just the count of doors, windows, and vents an attacker can try.

In 2026, Cloud Security Alliance published survey results from more than 1,500 security leaders, and 92% said they were concerned about artificial intelligence agents spreading through the workforce. (cloudsecurityalliance.org) The new wrinkle is that the same systems companies buy for productivity can also help attackers move faster once they get in. CrowdStrike said on February 24, 2026 that artificial-intelligence-enabled attack activity rose 89% year over year, and the fastest observed breakout from one compromised machine to broader access took 27 seconds. (crowdstrike.com)

A “zero-day” is a software flaw the defender does not know about yet, like a hidden side door no one has locked because no one has found it. Anthropic said on February 5, 2026 that Claude Opus 4.6 had found and validated more than 500 high-severity vulnerabilities in open-source software, including bugs in codebases that had been fuzzed for years. (red.anthropic.com) Fuzzing is the old method, where computers throw mountains of random inputs at software to see what breaks, like shaking every window in a city to find one loose latch. Anthropic said its model was different because it read code the way a human researcher does, tracing logic and spotting bug patterns without custom scaffolding or specialized prompts. (red.anthropic.com)

This week Anthropic went a step further and kept its newest model, Claude Mythos Preview, off the public market. The company said Mythos Preview can identify and exploit zero-day vulnerabilities in every major operating system and every major web browser when directed to do so, so access is being limited to vetted defenders through Project Glasswing. (anthropic.com) (red.anthropic.com) Project Glasswing is not a small pilot with one customer. Anthropic says the launch group includes Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, plus more than 40 additional organizations that maintain critical software infrastructure. (anthropic.com 1) (anthropic.com 2)

The other half of the risk is that companies are exposing their own systems to models before they have basic controls in place. The Open Worldwide Application Security Project’s 2025 list puts prompt injection first, sensitive information disclosure second, and supply chain risk third, which means the biggest failures often come from bad instructions, leaked data, and untrusted dependencies rather than from science-fiction hacking. (owasp.org) Prompt injection is the artificial-intelligence version of slipping a fake note into a stack of real instructions. The Open Worldwide Application Security Project warns that crafted inputs can trigger unauthorized access, data breaches, and compromised decisions, especially when a model is allowed to call tools or pass its output directly into other systems. (owasp.org)

That is why a chatbot connected to Slack, GitHub, Google Drive, Salesforce, and a payment system is not “just a chatbot.” It is a new identity with delegated permissions, and if its secrets live in plain text or its outputs are trusted without review, one bad prompt can become a credential theft, a code change, or a data leak. (owasp.org) (crowdstrike.com) The practical response is boring in the same way seat belts are boring.
Find every application programming interface key your models can reach, cut unnecessary third-party connections, require human approval for high-impact actions, and treat every new artificial intelligence deployment the way you would treat a new internet-facing server: as a security event that needs review before it goes live. (owasp.org) (cloudsecurityalliance.org)
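As an added illustration (not code from any source cited above), here is a minimal policy gate in Python that sits between an agent and its tools: it enforces an integration allowlist, refuses tool arguments that carry credential-shaped values, and holds high-impact actions until a human approves. The tool names, regex patterns and policy sets are constructed assumptions, not any vendor's configuration.

```python
"""Constructed approval gate for an LLM agent's tool calls."""
from dataclasses import dataclass, field
import re

# Constructed policy: integrations the agent may reach at all (Salesforce is
# deliberately left off as an "unnecessary third-party connection").
ALLOWED_INTEGRATIONS = {"slack", "github", "google_drive", "payments"}
# Actions that change code, move money or leave the org need a human sign-off.
HIGH_IMPACT_ACTIONS = {"github.merge_pr", "github.push",
                       "payments.transfer", "slack.post_external"}
# Credential-shaped values must never travel inside model-assembled arguments.
SECRET_PATTERNS = [re.compile(p) for p in (
    r"AKIA[0-9A-Z]{16}",        # AWS access key id shape
    r"sk-[A-Za-z0-9]{20,}",     # generic "sk-" API key shape
    r"ghp_[A-Za-z0-9]{36}",     # GitHub personal access token shape
)]


@dataclass
class ToolCall:
    tool: str          # "integration.action", e.g. "github.merge_pr"
    args: dict


@dataclass
class Decision:
    allowed: bool
    needs_human_approval: bool
    reasons: list = field(default_factory=list)


def gate_tool_call(call: ToolCall, human_approved: bool = False) -> Decision:
    """Decide whether a model-proposed tool call may execute right now."""
    integration = call.tool.split(".", 1)[0]
    decision = Decision(allowed=True, needs_human_approval=False)
    if integration not in ALLOWED_INTEGRATIONS:
        decision.allowed = False
        decision.reasons.append(f"integration {integration!r} is not allowlisted")
    for key, value in call.args.items():
        if any(p.search(str(value)) for p in SECRET_PATTERNS):
            decision.allowed = False
            decision.reasons.append(f"argument {key!r} carries a credential-shaped value")
    if call.tool in HIGH_IMPACT_ACTIONS:
        decision.needs_human_approval = True
        if not human_approved:
            decision.allowed = False
            decision.reasons.append(f"{call.tool} is high-impact and has no human approval")
    return decision


if __name__ == "__main__":
    print(gate_tool_call(ToolCall("payments.transfer", {"amount": 100})))
```

Every refusal carries its reasons, so the same record can feed an audit log of what the agent tried to do and why it was stopped.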