As organizations accelerate the adoption of artificial intelligence across business operations, cybersecurity experts are warning that legacy infrastructure may become one of the most overlooked risks facing enterprise AI deployments. Speaking at the Gartner Security and Risk Management Summit, Zur Ulianitzky, Senior Vice President of Product and Security Research at XM Cyber, highlighted how attackers can bypass dedicated AI security controls by exploiting weaknesses in the underlying infrastructure that supports AI agents. While many organizations are investing heavily in protections against threats such as model poisoning, prompt injection, and data leakage, experts argue that focusing exclusively on the AI layer leaves a significant attack surface exposed. Recent industry figures indicate that approximately 71 percent of organizations are currently piloting AI agents across enterprise applications, while 31 percent have already integrated them into production workflows. As adoption grows, security teams are being urged to evaluate not only AI systems themselves but also the networks, identities, permissions, and cloud resources that enable them to function.
According to Ulianitzky, AI agents rely heavily on existing enterprise infrastructure and inherit many of the same security weaknesses that organizations have accumulated over the years. These systems authenticate through identity providers, access cloud storage platforms, execute actions through serverless computing services, and rely on existing identity and access management frameworks. Every dependency introduces potential exposure if not properly secured. Research cited in the discussion suggests that 70 percent of organizations grant AI systems more privileges than they would assign to employees performing similar roles. The consequences can be significant, with organizations reporting a 76 percent security incident rate when AI systems possess excessive privileges, compared to 17 percent among those enforcing strict least privilege controls. Since AI agents depend on technologies such as Active Directory, cloud IAM platforms, service accounts, and stored credentials, attackers do not necessarily need to target the AI directly. Instead, compromising any of the systems connected to the AI environment may provide access to sensitive data sources, integrations, and operational capabilities that the AI uses every day.
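The gap between "more privileges than an employee in the same role" and strict least privilege is easiest to see on a concrete policy. The following is an added example, not code from the article or from XM Cyber: a deliberately simplified evaluator for AWS IAM identity policies (wildcard matching on Action and Resource, explicit Deny wins; it ignores conditions, resource policies, SCPs and permission boundaries) applied to two constructed policies for an AI assistant's role. The bucket name, key names and policy contents are hypothetical.

```python
"""Added example: compare an over-broad AI agent role with a least-privilege
one using a simplified IAM policy evaluator. This is NOT the real IAM
evaluation logic; it models only Allow/Deny statements with wildcard
Action/Resource matching, and an explicit Deny always wins."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # fnmatchcase is case-sensitive and treats '/' like any other character,
    # which is the behaviour we want for ARNs.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """Return True if `policy` allows `action` on `resource`."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM, so compare lower-cased.
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not _matches(actions, action.lower()):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny always wins
        allowed = True
    return allowed


# Constructed policies and names (hypothetical bucket and prefixes).
KB_BUCKET = "arn:aws:s3:::prod-salesforce-export"

# What "grant the agent whatever it asks for" tends to look like in practice.
OVERBROAD_AGENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}

# The agent only needs to read its knowledge-base prefix.
LEAST_PRIVILEGE_AGENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": KB_BUCKET},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": f"{KB_BUCKET}/knowledge-base/*"},
        # Guard rail: even if a broader Allow is added later, writes and
        # deletes against this bucket stay blocked.
        {"Effect": "Deny", "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": f"{KB_BUCKET}/*"},
    ],
}

# (action, resource) pairs an auditor would probe.
CHECKS = [
    ("s3:GetObject", f"{KB_BUCKET}/knowledge-base/faq.json"),      # needed
    ("s3:GetObject", f"{KB_BUCKET}/raw/salesforce-accounts.csv"),  # raw PII
    ("s3:DeleteObject", f"{KB_BUCKET}/knowledge-base/faq.json"),   # destructive
    ("s3:GetObject", "arn:aws:s3:::hr-payroll/2025.csv"),          # unrelated
]


def privilege_report(policy, checks):
    """Map 'action resource' -> allowed? for each probe."""
    return {f"{a} {r}": is_allowed(policy, a, r) for a, r in checks}


if __name__ == "__main__":
    for name, pol in [("over-broad", OVERBROAD_AGENT_POLICY),
                      ("least-privilege", LEAST_PRIVILEGE_AGENT_POLICY)]:
        print(name)
        for probe, ok in privilege_report(pol, CHECKS).items():
            print(f"  {'ALLOW' if ok else 'deny '}  {probe}")
```

Running it shows the over-broad role passing every probe, including deleting the assistant's own knowledge base and reading an unrelated payroll bucket, while the scoped role answers yes only to the single read the assistant actually performs. The same probe list is a useful regression test to keep in CI whenever an agent's role changes.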
To illustrate the risk, XM Cyber researchers outlined a real-world attack path involving a customer service AI assistant powered by Amazon Bedrock. In the scenario, customer information from Salesforce was exported into an Amazon S3 bucket to support AI-driven queries and automation. The storage environment became a valuable target because multiple users, including a developer responsible for maintaining the AI assistant, were granted unnecessary access to production data. At the same time, an internet-facing Apache Tomcat server remained vulnerable to CVE-2025-24813, a path equivalence flaw in Tomcat's handling of partial PUT requests, disclosed in March 2025, that can lead to remote code execution when the default servlet is write-enabled and file-based session persistence is in use; it was fixed in Tomcat 9.0.99, 10.1.35 and 11.0.3 and later added to CISA's Known Exploited Vulnerabilities catalog. After exploiting the server, attackers could obtain cached credentials and compromise an Active Directory account. Researchers further identified a resource-based constrained delegation (RBCD) misconfiguration: the compromised account was permitted to act on behalf of other users to the developer's workstation, which allowed the attackers to impersonate the developer and gain access to that machine. Since the developer used the AWS CLI to manage cloud resources, long-lived access keys stored on the machine (the CLI keeps them in a plaintext credentials file by default) could be extracted and used to reach the production S3 bucket containing data consumed by the AI assistant. Through this chain of events, attackers could influence the information the AI system reads, trusts, and delivers to users without ever attacking the AI platform itself.
Security specialists emphasize that risks of this nature often go unnoticed because organizations assess vulnerabilities within separate security domains rather than evaluating how individual weaknesses can be combined into a larger attack path. A cloud permissions issue, an Active Directory misconfiguration, and an unpatched server may each appear as moderate concerns when viewed independently. However, when linked together, they can create a direct route to critical AI resources. Experts recommend adopting exposure management strategies that treat AI knowledge bases, cloud storage repositories, serverless functions, and supporting infrastructure as interconnected assets. By mapping identity relationships, permissions, infrastructure dependencies, and exploitable weaknesses across environments, organizations can identify strategic points where remediation efforts will have the greatest impact. Security leaders are increasingly being advised to focus on the broader ecosystem supporting AI deployments, recognizing that attackers often rely on established techniques and legacy weaknesses to compromise modern technologies and gain access to valuable business data.
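The "individually moderate, jointly critical" argument is what an attack-path graph makes visible. The following is an added example, not code from the article or from XM Cyber's platform: a minimal model of the chain described above in which each edge is one weakness, paths are enumerated from the internet to the S3 bucket the assistant reads, and weaknesses are ranked by how many paths they cut. Every host name, account and weakness label is constructed, and a second, hypothetical route (local administrator password reuse between the web server and the developer workstation) is added so that the ranking has something to distinguish.

```python
"""Added example: attack-path enumeration and choke-point ranking over a
constructed asset graph modelling the chain described in the article.
Hosts, accounts and weakness ids are hypothetical."""
from collections import defaultdict

ENTRY = "internet"
CROWN_JEWEL = "s3://prod-salesforce-export"   # data the assistant consumes

# (source, target, weakness_id, description) -- constructed sample data.
EDGES = [
    ("internet", "tomcat-web01", "CVE-2025-24813",
     "internet-facing Tomcat vulnerable to partial PUT RCE"),
    ("tomcat-web01", "svc-webapp@corp", "cached-creds",
     "domain credentials cached on the web server"),
    ("svc-webapp@corp", "dev-ws07", "rbcd-misconfig",
     "account may act on behalf of other users to the workstation"),
    ("tomcat-web01", "dev-ws07", "local-admin-reuse",
     "hypothetical: same local admin password on both hosts"),
    ("dev-ws07", "aws-key-dev", "stored-aws-keys",
     "long-lived access keys in the AWS CLI credentials file"),
    ("aws-key-dev", CROWN_JEWEL, "iam-overbroad",
     "developer key holds s3:* on production data"),
]


def build_graph(edges):
    graph = defaultdict(list)
    for src, dst, weakness, _ in edges:
        graph[src].append((dst, weakness))
    return graph


def find_paths(edges, start, goal):
    """Every simple path from start to goal, as a list of weakness ids."""
    graph = build_graph(edges)
    paths = []

    def walk(node, visited, trail):
        if node == goal:
            paths.append(list(trail))
            return
        for nxt, weakness in graph.get(node, []):
            if nxt in visited:          # no cycles
                continue
            visited.add(nxt)
            trail.append(weakness)
            walk(nxt, visited, trail)
            trail.pop()
            visited.discard(nxt)

    walk(start, {start}, [])
    return paths


def choke_points(paths):
    """Weaknesses ranked by the number of attack paths they sit on.

    A weakness on every path is a single fix that severs all of them."""
    counts = defaultdict(int)
    for path in paths:
        for weakness in set(path):
            counts[weakness] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def remaining_after_fix(edges, weakness):
    """Attack paths that survive once one weakness is remediated."""
    return find_paths([e for e in edges if e[2] != weakness], ENTRY, CROWN_JEWEL)


if __name__ == "__main__":
    paths = find_paths(EDGES, ENTRY, CROWN_JEWEL)
    print(f"{len(paths)} path(s) from {ENTRY} to {CROWN_JEWEL}:")
    for p in paths:
        print("  " + " -> ".join(p))
    print("choke points (weakness, paths cut):")
    for weakness, n in choke_points(paths):
        print(f"  {weakness:20s} {n}")
    for fix in ("rbcd-misconfig", "stored-aws-keys"):
        print(f"after fixing {fix}: {len(remaining_after_fix(EDGES, fix))} path(s) remain")
```

On this graph the Tomcat CVE, the stored AWS keys and the over-broad IAM grant each sit on every path, while the RBCD misconfiguration sits on only one; fixing RBCD alone still leaves a route to the bucket, whereas removing the long-lived keys (for example by moving the developer to short-lived SSO credentials) leaves none. That is the prioritisation the exposure-management view is meant to produce, and it is invisible when the three findings live in separate tools.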
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.