AI Security:Artificial Intelligence (AI) Attack Surface Expansion and Security Governance

Many people think that the impact of AI on cybersecurity is mainly in the form of "one more smarter tool". But after reading this compendium on AI cybersecurity in the Asia-Pacific (AP), a more heartfelt conclusion emerges:AI is making attacks faster, cheaper and more realisticIt also creates new "weak layers" in the organization's systems architecture - models, data pipelines, and training and deployment processes.

In other words: you're using AI to boost efficiency, and attackers are using AI to boost speed.

Here's the most worthwhile take-away dry stuff from the report, condensed into a version you can use directly to make judgments and manage.

01 Change 1: Attacks are "more human" and more scalable

In the traditional era, phishing emails, customer service impersonation, and social worker calls were polished by human labor. Now generative AI can "mass produce" this matter:

• - Write fishing content that more closely resembles normal communication and even fits the tone of the industry, organizational structure, and current events
• - Deep forgery (audio/video) takes the "look-alike" out of strong evidence
• - You can also adjust your tactics and strategies in real time, with minimal trial-and-error costs.

This brings not some single point of risk, but an organizational level of change:The trust mechanism has been shaken.Many of the approval, payment, and change processes that used to rely on "listening to voices," "watching videos," and "talking like each other" are becoming inadequate. Many of the approval, payment, and change processes that used to rely on "listening to voices," "watching videos," and "talking like the other person" are no longer sufficient.

02 Change 2: Enterprises expand their attack surface from the "system" to the "model lifecycle".

The report breaks down AI-related cyberattacks into three broad categories, and I suggest you understand them as three main fronts.

1) Hit model "behavior": cue word injection, jailbreaks, confrontation samples

• • Prompt Injection: Hiding malicious instructions in user inputs, documents, web pages, data, so that the model "ignores the rules", reveals information, or does things it shouldn't.
• • Jailbreak: Bypass the guardrail with role-playing, multi-step induction, etc., and let the model output what is supposed to be forbidden.
• • Confrontation Samples/Confrontation Tips: Make small but deliberate changes to inputs that allow the model to misjudge and impact automated processes (e.g., risk control, anti-fraud, content review).

This may sound like "tech-sphere mumbo-jumbo," but it's often quite simple when it comes down to it:One sentence, one document, one external content reference, which could then skew the model, which in turn affects downstream processes.

2) Fighting "data and training": data poisoning, model inversion, model theft

• • Data Poisoning: Mixing "normal-looking but engineered" samples with training/fine-tuning data, distorting model performance over time, and even planting backdoors.
• • Model Inversion: Invert sensitive information in the training data by constantly querying the output.
• • Model Extraction/Theft: "Clone" the model with a large number of structured queries to steal capabilities and boundaries.

The core risks are clear:
It is possible to lose both data (privacy/trade secrets), models (intellectual property/competitiveness), and decision quality (systematic bias).

3) Fighting "supply chain and infrastructure": components, external models, development and deployment pipelines

AI systems are often highly dependent on external ecosystems: open-source libraries, pre-trained models, third-party APIs, cloud infrastructure, automated deployment tools. The report emphasizes that this can amplify traditional supply chain risks - asOne contaminated, many may be affected, and is difficult to trace and spreads quickly.

A more realistic point is this: provider maturity varies widely. Some are well-governed, while others are just starting out. Enterprises that look only at functionality and not at governance can easily "outsource back" the risk.

03 Regulatory trends: more mandatory, more fragmented, more emphasis on fast notification

The Asia-Pacific regulatory environment puts pressure on businesses from two main things:

1. 1. Mandatory safety requirements on the rise: Critical infrastructure, finance, healthcare, transportation, etc. are particularly evident.
2. 2. Incident notification is becoming more and more "urgent": Some jurisdictions have very short reporting windows for critical incidents (Singapore is reported to be as low as 2 hours in certain scenarios; Australia 12 hours in some instances; India requires 6 hours to report to CERT-In; and Hong Kong 12 hours for serious incidents after the Critical Infrastructure Act came into force).

At the same time, the rules arefragmentationThe terminology is different, the applicable objects are different, the regulators are different, and the data localization and cross-border requirements are different. It is difficult for multinational enterprises to use a set of templates, but only to make a "unified framework, the landing can be configured".

Another noteworthy signal is that while traditional cybersecurity frameworks are still dominant in most regions, theAI-specific security expectationsare emerging, e.g., model robustness, adversarial testing, secure data processing, generating content identifiers (with deep synthesis), etc.

04 Where it can go most wrong: by subjecting all AI to "maximum security".

There is a very useful reminder in the report:AI securityInputs need to be "graded", otherwise they are either a waste of resources or a drag on the efficiency of the business.

A simple but working way to divide it is:

• • Productivity AI tools(internal Q&A, retrieval, writing aids, minutes): lighter controls can usually be applied, but leakage, overstepping of authority and data leakage should be strictly guarded against.
• • Decision-critical/customer-oriented high-impact AI(Credit, Claims, Risk Control, Medical Assist, Critical Dispatch): more stringent security and auditing requirements are needed, emphasizing traceability, interpretability, continuous testing and human oversight.

The goal of security is not for AI to "never go wrong," but for risks and impacts to be minimized.Controllable, visible, recoverable.

05 A "list of seven landing strips" that enterprises can directly copy away from

If you need a version that can be brought back to the company for discussion and put into the system, these 7 are the most critical:

1. 1. Putting AI Cybersecurity at Board Level
   Make it a standing issue: risk trade-offs, resource commitment, tolerance, responsible parties, don't just stop at the weekly technical report.
2. 2. Make an "AI Asset Inventory."
   Make clear lists: what models are used, where the data comes from, what external APIs are hooked up, who is responsible, risk levels, change logs. You can't talk about governance without an inventory.
3. 3. High-risk scenarios must be "safety-first".
   Do confrontation testing and red team drills before going live; do continuous monitoring and periodic retesting after going live.
4. 4. Incorporating AI-specific events into contingency planning
   Clarify how to deal with scenarios such as data poisoning, model theft, model tampering, and cue word injection leading to overstepping of authority; and align the timeframe and caliber of notification across the region.
5. 5. Supply chain should be "contractually clear and operationally manageable"
   Contracts should cover: how data is used, how models are updated, how changes are notified, how incidents are reported, how service continuity is guaranteed; and key vendors should be in constant communication, not just signed and finished.
6. 6. Identity and permission systems need to be more rigid
   Multi-factor authentication, least privilege, and sensitive data segregation can significantly reduce the opportunities for social workers and in-depth forgery.
7. 7. Redoing key processes that "rely on verbal trust"
   For example, high-risk transfers, configuration changes, sensitive data exports: introduce dual-channel validation (system approval + callback verification/secondary validation), and don't take "sounds like" as evidence.

What we really need to upgrade is the "trust approach."

The trouble with AI is not that it's "smarter", but that it makes counterfeiting more real, attacks cheaper, and mistakes easier to amplify by automation.
Deep counterfeiting is certainly scary, but what's scarier is-We are still using the processes and intuition of the old times to verify the truth of the new times.

classifier for objects with a handleAI securityDoing it well is ultimately not about a particular tool or a particular rule, but about a more sophisticated organizational capability:
Critical links can be verified, important decisions can be traced, and problems can be recovered.

The next time you get an urgent message from your "leader", or your system suddenly produces a batch of model outputs that are "wrong, but just wrong", hopefully your team doesn't need to gamble on luck, but has a mechanism in place to make sure you get it right.

refer to:

Safeguarding Cybersecurity in AI: Building Resilience in a New Risk Landscape (December 2025).