1 in 4
security professionals report their organization deployed generative AI tools without a formal security review — SANS 2025 AI Security Survey
43%
of LLM applications tested by OWASP researchers were vulnerable to prompt injection attacks in 2025
#1
risk on the OWASP Top 10 for LLMs: Prompt Injection — manipulating LLM behavior through malicious input
0
enterprise AI security products from major vendors that have been independently validated against all OWASP LLM Top 10 risks as of 2026

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Enterprise security programs have well-defined categories for their attack surface: network, endpoint, identity, application, and supply chain. AI deployments create a new category that does not map cleanly to any of these: the model and its interaction with data and users.

This is not theoretical. Microsoft's own AI Red Team has published findings from LLM security testing showing prompt injection, data exfiltration through model outputs, and indirect instruction attacks are real and reproducible. As organizations deploy Copilot for Microsoft 365 with access to company email and documents, custom internal chatbots with database access, and LLM-powered code generation tools with repository access, the attack surface is organizational data — accessed through a model that can be manipulated.

The enterprise AI threat model

The key architectural difference between AI security and traditional application security is that the AI model processes untrusted data (user input, documents, web content) and produces outputs that drive actions — in an application whose logic is probabilistic, not deterministic. Traditional security reviews validate deterministic code paths. AI security must account for the model's behavior across a distribution of inputs, including adversarially crafted inputs.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Microsoft Copilot for M365: specific security considerations

Copilot for Microsoft 365 is the highest-deployment enterprise AI tool as of 2026. Its security model deserves specific attention because it has broad access to organizational data.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Securing custom LLM applications and RAG pipelines

Organizations building internal LLM tools — chatbots, document summarization, code review — have more architectural control over security than Copilot deployments and should implement these controls.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Security testing for AI applications

Traditional pen testing methodologies do not comprehensively assess LLM-specific risks. Security teams need to add AI-specific testing techniques.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

Enterprise AI deployments require security review, not after deployment when data exposure is confirmed, but before — at the architecture phase. The core security principles apply (least privilege, input validation, output monitoring) but require AI-specific implementation. The highest-priority action for most organizations deploying M365 Copilot is a file permission audit before rollout. For custom LLM applications, implement per-user permission filtering in the retrieval layer and treat model inputs as untrusted. These controls address the most common attack paths without requiring specialized AI security tooling that the market is still developing.

Frequently asked questions

What is prompt injection and why can't it be fully patched?

Prompt injection is the manipulation of an LLM's behavior through adversarial inputs — either directly by the user or indirectly via data the model processes. It cannot be fully patched because the same model capability that allows an LLM to follow instructions also allows it to follow adversarial instructions if they are presented in a way the model processes as legitimate. Defense is through architectural controls (not through model fine-tuning alone): permission boundaries that limit what data the model can access, output validation that checks model actions before execution, and monitoring for anomalous behavior patterns.

Is Microsoft Copilot secure for enterprise use?

Copilot for M365 is as secure as your M365 data governance. If your tenant has well-managed file permissions, sensitivity labels on sensitive content, and no overly broad sharing policies, Copilot's data exposure surface is limited. If you have years of accumulated oversharing — documents shared with 'everyone' that contain sensitive data — Copilot exposes that data to any user who prompts for it. Copilot itself is not the security problem; it surfaces the permission debt that was already there.

Do I need to include AI tools in my security awareness training?

Yes. Employees need to understand: not to input sensitive personal data (customer PII, health records, financial data) into public AI tools (ChatGPT, public Claude interfaces) because that data becomes training input, not to share confidential company information with external AI services unless explicitly approved, and how to recognize prompt injection in documents they receive (though this is difficult and should not be the primary control). The primary controls are technical (data loss prevention policies, network-level controls on external AI service uploads), but employee awareness reduces the risk of well-intentioned accidental exposure.

Sources & references

  1. OWASP Top 10 for Large Language Model Applications 2025
  2. NIST AI Risk Management Framework
  3. Microsoft AI Red Team: Findings from LLM Security Testing

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.