Generative AI Security: Risks, Frameworks, and What Works

Equipo de expertos de Wiz

What is generative AI security?

Generative AI security protects organizations from risks created by generative AI systems and LLMs that generate content, code, or data—threats like prompt injection, model theft, and data poisoning that traditional security tools cannot detect. The core challenge is structural:

  • LLMs process natural language as executable instructions

  • Training data can be exfiltrated through model outputs

  • Third-party model dependencies introduce supply chain risk that SAST and DAST tooling were never designed to catch

Wiz Research has found this pattern across AI-as-a-service providers, model hosting platforms, and AI infrastructure: container escapes, exposed databases, and cross-tenant data leakage.

What are the main risks associated with GenAI?

Wiz: The first CNAPP to provide AI security for OpenAI customers

In practice, GenAI security risks look different than they do on paper. The most common first problems are:

  • Employees pasting sensitive documents into unapproved tools

  • Developers routing code reviews through personal AI accounts

  • Shadow AI deployments accumulating faster than any governance team can track them

Policy-only approaches fail fast; full bans push usage underground. The most effective response is visibility first: know what AI runs, what data is sensitive, and build controls from there.

With that ground-level reality as context, the four risk categories below represent the full threat landscape, from what attackers exploit to what models do on their own.

1. Model vulnerabilities

Model vulnerabilities target AI algorithms themselves, exploiting weaknesses in how models process inputs and generate outputs.

The most actively exploited vector is prompt injection, where adversarial inputs redirect model behavior away from its intended purpose. A well-crafted prompt can cause an LLM to:

  • Ignore system-level instructions

  • Exfiltrate data

  • Execute unauthorized actions

This risk scales with every external input the model accepts.

Data poisoning is another significant technique, corrupting training data to degrade or bias model outputs at inference time. Researchers demonstrated this concretely: feeding a model just 50 poisoned images caused Stable Diffusion to produce malformed outputs

TPUXtract is a method developed by researchers at North Carolina State University that extracts model architecture via electromagnetic signals from Google Edge TPUs, with no direct file access required. The technique demands specialized equipment and physical access, putting it squarely in the threat profile of state-sponsored actors and well-funded corporate espionage.

In May 2024, Wiz Research discovered a critical vulnerability in Replicate that exposed the risk of cross-tenant data leakage across millions of private AI models, reinforcing that AI infrastructure inherits the same isolation risks as any other cloud workload.

2. Data-related risks

Data-related risks threaten the sensitive information that powers AI systems. In practice, this category starts well before a sophisticated attacker enters the picture when employees: 

  • Upload internal documents to unapproved tools

  • Paste customer data into free-tier AI products with no enterprise data agreements

  • Use AI against internal datasets never classified or access-controlled for this use case

When organizations rely on "please don't paste sensitive data" as a control, it fails almost immediately. At the infrastructure level, unsecured APIs and integrations expose sensitive data to unauthorized parties at scale.

In January 2025, Wiz Research uncovered a publicly accessible DeepSeek database exposing over a million lines of log streams containing chat histories and API secrets, with no authentication required. That incident required no attacker sophistication, just a misconfigured database and no monitoring to catch it.

3. Misuse scenarios

Misuse scenarios occur when attackers weaponize AI systems to produce harmful content, from deepfakes for fraud to malicious code to discriminatory outputs.

Deepfakes present a particularly acute enterprise risk: criminals use AI-generated video and audio to bypass biometric security systems and access sensitive data that would otherwise require authenticated human identity verification.

AI-generated phishing and business email compromise (BEC) have grown significantly alongside this threat. GenAI tools have lowered the skill floor for crafting convincing impersonation attacks, producing grammatically fluent, contextually specific lures at scale in ways that substantially increase the challenge of social engineering defense.

4. Hallucinations and unreliable outputs

Hallucinations represent a distinct category because the model fails on its own:

  • AI-generated infrastructure configurations can contain security misconfigurations

  • AI-written code can introduce vulnerabilities

  • Legal or compliance summaries can misstate regulatory requirements

All this is delivered with the same confident tone as correct output. Mitigate this with output validation as a deliberate design principle by adding human-in-the-loop review for high-stakes decisions, including cross-validation against authoritative sources, and treating all AI output as untrusted input by default.

GenAI Security Best Practices Cheat Sheet

This cheat sheet provides a practical overview of the 7 best practices you can adopt to start fortifying your organization’s GenAI security posture.

5. Compliance and governance risks

Compliance and governance risks emerge from the intersection of evolving AI regulations and existing privacy law. Follow mandatory frameworks like the EU AI Act alongside GDPR, CCPA, and growing sector-specific requirements, each with different scopes and enforcement timelines.

The EU AI Act establishes risk-tiered obligations with fines reaching up to €35 million or 7% of worldwide annual turnover for violations of its prohibited practices provisions. The broader challenge is that some regulations carry enforcement mechanisms while others are frameworks and guidelines. Organizations need structured visibility across their AI use cases to map each one to its applicable obligations before regulators come looking.

What frameworks help manage generative AI security risks?

Gartner’s AI TRiSM framework (Source: Gartner)

The industry has converged on a small set of frameworks that map GenAI risks to controls. Each addresses a different layer of the problem, and understanding what each covers helps security leaders decide where to focus rather than treating all frameworks as equally applicable.

The four below cover the threat taxonomy, risk management lifecycle, attack technique knowledge base, and governance model a CISO needs to know.

FrameworkWhat it coversBest for
OWASP Top 10 for LLM ApplicationsCatalogs the top 10 LLM security risks, including prompt injection and data poisoning, with concrete mitigation guidance for eachSecurity teams that need a practical threat taxonomy mapped to the most common adversarial risks
NIST AI RMFProvides a lifecycle-based governance structure across four functions: Govern, Map, Measure, and ManageOrganizations building or formalizing an AI risk management program across the full development and deployment lifecycle
MITRE ATLASA knowledge base of adversarial attack techniques targeting AI systems, paired with detailed mitigation guidance for each technique and tactic categorySecurity teams focused on adversarial AI attacks that need a mapping between known threat actor behavior and specific defensive controls
Gartner AI TRiSMA governance model built around four components: explainability and model monitoring, ModelOps, AI application security, and privacyCISOs building board-level AI governance structures and demonstrating trust to customers and regulators
Pro tip

For a hands-on companion to these frameworks, the GenAI security best practices cheat sheet maps the most actionable controls across the AI security lifecycle, and the LLM security best practices cheat sheet goes deeper on LLM-specific risks and mitigations.

Watch 10-min AI Guided Tour

Interactive walkthrough of how Wiz helps security teams secure AI workloads across the cloud with full visibility.

Generative AI security best practices

Building a GenAI security program means addressing the full stack: models, data, access, compliance, incident response, and posture visibility. The practices below cover the core controls, sequenced to build on each other.

Prioritize your AI bill of materials (AI-BOM)

Example of an AI-BOM filtered for the Azure AI services

Complete AI visibility starts with cataloging every AI system in your environment. An AI-BOM identifies all AI models, training datasets, APIs, and tools across your cloud environment. Without it, security teams have no reliable foundation for risk assessment, no way to detect shadow AI, and no basis for proving compliance with frameworks that require an inventory of AI assets.

Implementation for an AI-BOM program includes:

  • Documenting all AI models in use, covering vendor models such as those from OpenAI and Anthropic, custom models your teams built, and embedded models bundled within third-party applications.

  • Mapping data flows to understand where training and inference data originates and how it moves through the pipeline from collection to production.

  • Using automated discovery tools to surface undocumented AI systems because shadow AI is rarely self-reported and manual inventories go stale quickly.

Implement zero-trust controls

Zero-trust architecture assumes no AI system or user is inherently trustworthy. This approach implements least-privilege access, continuous authentication, and real-time monitoring for all AI interactions. Without zero-trust controls, a single compromised credential or over-permissioned service account can give an attacker unrestricted access to model APIs, training datasets, and inference infrastructure simultaneously.

Effective zero-trust implementation for GenAI environments includes the following steps:

  • Apply identity-based access controls to all GenAI endpoints, requiring SSO or equivalent authentication for access to model APIs and inference services.

  • Implement context-based API rate limiting scoped per user, per endpoint, or per model access level to reduce the blast radius of credential abuse.

  • Segment your GenAI environment from other production systems so a compromise in the AI layer does not provide direct lateral movement into unrelated workloads.

Secure your GenAI data

Training datasets, vector databases, and inference pipelines are all potential exposure surfaces. Without proper controls, the model itself becomes the leakage vector, surfacing confidential information directly in its outputs.

A structured approach to GenAI data security includes the following steps:

  • Encrypt all training data at rest using AES-256 and apply encryption in transit across all data flows between pipeline components.

  • Combine regex filtering with machine learning–based anomaly detection to catch prompt injection attempts at the input layer before they reach the model.

  • Apply role-based access controls to training datasets based on sensitivity classification, so only authorized personnel and processes interact with production training data.

Untangle your AI compliance requirements

Compliance mapping identifies which regulations apply to each AI system in your environment and what technical controls each requires. The challenge is that AI compliance obligations now span multiple jurisdictions, frameworks, and enforcement timelines, and violations carry significant financial exposure. EU AI Act fines for prohibited practices reach up to €35 million or 7% of worldwide annual turnover.

Concrete steps for building a compliance mapping capability include the following approaches:

  • Create a regulatory mapping matrix that links each AI use case to its applicable requirements, covering the EU AI Act, GDPR's right to explanation for AI-driven decisions, CCPA, and any sector-specific frameworks relevant to your industry.

  • Develop a compliance calendar that tracks upcoming enforcement dates and regulatory updates, since the AI regulatory landscape is still actively evolving, with high-risk AI system obligations under the EU AI Act taking effect on August 2, 2026.

  • Build a data sovereignty framework to ensure local processing requirements are met where applicable, particularly for EU-based deployments subject to GDPR.

Kickstart GenAI-specific incident response plans

Even organizations with strong preventive controls will face AI security incidents. Whether it's contained or catastrophic often depends on whether a plan existed before the incident started. GenAI incidents require playbooks that address failure modes specific to AI systems, including prompt injection attempts, model manipulation, data leakage through outputs, and harmful content generation.

Building a GenAI incident response capability means taking the following steps:

  • Create playbooks for the most likely GenAI incident types, including data leakage from model outputs, model manipulation through adversarial inputs, and harmful or policy-violating outputs.

  • Implement automated detection and response for known patterns, such as automatic rate limiting or circuit-breaker responses when prompt injection signatures appear in production traffic.

  • Conduct tabletop exercises that simulate GenAI security breaches, as AI-specific scenarios require different muscle memory than traditional network or endpoint incidents.

Get visibility into security posture with AI security tools

Traditional CSPM tools were designed to assess cloud infrastructure configurations. They were not built to inventory AI models, detect misconfigurations in LLM integrations, or surface attack paths that originate in AI workloads and traverse into sensitive data stores. This gap is precisely what AI-SPM addresses.

AI-SPM provides a continuous inventory of AI models and pipelines, detects misconfigurations in LLM integrations and inference endpoints, and surfaces attack paths that connect AI workloads to sensitive data. Where CSPM covers infrastructure risk, and DSPM covers data risk, AI-SPM bridges the gap, showing how your AI systems relate to both, what they can reach, and where the combined exposure paths lie. Without it, security teams must manage AI security risks blindly.

How to approach generative AI security with the right platform

Wiz AI-SPM provides unparalleled visibility into GenAI security risks

Building a mature GenAI security program requires full-stack visibility across models, data pipelines, and cloud infrastructure, continuous detection of AI-specific misconfigurations, and attack path analysis that shows not just what's misconfigured, but what an attacker could actually reach.

According to Wiz’s State of AI in the Cloud 2026 report, 81% of organizations use managed AI services and 90% run self-hosted AI software, yet 25% still lack visibility into which AI services run in their environment. Reactive security alone can't close that gap.

Wiz AI-SPM delivers the visibility and control this environment demands. As the pioneer of AI-SPM, Wiz built these capabilities because traditional cloud security tools were not equipped to handle the AI layer.

Wiz provides a complete AI inventory across managed services and self-hosted models, detects misconfigurations and attack paths across the full AI stack, surfaces shadow AI before it becomes a breach, and connects AI risk findings to the broader cloud security context through the Wiz Security Graph. Whether your teams are building on OpenAI, running self-hosted models, or both, Wiz gives you the continuous detection and prioritized remediation to stay ahead of the AI attack surface.

Request a demo to see how Wiz secures GenAI across your organization, or get a free AI security assessment today.

See for yourself...

Learn what makes Wiz the platform to enable your cloud security operation

Para obtener información sobre cómo Wiz maneja sus datos personales, consulte nuestra Política de privacidad.

FAQs about generative AI security