Generative artificial intelligence is not only changing the way companies program, automate processes, or serve their customers. It is also altering the speed, scale, and nature of cyberattacks. Gartner has identified four threats that, in their view, require urgent improvements by cybersecurity leaders: AI application compromise, identity impersonation with deepfakes, prompt injection, and attacks on the software supply chain.
The diagnosis is relevant because it places the problem beyond the commercial noise surrounding AI security. It’s not simply about adding another tool to the SOC or blocking ChatGPT use within the company. The attack surface is shifting toward generative applications connected to internal data, agents capable of taking actions, digital meetings where voice or images can no longer always be trusted, and development pipelines increasingly dependent on external components.
John Watts, Gartner’s Vice President Analyst, summarizes this with a clear warning: security initiatives launched by frontier AI companies are creating a lot of noise in an already saturated environment. For CISOs, the challenge is to find the real signal amid that noise and react to changing threat landscapes before attackers gain the advantage.
Enterprise AI is no longer an isolated experiment
The first threat identified by Gartner is the compromise of AI applications. Many companies have rapidly progressed from testing generative assistants to deploying internal tools, copilots, corporate chatbots, and agents connected to real systems. This acceleration offers clear benefits but also opens new doors.
An enterprise AI application may have access to confidential documents, support tickets, CRM data, databases, code repositories, calendars, automation platforms, or HR tools. If permissions, connectors, identities, and data flows are not properly managed, the model stops being an innocuous interface and becomes a new layer of risk.
Gartner recommends security teams extend their programs beyond traditional software protection. This involves mapping the attack surface generated by generative AI models and agent-based tools, applying secure lifecycle practices to AI application development, performing specific threat modeling, and enhancing data security through classification, purpose-based access control, and runtime monitoring.
The core idea is simple: an AI application should not be treated as a decorative chatbot if it has access to sensitive data or can perform actions. It needs governance, traceability, security testing, and clear limits on what it can do, for whom, and in what context.
Deepfakes and prompt injection: two risks that undermine trust
The second threat is identity impersonation through deepfakes. Advances in voice, video, and image models have made creating false identities cheaper, faster, and more convincing. What previously required advanced resources can now be generated with accessible tools and used in scams, phishing, hiring processes, video calls, or attacks on biometric systems.
The risk isn’t limited to manipulated videos circulating on social media. In the corporate environment, an attacker might mimic a executive’s voice, appear in a remote meeting with synthetic imagery, pressure an employee to authorize a transfer, or attempt to bypass digital identity checks. The visual and auditory trust built up over years as part of enterprise security is no longer enough.
Gartner warns there’s no single control to entirely resolve this issue. Deepfake detectors can help but should be combined with reinforced procedures, strong authentication, metadata analysis, contextual signals, and double validation processes for sensitive operations. For example, online meeting security will need to rely more on verified identities and less on “recognizing” faces on screen.
The third threat, prompt injection, directly affects systems based on large language models. An attacker can manipulate input to alter the model’s behavior, cause it to ignore instructions, leak confidential information, or perform unauthorized actions. The risk increases when the model can read external documents, browse websites, query databases, or interact with corporate tools.
Prompt injection breaks a traditional boundary: in classic applications, code and data are more separated. In LLMs, malicious instructions can appear within documents, emails, tickets, or web pages the agent is processing. If systems aren’t properly designed, the model may interpret them as part of the task.
Defense involves multiple layers: validating and sanitizing inputs, conducting specific prompt injection tests during development, implementing guardrails in real-time, monitoring anomalous behaviors, and issuing alerts when models behave unexpectedly. The premise is that models can be deceived; therefore, the entire system must be designed to limit the impact of that deception.
The software supply chain becomes even more delicate
The fourth threat Gartner points out is the software supply chain. Modern development depends on open source libraries, container images, external packages, CI/CD pipelines, shared repositories, AI models, and automation tools. This dependency was complex before generative AI, and now it’s even more so.
Code assistants can accelerate software creation but can also introduce insecure dependencies, suggest non-existent or malicious packages, replicate vulnerable patterns, or generate unreviewed code. Additionally, development agents may interact with build systems, repositories, and deployment environments, increasing risk if permissions aren’t well managed.
Gartner recommends building complete inventories of software assets and applying controls at each development stage. Measures include demanding SBOMs and AIBOMs from suppliers, evaluating components before deployment, using curated repositories for code, containers, and AI models, securing branches in repositories, signing artifacts during build, enforcing least privilege on build systems, and monitoring agent activity in production.
The AIBOM concept gains importance here. While SBOMs identify which software components are part of an application, AIBOM aims to catalog models, datasets, dependencies, and AI elements used within a system. Without this inventory, answering basic questions—such as which model is used, what data feeds it, which providers are involved, or what risks external updates introduce—is difficult.
The CISO needs less noise and more operational control
The four threats highlighted by Gartner share a common element: they erode fundamental assumptions of enterprise security. Previously, we relied more on application-user separation, visual identity, dependency stability, and systems responding only to expected commands. Generative AI weakens some of these certainties.
This does not mean companies should halt AI adoption. Productivity, automation, and process improvement are too important to treat technology merely as a risk. However, adoption must be accompanied by controls designed from the outset, not added after a pilot that has become production.
For security teams, this will require both cultural and technical change. Closer collaboration with development, data, legal, procurement, and business units will be necessary. Also, reviewing identity processes, agent governance, permissions, component inventories, and real-time monitoring. AI cybersecurity will no longer be an isolated category; it will permeate the entire technological architecture of the organization.
Gartner’s message points in this direction: threats are not hypothetical nor far future. They are already entering applications, meetings, pipelines, and workflows. Organizations that wait for an incident to act will find that attackers have already learned how to leverage AI to move faster.
Frequently Asked Questions
What are the four threats highlighted by Gartner?
Gartner identifies AI application compromise, deepfake identity impersonation, prompt injection, and attacks on the software supply chain.
Why are AI applications a new attack surface?
Because many connect to sensitive data, internal tools, credentials, and third-party systems. If permissions and controls are weak, they can expose information or enable unauthorized actions.
What is prompt injection?
It’s a technique that manipulates a language model’s inputs to alter its behavior, bypass instructions, leak data, or perform illegitimate actions.
What should companies do to mitigate these risks?
Implement security by design, inventory components, strengthen identity and access controls, test AI applications against prompt injection, monitor deepfakes, and oversee agents and models in production.
via: Open Security