Generative AI Risks: The Security Threats Every Enterprise Needs to Address

Enterprise adoption of large language models has moved faster than enterprise security policy. The generative AI risks that security teams are now managing span a wider surface than traditional application vulnerabilities: they include the model itself, the data pipelines feeding it, the orchestration layer connecting it to business systems, and the humans who interact with it. NIST data shows a greater than 2,000% increase in AI-specific CVEs since 2022, and industry surveys put 68% of organizations as having already experienced data leaks tied to AI tool usage.

This is not a forward-looking risk assessment. These threats are active. Here is what they are and what defenses apply.

Prompt Injection: The Unsolved #1 Vulnerability

Prompt injection ↗ holds the top position on the OWASP Top 10 for LLM Applications and has held it since the list’s first release. The attack is straightforward: an adversary crafts input that causes the model to deviate from its intended behavior, executing attacker-supplied instructions instead of operator-defined ones.

OWASP distinguishes two variants. Direct injection arrives through the user prompt itself. Indirect injection is embedded in external content the model retrieves and processes — a webpage, a document, an email — without the user or operator seeing it. The attacker does not need access to the system; they only need the model to fetch content they control.

The consequences range from information disclosure to full command execution in agentic pipelines where the LLM can invoke tools, APIs, or external services. OpenAI acknowledged in a late-2025 security update for ChatGPT’s Atlas browser that prompt injection “is unlikely to ever be fully solved,” comparing it structurally to social engineering on the web.

Mitigations that reduce exposure without eliminating it: constrain model behavior through explicit system prompts, validate and sanitize all external content before it reaches the model context window, enforce least-privilege on every tool the model can invoke, and require human approval before the model executes high-impact actions. For teams building or operating LLM-based applications, aisec.blog covers prompt injection attack techniques and red-teaming approaches in depth ↗.

Data Leakage: The Shadow IT Problem, Amplified

Data leakage through generative AI tools is not a hypothetical. Eleven percent of data employees paste into ChatGPT is confidential, according to research cited in the Practical DevSecOps 2026 AI Security Statistics report. Samsung banned ChatGPT enterprise-wide in 2023 after engineers pasted proprietary source code into the platform. The pattern repeats across industries because employees reach for AI tools faster than IT can provision governed alternatives.

The exposure categories are consistent across incidents: source code, internal documents, personally identifiable information, and credentials. The receiving systems are largely cloud-based SaaS LLM platforms that retain input data for model improvement under default settings, meaning a confidential document pasted into a chat session may enter a training dataset.

The governance gap is stark. Only 23% of organizations have a formal AI security policy despite 68% having already experienced AI-related data leaks.

Practical controls: deploy a data loss prevention layer that inspects traffic to AI endpoints, maintain an approved tool list rather than relying on informal norms, and audit what data categories are permitted in AI workflows. Sensitive data classification that predates the LLM rollout is the foundation — you cannot protect data categories you have not defined.

Hallucinations and Fabricated Output

Hallucinations are a distinct risk category from adversarial attacks. The model generates plausible but false content without external manipulation. The risk to organizations is reputational, legal, and operational.

In 2025, Deloitte agreed to partially refund the Australian government after a consulting report delivered using AI assistance contained fabricated citations, including a quote attributed to a federal court judgment that did not exist. The pattern is consistent with how LLMs fail: confident presentation of invented facts in contexts where citation accuracy is verifiable and consequential.

For security operations specifically, the failure mode surfaces in AI-assisted threat intelligence, where a model may fabricate CVE details, vendor advisories, or attribution claims that analysts then act on. AI-generated incident reports and runbooks carry the same risk.

Controls: treat all model output as unverified draft material in workflows where accuracy is consequential, require human verification against authoritative sources before output is acted on, and implement output validation pipelines that check claims against trusted data stores. For teams deploying AI in monitoring and detection contexts, ai-alert.org tracks real AI incidents and ML vulnerability disclosures ↗ as a cross-reference resource.

Agentic AI: A New Attack Surface Tier

The move from single-call LLMs to agentic systems — where models plan, use tools, and execute multi-step workflows autonomously — introduces a risk tier that prompt-level controls do not adequately cover.

OWASP’s December 2025 release of the Top 10 for Agentic AI Applications ↗ identified the key threat classes: agent behavior hijacking via prompt injection into the planning layer, tool misuse where an agent invokes capabilities beyond intended scope, identity and privilege abuse in multi-agent pipelines where one agent delegates to another with elevated permissions, memory poisoning that corrupts the agent’s persistent context, and cascading hallucinations where false output from one step becomes a trusted input for the next.

The attack surface for an agentic system is the sum of every API, database, file system, and external service the agent can touch. Traditional application security gates — authentication, authorization, input validation — still apply at each integration point, but the orchestration layer itself becomes an attack target. An adversary who can influence the agent’s planning process can direct it to use its legitimate access for illegitimate purposes.

Security controls for agentic deployments must include: explicit capability declarations scoped to the minimum the agent needs, structured output validation at every step boundary, human-in-the-loop checkpoints before actions with real-world consequences, and logging of every tool invocation. The OWASP 2026 data security guide specifically calls for runtime monitoring of AI systems as a distinct control, separate from the application security controls applied at build time.

Governance Baseline: What Your Security Team Should Have in Place

The OWASP GenAI Data Security Risks & Mitigations 2026 guide ↗ and NIST AI 600-1 (the companion profile to the NIST AI RMF for generative AI) provide the current framework consensus. Only 24% of enterprises have a dedicated AI security governance team, according to the Practical DevSecOps 2026 report.

The minimum governance baseline for organizations running LLM-based systems:

• Maintain a model inventory covering what models are deployed, which version, and what data they are authorized to process.
• Classify data before it enters any AI pipeline; apply the same handling rules you apply to other sensitive processing contexts.
• Require security review of any application that gives an LLM access to internal tools or data systems, using the OWASP LLM Top 10 as the test criteria.
• Establish an incident response playbook for AI-specific failure modes: model-generated disinformation, data exfiltration through a compromised AI endpoint, and supply-chain compromise of a third-party model or plugin.
• Test agentic workflows under adversarial conditions before production deployment.

Teams looking to operationalize defensive controls across guardrails, content filters, and runtime monitoring can reference guardml.io’s coverage of AI safety tooling and deployment patterns ↗.

---

Sources

• OWASP GenAI Data Security Risks & Mitigations 2026 ↗ — OWASP’s 2026 guide covering the data security risk surface for generative AI systems, from training datasets through deployed inference endpoints.

• OWASP LLM01:2025 Prompt Injection ↗ — The canonical OWASP treatment of prompt injection: taxonomy, attack scenarios, and mitigations.

• AI Security Statistics 2026, Practical DevSecOps ↗ — Aggregated research statistics on AI-related breaches, data leakage rates, enterprise readiness gaps, and CVE growth figures.

• OWASP Top 10 for Agentic AI Applications (December 2025) ↗ — OWASP’s first dedicated list for agentic systems, addressing the expanded attack surface when LLMs operate autonomously with tool access.