DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports
Events Video Library
Refcards
Trend Reports

Events

View Events Video Library

Related

  • The Reliability Gap: Why Enterprise AI Keeps Failing After It Already Works
  • The Prompt Isn't Hiding Inside the Image
  • Cost Efficiency and ROI: AI-Powered Testing vs Traditional Automation
  • Securing AI/ML Workloads in the Cloud: Integrating DevSecOps with MLOps

Trending

  • Security in the Age of MCP: Preventing "Hallucinated Privilege"
  • What Is Plagiarism? How to Avoid It and Cite Sources
  • WebSocket Debugging Without a Proxy — A Browser-First Workflow
  • Advanced Middleware Architecture For Secure, Auditable, and Reliable Data Exchange Across Systems
  1. DZone
  2. Data Engineering
  3. AI/ML
  4. AI Can't Defend What It Can't See

AI Can't Defend What It Can't See

AI can only defend what it can see. Give it incomplete data, and it won't warn you. It quietly reports everything as healthy while real attacks slip through unseen.

By 
Jithu Paulose user avatar
Jithu Paulose
·
Jul. 07, 26 · Analysis
Likes (0)
Comment
Save
Tweet
Share
32 Views

Join the DZone community and get the full member experience.

Join For Free

Most of what AI promises in security rides on something duller than the model itself: whether it can see the environment it's defending. When it can't, a stronger model doesn't help. It makes the gaps harder to spot, and it brings a few new ones of its own.

Two figures from the past year carry most of the story.

CrowdStrike's 2026 Global Threat Report put the average eCrime breakout time at 29 minutes for 2025. (Breakout time is the stretch between an attacker landing on one host and pivoting to a second.) That's down from 48 minutes the year before, 62 in 2023, and 98 in 2021. The fastest single case clocked 27 seconds, and in one intrusion, data was already moving out four minutes after the attacker got in. The report also found that 82% of intrusions involved no malware at all, with the attacker simply logging in on valid credentials, and that activity from AI-enabled adversaries climbed 89% over the prior year.

Microsoft's 2024 Digital Defense Report says where most of those footholds come from. Among ransomware attacks that reached a ransom demand, north of 90% rode in on an unmanaged device, used either for the initial access or for the encryption itself. The typical breach starts on hardware that the security team has no eyes on.

Stack those together, and the shape is hard to miss. Attackers are inside and moving within half an hour, and they come in through whatever the inventory missed. So one unglamorous question matters more than any of the ones about detection speed: can the AI see what it's supposed to be guarding? If the answer is no, a more capable model won't save the situation. It mostly produces a more polished account of the same gap.

Loud Failures Are the Easy Ones

The failures that make noise are the ones we handle well. A bad model output is obviously bad, and an engineer overrides it. An integration breaks and throws an error. A pipeline job dies. A dashboard goes red, and somebody gets paged. All of it is visible, and visible problems get worked on.

Missing telemetry is the other kind of failure. It's quiet. Feed an AI system partial data, and it still hands back a clean summary of your risk: it scores assets, ranks incidents, and tells you the controls look fine, working only from the systems that happen to report in. The write-up reads well, the confidence figure looks earned, and nothing in it mentions that a third of the fleet was never in the picture.

This cuts deeper with AI than with the dashboards we're used to, because of how the output gets read. A conventional dashboard makes you look at the raw material: the filters, the timestamps, the source systems, the columns that came back empty. The gaps are at least in front of you. An AI summary compresses all of that into a paragraph. When the data underneath is complete, that's a gift to a tired analyst. When it isn't, the compression is what buries the gap. And a confident wrong answer is harder to deal with than an honest "I'm not sure," because uncertainty at least sends someone to go look. A green light sends them home.

The “All Good” Trap

Picture a concrete version. An AI dashboard reports the internet-facing services as healthy and low risk. A senior engineer who knows the estate reads that as handled. Then someone pulls the asset count and finds 71% of that class is actually instrumented. The 71% was scored correctly; the trouble is the other 29%, which the model had no reason to mention and which everyone has now stopped worrying about, because the tile was green.

That missing slice is hardly ever random. It collects the awkward stuff: contractor-managed endpoints, cloud resources nobody claimed, an old VPN path, a few personal laptops, service accounts that outlived their owners, an integration wired up before the current identity platform existed. 

None of it reaches the model unless something feeds it telemetry, and the model has none of the institutional memory a long-tenured engineer carries: which subnet belongs to a vendor, which credentials should have died two reorgs ago. It works with what it was given. If that input is partial, the output still looks whole, and that mismatch is where the danger sits.

The Control That Was Never Switched On

The 2024 Change Healthcare breach is the clearest case I know of for why "we have that control" and "that control is doing anything" are separate claims. It became the largest healthcare data breach in U.S. history, hitting roughly 190 million people, nearly one in three Americans.

How they got in was unremarkable. Attackers used stolen credentials on a Citrix remote-access portal with no multi-factor authentication turned on, spent about nine days moving around inside, pulled out terabytes of data, and only then dropped the ransomware. The part worth sitting with came out in the parent company's testimony to Congress: MFA was company policy across external-facing systems. The control was real on paper. It just wasn't switched on for that one portal, and nobody noticed the hole until it got used.

Run an AI risk model over that environment a week earlier. It finds a documented MFA policy and marks identity coverage as good. Unless it was built to check whether MFA is actually enforced on each external endpoint, rather than whether a policy exists somewhere, it shows green. The control was present and useless at once, and a model reading policy documents instead of a live enforcement state would have signed off. No alert is not the same as no problem. Often, it just means nothing was watching that spot.

The HIPAA Rewrite Asks for Visibility Before Anything Clever

Change Healthcare didn't only cost money; it moved policy. In January 2025, the U.S. Department of Health and Human Services proposed reworking the HIPAA Security Rule for the first time in more than twenty years. The comment window drew close to 5,000 responses, and a final version is expected around 2026.

The telling part is the order. Before anything sophisticated, the draft would require a current, yearly-updated inventory of every technology asset that touches protected health data, plus a network map; MFA with only narrow exceptions; encryption in transit and at rest; vulnerability scans twice a year; an annual penetration test; and network segmentation. It would also scrap the old split between "required" and "addressable" safeguards and make nearly everything mandatory. That last move is the regulatory echo of the point above: "addressable" is exactly how a safeguard ends up written down but never enforced, which is the road the Citrix portal took.

The reaction confirmed what practitioners keep saying about money. HHS estimated a first-year cost near $9 billion, and an industry group led by CHIME, joined by more than a hundred hospital systems, asked the administration to pull the rule, arguing that smaller and rural providers simply cannot carry it. Many healthcare organizations spend something like 80% of their budget on infrastructure and only a sliver on security. The proposed rule tells them the sliver has to go first to seeing the estate and enforcing the basics, not to one more detection layer bolted on at the end.

Make the Score Show Its Coverage

So what do you do about the silent-failure problem? Not stop using AI summaries. Make every summary carry its own coverage, so the gap rides along with the number instead of getting dropped on the way into a slide.

Most risk summaries today hand back something like this:

{  "asset_class": "internet-facing-services",  "risk_score": 18,  "status": "healthy"


It's tidy, and it tells you almost nothing, because you can't see whether it rests on full data, partial data, week-old data, or just the systems that were easy to wire up. A coverage-aware version states its own basis:

{  "asset_class": "internet-facing-services",  "risk_score": 18,  "status": "healthy",  "coverage": {    "assets_known": 412,    "assets_instrumented": 293,    "coverage_pct": 71,    "uninstrumented_pct": 29  },  "data_freshness": {    "newest_signal": "2026-06-21T09:14:00Z",    "oldest_signal": "2026-06-09T22:40:00Z",    "stale_sources": ["byod-mdm", "contractor-vpn"]  },  "confidence_basis": "computed on 71% of known assets; excludes BYOD and contractor access",  "blind_spots": ["unmanaged-endpoints", "third-party-saas"] }


Now status: healthy next to coverage_pct: 71 reads completely differently, and you don't have to dig to get there. Nobody needs perfect coverage; the last few percentage points cost a fortune to instrument, and plenty of assets don't justify it. What you want is a system honest about where it's blind: what it covered, what it skipped, how old the freshest gap is, and what the score rests on. Any AI security view headed for a decision-maker should answer those four on its own. A confidence number that can't say where it came from is decoration.

Shadow AI: The Gap You Didn’t Know You Opened

Up to here, the unseen assets have been familiar ones: endpoints, accounts, third-party links. The fastest-growing blind spot in 2026 is newer, and most security teams opened it without meaning to. It's the AI tooling their own people already use every day.

The numbers are blunt. IBM's 2025 Cost of a Data Breach report found one in five breached organizations was hit through shadow AI, meaning unsanctioned generative-AI tools nobody in security signed off on, and that shadow AI added roughly $670,000 to the average breach. Netskope counted the distinct generative-AI apps in use across enterprises rising past 1,550 over the year, from around 317 at its start, with close to half of users reaching them through personal accounts nobody is watching. 

One survey put the share of organizations with no real view of how data moves in and out of AI tools at 86%. IBM filled in the reason: 63% have no policy for managing AI or heading off shadow use, and among firms that took an AI-related hit, 97% had no proper access controls on AI in place.

It's the same visibility problem in different clothes. An engineer pastes proprietary code into a chatbot to debug it; a manager drops a customer list into an unapproved summarizer. The data crosses the boundary and settles into a third-party model the security team can't see into, govern, or claw back. A risk model has nothing to score, and the data path shows up in no inventory. 

Banning the tools doesn't help much; people keep using AI after a ban, which only drives it further out of sight. The workable answer looks like the old shadow-SaaS hunt: discover what's actually in use, give people sanctioned options so they don't need the back channels, and put data-loss controls on the paths out. IBM's analysts put it bluntly that the human-centered measures, the training sessions, warning emails, and written policies, fail over and over, and the only thing that reliably holds is a technical control that stops the upload before it leaves.

The Defender’s AI Is Part of the Attack Surface Now

There's a second new gap, and it's the AI you brought in to help. The moment a model is wired into your environment, it becomes one more thing to watch and fence in, and it drags a crowd of machine identities along with it.

Non-human identities, the service accounts and API keys and OAuth tokens and workload credentials, and now the AI agents, already outnumber human users badly: estimates run from about 45 to 1 in an ordinary enterprise to 144 to 1 in cloud-native and DevOps shops, and one vendor's count grew 44% in a single year. A typical enterprise has gone from tens of thousands of machine identities a few years back to something like a quarter million today. 

CyberArk's 2025 identity survey found 68% of organizations with no identity-security controls for AI and 47% unable to lock down shadow AI at all, while SpyCloud researchers turned up 6.2 million exposed credentials tied to AI tools in one year. Most are created outside any IT process, hold broad permissions, and never get revoked. Together, they're the least-governed part of the modern attack surface, and because machine-to-machine traffic looks like business as usual, abuse of them goes unseen until the data is already gone.

Agents push this up another level. Gartner expects task-specific AI agents in 40% of enterprise applications by the end of 2026, against under 5% in 2025. A static API key has a fixed scope you can list and audit. An autonomous agent calls external APIs, spins up sub-agents, writes and runs its own code, and can pick up new permissions while it runs, so you can't fully say ahead of time what it will touch.

And the model in the middle of all this carries a weakness you can't patch away. Prompt injection has held the top slot in OWASP's Top 10 for LLM Applications across two editions, for a structural reason: a model takes instructions and data over the same channel and can't reliably tell which is which. Tuck an instruction inside a document, a support ticket, a web page, or a code comment, and a model that reads it may follow it as a command. 

Retrieval-augmented generation doesn't close that, and neither does fine-tuning; OWASP's advice is layered defense, with least-privilege tooling, filtering in and out, a human in the loop for anything sensitive, and regular adversarial testing. 

This isn't a thought experiment: CrowdStrike worked incidents at more than 90 organizations where attackers went straight at AI tools and dev platforms, slipping malicious prompts into live systems, and mentions of ChatGPT in criminal forums jumped more than fivefold. Which brings it back around: if you can't watch and constrain the security AI itself, it stops being a defense and turns into another asset on the surface, one that can be talked into helping the other side.

There’s a Name for the Attacker’s-Eye View: CTEM

That better question, asking what you look like to an attacker right now instead of whether you're safe, already has a formal home. Gartner called it Continuous Threat Exposure Management, or CTEM, in 2022, and has since put it among its top security investments for 2026.

CTEM is a program, not a tool you buy. It cycles through five stages, scoping, discovery, prioritization, validation, and mobilization, and the heart of it is reasoning about attack paths rather than counting isolated vulnerabilities. Scoping opens right where this article does, by deciding which slices of the attack surface actually matter to the business, since not every system carries the same weight. 

Discovery is where continuous asset inventory lives, and the tooling is worth knowing by name: Cyber Asset Attack Surface Management (CAASM) pulls asset data out of the systems you already run and stitches it into one view, while External Attack Surface Management (EASM) shows what's reachable from outside. 

Validation is where you test whether a control actually fires, the discipline that catches a documented-but-disabled MFA setting. Gartner has predicted that organizations running an exposure-management program would be three times less likely to be breached, though that's a forecast, not a measured result; the independent reads so far show better visibility for adopters, not a proven drop in breach rate. The direction holds up regardless, and the practical value is that it turns "what do we look like to an attacker" from a one-time exercise into a standing process.

Push the Checks Earlier, Not Later

None of this holds if security stays a last-step review. AI is speeding up how fast teams turn out code, tests, and operational glue, and that same speed carries mistakes and untested assumptions downstream just as quickly. Adding observability at the very end only ships the risk faster.

The fix is to pull the security and observability questions into the definition of done, so a feature isn't finished until it can answer them. How will this get monitored in production? What does it emit, who can reach it, and what data does it handle? What does abuse look like in the logs, what happens when something upstream falls over, and how does the system flag that it doesn't have enough context to judge? 

AI helps with a lot of this, drafting tests, spotting risky dependencies, reading code paths, but AI-assisted development with no AI-assisted assurance just moves risk along faster. The checking has to keep pace with the generating. And none of it stands in for zero trust; it makes zero trust matter more. Don't extend trust on the basis of network, device, or past access. Verify as you go, hold access down, watch how things behave, keep the blast radius small. A model can narrate your risk in fluent prose and still do nothing to reduce it without real identity, policy, and enforcement underneath.

What the Breach Math Says

If the case needs a number, IBM's 2025 report supplies one with an edge on both sides. The global average breach cost dropped 9% to $4.44 million, the first decline in five years, on faster detection and containment from AI-assisted defense. Organizations using security AI and automation heavily spent about $1.9 million less per breach and cut roughly 80 days off the breach lifecycle. So AI, on a foundation that works, does pay.

The same report shows the other path. Shadow AI added that $670,000; breaches involving it ran longer and gave up more personal data and IP; and again, 97% of organizations hit by an AI-related incident had no basic access controls on AI. Only about 17% have automated blocking and scanning for AI use, which leaves everyone else on the human-centered controls that don't hold. 

In the U.S., the average breach reached a record $10.22 million, driven up by regulatory and escalation costs. The through-line matches everything above: AI defense built on real visibility and governance saves real money, while AI rushed in over a blind spot costs more than skipping it would have. Whatever foundation it lands on, the technology makes it bigger.

What to do on Monday

If you're running an engineering or security team, five moves beat buying another tool.

  1. Make one AI security view honest about its coverage. Take a single AI-generated dashboard and have it show coverage and freshness next to every score, so it can't call something healthy without saying what it actually looked at.

  2. Check enforcement, not policy. Pick one control that matters, MFA on external access being the obvious one, and line up what the policy says against where it's truly enforced today. The Change Healthcare gap lived in exactly that distance.

  3. Count your shadow AI and your machine identities. Find the unsanctioned AI tools in play and the data routes into them, and inventory the service accounts, tokens, and agents running in your environment. Nothing you haven't counted can be governed.

  4. Drill against the clock. With breakout time around half an hour, rehearse a believable initial-access path and ask what the attacker reaches in the first thirty minutes, and which telemetry would confirm or rule out each step. Make it recurring, not a one-off.

  5. Run a visibility-focused Wheel of Misfortune. Pick a plausible gap, an unmanaged endpoint, a stale cloud asset, an agent fed untrusted content, and ask whether your AI security view would even see it, whether it would call out the missing data, or whether it would just hand back a confident summary anyway. You're hunting for what the dashboard can't see, ideally before someone else finds it first.

The First Question

AI is going to be a permanent fixture in security. It will cut manual work, add context to noisy signals, and let teams respond with more than instinct, and the cost data shows that the payoff is real. What it won't do is let you off the hook for the fundamentals. It raises the price of skipping them, partly because it makes a thin foundation look finished, and partly because the AI itself becomes one more thing you have to see and hold in check.

If you can't see your assets, your identities, your telemetry, your shadow AI, and the gaps in your controls, AI won't cover that distance. It mostly paints over it.

The first question for AI security was never how powerful the model is. It's whether you can see enough of your own environment to put it to work.

AI IT Multi-factor authentication

Opinions expressed by DZone contributors are their own.

Related

  • The Reliability Gap: Why Enterprise AI Keeps Failing After It Already Works
  • The Prompt Isn't Hiding Inside the Image
  • Cost Efficiency and ROI: AI-Powered Testing vs Traditional Automation
  • Securing AI/ML Workloads in the Cloud: Integrating DevSecOps with MLOps

Partner Resources

×

Comments

The likes didn't load as expected. Please refresh the page and try again.

  • RSS
  • X
  • Facebook

ABOUT US

  • About DZone
  • Support and feedback
  • Community research

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Core Program
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 3343 Perimeter Hill Drive
  • Suite 215
  • Nashville, TN 37211
  • [email protected]

Let's be friends:

  • RSS
  • X
  • Facebook