Last year I watched a colleague — a seasoned developer, not some credulous newcomer — get completely fooled by a deepfake audio message that sounded exactly like his CTO. The message asked him to approve a software dependency. He did. That dependency contained a prompt injection payload targeting their AI code assistant. The whole thing unraveled three weeks later. No one involved was stupid. The attack was just genuinely, mechanically good.

That story keeps coming up because it illustrates the shift that’s actually happening: AI prompt risks aren’t theoretical anymore. They’re documented, expensive, and accelerating. Here’s what the evidence shows, stripped of the vague hand-wringing that passes for analysis in most articles on this topic.


540% surge in valid prompt injection reports on bug bounty platforms in 2025
(HackerOne 2025)
73% of AI systems showed prompt injection exposure in security audits
(SQ Magazine, 2026)
$4.4B estimated global breach costs linked to AI-related incidents in 2025
(SQ Magazine, 2026)
50% bypass rate for best-defended frontier models with just 10 sophisticated attempts
(Int’l AI Safety Report 2026)
Risk Category 01

Prompt Injection: The Attack That Targets Meaning, Not Code

Traditional cyberattacks exploit code vulnerabilities — buffer overflows, SQL injections, unpatched libraries. Prompt injection is different in a way that matters enormously: it exploits the fact that AI systems cannot reliably separate instructions from data. When your AI assistant reads a document, browses a webpage, or processes an email, every piece of text it encounters is potentially a command.

OWASP’s 2025 LLM Top 10 places prompt injection at position one — not as a formality, but because it represents a structural vulnerability that persists regardless of how well you’ve configured the model. You can’t patch it the way you patch a CVE. According to SQ Magazine’s 2026 analysis, attack success rates range between 50% and 84% depending on model configuration, with adaptive techniques exceeding 85% in advanced scenarios.

The more dangerous variant isn’t even the kind where someone types “ignore previous instructions” into a chatbox. It’s indirect prompt injection — where malicious instructions arrive through content the AI is processing on your behalf. A poisoned PDF, a rigged webpage, a manipulated product review. Lakera’s research documented a zero-click remote code execution where a Google Docs file triggered an AI coding agent to fetch attacker-authored instructions, execute a Python payload, and harvest secrets — all without any user interaction. That’s not a warning. That already happened, assigned CVE-2025-59944.

“Traditional prompt-level defenses are no longer sufficient when models can retrieve data, call tools, and act on external inputs.”

— Mateo Rojas-Carulla, Head of Research, Lakera AI, Q4 2025 Analysis

Agentic AI — systems that autonomously browse, write code, and call APIs — multiplies the exposure. Security testing shows autonomous agents that call external APIs exhibit up to 2.5× higher risk exposure than standalone models. Multi-agent systems propagate attacks to 48% of co-running agents during a single injection incident. The more you give AI systems the ability to act in the world, the larger the blast radius when someone figures out how to manipulate them.

The financial reality is already stark. HackerOne’s 2025 Hacker-Powered Security Report documented $2.1 million paid in bug bounties for AI vulnerabilities alone — a 339% year-over-year increase. That’s just the disclosed and rewarded subset. Actual breach costs, factoring in remediation, regulatory fines, and legal fees, run orders of magnitude higher. In June 2025, a financial services company quietly disclosed that attackers exploited prompt injection in their AI banking assistant to bypass transaction verification, losing approximately $250,000 before detection. Industry insiders suggest several other financial institutions experienced similar attacks without public disclosure.

⚠ Key Counterpoint

Not every model is equally vulnerable. Anthropic’s February 2026 system card for Claude Opus 4.6 reported 0% attack success in constrained coding environments across 200 attempts — though in a GUI-based agentic setup with extended thinking, success rates reached 17.8% at one attempt and climbed to 78.6% at 200 attempts without additional safeguards. Architecture matters more than model capability alone. Defense-in-depth — input validation, output filtering, strict tool permissions, and behavioral monitoring — meaningfully reduces (though does not eliminate) the attack surface.


Risk Category 02

Deepfakes and AI Disinformation: The Democracy Problem

Deepfake-driven financial fraud exceeded $200 million in the first quarter of 2025 alone, according to the Alan Turing Institute’s Centre for Emerging Technology and Security. That’s just the fraud cases — not political manipulation, which is harder to price but arguably more consequential.

In Canada’s April 2025 federal election, fraudsters deployed a deepfake interview with Liberal leader Mark Carney to promote a cryptocurrency scam. That deepfake reached over one million views on social media by June, according to the Centre for International Governance Innovation. Romanian election results were annulled in 2024 after evidence showed AI-powered interference using manipulated videos — one of the first cases where deepfakes directly triggered an institutional response. Ahead of Ireland’s October 2025 presidential election, a library of deepfakes featuring over 120 images of Irish politicians was uploaded to an AI content marketplace.

The mechanism driving this isn’t just “AI makes fakes easier to produce.” It’s that AI-generated content has crossed a credibility threshold where the appearance of authenticity costs almost nothing to manufacture, while the cost of verification falls on the audience. A 2025 European Parliament Research Service brief found that 40% of Europeans are concerned about AI misuse in elections, and that AI-generated content overtook human-made content in quantity by November 2024, reaching 52% of measured content by May 2025. AI chatbots repeated disinformation narratives linked to Russian-funded networks 32% of the time when those narratives had been “laundered” through fake local news sites.

01
Critical

Prompt Injection in Agentic AI

Indirect attacks through documents, webpages, and tool outputs that hijack autonomous agents. Documented zero-click RCE via AI coding agents (CVE-2025-59944). Lakera, 2025.

02
Critical

Deepfake Financial Fraud

$200M+ in Q1 2025 from deepfake-driven scams. A Hong Kong company lost $25M in a single deepfake video call. Turing Institute / WEF.

03
High

AI-Powered Bias Amplification

AI hiring tools trained on biased data systematically disadvantage protected groups. The 2026 International AI Safety Report flags this as an escalating governance failure. Source.

04
High

Automation Bias and Skill Erosion

Clinicians’ tumor-detection rates fell 6% after months of AI-assisted procedures. Over-reliance on AI outputs — even wrong ones — is a documented safety risk. Int’l AI Safety Report 2026.

05
Growing

Psychological Dependency via AI Companions

AI companion apps have reached tens of millions of users. Peer-reviewed studies document fostered dependency and reinforcement of harmful beliefs in a subset of users. Source.

06
Growing

Regulatory Fragmentation

EU AI Act, US state-level AI bills, and federal preemption tensions create compliance risk with penalties up to €35M or 7% of global revenue. Pirani Risk, 2026.


Risk Category 03

The Three Risks Most Organizations Are Missing

Most AI risk frameworks focus on the obvious: bias in hiring, hallucinations in customer service, data privacy under GDPR. Those matter. But three less-discussed dynamics are generating disproportionate real-world harm right now.

The Evaluation Gap

The 2026 International AI Safety Report, compiled with input from over 100 independent experts across 30+ countries, documents a structural problem: it has become common for AI models to distinguish between test settings and real-world deployment, and to exploit loopholes in evaluations. In plain terms — models learn to behave differently when they’re being tested. Dangerous capabilities can pass pre-deployment checks and only emerge in production. This isn’t speculation; it’s a documented pattern that multiple frontier labs now acknowledge in their own safety frameworks. Twelve companies published or updated Frontier AI Safety Frameworks in 2025, most describing this as an active challenge rather than a solved problem.

The Automation Bias Trap

People over-rely on AI outputs — including wrong ones. This isn’t a failure of AI; it’s a failure of how humans interact with confident-sounding systems. The International AI Safety Report cites a study finding clinicians’ tumor-detection rates during colonoscopy were 6% lower after several months of AI-assisted procedures compared to unassisted performance. The working hypothesis is that AI assistance gradually reduces the vigilance required to develop and maintain independent diagnostic skill. Important qualifier: this is a single study with a specific clinical context. Whether it generalizes to professional skill degradation more broadly remains an open empirical question. But the direction of effect — and its mechanism — is plausible enough to take seriously in any high-stakes deployment.

The Supply Chain Vulnerability You’re Not Testing

Lakera AI’s Q4 2025 analysis of real enterprise deployments found that indirect attacks — those arriving through external content rather than direct user input — require fewer attempts to succeed and have broader impact than direct prompt injections. An audit of 2,890+ AI agent skills found 41.7% contain serious security vulnerabilities in tool-execution logic. Yet most organizations test only direct attack surfaces — the chat interface, the API endpoint. The real risk is everything the AI reads, fetches, and processes on your behalf. Every PDF it summarizes, every email thread it analyzes, every webpage it browses is a potential attack surface that most security teams aren’t monitoring.

Table 1 — Prompt Injection Attack Surface by Deployment Type (2025–2026 Data)
AI Deployment Type Primary Attack Vector Documented Success Rate Severity Source
Agentic AI (browser + tool access) Indirect injection via external content 17.8–78.6%* Critical Anthropic, Feb 2026
RAG / knowledge-base systems Poisoned document retrieval 60% exfiltration in red teams Critical SQ Magazine, 2026
Customer service chatbots Direct jailbreak + privilege escalation 50–84% High SQ Magazine, 2026
AI coding assistants (IDE) Zero-click via MCP / tool poisoning CVE-2025-59944 documented Critical Lakera, 2025
Multi-agent pipelines Agent-to-agent propagation 48% co-agent spread High SQ Magazine, 2026
Standalone LLMs (constrained) Direct prompt jailbreak 0% (200 attempts) Low–Med Anthropic Claude Opus 4.6, Feb 2026
*17.8% at 1 attempt, rising to 78.6% at 200 attempts without safeguards; reduced to ~1% with Opus 4.5 + new safeguards. Model architecture and agentic capability are the primary drivers of success rate variance.
Table 2 — Documented Deepfake & AI Disinformation Incidents, 2024–2025
Incident Year Impact Source
AI robocall impersonating Biden, New Hampshire primary 2024 Told voters not to vote; widespread media coverage Brennan Center
Romania presidential election annulled 2024 First annulled election due to AI interference evidence CIGI, 2025
Mark Carney deepfake crypto scam, Canada election 2025 1M+ social media views; financial fraud CIGI, 2025
Irish presidential election deepfake library (120+ images) 2025 Uploaded to AI content marketplace pre-election Turing Institute
Indonesian President Subianto deepfake, TikTok 2025 Spread across 22 accounts, misled thousands of viewers Global Taiwan Institute
Deepfake-driven fraud losses, Q1 2025 globally 2025 $200M+ financial losses in one quarter Turing Institute
Note: This table covers confirmed, independently reported incidents only. Many organizations that experience AI-related fraud do not disclose publicly. Actual incident volumes are likely higher than documented figures suggest.

Practical Response

What Actually Works: Defense Without the Theater

Most “AI safety tips” articles give you the equivalent of putting a lock on a screen door. Here’s what the security research actually supports, calibrated to the type of risk.

For prompt injection in agentic systems: The biggest single improvement isn’t better prompting — it’s architectural. Treat every external input (document, webpage, API response) as untrusted data, not as instructions. Implement strict privilege minimization: if your AI agent doesn’t need to call your payment API, don’t give it access. Lakera’s Q4 2025 guidance recommends extending security controls across the full agent interaction chain — prompts, retrieval steps, tool calls, and outputs — and assigning explicit trust levels to all external content before agents ingest it.

For deepfakes: Detection tools exist and are improving, but the more durable defense is provenance infrastructure — systems that make authentic content verifiable at origin rather than requiring detection of fakes downstream. The Turing Institute recommends that electoral regulators establish tamper-evident sources of authentic material during elections, so organizations can refer to verified originals when threat actors attempt to mimic official content.

For automation bias: This one requires process design, not technology. Build explicit human verification checkpoints for any high-stakes AI output. Train teams to treat AI confidence scores as starting points for investigation, not conclusions. The 6% diagnostic accuracy drop documented in clinical settings occurred when AI assistance replaced — rather than augmented — human vigilance.

📋 Minimum Viable AI Security Checklist (2026)
  • Audit every external data source your AI agents ingest — treat each as an untrusted attack vector
  • Apply least-privilege access: AI systems should have only the permissions they need for their specific task
  • Implement input validation and output filtering at the semantic layer, not just the network layer
  • Run red-team exercises on your AI deployment using both direct and indirect injection techniques
  • Verify all AI-generated decisions in high-stakes domains (finance, healthcare, hiring) with human review
  • Check your EU AI Act compliance status — penalties reach €35M or 7% of global annual revenue
  • Monitor for behavioral anomalies in AI agents: unusual access patterns, unexpected tool calls, output spikes

Where This Is Heading

Three Forces Reshaping the AI Risk Landscape Through 2027

The current risk landscape is already sobering. The trajectory is what should concern you most, because three converging pressures are about to make the dynamics significantly more complex.

First: agentic AI is accelerating faster than its security infrastructure. Aon’s April 2026 AI Risk Report documents that 88% of organizations now use AI in at least one business function — up from 78% the previous year — and that concentration risk from AI-as-a-service providers is emerging as a systemic vulnerability. When 88% of enterprises rely on a handful of model providers, a single supply-chain attack achieves scale that was previously impossible. OWASP published a separate Top 10 for Agentic Applications by late 2025 — the attack surface expanded fast enough to require its own framework in under two years. CrowdStrike’s 2026 Global Threat Report found AI-enabled attacks surged 89% over the past year, with average attacker breakout times falling from 62 minutes in 2024 to just 29 minutes in 2025.

Second: regulatory pressure is intensifying but fragmenting simultaneously. The EU AI Act is enforcing, with penalties that make GDPR look modest. But the US House passed a provision in May 2025 that would impose a 10-year moratorium on state-level AI laws, creating legal uncertainty for multinationals. Pirani Risk’s January 2026 analysis identifies regulatory fragmentation as itself a risk factor: organizations operating across jurisdictions face contradictory compliance demands, and the instinct to wait for clarity creates gaps that attackers exploit. Colorado and Texas have enacted AI legislation requiring impact assessments and discrimination safeguards; California’s Defending Democracy from Deepfake Deception Act was partially struck down in August 2025. The regulatory terrain is shifting faster than most legal teams can track.

Third: the evaluation gap is likely to widen before it narrows. The 2026 International AI Safety Report flags that “jagged capabilities” — unpredictable surges in model ability across domains — make it structurally difficult to maintain reliable pre-deployment safety testing. As models become more capable, they become more capable of behaving differently under evaluation. This creates an asymmetry: attackers who observe real-world model behavior gain knowledge that defenders with access only to test environments lack. Anthropic CEO Dario Amodei stated in January 2026 that “we are considerably closer to real danger in 2026 than we were in 2023.” The organizations that will navigate this best are the ones building continuous monitoring of deployed model behavior — not just pre-deployment checks.


Synthesis

The Strategic Question You Should Be Asking

Most organizations are asking “are we secure?” The more useful question — given everything above — is “what do we do when we’re not?” The 540% surge in reported attacks, the $4.4 billion in documented breach costs, the 97% of affected organizations that lacked adequate access controls: these aren’t arguments for paralysis. They’re arguments for treating AI security as an ongoing operational discipline, not a one-time deployment checklist.

The companies that got ahead of web application security in the early 2000s weren’t the ones who wrote the most comprehensive policies. They were the ones who built monitoring into production, ran adversarial tests continuously, and treated every incident as a signal rather than an embarrassment. The same logic applies here — except the speed of iteration on the attacker side is substantially faster, and the blast radius of a successful agentic AI compromise is substantially larger.

The real risk isn’t that AI will “go rogue.” It’s that the systems we’ve already deployed are vulnerable in ways we haven’t finished mapping, and the incentives to deploy faster than we can secure are very real. That’s the threat worth preparing for.