DEV Community

Cover image for Every AI feature is a new attack surface
issam fathi
issam fathi

Posted on

Every AI feature is a new attack surface

Every time you add an AI feature, you add a door. Most teams are so focused on whether the feature works that they forget to ask who else can walk through it.

I sit across product and security, and the pattern I see is consistent. A team ships an AI capability, a model that answers questions, summarizes documents, or acts on user data, and treats it purely as a product win. Meanwhile it quietly became one of the softest parts of the system.

The reasons are not exotic. An AI feature usually takes untrusted input, often free text, and does something meaningful with it. That is the classic shape of a security problem. Prompt injection is just untrusted input reaching a powerful interpreter, the same category as the injection bugs we have fought for twenty years, wearing new clothes. If your model can call a tool, read a file, or hit an internal service, then whoever controls its input has a lever on your system.

So here is the discipline I try to hold.

Treat model input as hostile by default. The same way you never trust a form field, never trust what reaches the model, especially if the model can then act. The convenience of "just pass it through" is exactly where the hole is.

Constrain what the model can reach. A model that can only read the one document it was given is a small risk. A model wired into your internal tools with broad permissions is a large one. Scope its access like you scope a service account, least privilege, not most convenience.

Log what it does, not just what it says. When something goes wrong with an AI feature, you need to reconstruct the actions it took, not only the text it produced. If you cannot answer "what did the model actually do at 3am," you are flying blind.

None of this slows real products down. It is the same instinct that separates engineers who ship things that survive contact with the real world from those who ship demos. AI does not get a security exemption for being new and exciting. If anything, new and exciting is exactly when people stop checking the locks.

Build the feature. Then ask who else it just let in.


I am Issam Fathi, a technology strategist and the product manager of AssetEye by Dronetjek, based in Tetouan, Morocco. I help companies build, adapt, and grow through technology.

Top comments (0)