AI Pen Tests Expose 2.5x Flaw Density

The 2.5x Problem: Why AI Pen Tests Just Reframed the Data Security Conversation

When your application security pen test returns a 13% severe-flaw rate, you treat it as a Tuesday. When it returns 32%, you stop the deployment. Cobalt’s 2026 State of Pentesting found the average AI and LLM-based system returning at 32%, almost 2.5x the severe-flaw density of traditional enterprise applications. Cobalt’s findings point at the cause directly: prompt injection, which holds the top spot in OWASP’s LLM Top 10.

New attack surfaces — model tooling, plugin orchestrators, retrieval pipelines, connector permissions — create blast radii that legacy app-sec tooling does not measure. And remediation ownership is unclear in most organizations because AI sits across security, data, and platform engineering teams simultaneously.

The conclusion pen testers are drawing is the one the rest of the industry has been avoiding: AI systems are not another app tier. They are a structurally riskier class of system, and they need their own threat model, their own secure SDLC, and their own runtime controls.

5 Key Takeaways

1. AI carries 2.5x the severe-flaw density of legacy apps.

Cobalt’s 2026 State of Pentesting found 32% of AI and LLM findings are rated high risk, versus 13% in traditional enterprise applications. That is not a tuning issue; it is a structural difference in attack surface that demands a separate threat model, a separate secure SDLC, and its own runtime controls. Testing AI systems with a threat model built for conventional applications misses the categories where most of those severe findings live, so the measured rate will understate the real one. AI governance starts with acknowledging this gap explicitly.

2. Prompt injection is the top OWASP LLM risk.

HackerOne saw a 540% year-over-year rise in prompt-injection bug bounty reports, signaling adversaries have caught up to the AI deployment curve. Prompt injection tops OWASP’s LLM Top 10, and the new attack surfaces around it (model tooling, plugin orchestrators, retrieval pipelines, connector permissions) create blast radii that legacy app-sec tooling does not measure.

3. Containment is the gap, not detection.

63% of organizations cannot enforce purpose limitations on AI agents, 60% cannot terminate a misbehaving one, and 55% cannot isolate AI systems from broader network access. The governance-versus-containment gap runs 15 to 20 points — organizations have invested in watching AI, not stopping it. With optimistic projections, roughly a quarter will end 2026 still without basic containment for AI systems already deployed. Audit trails without kill switches are evidence of a breach, not prevention of one.

4. Pen tests find what is there to find.

Prompt injection, tool-call abuse, and connector misuse all converge on the same layer: the data layer. The exploit lands in the model; the harm lands in the data. The question determining blast radius is not “can the model be tricked” — the 540% HackerOne increase confirms it will be — but “what data does it touch when tricked, and who can prove what happened?” Application-layer controls answer the first half and not the second. Data-layer controls answer both.

5. Data-layer governance is the only architecture that survives.

ABAC enforcement, FIPS 140-3 encryption, and tamper-evident audit logs at the data layer keep the blast radius small even when the exploit lands. When the model is tricked into asking for data it should not have, the policy engine refuses — and the log records the attempt. The exploit becomes a logged refusal instead of a regulatory incident.


The Kiteworks Data Tells Us Why the Gap Exists

The Kiteworks 2026 Forecast Report makes the connection explicit. The pen-test density problem is downstream of a controls problem the survey quantified: organizations have invested in watching AI, not stopping it. 63% cannot enforce purpose limitations on AI agents — the agent can do whatever its connectors expose, regardless of what the policy says. 60% cannot quickly terminate a misbehaving agent — there is no kill switch, just a deployment they have to roll back. 55% cannot isolate AI systems from broader network access — the agent that calls a vendor API can also call your file shares.

The governance-versus-containment gap runs 15 to 20 points: 59% have human-in-the-loop oversight, 58% have continuous monitoring, 56% have data minimization. Even with optimistic projections on the planned-control pipeline, roughly a quarter of organizations will end 2026 still without basic containment for AI systems already deployed. The 2026 Forecast Report calls this the central tension of agentic AI security — and it will not resolve itself.

Why This Is a Data-Layer Problem, Not an App-Sec Problem

Trace each Cobalt attack pattern to where the actual harm occurs. Prompt injection: the model takes an instruction it should not have taken and produces output it should not have produced. Tool-call abuse: the model invokes a function with arguments it should not have. Connector misuse: the model accesses a system it should not have accessed.

In every case, the exploit lands in the model. The harm lands in the data. Which means the question determining blast radius is not “can the model be tricked” — it can, and the 540% HackerOne increase tells you it will be — but “what data does the model touch when tricked, and who can prove what happened?” Application-layer controls answer the first half. Data-layer controls answer both, and produce the evidence regulators require.

What Data-Layer Governance Actually Means in Practice

Three controls do most of the work, each shifting where the model meets the data:

Attribute-based access controls on every data access. Every AI agent request is evaluated against ABAC policies before any data is touched — who is calling, what dataset they are requesting, what the purpose is, and whether the policy permits that combination. The model can be tricked into asking. The policy engine answers no.

FIPS 140-3 validated encryption with customer-managed keys. The model never sees decrypted bulk data unless the policy engine has authorized the access. Customer-managed keys held outside the AI vendor’s reach mean that a compromised storage or vendor layer cannot read the underlying material at rest. Note the division of labor: key custody narrows what can be lifted from storage, while the per-request policy decision narrows what a running, possibly tricked agent is allowed to decrypt. Neither control substitutes for the other.

Tamper-evident audit logs delivered to SIEM in real time. Every model interaction with regulated data produces an append-only record (caller identity, dataset, attribute evaluation, policy decision, timestamp) that cannot be altered or removed after the fact without the change being detectable. When the regulator asks what happened during the prompt injection incident, you have the answer.
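The following is an added illustration of the first and third controls above, not Kiteworks code and not any product’s policy syntax: a default-deny attribute-based decision point that sits between an agent and a data store, and an audit log in which each record carries the hash of the previous one so that a rewritten or deleted entry breaks the chain. The roles, dataset names, purposes, and requests are constructed for the example. One design choice worth noticing: the purpose attribute is bound to the task by the orchestrator, not read from the model’s output, because a purpose string the model supplies is just another thing an injected prompt can set.

```python
"""Added example: ABAC policy decision point plus hash-chained audit log.
All policy rules, identities, datasets, and requests below are constructed
for illustration; they are not Kiteworks policy syntax or real data."""
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    caller: str   # identity of the agent making the call
    role: str     # role attribute carried by that identity
    dataset: str  # dataset the agent is asking for
    purpose: str  # purpose bound to the task by the orchestrator, not by the model


# Constructed policy: each rule is one permitted attribute combination.
# Anything not listed is denied (default deny).
POLICY = [
    {"role": "billing-agent", "dataset": "invoices", "purpose": "invoice-reconciliation"},
    {"role": "billing-agent", "dataset": "cardholder", "purpose": "chargeback-dispute"},
    {"role": "support-agent", "dataset": "tickets", "purpose": "customer-support"},
]


def evaluate(req: Request) -> bool:
    """Permit only if some rule matches role, dataset and purpose exactly."""
    return any(
        rule["role"] == req.role and rule["dataset"] == req.dataset and rule["purpose"] == req.purpose
        for rule in POLICY
    )


class AuditLog:
    """Append-only log. Each record stores the hash of the previous record and
    its own hash over all fields, so editing or dropping a record is detectable."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.records: list[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, req: Request, permitted: bool, ts: int) -> dict:
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        body = {
            "ts": ts, "caller": req.caller, "role": req.role, "dataset": req.dataset,
            "purpose": req.purpose, "decision": "permit" if permitted else "deny", "prev": prev,
        }
        body["hash"] = self._digest(body)
        self.records.append(body)
        return body

    def verify(self) -> bool:
        """Walk the chain from genesis; any broken link or mismatched hash fails."""
        prev = self.GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def gateway(req: Request, log: AuditLog, ts: int) -> str:
    """Decision point: evaluate, write the record, then release data only on permit.
    The record is written whether the answer is permit or deny, so a refused
    request from a tricked model still leaves evidence."""
    permitted = evaluate(req)
    log.append(req, permitted, ts)
    return "permit" if permitted else "deny"


def run_scenario() -> tuple[list[str], bool, bool]:
    """Three constructed requests from one billing agent whose task is bound to
    invoice reconciliation, followed by an after-the-fact edit of the log."""
    log = AuditLog()
    task_purpose = "invoice-reconciliation"   # set by the orchestrator at task start
    reqs = [
        Request("agent-7", "billing-agent", "invoices", task_purpose),    # what the task needs
        Request("agent-7", "billing-agent", "cardholder", task_purpose),  # injected: "also pull card data"
        Request("agent-7", "billing-agent", "tickets", task_purpose),     # injected: lateral move
    ]
    decisions = [gateway(r, log, ts=1_700_000_000 + i) for i, r in enumerate(reqs)]
    intact = log.verify()
    log.records[1]["decision"] = "permit"  # someone rewrites the denial afterwards
    return decisions, intact, log.verify()


if __name__ == "__main__":
    print(run_scenario())  # (['permit', 'deny', 'deny'], True, False)
```

The second request is the prompt-injection case the article describes: the model is tricked into asking for cardholder data, the policy refuses because the task’s bound purpose does not cover that dataset, and the refusal is logged. The third request shows the same mechanism stopping a move to a dataset the role has no rule for at all. The final return value shows that a log entry edited after the fact no longer verifies, which is what "tamper-evident" has to mean in practice; in production the chain head would be shipped to the SIEM or anchored outside the system that writes the log.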

The Kiteworks Approach: Governance That Holds When Prompts Do Not

The Kiteworks Secure MCP Server and AI Data Gateway extend data-layer governance to AI agent interactions, so every model request to regulated data passes through the same controls applied to human users: ABAC on every call, FIPS 140-3 validated encryption with customer-managed keys, tamper-evident audit trails delivered in real time, and single-tenant isolation eliminating cross-tenant attack paths.

Prompt injection still happens. The 540% HackerOne increase is not going to slow down. What changes is the blast radius. When the model is tricked into asking for data it should not have, the policy engine refuses — and the audit log records the attempt. The exploit becomes a logged refusal instead of a regulatory incident. The Kiteworks Private Data Network extends this architecture across email, file sharing, MFT, SFTP, web forms, and APIs under one policy engine and one consolidated audit log.

What CISOs Should Do This Quarter

First, treat AI systems as a distinct attack surface in your threat model. Build a separate AI threat-modeling track with prompt injection, tool-call abuse, and connector permissions as primary failure modes. An app-sec process that does not model those categories will report a lower severe-flaw rate than the system actually carries.

Second, audit containment controls before governance controls. Governance is the easier investment — logging does not require architecture changes. Containment is harder and more important. If you cannot kill-switch a misbehaving agent, the rest of the controls do not matter.

Third, shift access enforcement from the application layer to the data layer. ABAC on every model request to regulated data, with FIPS 140-3 validated encryption and customer-managed keys, is the only architecture that survives prompt injection at scale. The 2026 Forecast Report’s projections — 24 to 36% of organizations still missing basic kill switches and purpose binding at year-end — mean any organization without data-layer enforcement is in the trailing cohort.

Fourth, rehearse the prompt injection incident playbook. What does your SOC do when an AI agent is tricked into accessing data outside its authorized scope? Who gets paged? What logs get pulled? What evidence package goes to the regulator? Tabletop exercises are how the gap stops being theoretical before the regulator finds it for you.

To learn more about governing AI data, schedule a custom demo today.

Frequently Asked Questions

Yes. AI/LLM systems carry a 32% severe-flaw rate versus 13% in traditional apps per Cobalt 2026. Containment controls — purpose binding, kill switches, and network isolation — are the largest gaps per the Kiteworks 2026 Forecast. Build a separate AI threat-modeling track targeting prompt injection and tool-call abuse, and pair it with data-layer ABAC enforcement and tamper-evident audit trails.

Regulated AI use cases need three controls minimum: ABAC on every model request, FIPS 140-3 validated encryption with customer-managed keys, and tamper-evident audit logs. PCI DSS requires demonstrable separation of cardholder data from any model that does not need it; the policy engine, not the model, has to enforce that boundary. HIPAA’s minimum-necessary standard requires the same logic at the PHI level.

Probably not in the way you mean. 60% of organizations cannot terminate a misbehaving agent quickly, and many lack the per-request logging that would reveal an agent reaching outside its scope, so you may have had an incident already without knowing it. The 540% rise in prompt injection bug bounty reports suggests adversaries have caught up. The right question is not whether you have had an incident; it is whether your audit logs would tell you if you had.

Three numbers anchor the conversation: severe-flaw density (32% vs 13% per Cobalt), containment gap (63% cannot enforce purpose limitations, 60% lack kill switches, 55% cannot isolate AI from network access per the Kiteworks 2026 Forecast), and AI-enabled adversary attacks (89% year-over-year increase per CrowdStrike). Together they tell the board AI risk is not a 2027 problem — it is a current-quarter compliance priority.

Partially. Commercial AI offerings provide some governance primitives — access controls, retention policies, platform-level audit logs. They do not provide ABAC on the underlying enterprise data the model queries through connectors. That boundary — the data-to-model interface — has to be enforced by your data architecture, not the AI vendor’s. The Kiteworks AI Data Gateway governs that layer regardless of which AI platform is in use.
