
AI Exploits Emerge as New Security Threat


"You write a prompt, you receive an output, but you don’t have visibility of what is being thought and what is being executed." — Fabio Fratucello, Field Chief Technology Officer, World Wide, CrowdStrike.

Prompt injection: a new attack surface with phishing‑like risks

Fabio Fratucello told iTNews Asia that as enterprises across Asia‑Pacific scale generative and agentic AI, a largely overlooked risk is emerging at the prompt and interaction layer. He identified prompt injection — attackers crafting malicious inputs that alter model behaviour or bypass safeguards — as a growing concern. Fratucello likened prompt injection to phishing, saying the dynamics are similar: the attack targets the link between user and system rather than the human alone. He warned prompt injection could become "AI’s equivalent of phishing" because of its low barrier to execution and high scalability.

AI agents as digital workers with privileged access

Fratucello argued organisations must rethink how they view AI agents, which are increasingly acting as "digital workers" inside firms. He stressed that when agents are granted high privilege, they can access "extremely rich datasets and information." That potential for broad access creates a governance and security challenge: agents with elevated rights can expand the attack surface and, if compromised or misdirected, expose sensitive systems and data.

Visibility gaps and the case for runtime monitoring

A central challenge Fratucello highlighted is the lack of visibility into AI behaviour after deployment. He emphasised that traditional controls fall short because operators "don’t have visibility of what is being thought and what is being executed." To close that gap, Fratucello called for runtime monitoring that observes agent activity at the point of execution. He described the kinds of telemetry needed — commands, scripts, file access, network connections, and application behaviour — to detect misuse and enable rapid response.
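As an added illustration of the runtime monitoring Fratucello describes (example code written for this summary, not the article's or CrowdStrike's), the following Python records each command, file access and network connection an agent attempts and checks it against an allowlist policy; the policy values, tool kinds and sample trace are all constructed.

```python
# Added example: a minimal runtime monitor for agent actions. Every action is
# logged with the decision and reason, so blocked actions still leave telemetry.
from dataclasses import dataclass, field
from pathlib import PurePosixPath
from typing import Any

@dataclass
class Policy:
    commands: set[str] = field(default_factory=lambda: {"ls", "cat", "grep"})
    roots: tuple[str, ...] = ("/srv/agent/workspace",)          # constructed
    hosts: set[str] = field(default_factory=lambda: {"api.internal.example"})

@dataclass
class Event:
    kind: str                # "command" | "file" | "network"
    detail: dict[str, Any]
    allowed: bool
    reason: str

def _path_allowed(path: str, roots: tuple[str, ...]) -> bool:
    p = PurePosixPath(path)
    if not p.is_absolute() or ".." in p.parts:   # reject relative and traversal paths
        return False
    return any(p == PurePosixPath(r) or PurePosixPath(r) in p.parents for r in roots)

def evaluate(kind: str, detail: dict[str, Any], policy: Policy) -> Event:
    """Decide whether one agent action is permitted and record why."""
    if kind == "command":
        prog = detail["argv"][0]
        ok, reason = prog in policy.commands, f"command {prog!r}"
    elif kind == "file":
        ok, reason = _path_allowed(detail["path"], policy.roots), f"path {detail['path']!r}"
    elif kind == "network":
        ok, reason = detail["host"] in policy.hosts, f"host {detail['host']!r}"
    else:
        ok, reason = False, f"unknown kind {kind!r}"
    return Event(kind, detail, ok, reason + (" allowed" if ok else " blocked"))

def monitor(actions: list[tuple[str, dict[str, Any]]], policy: Policy) -> list[Event]:
    """Run a trace through the policy; blocked actions never reach an executor."""
    return [evaluate(kind, detail, policy) for kind, detail in actions]

# Constructed trace: an agent steered into reading outside its workspace and
# then opening a connection to a host that is not on the allowlist.
SAMPLE_TRACE = [
    ("command", {"argv": ["grep", "-r", "TODO", "/srv/agent/workspace"]}),
    ("file", {"path": "/srv/agent/workspace/../../etc/passwd"}),
    ("network", {"host": "unknown-host.example", "port": 443}),
]
```

Feeding the monitor's event log to a SIEM gives the per-execution visibility the interview calls for, and the reason string is what an analyst would pivot on.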

Shadow AI: unmanaged tools as blind spots

Beyond sanctioned deployments, Fratucello flagged "shadow AI" as a growing blind spot. He defined shadow AI as AI capabilities inside an organisation that are "not approved, not sanctioned" and therefore lack appropriate safeguards. Examples he offered include unmanaged AI applications, plugins, models, runtimes, and development tools introduced without formal review. Such unsanctioned components, he said, "may pose a risk because they don’t have the right security, visibility and governance," underscoring the need for discovery mechanisms to surface hidden AI assets and ensure they align with organisational risk appetites.

Agentic security operations centres and the balance between speed and risk

Fratucello urged that security operations evolve to meet adversaries that operate "at machine speed." He described the emergence of agentic security operations centres, where AI‑powered systems and human analysts collaborate to improve response times. These platforms, he explained, can automate repetitive security tasks such as threat intelligence gathering, malware analysis, and investigation workflows, enabling responses at greater speed. At the same time, he cautioned organisations not to accept high risk as an inevitable trade‑off for speed: "It’s not a question of whether to adopt AI, everyone already has AI. The question is how to adopt it in a safe and considered manner," he told iTNews Asia.

What this means for enterprise security teams, procurement leaders, and adversaries

  • Enterprise security teams: must prioritise visibility first, followed by prevention and response, and build runtime monitoring that captures commands, scripts, file access, network connections and application behaviour, Fratucello advised.
  • Procurement and governance leads: should expect to discover unmanaged AI components — applications, plugins, models and runtimes — and put discovery and approval processes in place so shadow AI operates within the organisation’s risk appetite.
  • Adversaries: gain an amplified lever from prompt injection because of its scalability and low barrier to execution; Fratucello warned this technique may parallel phishing as a primary avenue of compromise.

Fratucello's central message was a pragmatic one: do not wait for a "perfect solution." "If we’re waiting for the perfect solution, we will fall behind," he said, and "security needs to run in parallel with the slope of technology innovation." For organisations moving quickly to adopt generative and agentic AI, that means elevating the prompt and interaction layer to the same level of scrutiny once reserved for endpoints, identities and networks — because, as Fratucello concluded, how AI systems are instructed and how they interpret those instructions could define cybersecurity challenges for the next decade.

Original reporting: iTNews Asia — "Malicious AI inputs are creating a new and critical security threat"