Teach

AI security: Tool, Target, Threat

Casey Ellis

Casey Ellis

4 min read
Share
AI security: Tool, Target, Threat

There's a pattern in how transformative ideas land. Every so often, one dumps itself onto the collective consciousness of the internet all at once — and in hindsight, the moment turns out to mark the early stages of a whole-of-society shift.

  • Google's NLP == the computer is trying to understand what I mean == the beginning of general population internet access.
  • Snowden's NSA revelations == maybe computer hacking is something that affects me == the beginning of general population cybersecurity awareness, and the industry that grew from it.

When OpenAI released ChatGPT at the end of 2022, it happened again. Almost overnight, compute became both accessible and powerful for non-technical users. Everyone had an AI. Nobody had shared language for how to secure it.

In 2023, alongside my security policy nerd family and partly instantiated by the Hackers In The House event that year, I spent a chunk of my policy bandwidth working with the ONCD on the White House AI Safety and Security Executive Order — EO 14110, "Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence." The conversations kept breaking down on the same thing: Everyone agree that AI was powerful enough to be considered inherently dual-use, and that this conversation was rapidly becoming an issue of retail politics — There was consensus that "AI security" was an important issue to initiate conversation around, but there was a problem: Whenever I asked "what do you mean by AI security" I'd almost never get the same answer twice.

While the EO itself was revoked on January 20, 2025. The taxonomy I built to make sense of it wasn't. Here's why it still matters.

10B1071B-1AA9-4540-B2F6-42B40F67CF37_1_105_c.jpeg

Every "AI security" conversation assumes a shared vocabulary that doesn't exist. One person means phishing-at-scale. Another means prompt injection. Another means autonomous agents. Another still is talking about societal impact. Everyone nods. Nobody's talking about the same thing.

The taxonomy has three orientations:

  • AI as a Tool — AI used by humans to accelerate existing capabilities
  • AI as a Target — AI systems as the object of attack or defense
  • AI as a Threat — AI operating as an autonomous or semi-autonomous actor

Real incidents often span more than one. They're lenses, not bins. The first question in any AI security conversation should be: tool, target, or threat?

AI as a Tool

A force multiplier. Compresses the OODA loop for whoever wields it. Doesn't change what is happening — changes speed, scale, and cost.

In November 2025, Anthropic disclosed GTG-1002: a Chinese state-sponsored espionage campaign where Claude Code executed 80–90% of tactical operations across ~30 targets. Humans picked the victims and set the strategy. The AI did the work. That's tool.

Sufficient acceleration can produce phase transitions — population-scale spear-phishing is categorically different from what existed before. But conflating tool-assisted attacks with autonomous threats drives policy responses that miss the mark.

AI as a Target

The AI itself is the thing being compromised. The attack surface isn't traditional AppSec: the model's behavior is shaped by training data and prompt context, not just code.

In June 2025, Aim Security disclosed EchoLeak (CVE-2025-32711) — a zero-click prompt injection in Microsoft 365 Copilot that exfiltrated tenant data via a single crafted email. Prompt injection isn't a bug. It's a fundamental design challenge in processing untrusted input alongside trusted instructions. Add training data poisoning, model extraction, ML supply chain attacks, and agent exploitation, and you have an attack surface traditional testing wasn't built for.

Safety alignment ≠ security. A model that refuses harmful requests is not secure against adversarial attack. Treating alignment as a substitute for security testing is a category error.

AI as a Threat

The orientation with the most hype and the fewest confirmed incidents.

When ESET flagged "PromptLock" in August 2025 as the first AI-powered ransomware, it turned out to be NYU Tandon's academic PoC. That's the current state: capability demonstrated, autonomy not yet observed in the wild. The cleanest line between tool and threat is who sets the objective. Until an AI picks its own target, threat remains theoretical.

But "early-stage" becomes permanent when it's used to justify inaction. The progression from tool to threat is continuous. Treating the category as science fiction is the other half of getting this wrong.

They compound

An AI tool for vulnerability discovery can be targeted via prompt injection, and can become a threat if it autonomously acts on what it finds. Defending AI targets requires AI tools, which may eventually need to operate as autonomous defensive agents against autonomous offensive ones.

Every capability useful for defense is available for offense. Pretending symmetry exists doesn't help. Closing the adoption gap on defense — while imposing cost on offensive misuse — does.

Regulators who can't categorize can't regulate. Practitioners who can't orient can't prioritize. Executives who can't distinguish tool from threat can't allocate.

Are we talking about a AI as a Tool, target, or threat here? is a simple but incredibly powerful framing question — getting the orientation right is where useful AI security strategy begins.

Read more