AI security: Tool, Target, Threat

caseyjohnellis

caseyjohnellis

3 min read

The AI security conversation is vast, dynamic, and — too often — imprecise. One person means AI-powered phishing. Another means adversarial attacks on models. Another means autonomous agents. Everyone says "AI security" and assumes they're talking about the same thing. They're usually not.

I created this taxonomy to fix that. It breaks AI security into three orientations based on the role AI plays in the security context:

  • AI as a Tool — AI used by humans to accelerate capabilities they already have
  • AI as a Target — AI systems as the object of attack or defense
  • AI as a Threat — AI operating as an autonomous or semi-autonomous actor

These aren't mutually exclusive bins. Real-world scenarios frequently involve more than one. They're lenses — and every AI security conversation benefits from one question up front: Are we talking about tool, target, or threat?

AI as a Tool

AI as a tool is a force multiplier. It compresses the OODA loop for whoever wields it. It doesn't change what is being done — it changes the speed, scale, and cost.

On offense, that means vulnerability discovery that took weeks now takes minutes, spear phishing that's personalized at population scale, and malware generation where the barrier to entry has effectively collapsed. On defense, it means AI-powered detection that correlates millions of events, shift-left security in CI/CD pipelines, and incident response playbooks that execute in minutes instead of hours.

The critical nuance: sufficient acceleration can produce qualitative phase transitions. When targeted phishing becomes economically viable at population scale, the nature of the threat changes — not just its tempo. This is precisely how tools begin migrating toward threats.

Where it goes wrong: conflating tool-assisted attacks with autonomous threats. When Salt Typhoon or Volt Typhoon use AI somewhere in their chain, that's AI as a tool — not AI as a threat. Conflating the two leads to policy responses that miss the mark.

AI as a Target

The AI itself is the thing being compromised, manipulated, or secured. This attack surface is fundamentally different from traditional application security: the model's behavior is shaped by its training data and prompt context, not just its code.

Prompt injection isn't a bug — it's a fundamental design challenge in processing untrusted input alongside trusted instructions. It's a genuinely novel attack class that didn't exist before LLMs. Add training data poisoning, model extraction, ML supply chain attacks, and agent exploitation, and you have an attack surface that traditional security testing wasn't built to assess.

The defensive side is equally important: AI red teaming, input validation, model monitoring, supply chain verification, and AI-specific vulnerability frameworks like Bugcrowd's VRT expansion and the OWASP Top 10 for LLM Applications.

Where it goes wrong: assuming safety alignment equals security. A model aligned to refuse harmful requests is not necessarily secure against adversarial attack. Safety and security are overlapping but distinct properties. Treating alignment as a substitute for security testing is a category error.

AI as a Threat

This is the orientation that drives the most hype and currently has the least confirmed autonomous incidents in the wild. But the progression from tool to threat is continuous, and treating this category as purely theoretical would be a mistake.

AI as a threat means autonomous exploit chains, adaptive malware that responds to defensive measures in real time, and the systemic compression of the OODA loop to the point where human decision-making can't keep up. On the defensive side, it means autonomous threat response, adaptive defense systems, and counter-adversarial AI.

Where it goes wrong: overattributing autonomy. When a human attacker uses AI to generate an exploit, that's a tool, not a threat. Calling it an "AI-powered cyberattack" implies autonomous agency that doesn't exist and drives fear-based narratives. But equally dangerous is using "early-stage" as justification for inaction. History shows that "the technology is still evolving" becomes a permanent state used to justify permanent inaction.

They compound

These orientations don't exist in isolation. An AI tool used for vulnerability discovery might be targeted via prompt injection to misdirect its findings, and could become a threat if it autonomously acts on what it discovers without human oversight. Defending an AI target requires AI tools, which may eventually need to operate as autonomous defensive threats to counter autonomous offensive ones.

The dual-use nature of each orientation means every capability useful for defense is available for offense. The strategic response isn't to pretend symmetry exists, but to close the adoption gap for defensive applications while building governance structures that impose cost on offensive misuse.

Regulators who can't categorize can't regulate. Practitioners who can't orient can't prioritize. Executives who can't distinguish tool from threat can't allocate. Tool, target, or threat — getting the orientation right is where useful AI security strategy begins.

Read more