AI Security Got Complicated Fast. Here’s How Microsoft is Simplifying It – Source: securityboulevard.com

Imagine someone in your organization receives a seemingly innocent email, perhaps an invitation to an event. Lurking behind the visible text and images are ASCII characters, invisible to the human eye but easily processed by the artificial intelligence (AI) assistant integrated into your everyday applications.   

The hidden prompt quietly instructs the AI assistant to search for Slack MFA codes, which it happily does.  

Prompt injections like this can be delivered in countless ways, not limited to email. “ASCII smuggling,” as it’s called, is just one of the many emerging techniques targeting our AI ‘helpers’ — or ‘overlords.’  

While this specific attack has largely been mitigated, the reality remains: AI security is still very much the Wild West, continually presenting new challenges and attack vectors. 

Consider this: Today, nearly every organization leverages AI and large language models (LLMs) in critical business functions. From user-focused AI assistants like Microsoft Copilot and Google’s Gemini, to corporate chatbots, generative AI and custom LLMs used in sensitive areas such as medical research, AI is everywhere.  

Plus, 78% of users report bringing their own AI tools into the workplace, including ChatGPT and — even DeepSeek, the much-hyped AI tool from a Chinese company recently associated with data leaks.  

And it’s complicated. There are countless models, each with its unique benefits and vulnerabilities. There are also countless platforms and infrastructures to host the said models, and many are (by necessity) internet-facing.   

So, the question is — in a world where we still struggle with basic vulnerability management for traditional systems we’ve known and loved (or hated) for decades, how can we possibly find and mitigate vulnerabilities in our rapidly evolving AI platforms before attackers exploit them?   

Nick Goodman and Neta Haiby shared some of Microsoft’s newest (and upcoming) AI-related security capabilities at a recent Tech Field Day Showcase. Nick, formerly with RiskIQ, is now the product architect for Microsoft’s Security Copilot — note the emphasis on “security” before “Copilot” here, indicating the use of specialized AI agents in Copilot tuned and tweaked to streamline SOC operations.  

Neta, the director of AI security in Microsoft’s Office of the CTO, leads the company’s comprehensive efforts to safeguard AI, a task that’s as complex as it is critical. In her session, Neta highlighted several key AI Security Posture Management (AI-SPM) features now (or soon, May 1st) available in Microsoft’s Defender for Cloud suite.  

One major highlight of Microsoft’s Defender for Cloud (CSPM) and AI Security Posture Management (AI-SPM) is the ability to manage and secure AI assets beyond just Microsoft environments. This includes not only Azure-based services, but extends to AWS, Google Cloud Platform (GCP), Amazon Bedrock and Google Vertex AI.  

These capabilities complement the extensive catalog of AI models already available through Azure’s AI Foundry, such as Meta’s Llama, Mistral, DeepSeek and others.  

And within the Microsoft environment, Neta says, “you just enable it”. There are no additional connections, integrations or agents required.   

Some noteworthy features of Microsoft’s AI-SPM include: 

• AI Workload Discovery. Automatic and continuous identification of deployed AI workloads across services such as Azure OpenAI Service, Azure Machine Learning, Amazon Bedrock, Google Vertex AI and more. ​ 

• AI Vulnerability Assessment: Detection of vulnerabilities within AI library dependencies by scanning source code for Infrastructure as Code (IaC) misconfigurations and container images.​ They map this to the OWASP Top 10 for LLM Applications.  

• AI Attack Path Analysis: This feature isn’t new but has been recently enhanced. It correlates attack paths, even between disparate models and workloads, both inside and outside the Microsoft environment. The latest update includes mapping to the MITRE ATT&CK framework.  

• Security Recommendations: Using the vulnerability assessment and attack path analysis, Microsoft’s AI-SPM can offer contextualized guidance to enhance the security posture of AI applications, including recommendations on identity management, data security and internet exposure.​ 

The threat protection capabilities for AI services now cover both current and emerging threats, including direct and indirect prompt injections, novel techniques like the ASCII smuggling example described earlier, malicious URLs embedded within user prompts and AI responses, wallet abuse and more.  

Wallet abuse is especially intriguing — I even tested it for research myself. I visited several websites with AI chatbots to see if I could persuade one to generate an elaborate fairy tale. Unfortunately (or perhaps fortunately), my attempts were denied. But had I succeeded, that playful experiment could have unintentionally caused the organization to consume significantly more AI tokens and incur higher costs due to the complexity and length of my whimsical requests. 

Microsoft’s approach offers a compelling opportunity to secure AI, leverage AI-driven security tools and establish a self-reinforcing ecosystem where AI agents effectively collaborate within defined organizational boundaries. 

For enterprises heavily invested in Microsoft’s ecosystem, the potential is particularly exciting to integrate AI-driven security agents with endpoint protection, application-based AI assistants, email defenses, workload security and comprehensive SOC operations, thus transforming security from fragmented efforts into a unified, intelligent defense system.  

Want to hear more first-hand? Microsoft is hosting an event series on securing AI  

Microsoft Secure Event 

April 9, 2025, 11:00 a.m. – noon Eastern (Americas)  

April 10, 2025, 10:00-11:00 a.m. CET (Europe, Middle East, Africa)  

April 10, 2025, 12:00 noon – 1:00 p.m. SGT (Asia)