Contact
Enterprise AI Security Threat Model
Security Reference · April 2026
⚠ Security Threat Model Attack Vectors Risk Impact Mitigation Strategy

Enterprise
AI Security
Threat Model

AI systems have expanded the enterprise attack surface beyond what traditional security frameworks were built to address. These are the nine critical threat vectors — with documented real-world incidents, risk impact analysis, and operational mitigation controls for each.

April 2026 · 9 Threat Vectors · OWASP LLM Top 10 Mapped · NIST AI RMF Aligned
Threat Index // 9 Vectors
01Compliance Violations
 02Data Poisoning
 03Excessive Autonomy
 04Supply Chain Risks
 05Model Drift
 06Model Inversion
 07API & Credential Theft
 08Unauthorized Tool Use
 09Context Leakage
9.6
CVSS score for CVE-2025-53773 — prompt injection in GitHub Copilot enabling remote code execution. AI is now a 9.6-severity attack surface.
300K
ChatGPT credentials discovered in infostealer malware in 2025 — IBM X-Force 2026. AI credential theft is a primary enterprise breach vector.
70%
of organisations identify the fast-moving GenAI ecosystem as their leading security concern — Thales Group 2025 Data Threat Report
44%
rise in attacks exploiting public-facing AI applications in 2025 — IBM X-Force 2026. AI APIs with permissive accounts are spring-boards for lateral movement.
Threat Model Overview

AI Has Expanded the Enterprise Attack Surface Beyond What Traditional Security Handles

// ENTERPRISE AI SECURITY THREAT MODEL — April 2026
// 9 attack vectors documented · OWASP LLM Top 10 mapped · NIST AI RMF aligned

CRITICAL: Prompt Injection (CVE-2025-53773, CVSS 9.6)
CRITICAL: API & Credential Theft (300K AI credentials in 2025 infostealers)
HIGH: Data Poisoning — Check Point names it “new zero-day” for AI systems
HIGH: Supply Chain (700+ orgs breached via single OAuth token — UNC6395, 2025)
HIGH: Excessive Autonomy — OWASP Agentic Top 10 published late 2025
MEDIUM: Model Inversion · Model Drift · Context Leakage · Compliance Violations

// Threat landscape is expanding faster than security frameworks can adapt.
// Continuous reassessment is mandatory — point-in-time audits are insufficient.

The AI security threat landscape of 2026 is defined by a convergence of traditional cybersecurity vectors and an entirely new class of attack that specifically exploits the probabilistic, data-dependent, and autonomous characteristics of AI systems. Attackers no longer need to hack into a server or exploit a code vulnerability to compromise an enterprise AI system — they can tamper with the data that trains it, inject instructions through the content it processes, steal the credentials that authenticate it, or simply wait for its self-supervised drift to produce harmful outputs without any active attack at all.

Check Point’s 2026 Tech Tsunami report calls prompt injection and data poisoning the “new zero-day” threats — attacks that blur the line between security vulnerability and misinformation. Microsoft’s RSAC 2026 analysis confirmed that AI is not just accelerating cyberattacks; it is upgrading them. The tempo, iteration speed, and precision of attacks have fundamentally changed even when the objectives — credential theft, financial gain, and espionage — remain constant.

The nine threat vectors mapped below each follow the same structure: Attack Vector (how the attack occurs), Risk Impact (what damage it causes), and Mitigation Strategy (the controls that address it). This is a practical operational reference, not a theoretical framework. Every documented incident cited is real and verified.

The 9 Attack Vectors
Documented Enterprise AI Threats — 2025–2026
01
COMPLY
Regulatory / Legal
Compliance & Regulatory Violations
AI outputs violate industry-specific regulatory requirements — silently, at scale
MEDIUM RISK EU AI Act · Aug 2026 GDPR Art. 22 · HIPAA

AI systems operating in regulated industries — financial services, healthcare, legal, insurance — face a compliance risk that does not require any external attacker: the system produces outputs that violate regulatory requirements on its own. An LLM-powered loan decision tool that produces discriminatory outputs violates the EU AI Act’s high-risk AI obligations and exposes the organisation to fines up to €35 million. A clinical AI that provides medical guidance beyond its authorised scope creates HIPAA exposure and professional liability.

The compliance failure is compounded by AI’s scale — a single non-compliant AI configuration can produce thousands of violating outputs before any human reviewer identifies the pattern. Automated pipelines that route AI outputs directly to customers or downstream systems accelerate the exposure window and the audit burden simultaneously.

The EU AI Act’s August 2026 enforcement date makes this threat operationally urgent: organisations that cannot demonstrate documentation, human oversight records, bias test results, and conformity assessments for high-risk AI systems face both fines and reputational damage. Compliance risk is no longer a legal department concern — it is an AI engineering and deployment obligation.

Attack Vector
AI outputs violate industry-specific regulatory requirements without triggering any technical alert
Automated pipelines route non-compliant outputs to customers or regulators at scale
Bias or hallucination in high-risk decision systems (credit, hiring, healthcare) produces discriminatory outcomes
Risk Impact
Legal penalties up to €35M or 7% global turnover under EU AI Act
Enterprise trust erosion with customers and institutional partners
Regulator-mandated AI system shutdown or remediation
Mitigation Strategy
Policy enforcement layers with output filtering against defined compliance rules
Comprehensive audit logging of all AI decisions and their basis
Pre-deployment regulatory risk assessment; EU AI Act conformity documentation
Human oversight checkpoints for all high-risk AI decisions before they reach end-users
02
POISON
Training / Retrieval Integrity
Data Poisoning
Compromised training or retrieval data corrupts model outputs at the source
CRITICAL RISK OWASP LLM03 Check Point “New Zero-Day”

Data poisoning attacks inject malicious, false, or biased data into an AI system’s training pipeline or retrieval index — corrupting the model’s behaviour at the source rather than at the output layer. Unlike traditional software attacks, poisoning an AI does not require hacking into a server or exploiting a code bug — it only requires tampering with the data supply chain. Check Point’s 2026 Tech Tsunami report names data poisoning a “new zero-day” threat precisely because it subverts an organisation’s AI logic without touching its traditional IT infrastructure.

The scale required is smaller than intuition suggests. Research from Columbia, NYU, and Washington University demonstrated that as few as 50,000 fake articles added to a public training dataset were sufficient to corrupt medical LLMs — while another study found that very small quantities of poisoned data corrupted even the largest models. In 2025, successful poisoning attacks were carried out against RAG pipelines, MCP tool integrations, and synthetic data generation workflows. A single poisoned dataset can propagate across thousands of applications that depend on that model.

// Documented Incident Researchers demonstrated 90% manipulation of AI responses using just 5 carefully crafted documents injected into a RAG pipeline. Fraud detection models were made to approve fraudulent transactions by injecting mislabelled “safe” examples into training data months before detection.
Attack Vector
Malicious data injected into training sets, fine-tuning datasets, or RAG retrieval indices
Corrupted data alters model behaviour — embedding backdoors, biases, or false decision patterns
Poisoned synthetic data enters training pipelines without provenance checks
Risk Impact
Model produces biased, harmful, or manipulated responses at scale
Silent fraud approval or security policy violations embedded in decision logic
Damage may not be detected for months — models continue operating during exposure window
Mitigation Strategy
Strict data provenance tracking and validation for all training and fine-tuning datasets
Anomaly detection on model outputs to catch behavioural drift indicating poisoned data
Sandbox and test model updates in isolated environments before production promotion
Continuous integrity monitoring of retrieval indices and RAG data sources
03
AGENT
Agentic AI / Autonomy
Excessive Autonomy Risks
Autonomous agents operate beyond approved boundaries — without human review in the loop
HIGH RISK OWASP Agentic Top 10 CSA ATF 2026

OWASP published a dedicated Top 10 for Agentic Applications by late 2025, confirming that autonomous AI agent risks now constitute a distinct security category. When AI agents are granted broad tool access, API permissions, and decision-making authority without corresponding oversight controls, they can take consequential actions far outside the scope their operators intended — deleting records, executing financial transactions, publishing content, or modifying infrastructure configurations.

The OpenClaw incident of 2026 — where a viral open-source AI agent with 135,000 GitHub stars created over 21,000 exposed enterprise instances — illustrated the scale of the risk. When employees connect autonomous agents to corporate systems like Slack, Google Workspace, or production databases, they create shadow AI with elevated privileges that traditional security tools cannot detect. The agent acts, at machine speed, on behalf of whoever deployed it — with no per-action human review.

// Documented Incident OpenClaw AI agent: 21,000+ exposed enterprise instances, malicious marketplace exploits, shadow AI with elevated corporate system access. Anthropic documented the first AI-orchestrated cyber-espionage campaign in November 2025 where a jailbroken agent handled 80–90% of a complex attack chain autonomously.
Attack Vector
Autonomous agents operate beyond approved scope with broad tool permissions
Employees deploy shadow AI agents with elevated corporate system access
Jailbroken or prompt-injected agents execute attacker-directed multi-step attack chains
Risk Impact
Unintended financial, operational, or reputational damage at machine speed
Lateral movement across enterprise systems via agent API access
Complete attacker-controlled attack chains executed by the enterprise’s own AI agents
Mitigation Strategy
Human-in-the-loop controls and escalation protocols for high-consequence actions
Minimal tool surface — expose only the permissions an agent requires for its specific task
Agent registry and workflow versioning to track all deployed autonomous agents
Circuit breakers and time-bound permission grants; kill-switch for SVID revocation
04
SUPPLY
Third-Party / Dependencies
Supply Chain Vulnerabilities
Third-party models, libraries, or APIs introduce hidden risks before deployment
HIGH RISK OWASP LLM05 Verizon DBIR 2025 ×2

Verizon’s 2025 Data Breach Investigations Report found that third-party involvement in breaches doubled year-over-year. The AI supply chain has dramatically expanded this surface: every third-party model, dataset, plugin, API integration, and library dependency is a potential vector for hidden vulnerabilities to enter enterprise AI systems before they are deployed. Unlike traditional software supply chain attacks, AI supply chain compromises can be invisible at the code level — a poisoned model checkpoint behaves identically to a clean one under normal operation but embeds backdoors that activate under specific trigger conditions.

The UNC6395 OAuth supply chain attack of August 2025 required no exploit. The attacker used stolen OAuth tokens from a trusted SaaS integration to access customer Salesforce environments across 700+ organisations — each connection looked legitimate because it came from a sanctioned SaaS app, not a compromised user account. This is the supply chain risk in its most operationally dangerous form: trust weaponised against the organisations that extended it.

// Documented Incident — UNC6395, Aug 2025 Stolen Drift OAuth tokens → 700+ org Salesforce environments accessed → contacts, opportunities, AWS keys, Snowflake tokens exfiltrated. No exploit. Legitimate access weaponised. Salesforce removed Drift from AppExchange pending investigation.
Attack Vector
Third-party models, datasets, or libraries introduce backdoors or vulnerabilities
Compromised OAuth tokens or API integrations provide legitimate-looking access to enterprise data
Poisoned container images or model checkpoints enter registries and propagate to production
Risk Impact
Backdoors, malware, or compromised dependencies silently present across production AI systems
Lateral movement from a single compromised integration across all connected enterprise systems
Single poisoned dataset propagates across thousands of applications that depend on the shared model
Mitigation Strategy
Vendor audits and dependency security scanning before any third-party AI integration
Model artifact signing and trusted registries with strict pipeline controls
Monitor app-to-app OAuth connections — non-human identity tokens run unmonitored by default
SBOM/AIBOM (AI Bill of Materials) for all AI components and dependencies
05
DRIFT
Model Lifecycle / Performance
Model Drift
Model performance degrades as real-world conditions diverge from training data — silently
MEDIUM RISK NIST AI RMF 1.0 Continuous Monitoring

Model drift is the gradual degradation of AI model performance as the statistical properties of production data diverge from those present in the training dataset. Unlike the other threats in this model, drift requires no active attacker — it is a passive failure mode inherent to any AI system operating in a dynamic world. Performance degradation is particularly dangerous because systems continue operating well enough until significant harm has already occurred.

Three drift variants require continuous monitoring: data drift (input distributions diverge from training), concept drift (the relationship between inputs and target outcomes changes over time), and upstream data drift (changes in data collection or processing alter incoming characteristics without any real-world change). A credit scoring model trained on pre-recession economic data encounters fundamentally different applicant profiles during an economic downturn — making decisions that appear algorithmically valid but are systematically miscalibrated to current conditions.

Attack Vector
Model performance degrades as production data distributions shift from training conditions
Concept drift — relationship between input features and correct outputs changes over time
Upstream changes in data pipelines alter model inputs without triggering alerts
Risk Impact
Incorrect decisions propagated through enterprise automation pipelines at scale
Unreliable AI outputs undermine trust in downstream automated workflows
Regulatory exposure when drifted model produces discriminatory or non-compliant outputs
Mitigation Strategy
Continuous monitoring with automated alerts when drift thresholds are crossed
Baseline performance metrics and validation datasets for early drift detection
Retraining governance frameworks — scheduled and trigger-based re-validation
Explainability monitoring (SHAP) to detect feature importance shifts before output quality degrades
06
INVERT
Privacy / Training Data Exposure
Model Inversion
Repeated queries reconstruct private training data — no server access required
HIGH RISK OWASP LLM06 GDPR Art. 17 · HIPAA

Model inversion attacks systematically query a deployed AI model and analyse its outputs to reconstruct information about its training data — recovering Personally Identifiable Information (PII), proprietary records, or confidential datasets that the model was trained on, without ever having access to those datasets directly. The attack requires only API access to the model — which may be publicly available.

When models memorise training data rather than learning patterns, information can leak via well-scoped queries never intended to retrieve it. This is especially severe for models fine-tuned on sensitive domain data — medical records, financial information, legal documents, internal communications. A healthcare organisation that fine-tunes an LLM on patient records and then deploys it via API has potentially created a recoverable store of protected health information accessible to anyone with an API key.

Attack Vector
Adversary systematically queries the model and analyses outputs to reverse-engineer training data
Gradient-based techniques, membership inference, or high-volume queries extract training data traces
LLMs trained on sensitive data may reproduce it verbatim via seemingly innocuous queries
Risk Impact
Leakage of proprietary or personal information from training data
GDPR, HIPAA, and data protection regulatory violations with material liability
Competitive intelligence exposure from models trained on internal enterprise data
Mitigation Strategy
Output filtering and differential privacy techniques during training to prevent memorisation
Audit what data AI systems can access; enforce least-privilege across all integrations
Regular adversarial probing to test for memorisation and unintended data leakage
Rate limiting and anomaly detection on query patterns that suggest extraction attempts
07
CRED
Identity / Access
API Key & Credential Theft
Compromised keys enable unauthorised model access, service usage, and lateral movement
CRITICAL RISK IBM X-Force 2026 300K credentials in 2025

IBM’s 2026 X-Force Threat Intelligence Index found over 300,000 ChatGPT credentials discovered in infostealer malware in 2025. Stolen AI platform credentials pose risks far beyond another account entry point: attackers can siphon entire conversation histories filled with sensitive business information, access connected enterprise integrations, and use the legitimate account to make API calls that appear authorised. The Internet Archive’s catastrophic 2024 breach resulted from a GitLab authentication token hardcoded in 2022 — sitting dormant and unrotated for two years before exploitation.

AI API keys present unique risks because they are high-value, often long-lived, and frequently embedded in application code, environment variables, or CI/CD pipelines. Once compromised, an API key provides access not just to the model but to every integration that key has been granted permission to access — including RAG retrieval systems, tool call endpoints, and connected enterprise data stores.

// Documented Scale — IBM X-Force 2026 300,000+ ChatGPT credentials found in infostealer malware in 2025 alone. 44% rise in attacks exploiting public-facing AI applications — AI APIs with permissive accounts used as springboards for lateral movement across the entire enterprise stack.
Attack Vector
API keys stolen via infostealer malware, phishing, or hardcoded credentials in code repositories
Long-lived tokens remain valid for years after exposure without rotation
AI platform credentials enable access to conversation histories, integrations, and connected data
Risk Impact
Financial loss from unauthorised model usage billed to enterprise accounts
Lateral movement: compromised AI key provides access to all connected enterprise integrations
Sensitive conversation history exfiltration — business strategy, legal matters, PII
Mitigation Strategy
Secret rotation policies — short-lived credentials with automated rotation cycles
Secure vault storage (HashiCorp Vault, AWS Secrets Manager) — never hardcode credentials
SPIFFE/SPIRE workload identity — replace API keys with cryptographically attested identities
Anomaly detection on API usage patterns to detect compromised credential activity
08
TOOL
Agentic / Function Calling
Unauthorized Tool Invocation
AI invokes tools or APIs outside its authorised scope — triggered by injection or hallucination
HIGH RISK OWASP LLM07 Function Hallucination

Unauthorized tool invocation occurs when an AI agent calls a function, API endpoint, or tool it was not supposed to invoke for a given task — either because a prompt injection instructed it to, or because the model hallucinated an appropriate tool call and selected incorrectly from its available function set. The consequence is not incorrect text — it is an incorrect real-world action executed with the full permissions of the agent.

In 2025, the first major AI agent security crisis came from precisely this vector: OpenClaw agents connected to corporate Slack workspaces and Google Workspace began taking actions outside their intended scope when users connected them to production systems. Tool proliferation is the primary risk amplifier — an agent with 50 tools in its schema will mis-select far more often than one with 5. Every tool the agent can invoke is a surface for hallucinated invocations and adversarial injection.

Attack Vector
Prompt injection redirects the agent to invoke tools outside its authorised scope
Function hallucination — model selects wrong tool or generates fabricated tool parameters
Over-permissioned tool schemas enable lateral movement across enterprise systems
Risk Impact
Unintended data deletion, publication, financial transactions, or infrastructure changes
Lateral movement via agent API access across all connected enterprise systems
Regulatory exposure if unauthorised tool calls involve customer data or financial records
Mitigation Strategy
Minimal tool surface — expose only the functions required for the specific agent’s task
Input validation and isolated instruction boundaries — separate system prompts from user input
Human-in-the-loop confirmation before destructive or irreversible tool executions
Dry-run / sandbox mode to simulate tool call consequences before committing
09
LEAK
Confidentiality / Data Exposure
Context Leakage
Improper context handling exposes confidential enterprise information through AI outputs
HIGH RISK EchoLeak CVE-2025-32711 OWASP LLM02

Context leakage occurs when an AI system exposes information it should not — through its outputs, its reasoning trace, its system prompt, or through data accessible in its retrieval context. The EchoLeak vulnerability (CVE-2025-32711) in Microsoft 365 Copilot demonstrated the most dangerous form: a zero-click prompt injection embedded in a normal business document silently exfiltrated enterprise data without any user action. No code was executed. Copilot processed the malicious instruction as if it were a legitimate part of the document.

Context leakage is compounded by multi-tenant AI deployments where multiple users or organisations share a model instance without adequate context segmentation. When one user’s interaction can surface information loaded into the model’s context for another user’s session, the result is a cross-tenant data breach that is architecturally trivial to exploit and extremely difficult to detect after the fact.

// Documented Incident — EchoLeak CVE-2025-32711 Zero-click data exfiltration from Microsoft 365 Copilot via text embedded in normal business documents. No code execution required. Copilot behaved exactly as designed — processing the malicious prompt injection when users opened innocent files. CVSS score classified critical.
Attack Vector
Prompt injection in processed documents silently exfiltrates enterprise data
Improper context segmentation exposes one user’s or tenant’s data to another
System prompt extraction reveals privileged instructions and business logic
Risk Impact
Regulatory violations — GDPR, HIPAA, sector-specific data protection requirements
Intellectual property compromise — system prompts expose proprietary business logic
Cross-tenant data breach in multi-user AI deployments
Mitigation Strategy
Strict access control and contextual data segmentation — no cross-tenant context bleed
Treat all retrieved content as untrusted input — sandbox RAG retrieval from action execution
Data Loss Prevention (DLP) layers scanning AI inputs and outputs for sensitive patterns
Enforce output filters and prompt logging at runtime for all GenAI deployments

“AI is not just accelerating cyberattacks — it is upgrading them. The objective has not changed: credential theft, financial gain, and espionage. What has changed is the tempo, the iteration speed, and the ability to test and refine at scale. Organizations building security around a static checklist will find their controls outdated before the next budget cycle.”

Microsoft Security Blog — Threat Actor Abuse of AI Accelerates From Tool to Cyberattack Surface · RSAC 2026
Threat Matrix

All 9 Vectors — Quick Reference

Severity, OWASP mapping, and primary mitigation control for every documented threat.

# Threat Vector Severity OWASP / Reference Primary Mitigation
01 Compliance & Regulatory Violations MEDIUM EU AI Act · GDPR Art. 22 Policy enforcement layers + audit logging + human oversight gates
02 Data Poisoning CRITICAL OWASP LLM03 Data provenance tracking + anomaly detection + sandbox model updates
03 Excessive Autonomy Risks HIGH OWASP Agentic Top 10 HITL controls + agent registry + minimal permissions + kill-switch
04 Supply Chain Vulnerabilities HIGH OWASP LLM05 · Verizon DBIR 2025 Vendor audits + artifact signing + AIBOM + OAuth token monitoring
05 Model Drift MEDIUM NIST AI RMF MEASURE Continuous monitoring + drift detection + retraining governance
06 Model Inversion HIGH OWASP LLM06 · GDPR Art. 17 Differential privacy + output filtering + adversarial probing + rate limiting
07 API Key & Credential Theft CRITICAL IBM X-Force 2026 Secret rotation + vault storage + SPIFFE workload identity + usage anomaly detection
08 Unauthorized Tool Invocation HIGH OWASP LLM07 Minimal tool surface + input validation + HITL for destructive calls + dry-run mode
09 Context Leakage HIGH EchoLeak CVE-2025-32711 Context segmentation + DLP layers + treat retrieved content as untrusted + prompt logging
Operational Posture

Continuous Reassessment Is Not Optional

The nine threat vectors documented here were not theoretical when this model was written. Every documented incident cited — the Internet Archive breach, the UNC6395 OAuth attack, EchoLeak, OpenClaw, the 300,000 stolen ChatGPT credentials, the first AI-orchestrated cyber-espionage campaign — occurred in 2024–2026 in production enterprise environments. These are the operational conditions that every AI deployment team is working in right now.

Traditional security frameworks were not designed for AI’s unique threat surface. Data poisoning does not require hacking a server. Model inversion only requires API access. Context leakage can happen without any code execution. Excessive autonomy risk is created the moment an agent is granted broad permissions — before any attacker is involved. The controls that address these vectors — SPIFFE workload identity, policy-as-code enforcement, continuous drift monitoring, differential privacy, data provenance tracking — are AI-native security disciplines, not extensions of traditional perimeter defences.

Organisations that adopt a static, point-in-time security audit against this threat model will find their controls outdated before the next budget cycle. New attack vectors emerge with every new AI capability release — OWASP went from no LLM framework to a Top 10 for both LLMs and Agentic Applications in under 24 months. The only sustainable posture is continuous reassessment: quarterly at minimum, and immediately after any trigger event — a new AI vendor, a regulatory update, a new model deployment, or a threat intelligence report describing a new attack class.

// ENTERPRISE AI SECURITY POSTURE CHECKLIST
$✓ credential_rotation SPIFFE identity replacing static API keys in production
$✓ data_provenance Training dataset lineage tracking and integrity monitoring active
$⚠ agent_permissions Minimal tool surface enforced — audit recommended for existing deployments
$✓ drift_monitoring Automated alerts on model performance degradation configured
$✗ context_segmentation Multi-tenant AI context isolation not fully implemented — CRITICAL
$⚠ supply_chain Third-party model audit coverage partial — AIBOM not yet generated
$✓ hitl_gates Human-in-the-loop approval for high-consequence agent actions configured
$✗ eu_ai_act Conformity documentation for high-risk AI systems incomplete — August 2026 deadline
Sources: PurpleSec — 21 AI Security Risks Every Business Must Know 2026 · Microsoft Security Blog — Threat Actor Abuse of AI Accelerates (RSAC 2026) · Cycode — Top AI Security Vulnerabilities 2026 · SentinelOne — Top 14 AI Security Risks 2026 · Reco — AI & Cloud Security Breaches 2025 Year in Review · TTMS — Training Data Poisoning: The Invisible Cyber Threat of 2026 · DeepStrike — AI Cybersecurity Threats 2026: Enterprise Risks and Defenses · ITTech Pulse — AI Security Risks 2026: Emerging Threats Every Enterprise Must Prepare For · Trend Micro — AI-fication of Cyberthreats: Security Predictions 2026 · Microsoft Tech Community — Securing the AI Pipeline: From Data to Deployment · IBM X-Force Threat Intelligence Index 2026 · Verizon DBIR 2025 (Third-party breach involvement doubled) · Check Point 2026 Tech Tsunami Report · OWASP LLM Top 10 2025 · OWASP Agentic AI Top 10 (late 2025) · Thales Group 2025 Data Threat Report (70% cite GenAI as leading security concern) · CVE-2025-32711 EchoLeak · CVE-2025-53773 GitHub Copilot (CVSS 9.6) · Anthropic — GTG-1002 Technical Report (AI-orchestrated cyber-espionage November 2025)