AI has captured the attention of businesses with its potential for transformative insights and efficiency improvements. However, as companies work to implement their AI models, they are discovering a harsh reality: the inference stage is under attack. This critical phase is driving up the total cost of ownership (TCO) beyond initial estimates, leading to unexpected expenses.
Security experts and financial officers who approved AI projects for their potential benefits are now facing the hidden costs of protecting these systems. Adversaries have identified the inference stage as a vulnerable point where they can cause significant harm. Breach containment costs can exceed $5 million per incident in regulated industries, compliance updates can cost hundreds of thousands, and breaches of trust can result in stock losses or contract cancellations that undermine projected AI ROI. Without effective cost management at the inference stage, AI projects become unpredictable budget risks.
The unseen battlefield: AI inference and exploding TCO
AI inference is increasingly seen as a significant insider risk, as noted by Cristian Rodriguez, field CTO for the Americas at CrowdStrike, during RSAC 2025. Other technology leaders share this perspective, highlighting a common oversight in enterprise strategy. Vineet Arora, CTO at WinWire, emphasizes the need to focus on securing the inference stage, as many organizations prioritize securing AI infrastructure while neglecting inference. This oversight can lead to underestimated costs for continuous monitoring, real-time threat analysis, and quick patching mechanisms.
Steffen Schreier, SVP of product and portfolio at Telesign, warns against assuming that third-party models are entirely safe for deployment without thorough evaluation against an organization’s specific threat landscape and compliance requirements. Inference-time vulnerabilities, such as prompt injection or output manipulation, can be exploited by attackers to produce harmful or non-compliant results, posing serious risks, especially in regulated industries.
When the inference stage is compromised, the consequences impact various aspects of TCO. Cybersecurity budgets increase, regulatory compliance is at risk, and customer trust diminishes. A survey by CrowdStrike revealed that only 39% of respondents believe the rewards of generative AI outweigh the risks, highlighting the growing importance of safety and privacy controls in new AI initiatives.
Security leaders exhibit mixed sentiments regarding the overall safety of gen AI, with top concerns centered on the exposure of sensitive data to LLMs (26%) and adversarial attacks on AI tools (25%).
Anatomy of an inference attack
Adversaries are actively exploring the unique attack surface presented by running AI models, posing a significant threat. To defend against these attacks, Schreier advises treating every input as a potential hostile attack. The OWASP Top 10 for Large Language Model (LLM) Applications outlines various threats that are actively targeting enterprise AI applications:
- Prompt injection (LLM01) and insecure output handling (LLM02): Attackers manipulate models through inputs or outputs, potentially causing the model to ignore instructions or disclose proprietary code. Insecure output handling occurs when an application blindly trusts AI responses, allowing attackers to inject malicious scripts into downstream systems.
- Training data poisoning (LLM03) and model poisoning: Attackers corrupt training data with tainted samples, leading to hidden triggers that can produce malicious outputs from seemingly innocuous inputs.
- Model denial of service (LLM04): Adversaries can overwhelm AI models with complex inputs, consuming resources and potentially crashing the system, resulting in revenue loss.
- Supply chain and plugin vulnerabilities (LLM05 and LLM07): Vulnerabilities in shared AI components can expose sensitive data and compromise security.
- Sensitive information disclosure (LLM06): Querying AI models can extract confidential information present in training data or the current context.
- Excessive agency (LLM08) and overreliance (LLM09): Granting unchecked permissions to AI agents can lead to disastrous outcomes if manipulated by attackers.
- Model theft (LLM10): Proprietary models can be stolen through advanced extraction techniques, undermining an organization’s competitive advantage.
These threats are compounded by foundational security failures, including the use of leaked credentials in cloud intrusions and the rise of deepfake campaigns and AI-generated phishing attacks.

The OWASP framework demonstrates how different LLM attack vectors target various components of AI applications, highlighting the need for robust security measures.
Back to basics: Foundational security for a new era
Securing AI necessitates a return to security fundamentals but tailored to modern challenges. Rodriguez emphasizes the importance of applying the same security approach to AI models as to operating systems, highlighting the need for unified protection across all attack vectors.
This approach includes implementing rigorous data governance, robust cloud security posture management (CSPM), and identity-first security through cloud infrastructure entitlement management (CIEM) to secure the cloud environments hosting AI workloads. Identity is becoming the new perimeter, and AI systems must be governed with strict access controls and runtime protections to safeguard critical assets.
The specter of “shadow AI”: Unmasking hidden risks
Shadow AI, or unauthorized use of AI tools by employees, poses a significant and often overlooked security risk. Employees using AI tools without authorization can inadvertently expose sensitive data, leading to potential data breaches. Addressing this challenge requires clear policies, employee education, and technical controls like AI security posture management (AI-SPM) to identify and assess all AI assets, whether sanctioned or not.
Fortifying the future: Actionable defense strategies
While adversaries are leveraging AI for malicious purposes, defenders are beginning to fight back. Mike Riemer, Field CISO at Ivanti, highlights the importance of using AI for cybersecurity to analyze vast amounts of data and enhance defense mechanisms. To build a robust defense, several key strategies are recommended:
Budget for inference security from day zero: Conduct a comprehensive risk assessment to identify vulnerabilities in the inference pipeline and quantify the potential financial impact of security breaches. Allocating the right budget for inference-stage security can help mitigate risks and avoid costly breaches.
To structure this more systematically, CISOs and CFOs should start with a risk-adjusted ROI model. One approach:
Security ROI = (estimated breach cost × annual risk probability) – total security investment
For example, if an LLM inference attack could result in a $5 million loss with a 10% likelihood, the expected loss is $500,000. Investing $350,000 in inference-stage defenses could lead to a net gain of $150,000 by avoiding risks. This model enables scenario-based budgeting tied directly to financial outcomes.
Enterprises allocating less than 8 to 12% of their AI project budgets to inference-stage security are often blindsided later by breach recovery and compliance costs. A Fortune 500 healthcare provider CIO now allocates 15% of their total gen AI budget to post-training risk management, including runtime monitoring, AI-SPM platforms, and compliance audits. A practical budgeting model should allocate across four cost centers: runtime monitoring (35%), adversarial simulation (25%), compliance tooling (20%), and user behavior analytics (20%).
Here’s a sample allocation snapshot for a $2 million enterprise AI deployment based on ongoing interviews with CFOs, CIOs, and CISOs actively budgeting for AI projects:
| Budget category | Allocation | Use case example |
|---|---|---|
| Runtime monitoring | $300,000 | Behavioral anomaly detection (API spikes) |
| Adversarial simulation | $200,000 | Red team exercises to probe prompt injection |
| Compliance tooling | $150,000 | EU AI Act alignment, SOC 2 inference validations |
| User behavior analytics | $150,000 | Detect misuse patterns in internal AI use |
These investments help reduce breach remediation costs, regulatory penalties, and SLA violations, ultimately stabilizing AI TCO.
Implement runtime monitoring and validation: Set up anomaly detection to identify unusual behaviors at the inference layer, such as abnormal API call patterns or output entropy shifts. Providers like DataDome and Telesign offer real-time behavioral analytics tailored to detect misuse in gen AI systems.
Monitor output entropy shifts, track token irregularities in responses, and watch for unusual query frequencies from privileged accounts. Configure streaming logs into SIEM tools with specific gen AI parsers and establish real-time alert thresholds for deviations from model baselines.
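The monitoring described above, as an added example that is not code from the article or from any vendor named in it: it parses constructed inference-gateway log lines, flags replies whose per-character entropy departs from an assumed baseline (a looping, degenerate output or a random-looking one), and raises an alert when a privileged account exceeds an assumed per-minute query ceiling. The log format, baseline figures and thresholds are assumptions for the example.

```python
import json
import math
from collections import Counter, defaultdict

# Constructed inference-gateway log lines (not real data): one JSON record per
# request with the calling account, its privilege flag, a timestamp in seconds
# and the model's reply text.
SAMPLE_LOGS = [
    '{"ts": 1000, "account": "svc-billing", "privileged": false, "output": "Your balance is 42.10 USD."}',
    '{"ts": 1030, "account": "svc-billing", "privileged": false, "output": "Ticket escalated to tier 2."}',
    '{"ts": 1040, "account": "svc-billing", "privileged": false, "output": "error error error error error"}',
    '{"ts": 1050, "account": "admin-ops", "privileged": true, "output": "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcd"}',
    '{"ts": 1051, "account": "admin-ops", "privileged": true, "output": "Ticket escalated to tier 2."}',
    '{"ts": 1052, "account": "admin-ops", "privileged": true, "output": "Ticket escalated to tier 2."}',
    '{"ts": 1053, "account": "admin-ops", "privileged": true, "output": "Ticket escalated to tier 2."}',
]

# Baseline figures a deployment would learn from its own normal traffic; the
# values here are assumed for the example.
BASELINE_ENTROPY_BITS = 4.0     # typical per-character Shannon entropy of replies
ENTROPY_TOLERANCE_BITS = 0.8    # deviation beyond which an output is flagged
PRIVILEGED_MAX_PER_MINUTE = 3   # query-rate ceiling for privileged accounts

def shannon_entropy(text):
    """Per-character Shannon entropy in bits (0.0 for empty or single-symbol text)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def parse_logs(lines):
    return [json.loads(line) for line in lines]

def detect_anomalies(records, baseline=BASELINE_ENTROPY_BITS,
                     tol=ENTROPY_TOLERANCE_BITS, max_priv=PRIVILEGED_MAX_PER_MINUTE):
    """Return SIEM-style alerts for entropy shifts and privileged query bursts."""
    alerts, per_minute = [], defaultdict(int)
    for rec in records:
        h = shannon_entropy(rec["output"])
        if abs(h - baseline) > tol:   # degenerate (looping) or random-like output
            alerts.append({"kind": "entropy_shift", "account": rec["account"],
                           "ts": rec["ts"], "entropy": round(h, 2)})
        if rec["privileged"]:
            bucket = (rec["account"], rec["ts"] // 60)   # per-account minute bucket
            per_minute[bucket] += 1
            if per_minute[bucket] == max_priv + 1:       # alert once per bucket
                alerts.append({"kind": "privileged_query_rate",
                               "account": rec["account"], "minute": bucket[1]})
    return alerts
```

On the constructed sample this yields two entropy-shift alerts (the repeated "error" reply and the 40-distinct-character reply) and one privileged-rate alert for admin-ops, which is the shape of event a gen AI parser in a SIEM would forward against the alert thresholds the text describes.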
Adopt a zero-trust framework for AI: Implement a zero-trust architecture for AI environments, ensuring only authenticated users and devices have access to sensitive data and applications. Enforce identity verification, permissions based on roles, and segmentation to isolate AI microservices and enforce least-privilege principles.

A comprehensive AI security strategy requires a holistic approach, covering visibility, supply chain security during development, infrastructure and data security, and robust safeguards to protect AI systems during production.
Protecting AI ROI: A CISO/CFO collaboration model
Preserving the ROI of enterprise AI involves modeling the financial benefits of security measures. Begin with a baseline ROI projection and incorporate cost-avoidance scenarios for each security control. By linking cybersecurity investments to avoided costs like incident remediation and customer churn, risk reduction becomes a tangible ROI gain.
Develop three ROI scenarios (baseline, with security investment, and post-breach recovery) to illustrate cost avoidance clearly. For instance, a telecom company that implemented output validation prevented over 12,000 misrouted queries monthly, saving $6.3 million annually in penalties and call center volume. Demonstrate how security investments can mitigate risks across breach remediation, SLA non-compliance, brand impact, and customer churn to build a compelling case for ROI.
Checklist: CFO-Grade ROI protection model
CFOs must articulate how security spending safeguards the bottom line effectively. To protect AI ROI at the inference layer, security investments should be modeled like strategic capital allocations, with direct links to TCO, risk mitigation, and revenue preservation.
Use this checklist to make AI security investments boardroom-ready and actionable in budget planning.
- Link every AI security spend to a projected TCO reduction category (compliance, breach remediation, SLA stability).
- Run cost-avoidance simulations with 3-year horizon scenarios: baseline, protected, and breach-reactive.
- Quantify financial risk from SLA violations, regulatory fines, brand trust erosion, and customer churn.
- Collaborate with CISOs and CFOs to co-model inference-layer security budgets and break organizational silos.
- Present security investments as growth enablers, showcasing how they stabilize AI infrastructure for sustained value capture.
This approach not only defends AI investments but also safeguards budgets and brands, enhancing boardroom credibility and supporting growth.
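The risk-adjusted ROI formula from the budgeting section, the 35/25/20/20 cost-centre split, and the three scenarios (baseline, protected, breach-reactive) named above and in the checklist, carried through as an added example that is not code from the article: the worked figures ($5M breach, 10% likelihood, $350k investment) come from the text, while the three-year scenario arithmetic and the assumption that the protected scenario avoids the expected loss entirely are this example's own.

```python
# Risk-adjusted ROI model for inference-stage security, following the formula in
# the text (expected loss = breach cost x annual probability; security ROI =
# expected loss - security investment). The cost-centre split uses the 35/25/20/20
# percentages from the text; the three-year scenario arithmetic is this example's own.

COST_CENTRE_SHARES = {
    "runtime_monitoring": 0.35,
    "adversarial_simulation": 0.25,
    "compliance_tooling": 0.20,
    "user_behavior_analytics": 0.20,
}

def expected_annual_loss(breach_cost, annual_probability):
    """Annualised loss expectancy for one inference-stage breach scenario."""
    if not 0.0 <= annual_probability <= 1.0:
        raise ValueError("annual_probability must be between 0 and 1")
    return breach_cost * annual_probability

def security_roi(breach_cost, annual_probability, investment):
    """Net gain (negative = net cost) from spending `investment` to avoid the expected loss."""
    return expected_annual_loss(breach_cost, annual_probability) - investment

def allocate(investment, shares=COST_CENTRE_SHARES):
    """Split a security budget across cost centres; shares must sum to 1."""
    if abs(sum(shares.values()) - 1.0) > 1e-9:
        raise ValueError("shares must sum to 1")
    return {name: round(investment * share, 2) for name, share in shares.items()}

def three_year_scenarios(breach_cost, annual_probability, annual_investment, years=3):
    """Cumulative cost of the baseline, protected and breach-reactive scenarios.

    Assumptions of this example: the protected scenario avoids the expected loss
    entirely (as the text's worked figures imply), and the breach-reactive scenario
    absorbs one full breach in year one before funding the same defences.
    """
    eal = expected_annual_loss(breach_cost, annual_probability)
    return {
        "baseline": eal * years,
        "protected": annual_investment * years,
        "breach_reactive": breach_cost + annual_investment * (years - 1),
    }

if __name__ == "__main__":
    # Worked figures from the text: $5M breach, 10% annual likelihood, $350k spend.
    print(expected_annual_loss(5_000_000, 0.10))        # 500000.0
    print(security_roi(5_000_000, 0.10, 350_000))       # 150000.0
    print(allocate(350_000))
    print(three_year_scenarios(5_000_000, 0.10, 350_000))
```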
Concluding analysis: A strategic imperative
CISOs must position AI risk management as a business enabler, quantifying it in terms of ROI protection, brand trust preservation, and regulatory stability. As AI inference becomes more integral to revenue workflows, protecting it is not a cost burden but a critical component for ensuring the financial sustainability of AI projects. Strategic security investments at the infrastructure layer should be justified using financial metrics that resonate with CFOs.
Organizations must strike a balance between investing in AI innovation and securing it effectively. This requires a high level of strategic alignment. As Robert Grazioli, CIO at Ivanti, emphasizes, CISO and CIO collaboration is essential for safeguarding modern businesses. This partnership breaks down silos and enables organizations to manage the true costs of AI, transforming high-risk ventures into sustainable engines of growth.
Schreier from Telesign emphasizes the importance of embedding security across the lifecycle of AI tools to protect digital identity and trust. By implementing access controls, usage monitoring, and behavioral analytics, organizations can detect misuse and safeguard both their customers and end-users from evolving threats.
He further explains, “Output validation plays a crucial role in our AI security architecture, particularly as many risks during inference stem from how a model behaves in real