Runtime attacks can turn profitable AI into budget holes


AI is a promising technology, but its security costs are blindsiding enterprises. New attacks on AI’s operational side are quietly inflating budgets, jeopardizing regulatory compliance and eroding customer trust. All of these factors threaten the ROI and total cost of ownership of enterprise AI deployments.

AI’s potential to deliver game-changing insights and efficiency improvements has captured the enterprise. As organizations rush to operationalize models, a sobering truth is emerging: the inference stage, where AI transforms investment into real-time business value, is under attack. This critical moment is driving total cost of ownership (TCO) in ways that initial business-case calculations failed to predict.

Security executives, CFOs and others who approved AI projects for their transformative potential are now faced with the hidden costs of defending them. Inference is where AI “comes to life” for a company, and where it can do the most damage. The result is cost inflation: breach containment in regulated industries can run as high as $5 million per incident, compliance retrofits can cost hundreds of thousands of dollars, and trust failures may lead to stock losses or contract cancellations that decimate AI ROI. Without cost containment, AI becomes a budget wildcard.

The unseen battleground: AI inference, exploding TCO and more

Cristian Rodriguez, CrowdStrike’s field CTO for the Americas, told the RSAC 2025 audience that AI inference was rapidly becoming the next insider risk.

Other technology leaders, among them Vineet Arora and Steffen Schreier, echo this view and see a blind spot in enterprise strategies. Schreier, SVP of Product and Portfolio at Telesign, a Proximus Global company, says that blind spot is “the assumption” that third-party models have been thoroughly vetted and are inherently safe for deployment.

In reality, he warned, these models “often haven’t been evaluated against an organization’s specific threat landscape or regulatory needs,” which can lead to harmful or noncompliant outputs that erode brand confidence. Schreier told VentureBeat that “inference-time vulnerabilities — such as prompt injection, output manipulation or context leakage — could be exploited to produce harmful or biased outputs.” In regulated sectors especially, this is a serious risk that can quickly erode trust in a brand.

The fallout from a compromised inference stage affects TCO on multiple fronts: cybersecurity budgets spiral, regulatory compliance is put in jeopardy and customer trust erodes. Executive sentiment reflects this growing concern. In CrowdStrike’s State of AI in Cybersecurity Survey, only 39% of respondents thought that generative AI’s benefits clearly outweighed its risks, while 40% deemed them comparable. This ambivalence highlights a crucial finding: safety and privacy controls are now top requirements for new gen AI initiatives. A striking 90% of organizations have implemented or developed policies to govern AI adoption. The top concerns are no longer abstract: 26% cite the exposure of sensitive data and 25% fear adversarial attacks as key risks.

Security leaders exhibit mixed sentiments regarding the overall safety of gen AI, with top concerns centered on the exposure of sensitive data to LLMs (26%) and adversarial attacks on AI tools (25%).

Anatomy of an inference attack

Adversaries are aggressively probing the unique attack surface exposed by running AI models. To defend against this, Schreier says, it is important to treat each input as a potentially hostile attack. Frameworks such as the OWASP Top 10 for Large Language Model Applications catalog these threats, which are no longer theoretical but active attack vectors affecting the enterprise:

  1. Prompt injection (LLM01) and insecure output handling (LLM02): Attackers manipulate models through their inputs or outputs. Malicious inputs can cause a model to ignore its instructions or reveal proprietary code. Insecure output handling occurs when an application blindly trusts AI responses, allowing attackers to inject malicious code into downstream systems.
  2. Training data and model poisoning (LLM03): Attackers corrupt training data by introducing tainted samples or hidden triggers, so that a seemingly innocent input later unleashes malicious outputs.
  3. Model denial of service: Adversaries flood a model with complex inputs that slow or crash it, resulting in direct revenue loss.
  4. Supply chain and plugin vulnerabilities (LLM05, LLM07 and LLM08): AI ecosystems are built on shared components. For example, a vulnerability in the Flowise LLM tool exposed private AI dashboards and sensitive data, including GitHub tokens and OpenAI API keys, on 438 servers.
  5. Sensitive information disclosure (LLM06): Clever queries can extract confidential data from a model if that information was part of its training data.
  6. Excessive agency (LLM08) and overreliance (LLM09): Giving an AI agent unchecked access to execute trades or modify databases is a recipe for disaster.
  7. Model theft (LLM10): An organization’s proprietary model can be stolen through sophisticated extraction techniques, a direct attack on its competitive edge.

These threats are rooted in fundamental security failures. Adversaries log in with leaked credentials: according to the CrowdStrike Global Threat Report, 35% of cloud intrusions in early 2024 used valid user credentials, and new, unattributed cloud attacks rose 26%. A deepfake resulted in a fraudulent $25.6 million transfer, while AI-generated phishing emails have shown a click-through rate of 54%, more than four times higher than emails written manually.

The OWASP framework illustrates how the various LLM attack vectors target different components of an AI application, from prompt injection at the user interface to data poisoning in training and sensitive information disclosure from the data store.

Back to basics: fundamental security for a new era

To secure AI, we must return to the fundamentals of security, but with a modern perspective. “I believe that we need to step back and ensure that the foundations and fundamentals of security still apply,” Rodriguez argued. “The same approach that you would use to secure an OS is also the approach you would use to secure this AI model.”

To lock down cloud environments, where most AI workloads are located, it is important to enforce unified protection: rigorous data governance, robust cloud security posture management (CSPM) and identity-first security via cloud infrastructure entitlement management (CIEM). AI systems need the same access controls and runtime protections that are applied to other business-critical cloud assets.

Shadow AI, the unauthorized use of AI by employees, creates a massive, unknown attack surface. A financial analyst who uploads confidential documents to a free online LLM may accidentally leak proprietary information. As Rodriguez warned, queries made to public models could “become someone else’s answer.” Addressing this requires a combination of clear policy, employee training and technical controls such as AI security posture management (AI-SPM) to discover and assess all AI assets, sanctioned or not.

The tide is turning, says Mike Riemer, a field CISO.

Budget for inference security from day one: According to Arora, the first step is to conduct a “comprehensive risk-based assessment” and map the entire inference pipeline to identify all data flows and vulnerabilities. By relating these risks to financial impacts, he explains, “we can better quantify the cost of a breach” and create a realistic budget.

To organize this more systematically, CISOs, CFOs and other key stakeholders should begin with a risk-adjusted ROI model:

Security ROI = (estimated breach cost × annual risk probability) − total investment

For example, if an LLM inference attack could result in a loss of $5 million and its likelihood is 10%, the expected loss is $500,000. A $350,000 investment in inference-stage defenses would then yield a net gain of $150,000 in risk avoided. This model allows scenario-based budgeting that is directly tied to financial outcomes.
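The formula above carried through in code, as an added example that is not the article’s model or any vendor’s tool. `security_roi` reproduces the article’s $5 million / 10% / $350,000 case; the three-scenario comparison (baseline, protected, breach-reactive) that the article recommends in its ROI-protection model is an assumed extension in which the protected scenario keeps a residual breach probability (`p_protected`) and the reactive scenario pays an assumed post-breach retrofit, neither of which the one-line formula captures.

```python
"""Risk-adjusted security ROI from the article, carried through in code.
The $5M / 10% / $350K figures are the article's own example; the residual
probability, retrofit cost and three-scenario comparison are assumptions
added for illustration, not the article's model."""

from dataclasses import dataclass


def security_roi(breach_cost: float, annual_probability: float, investment: float) -> float:
    """Article formula: (estimated breach cost x annual risk probability) - total investment.
    It implicitly assumes the investment removes the whole expected loss."""
    expected_loss = breach_cost * annual_probability
    return expected_loss - investment


@dataclass(frozen=True)
class Scenario:
    name: str
    investment: float           # security spend committed up front
    probability: float          # annual breach probability under this scenario
    breach_cost: float          # loss if a breach occurs (containment, penalties, churn)
    retrofit_cost: float = 0.0  # compliance retrofit paid only after a breach

    @property
    def expected_cost(self) -> float:
        """Up-front spend plus probability-weighted breach loss (and any post-breach retrofit)."""
        return self.investment + self.probability * (self.breach_cost + self.retrofit_cost)


def three_scenarios(breach_cost: float, p_baseline: float, p_protected: float,
                    investment: float, retrofit_cost: float) -> dict:
    """Baseline / protected / breach-reactive comparison.
    p_protected is the assumed residual probability after controls are in place;
    the article's one-line formula is the special case p_protected = 0."""
    baseline = Scenario("baseline", 0.0, p_baseline, breach_cost)
    protected = Scenario("protected", investment, p_protected, breach_cost)
    # Breach-reactive: nothing spent up front, controls retrofitted after an incident.
    reactive = Scenario("breach-reactive", 0.0, p_baseline, breach_cost, retrofit_cost)
    return {s.name: s for s in (baseline, protected, reactive)}


def cost_avoided(scenarios: dict, against: str = "baseline") -> float:
    """Expected cost the protected scenario avoids relative to another scenario."""
    return scenarios[against].expected_cost - scenarios["protected"].expected_cost


if __name__ == "__main__":
    print(f"article case: net risk avoided ${security_roi(5_000_000, 0.10, 350_000):,.0f}")
    table = three_scenarios(5_000_000, 0.10, 0.02, 350_000, 250_000)
    for s in table.values():
        print(f"{s.name:16s} expected cost ${s.expected_cost:,.0f}")
    print(f"protected avoids ${cost_avoided(table):,.0f} vs baseline, "
          f"${cost_avoided(table, 'breach-reactive'):,.0f} vs breach-reactive")
```

With the assumed 2% residual probability and $250,000 retrofit, the protected scenario’s expected cost is $450,000 against $500,000 for doing nothing and $525,000 for reacting after a breach; the gap shrinks as the residual probability rises, which is exactly the sensitivity a CFO will ask about.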

Enterprises that allocate less than 8 to 12 percent of their AI project budgets to inference-stage cybersecurity are often blindsided by breach recovery and regulatory costs later on. VentureBeat interviewed a Fortune 500 healthcare provider CIO who requested anonymity; she now allocates 15 percent of her total gen AI budget to post-training risk, including runtime monitors, AI-SPM platforms and compliance audits. A practical budgeting plan should allocate costs across four cost centers: runtime monitoring (35%), adversarial simulation (25%), compliance tooling (20%) and user behavior analytics (20%).

Here is a sample allocation snapshot based on VentureBeat interviews with CFOs, CIOs and CISOs who are actively budgeting for AI projects.

| Budget category | Allocation | Use-case example |
| --- | --- | --- |
| Runtime monitoring | $300,000 | |
| Adversarial simulation | $200,000 | Red-team exercises to probe prompt injection |
| Compliance tools | $150,000 | EU AI Act alignment, SOC 2 inference |

Implement validation and runtime monitoring: Start by tuning anomaly detectors to flag behaviors such as abnormal API calls, output entropy changes or query frequency spikes. Vendors such as DataDome and Telesign offer real-time behavioral analysis tailored to gen AI abuse signatures.

Teams are advised to monitor entropy changes in outputs, token irregularities in model answers and atypical query frequency from privileged users. Effective setups stream this data into SIEM tools such as Splunk and Datadog with tailored gen AI parsers, and establish real-time thresholds for deviations from model baselines.
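Two of the signals just named, output-entropy drift and query-frequency spikes from privileged users, scored over constructed inference-gateway log lines, as an added example; this is not code from the article, from Telesign, DataDome, Splunk or Datadog, and the field names, role names, thresholds and sample events are all assumptions. The shape is that of a small SIEM parser: warm-up traffic sets an entropy baseline, each event is scored against it, and a per-user sliding window counts queries.

```python
"""Added example, not from the article or any vendor mentioned in it: a small
runtime monitor that scores two of the signals the text names, output-entropy
drift and query-frequency spikes from privileged users, over constructed
inference-gateway log lines. Field names, thresholds and the events themselves
are assumptions for illustration."""

import json
import math
from collections import Counter, defaultdict, deque
from datetime import datetime

PRIVILEGED_ROLES = {"admin"}      # assumed privileged role names
WINDOW_SECONDS = 60               # assumed sliding window for rate checks
MAX_PRIVILEGED_PER_WINDOW = 3     # assumed: more than 3 privileged queries per window is a spike
ENTROPY_DRIFT_BITS = 1.0          # assumed tolerated rise over the entropy baseline

# Constructed sample events (JSON lines), not real traffic. The "admin" burst
# contains one secret-looking, high-entropy output followed by a rapid run of queries.
SAMPLE_LOG = """
{"ts":"2025-06-01T10:00:01Z","user":"alice","role":"analyst","output":"Q2 revenue grew 4% on stronger services demand."}
{"ts":"2025-06-01T10:00:09Z","user":"bob","role":"analyst","output":"The forecast assumes stable input costs through Q3."}
{"ts":"2025-06-01T10:00:15Z","user":"carol","role":"analyst","output":"Headcount plans remain unchanged for the fiscal year."}
{"ts":"2025-06-01T10:00:21Z","user":"alice","role":"analyst","output":"Margins improved as logistics spending normalized."}
{"ts":"2025-06-01T10:00:30Z","user":"bob","role":"analyst","output":"Retention metrics are in line with prior quarters."}
{"ts":"2025-06-01T10:01:02Z","user":"dave","role":"admin","output":"sk-live-9fQ2xZ7wB1mK4pL8nR3tW6yU0cA5dEjJhGgHbCqT"}
{"ts":"2025-06-01T10:01:03Z","user":"dave","role":"admin","output":"Summary of vendor contracts for the procurement review."}
{"ts":"2025-06-01T10:01:04Z","user":"dave","role":"admin","output":"The procurement review covers eleven active vendors."}
{"ts":"2025-06-01T10:01:05Z","user":"dave","role":"admin","output":"Renewal dates are clustered in the fourth quarter."}
"""


def entropy_bits(text: str) -> float:
    """Shannon entropy of the character distribution, in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_events(log_text: str) -> list:
    """Parse JSON-lines events; malformed lines are dropped rather than crashing the pipeline."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            continue
    return events


def analyze(log_text: str, warmup: int = 5) -> list:
    """Return SIEM-style alert records for entropy drift and privileged query spikes."""
    events = parse_events(log_text)
    alerts = []
    # Baseline from the first `warmup` events, assumed to be known-good traffic.
    baseline = [entropy_bits(e["output"]) for e in events[:warmup]]
    baseline_mean = sum(baseline) / len(baseline) if baseline else 0.0
    recent = defaultdict(deque)  # user -> timestamps inside the sliding window
    for ev in events:
        h = entropy_bits(ev["output"])
        if h - baseline_mean > ENTROPY_DRIFT_BITS:
            alerts.append({"type": "output_entropy_drift", "user": ev["user"],
                           "ts": ev["ts"].isoformat(), "entropy": round(h, 2),
                           "baseline": round(baseline_mean, 2)})
        window = recent[ev["user"]]
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if ev["role"] in PRIVILEGED_ROLES and len(window) > MAX_PRIVILEGED_PER_WINDOW:
            alerts.append({"type": "privileged_query_spike", "user": ev["user"],
                           "ts": ev["ts"].isoformat(), "count": len(window),
                           "window_seconds": WINDOW_SECONDS})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(json.dumps(alert))
```

On the constructed log this yields two alerts: the key-shaped output from the admin user (its character entropy sits well above the prose baseline) and the fourth admin query inside one minute. In production the baseline would come from a rolling window rather than the first five events, and the thresholds would be tuned per model and per role.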

Adopt a zero-trust approach for AI. In AI environments, zero trust is non-negotiable; it rests on the principle “never trust, always verify.”

  • Permissions: Scope LLM access using role-based access control (RBAC) and time-boxed privileges.
  • Isolation: Isolate inference microservices using service mesh policies, and enforce least-privilege defaults via cloud workload protection platforms.

A proactive AI security strategy requires a holistic approach: visibility and supply chain security during development, securing infrastructure and data, and robust safeguards that protect AI systems at runtime in production.
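A guard between the model’s proposed action and the system that would carry it out, added here as an example; it is not code from the article, from Telesign, CrowdStrike or any other vendor named. It combines the insecure-output-handling defense from the OWASP list above (the model’s text is parsed and validated against an allowlist schema instead of being trusted blindly) with the zero-trust permissions just described (RBAC plus time-boxed grants), which also bounds the excessive-agency risk. The action names, roles, grants, fixed clock and sample outputs are assumptions.

```python
"""Added example (not from the article or any vendor it names): a guard
between an LLM's proposed action and the system that would carry it out.
The model's text is treated as untrusted data and validated against an
allowlist schema (insecure output handling, LLM02), and the caller's role
and time-boxed grant are checked before anything runs (zero-trust RBAC).
Actions, roles, grants and sample outputs are assumptions."""

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Allowlisted actions and the exact parameter names/types each accepts (assumed).
ACTION_SCHEMA = {
    "lookup_account": {"account_id": str},
    "create_ticket": {"account_id": str, "summary": str},
    "issue_refund": {"account_id": str, "amount": float},
}

# Assumed RBAC table: which actions each role may invoke.
ROLE_ACTIONS = {
    "support_agent": {"lookup_account", "create_ticket"},
    "finance_ops": {"lookup_account", "issue_refund"},
}

NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    expires_at: datetime  # time-boxed privilege: no grant lives forever


SUPPORT_GRANT = Grant("alice", "support_agent", NOW + timedelta(hours=1))
EXPIRED_GRANT = Grant("bob", "finance_ops", NOW - timedelta(minutes=5))


class Rejected(Exception):
    """Raised when the model output or the caller fails a check."""


def parse_action(raw_output: str) -> dict:
    """Strict parse: valid JSON, allowlisted action, exactly the schema's parameters."""
    try:
        obj = json.loads(raw_output)
    except json.JSONDecodeError as e:
        raise Rejected(f"output is not valid JSON: {e.msg}")
    if not isinstance(obj, dict) or not isinstance(obj.get("params"), dict):
        raise Rejected('output must be {"action": ..., "params": {...}}')
    action = obj.get("action")
    schema = ACTION_SCHEMA.get(action)
    if schema is None:
        raise Rejected(f"action {action!r} is not allowlisted")
    params = obj["params"]
    if set(params) != set(schema):  # no extra keys (smuggled instructions) and none missing
        raise Rejected(f"parameters for {action} must be exactly {sorted(schema)}")
    for key, typ in schema.items():
        if not isinstance(params[key], typ):
            raise Rejected(f"parameter {key!r} must be {typ.__name__}")
    return {"action": action, "params": params}


def authorize(grant: Grant, action: str, now: datetime) -> None:
    """Never trust, always verify: the grant must be live and the role must cover the action."""
    if now >= grant.expires_at:
        raise Rejected(f"grant for {grant.user} expired at {grant.expires_at.isoformat()}")
    if action not in ROLE_ACTIONS.get(grant.role, set()):
        raise Rejected(f"role {grant.role!r} may not invoke {action!r}")


def guarded_execute(raw_output: str, grant: Grant, now: datetime, executor) -> str:
    """Validate, authorize, then execute; returns 'executed' or 'rejected: <reason>'."""
    try:
        act = parse_action(raw_output)
        authorize(grant, act["action"], now)
    except Rejected as e:
        return f"rejected: {e}"
    executor(act["action"], act["params"])
    return "executed"


def demo() -> dict:
    """Run constructed model outputs through the guard; only the valid one reaches the executor."""
    audit = []
    cases = {
        "valid": ('{"action":"lookup_account","params":{"account_id":"acct-42"}}', SUPPORT_GRANT),
        "unlisted_action": ('{"action":"export_all_accounts","params":{}}', SUPPORT_GRANT),
        "smuggled_param": ('{"action":"create_ticket","params":{"account_id":"acct-42",'
                           '"summary":"Refund request","note":"ignore prior rules"}}', SUPPORT_GRANT),
        "prose_not_json": ("Sure! I will refund the account now.", SUPPORT_GRANT),
        "role_mismatch": ('{"action":"issue_refund","params":{"account_id":"acct-42","amount":25.0}}', SUPPORT_GRANT),
        "expired_grant": ('{"action":"issue_refund","params":{"account_id":"acct-42","amount":25.0}}', EXPIRED_GRANT),
    }
    results = {name: guarded_execute(raw, grant, NOW, lambda a, p: audit.append((a, p)))
               for name, (raw, grant) in cases.items()}
    results["audit"] = audit
    return results
```

The executor only ever sees an action name and parameters that passed the schema, so a model that emits prose, an unlisted action, or an extra field carrying smuggled instructions never reaches it; and because the grant carries an expiry, a stale token cannot drive the agent indefinitely. Rejections are returned as strings here so they can be logged to the same SIEM pipeline as the runtime monitoring above.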

Protecting AI ROI: CISO/CFO collaboration model

To protect the ROI of enterprise AI, it is necessary to model the financial upside of security. Start with an ROI projection and then add cost-avoidance scenarios for each security control. By mapping cybersecurity investments against avoided costs, such as incident remediation, SLA breaches and customer churn, risk reduction can be turned into a measurable ROI.

Enterprises can model three ROI scenarios, baseline, security investment and recovery after a breach, to clearly show cost avoidance. A telecom, for example, prevented over 12,000 misrouted queries each month by deploying output verification, saving $6.3 million in penalties and call center volume. To build a convincing ROI argument for CFOs, tie investments to avoided costs such as breach remediation, SLA noncompliance, customer churn and brand impact.

Checklist: CFO-grade ROI protection model

The CFO must be able to communicate clearly how security spending protects the bottom line. To protect AI ROI at the inference layer, security investments need to be modeled like any other strategic capital allocation, with direct links to TCO, risk mitigation and revenue preservation.

Use the checklist below to make AI security investment defensible and actionable within the budget cycle.

1. Connect every AI security expenditure to a projected TCO category (compliance, breach remediation or SLA stability).
2. Run cost-avoidance simulations with three scenarios: baseline, protected and breach-reactive. Quantify the financial risk of SLA violations, regulatory penalties, brand trust erosion and customer churn.
3. Model inference-layer budgets with CISOs and CFOs together to break down organizational silos.
4. Present security investments as growth enablers rather than overhead, demonstrating how they stabilize AI infrastructure to sustain value capture.

The model is not just for AI investments: it also defends budgets and brands, and it builds boardroom credibility.

Concluding analysis: a strategic imperative

CISOs should present AI risk management in terms of business enablers such as ROI protection, brand trust and regulatory stability. As AI inference moves deeper into revenue workflows, protecting it is not a cost center but the control plane of AI’s financial sustainability. The CFO must have financial metrics to act on when justifying strategic security investments at the infrastructure level.

To move forward, organizations must balance their investment in AI innovation with an equal investment in protecting it. This requires a new level of strategic alignment. Ivanti CIO Robert Grazioli told VentureBeat that “CISO and CIO alignment will be critical for effectively safeguarding modern businesses.” This collaboration allows organizations to manage the real cost of AI and turn a high-risk gamble into a sustainable, high-ROI engine of growth. Telesign’s Schreier said: “We look at AI inference risks from the perspective of digital identity and trust. We embed security throughout the lifecycle of our AI products, using access controls, usage tracking, rate limiting and behavioral analytics to detect misuse and protect our customers and end users.”
