Two years ago, researchers Hillai Ben Sasson and Dan Segev began a comprehensive security assessment of AI infrastructure. Their objective was to evaluate the resilience of the systems used to train, run, and host AI services. The results, which they plan to present at the upcoming RSA Conference in March, indicate that vulnerabilities exist across virtually every major AI platform examined.
Ben Sasson and Segev, who work in offensive and defensive research at cloud security firm Wiz, initially focused on simple supply chain risks, such as the potential for arbitrary code execution within the widely used Pickle format. However, their investigation expanded into a broader analysis of the AI stack, ultimately identifying a threat model comprising five distinct layers.
Dan Segev, a security architect in the Office of the CTO at Wiz, suggests that while prompt injection receives significant attention, the primary security focus should shift toward the infrastructure supporting AI services. While prompt injection remains a valid vector, new technologies—such as the Model Context Protocol (MCP)—are frequently deployed with fundamental infrastructure vulnerabilities. Without a clear understanding of the threat model at this deeper level, organizations may overlook critical risks.
This research arrives as enterprises rapidly integrate AI to drive innovation and efficiency, often outpacing security validation. According to the 2026 CISO AI Risk Report, 83% of Chief Information Security Officers express concern regarding the level of access AI tools have to enterprise systems. Furthermore, 71% believe AI has access to core business systems and have identified unsanctioned AI tools operating within their environments. The speed of development has, in some cases, led to the deployment of products where security features were not the primary design priority.
Architectural Risks in Model Formats
A primary example of infrastructure risk involves the Pickle format. Frequently used to store model weights, Pickle mixes data and code, a design choice that allows the execution of arbitrary commands when a file is loaded. Because many current formats and infrastructure tools originated in data research environments, early design decisions often lacked a rigorous security threat model.
Ben Sasson notes that the research team was surprised to find that popular formats like Pickle contain inherent security risks by design. To test the implications, the researchers simulated the deployment of models containing proof-of-concept code to major AI providers to observe the results.
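To make the "data mixed with code" property concrete from a defender's side, here is an added example (not code from the article or from the Wiz researchers) that inspects a pickle stream with the standard library's `pickletools` before anything is loaded, listing every global it would import and flagging the opcodes that import and call code, then loads it through an `Unpickler` whose `find_class` only honours an explicit allowlist. The sample streams are constructed inline: a plain dict of floats, and an `OrderedDict`, which is benign but whose stream must import and call a class and therefore exercises the same opcodes a hostile file would.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Opcodes through which a pickle stream imports a callable and invokes it while loading.
# Legitimate files use them too, so a hit means "inspect before loading", not "malicious".
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "REDUCE", "NEWOBJ", "NEWOBJ_EX", "BUILD"}
STRING_OPCODES = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
                  "STRING", "BINSTRING", "SHORT_BINSTRING"}

def scan_pickle(data: bytes) -> dict:
    """Walk the opcode stream with pickletools, never executing it, and list what it would import."""
    imports, hits, strings = [], [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPCODES:
            strings.append(arg)
        if op.name in ("GLOBAL", "INST"):            # arg is "module attr"
            imports.append(arg.replace(" ", ".", 1))
        elif op.name == "STACK_GLOBAL":               # module and attr were pushed as strings
            imports.append(".".join(strings[-2:]) if len(strings) >= 2 else "?.?")
        if op.name in CODE_OPCODES:
            hits.append(op.name)
    return {"imports": imports, "opcodes": hits, "safe_to_load": not hits}

class AllowlistUnpickler(pickle.Unpickler):
    """Refuse every global except an explicit allowlist of (module, name) pairs."""
    def __init__(self, file, allowed):
        super().__init__(file)
        self.allowed = frozenset(allowed)

    def find_class(self, module, name):
        if (module, name) in self.allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")

def safe_loads(data: bytes, allowed=()):
    return AllowlistUnpickler(io.BytesIO(data), allowed).load()

def blocked(data: bytes, allowed=()) -> bool:
    try:
        safe_loads(data, allowed)
        return False
    except pickle.UnpicklingError:
        return True

# Constructed samples: plain data, and an object whose stream must import and call a class.
PLAIN_WEIGHTS = pickle.dumps({"layer0": [0.1, -0.2, 0.3]}, protocol=4)
NEEDS_IMPORT = pickle.dumps(OrderedDict(layer0=[0.1]), protocol=4)
```

The scanner is a triage aid, not a verdict: a stream whose global names were memoized earlier is reported as `?.?`, which is reason enough to refuse it, and the allowlist loader is what actually enforces the decision.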
This testing led to the development of a five-layer threat model, mapping risks across the AI lifecycle:
Model Training: The primary risk at this stage is data leakage. In 2023, researchers identified that an overly permissive file-sharing link granted public access to a 38TB data store used by Microsoft for model training.
Inference: This layer, where users interact with models, also presents significant surface area. The researchers identified vulnerabilities in production models, such as DeepSeek, and inference services like Ollama.
Vulnerabilities in the Application and Cloud Layers
The third layer covers the application level. While this includes prompt injection, it also encompasses "vibe coding" platforms. The research team identified a vulnerability in the platform Base44 that could have granted unauthorized access to private enterprise applications. Segev notes that many applications built using these newer methodologies currently lack robust security controls.
The model extends to two additional layers:
AI Clouds: The platforms hosting models and applications carry their own risks. A compromise at the cloud layer can potentially impact all tenants and customers utilizing that infrastructure.
Hardware and Systems: The foundational hardware and software libraries are also susceptible. For example, researchers discovered vulnerabilities in Nvidia’s Triton Inference Server. These flaws could be chained to allow an unauthenticated party to gain complete access to the AI model.
Ben Sasson highlights the criticality of library-level vulnerabilities, noting that a single flaw in a widely used dependency can affect every cloud provider and application that relies on it.
Establishing Continuous Security
Addressing these systemic issues requires a shift in strategy. Segev emphasizes that because many risks reside in third-party components, there are no immediate, universal fixes. Instead, organizations should move away from an "implement and forget" approach.
Wiz employs security agents to conduct regular reviews of code, services, and applications. This allows for continuous compliance checks as new elements of the AI ecosystem are deployed. Segev argues that "closing the loop" through automated validation will become standard practice, introducing better protocols and standards. As threat actors refine their methods, organizations must ensure that exposures are detected and remediated within minutes.