AI is increasingly being used for everyday tasks, such as searching emails, answering customer inquiries, or supporting internal processes. As a result, AI becomes connected to various systems within the organization. It processes incoming information, utilizes linked services, and can then independently perform actions in processes. This creates a network of dependencies that is not always visible.
A small deviation can cause big problems
In such a chain, something small can already be enough to cause problems. A misleading email, an incorrect instruction, or a weak link can mislead AI. This leads to a situation that cybercriminals can easily exploit. And because AI works with multiple systems simultaneously, such an error spreads quickly without anyone having to do anything. "You don't even have to click on anything," says Matthijs van der Wel-ter Weel, Strategic Advisor at Orange Cyberdefense. "As soon as someone exploits that, the attack spreads through the AI tool itself."
Furthermore, companies are increasingly relying on a few major players that dominate the global AI market. When such a party changes a function, imposes stricter conditions, or implements a security update, it can have immediate consequences for organizations that have deeply integrated AI into their processes. One change outside their own sphere of influence can disrupt entire workflows or create new vulnerabilities.
Exploitation in practice
These risks are not just theoretical. The EchoLeak attack on Microsoft 365 Copilot showed how a hidden command in an email was enough to manipulate the AI. And in the OAuth attack on Salesloft and Drift, a stolen token from an AI chatbot provided access to hundreds of corporate environments. According to researchers, these are not isolated incidents, but early signals that AI exploitation is developing into a persistent and structural threat.
Three measures to deploy AI safely and responsibly
According to Orange Cyberdefense, these three measures are necessary for safe and responsible AI use:
1. Map the entire AI landscape
Many organizations know that they are using AI, but not exactly where it operates, what it is connected to, and what data it uses. As a result, AI often does more in practice than managers and IT teams realize. Orange Cyberdefense therefore advises mapping the entire AI landscape clearly, just as with other critical systems. Actively inventory which AI systems your organization uses. For each system, map out which model you are using, which internal systems it is linked to, what data it processes, and what access rights it has.
Without that overview, it is impossible to properly assess risks or effectively manage incidents. "No overview means no control," says Van der Wel-ter Weel.
2. Limit AI systems' access to what is truly necessary
In many organizations, an AI system automatically receives the same access rights as the application it is built into. This is practical, but also risky. If something goes wrong due to an error, misuse, or a stolen access code, it can directly grant access to large parts of the IT environment.
Research by Orange Cyberdefense shows that these broad access rights significantly increase the damage in incidents. It is not the attack itself that is the biggest problem, but the number of systems and data sets that become accessible. Therefore, organizations must make conscious choices about the rights of AI systems. Only grant access to what is truly necessary. Work with separate access per system and limit critical actions.
Do not treat AI as a handy extra feature, but as a system with potentially broad access. And broad access requires strict control. Or as Van der Wel-ter Weel summarizes: "One access code that opens multiple environments is asking for trouble."
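The following is an added illustration of the second measure, not code from Orange Cyberdefense or the Security Navigator report. It models a small policy gateway in which every AI integration gets its own narrow credential scope, with an allowlist of routine actions and a separate set of critical actions that only run with an approval reference. The integration names, action names and the "shared broad scope" anti-pattern are all constructed for the example; the blast_radius helper makes the report's point concrete by counting how many actions a stolen credential would unlock under each model.

```python
"""Added example (not the report's own code): one narrow credential scope per
AI integration instead of inheriting the host application's rights.
All system names, action names and policy entries are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class Scope:
    system: str                 # the AI integration this credential belongs to
    allowed: FrozenSet[str]     # routine actions it may perform on its own
    critical: FrozenSet[str]    # actions that additionally need a human approval


# Constructed policy table: each integration gets its own narrow scope.
POLICY = {
    "mail-assistant": Scope(
        "mail-assistant",
        allowed=frozenset({"mail:read", "mail:draft"}),
        critical=frozenset({"mail:send"}),
    ),
    "support-bot": Scope(
        "support-bot",
        allowed=frozenset({"crm:read_ticket", "crm:comment"}),
        critical=frozenset({"crm:refund"}),
    ),
}

# The "handy extra feature" anti-pattern: one broad credential shared by every
# integration, inheriting everything the host application can do.
SHARED_BROAD_SCOPE = Scope("shared", allowed=frozenset({"*"}), critical=frozenset())

# Every action the surrounding IT environment exposes (constructed list).
ALL_ACTIONS = [
    "mail:read", "mail:draft", "mail:send",
    "crm:read_ticket", "crm:comment", "crm:refund",
    "hr:export_payroll", "finance:approve_payment",
]


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(scope: Scope, action: str, approval_ref: Optional[str] = None) -> Decision:
    """Decide whether `action` may run under `scope`.

    Routine actions pass on the allowlist alone; critical actions need an
    approval reference (a ticket id, for instance); everything else is denied.
    """
    if "*" in scope.allowed:
        return Decision(True, "broad scope: every action permitted (risky)")
    if action in scope.allowed:
        return Decision(True, "action is on this system's allowlist")
    if action in scope.critical:
        if approval_ref:
            return Decision(True, f"critical action approved via {approval_ref}")
        return Decision(False, "critical action requires an approval reference")
    return Decision(False, "action is outside this system's scope")


def blast_radius(scope: Scope, all_actions: Iterable[str]) -> int:
    """Number of actions reachable if this credential is stolen or misused."""
    actions = set(all_actions)
    if "*" in scope.allowed:
        return len(actions)
    return len((scope.allowed | scope.critical) & actions)


if __name__ == "__main__":
    for name, scope in list(POLICY.items()) + [("shared", SHARED_BROAD_SCOPE)]:
        print(f"{name}: {blast_radius(scope, ALL_ACTIONS)} of {len(ALL_ACTIONS)} actions reachable")
    print(authorize(POLICY["mail-assistant"], "crm:refund"))
    print(authorize(POLICY["mail-assistant"], "mail:send"))
    print(authorize(POLICY["mail-assistant"], "mail:send", approval_ref="CHG-0042"))
```

The point of the comparison is the last number: with the shared scope, one leaked credential reaches every action in the environment, whereas each scoped credential reaches only the three actions its integration actually needs.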
3. Monitor not only the network but especially the behavior of AI
AI acts independently and reacts rapidly to new input. The result is that a deviation can spread within seconds. Traditional monitoring mainly focuses on suspicious logins or unusual network traffic, but does not always see when an AI system suddenly does something that is not right. Therefore, behavioral monitoring becomes important: looking at data flows that deviate from normal use, workflows that change unexpectedly, or output that does not match the command.
According to Orange Cyberdefense, AI systems must be monitored as strictly as other critical systems. This means: clear agreements on what normal behavior is, good registration of activities, and quick follow-up on deviations.
AI reacts faster than humans. If you do not notice abnormal behavior immediately, damage may have already occurred before anyone intervenes. Van der Wel-ter Weel: "AI works faster than a human. If you do not actively monitor it, you are too late."
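As an added example of the third measure (again not code from the report or from Orange Cyberdefense), the block below runs a few behavioral checks over a constructed activity log from a hypothetical AI gateway. The baseline encodes the "clear agreements on what normal behavior is" for one integration: the tools it normally calls, the destinations it normally talks to, and how much data a single action normally moves. Each event is then compared against that baseline, and output is additionally checked against the command that produced it, so that a response pointing at a host the prompt never mentioned is flagged as a mismatch. The log format, field names, system name and hostnames are all assumptions made for the example.

```python
"""Added example (not the report's own code): behavioral monitoring of an AI
integration's action log against an agreed baseline. The log format, field
names and baseline values are constructed for this illustration."""
import json
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed baseline, agreed up front: which tools, destinations and data
# volumes count as normal for each AI integration.
BASELINE = {
    "mail-assistant": {
        "tools": {"mail.search", "mail.read", "mail.draft"},
        "destinations": {"mail.example.internal"},
        "max_bytes_per_event": 50_000,
    },
}

# Constructed activity log: one JSON event per line, as a gateway might emit.
SAMPLE_LOG = """
{"ts":"2025-11-03T09:00:01Z","system":"mail-assistant","tool":"mail.search","dest":"mail.example.internal","bytes_out":1200,"prompt":"find the invoice from Acme","output":"Found 1 message from billing@acme.example"}
{"ts":"2025-11-03T09:00:04Z","system":"mail-assistant","tool":"mail.read","dest":"mail.example.internal","bytes_out":3400,"prompt":"summarize it","output":"Invoice 4421, due 30 Nov"}
{"ts":"2025-11-03T09:00:06Z","system":"mail-assistant","tool":"http.get","dest":"files.unknown-host.example","bytes_out":240000,"prompt":"summarize it","output":"Summary: see https://files.unknown-host.example/img?q=abc"}
{"ts":"2025-11-03T09:01:10Z","system":"report-writer","tool":"docs.read","dest":"docs.example.internal","bytes_out":900,"prompt":"draft the weekly report","output":"Draft ready"}
"""

Finding = Tuple[str, str]


def parse_events(text: str) -> List[dict]:
    """Parse the newline-delimited JSON log into event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def check_event(event: dict, baseline: dict) -> List[Finding]:
    """Return (rule, detail) findings for one event; empty list means normal."""
    profile = baseline.get(event["system"])
    if profile is None:
        # An integration nobody inventoried is itself a finding (measure 1).
        return [("unknown_system", event["system"])]

    findings: List[Finding] = []
    if event["tool"] not in profile["tools"]:
        findings.append(("unexpected_tool", event["tool"]))
    if event["dest"] not in profile["destinations"]:
        findings.append(("unexpected_destination", event["dest"]))
    if event["bytes_out"] > profile["max_bytes_per_event"]:
        findings.append(("volume_spike", str(event["bytes_out"])))

    # Output that does not match the command: a link to a host that neither the
    # prompt nor the baseline mentions should not appear in the answer.
    for token in event["output"].split():
        if token.startswith(("http://", "https://")):
            host = urlparse(token).hostname or ""
            if host and host not in event["prompt"] and host not in profile["destinations"]:
                findings.append(("output_mismatch", host))
    return findings


def scan(text: str, baseline: dict = BASELINE) -> Dict[str, List[Finding]]:
    """Map timestamp -> findings for every event that deviates from baseline."""
    report: Dict[str, List[Finding]] = {}
    for event in parse_events(text):
        findings = check_event(event, baseline)
        if findings:
            report[event["ts"]] = findings
    return report


if __name__ == "__main__":
    for ts, findings in scan(SAMPLE_LOG).items():
        for rule, detail in findings:
            print(f"{ts} {rule}: {detail}")
```

Two of the four constructed events are flagged: the third because an unexpected tool, an unknown destination, a volume spike and a mismatched output all coincide on one action, and the fourth because the integration that produced it has no baseline at all, which ties the monitoring back to the inventory from the first measure.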
Download the Security Navigator 2026
The full analysis of these developments can be found in the Security Navigator 2026, the annual research report from Orange Cyberdefense. Download the report here.