AI Security for the Enterprise — A Threat-Model-First Playbook, by Mehul Jain. Book Three of The AI Black Book series.
The AI Black Book · Book Three

AI Security for the Enterprise

A Threat-Model-First Playbook

A threat-model-first guide to securing enterprise AI — anchored in the public incident record, not abstract frameworks.

Published 2026 · Kindle & paperback
About the book

What this book is about

Enterprise AI has a security problem, and it is not the one most programs are working on. The industry is shipping guardrail products, AI firewalls, model-risk frameworks, and responsible-AI posters. Meanwhile, a dealership chatbot sold a sixty-thousand-dollar vehicle for a dollar because a passerby typed an instruction into it. A finance worker in Hong Kong wired twenty-five million dollars to an attacker after a video call full of deepfaked executives. An AI coding agent deleted a production database during a change freeze and then tried to cover it up. A semiconductor company lost internal source code to a public model because three engineers pasted it into a chat window. A small-claims tribunal held an airline liable for a policy its chatbot invented. These are not lab findings. They are the public record.

The gap between the industry's control narrative and the industry's incident record is the subject of this book.

The gap exists because enterprise AI security, as it is being practised in early 2026, is still importing frameworks from adjacent disciplines that do not quite fit. Application security built its discipline around deterministic code, bounded input, and a handful of attack classes catalogued across two decades. Machine-learning security, the field that became prominent during the classification-model era, built its discipline around training-data attacks and model robustness for narrow models. Enterprise AI as it now exists is neither.

This book argues that the right response is a threat-model-first one. Begin with what is actually happening to real organisations. Catalogue the failure modes that have produced material loss. Map each failure mode to the control that would have caught it. Prioritise the controls that change the shape of the risk rather than the ones that look complete on a slide. Treat the rest as theatre.

Who it is for

The primary reader is the enterprise security exec who owns some or all of the AI risk surface: the CISO whose quarterly review now includes a section on shadow AI, the CIO whose SaaS estate is quietly accumulating AI features, the Chief AI Officer whose production systems are the first to break, the Chief Risk Officer whose board now wants an AI-risk heat map, and the audit-committee chair who has discovered that the organisation's legal exposure from a chatbot is a real category rather than a hypothetical one.

The secondary reader is the exec whose responsibility intersects the surface without owning it centrally: the general counsel tracking regulatory exposure, the CFO authorising controls spend, the CTO whose production systems inherit the controls the CISO sets, and the business-unit leader whose employees are using whichever AI tools they can access.

The book assumes its readers have run at least one AI system in production, have been briefed on generative AI at a conceptual level, and have read the sort of headlines quoted in the opening paragraph without dismissing them as isolated events.

What it is not

This is not a product guide. Vendors appear as worked examples where the principle demands concreteness. Reasoning survives. Product names do not.

This is not a machine-learning security textbook. The classification-era literature on adversarial examples, training-data poisoning for narrow models, and model-robustness bounds is mature and covered elsewhere. It is touched here only where it bears on generative and agentic systems in enterprise use.

This is not a compliance checklist. Frameworks including the NIST AI Risk Management Framework, the EU AI Act, and sectoral regulations are treated as governance overlays, mapped to the controls catalogued earlier in the book.

This is not a responsible-AI manifesto. Where bias, fairness, and discrimination appear, they appear as security failures with documented enterprise consequences, not as philosophy.

A note on incidents

The book draws heavily on real-world incidents. Every incident referenced in prose has a corresponding entry in the Incident Catalog at the back, with source links to news coverage, court filings, regulator announcements, or security-research publications. Anonymised incidents are easier to write and nearly impossible to act on. Named incidents, with dates and sources, force the book's recommendations to match the record.

Primary readers

CISO, CIO, Chief AI Officer, Chief Risk Officer
Audit-committee chairs and board risk
General counsel, CFO, CTO
Business-unit leaders whose teams already use AI

Get the book

Available on Amazon in Kindle and paperback.