At the Gartner Security and Risk Management Summit this month, a speaker highlighted a blind spot most security programs still ignore: attackers bypassing AI security by exploiting the legacy infrastructure underneath.
About 71% of organizations are piloting AI agents, and 31% have them in production. Security teams are focused on model poisoning, prompt injection, and data leakage. But the real risk might be an unpatched server or a misconfigured Active Directory permission.
AI agents inherit everything from existing infrastructure. They authenticate through current identity providers, store data in existing cloud buckets, run tasks through Lambda functions, and inherit IAM roles. None of that was designed with AI in mind, and most of it was provisioned long before the first agent went live.
Here is a concrete example. A company runs an AI Co-Pilot on AWS Bedrock that queries customer data from an S3 bucket. A developer named John has overly broad access to that production bucket. An external-facing Apache Tomcat server in the same environment is unpatched against CVE-2025-24813, a remote code execution flaw added to CISA's Known Exploited Vulnerabilities catalog in March 2025.
An attacker exploits that CVE, dumps cached AD credentials, moves laterally to John's workstation using a Resource-Based Constrained Delegation misconfiguration, harvests his AWS access keys, and reads every record in the production S3 bucket. The AI agent is now compromised, not because anyone attacked it directly, but because three moderate infrastructure findings became one critical attack path.
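The point that individually moderate findings compose into one critical path is easy to state and easy to lose in a vulnerability scanner's per-finding list. The following is an added example, not code from the article: it models the scenario above as a small asset graph whose edges are the three findings (the unpatched Tomcat server, the RBCD misconfiguration, John's over-broad bucket access), searches for paths from the internet to the data the agent reads, and rates the path rather than the findings. Asset names, finding ids and the severity labels are constructed for illustration; the remediation strings are the fixes the article lists.

```python
"""Attack-path chaining over an asset graph (added example, not from the article)."""

SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}

# Assets that are reachable from outside the perimeter (constructed).
EXTERNAL = {"internet"}

# Assets the AI agent depends on; reaching one exposes the agent's data (constructed).
AGENT_DEPENDENCIES = {"prod-s3-bucket"}

# Constructed findings as (source asset, target asset, finding id, severity).
# Each edge reads "a foothold on source plus this finding yields target".
FINDINGS = [
    ("internet", "tomcat-server", "unpatched Tomcat (CVE-2025-24813)", "moderate"),
    ("tomcat-server", "john-workstation", "RBCD misconfiguration on workstation object", "moderate"),
    ("john-workstation", "prod-s3-bucket", "John's over-broad access to production bucket", "moderate"),
]

# Which of the article's fixes closes each finding (constructed mapping).
REMEDIATION = {
    "unpatched Tomcat (CVE-2025-24813)": "patch external-facing servers",
    "RBCD misconfiguration on workstation object": "audit Active Directory delegation configurations",
    "John's over-broad access to production bucket": "enforce least privilege on cloud storage and IAM roles",
}


def build_graph(findings):
    graph = {}
    for src, dst, fid, sev in findings:
        graph.setdefault(src, []).append((dst, fid, sev))
    return graph


def find_paths(graph, start, targets):
    """Every simple path from `start` to an asset in `targets`, as lists of edges."""
    paths = []
    stack = [(start, {start}, [])]
    while stack:
        node, visited, edges = stack.pop()
        if node in targets:
            paths.append(edges)
            continue
        for dst, fid, sev in graph.get(node, []):
            if dst not in visited:
                stack.append((dst, visited | {dst}, edges + [(node, dst, fid, sev)]))
    return paths


def rate_path(edges):
    """Severities do not add up. What makes the path critical is that it starts
    at an externally reachable asset and ends at data the agent depends on."""
    if edges and edges[0][0] in EXTERNAL:
        return "critical"
    return max((sev for *_, sev in edges), key=SEVERITY_RANK.__getitem__, default="low")


def choke_points(paths):
    """Findings present on every path: fixing any one of them severs all of them."""
    common = None
    for path in paths:
        ids = {fid for _, _, fid, _ in path}
        common = ids if common is None else common & ids
    return common or set()


def summarize(findings=FINDINGS, start="internet", targets=AGENT_DEPENDENCIES):
    paths = find_paths(build_graph(findings), start, targets)
    worst_single = max((sev for *_, sev in findings), key=SEVERITY_RANK.__getitem__, default="low")
    return {
        "paths_to_agent_data": len(paths),
        "worst_single_finding": worst_single,
        "path_rating": max((rate_path(p) for p in paths), key=SEVERITY_RANK.__getitem__, default="none"),
        "fix_any_of": sorted(REMEDIATION[fid] for fid in choke_points(paths)),
    }


if __name__ == "__main__":
    print("as found:", summarize())
    # Removing a single finding (here, patching Tomcat) severs the whole chain.
    patched = [f for f in FINDINGS if "CVE-2025-24813" not in f[2]]
    print("after patching:", summarize(patched))
```

The per-finding view reports "moderate" three times; the path view reports one critical path and names the three remediations, any one of which breaks it. In a real environment the graph would come from scanner, identity and cloud inventory exports rather than a hand-written list, and the interesting output is usually the choke point set, since it tells the team which single fix buys the most.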
The fix is not complicated, but it requires looking beyond the AI layer. Patch external-facing servers. Enforce least privilege on cloud storage and IAM roles. Audit Active Directory delegation configurations. And remember: your AI agents are only as secure as the infrastructure they inherit.
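"Enforce least privilege on cloud storage and IAM roles" is the step that would have removed John's path to the customer data. As an added example that is not the article's own code, the following check parses an IAM policy document and flags Allow statements that grant wildcard or destructive actions on a protected bucket, then contrasts an over-broad developer policy with a scoped replacement. The bucket name, both policies and the list of sensitive actions are constructed for illustration.

```python
"""Least-privilege check for IAM policies that reach the production bucket
(added example, not from the article)."""
import fnmatch
import json

# Constructed: the bucket the AI Co-Pilot reads customer data from.
PROTECTED_BUCKETS = ["prod-customer-data"]

# Constructed list: actions a developer should never hold broadly on production data.
SENSITIVE_ACTIONS = {
    "s3:deleteobject", "s3:deletebucket", "s3:putbucketpolicy",
    "s3:putbucketacl", "s3:putobjectacl",
}


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _bucket_pattern(resource):
    """'arn:aws:s3:::bucket/key' -> 'bucket'; '*' -> '*'; non-S3 ARN -> None."""
    if resource == "*":
        return "*"
    prefix = "arn:aws:s3:::"
    if not resource.startswith(prefix):
        return None
    return resource[len(prefix):].split("/", 1)[0]


def _touches_protected(resources):
    # IAM resource patterns only use * and ?, so fnmatch matches their semantics.
    for resource in resources:
        pattern = _bucket_pattern(resource)
        if pattern is not None and any(
            fnmatch.fnmatchcase(bucket, pattern) for bucket in PROTECTED_BUCKETS
        ):
            return True
    return False


def find_overbroad_statements(policy_json):
    """Return (Sid, action, reason) for every Allow statement that grants a
    wildcard or sensitive action on a protected bucket. Negated grants
    (NotAction / NotResource) are reported outright: they are nearly always
    wider than intended."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "NotAction/NotResource", "negated grant"))
            continue
        if not _touches_protected(_as_list(stmt.get("Resource"))):
            continue
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append((sid, action, "wildcard action"))
            elif action.lower() in SENSITIVE_ACTIONS:
                findings.append((sid, action, "sensitive action"))
    return findings


# Constructed: John's policy before review. s3:* on every prod-* bucket is
# exactly the access the attack path in the article relied on.
JOHN_POLICY_BEFORE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DevBucketAccess", "Effect": "Allow", "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::prod-*", "arn:aws:s3:::prod-*/*"]},
        {"Sid": "Cleanup", "Effect": "Allow", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::prod-customer-data/*"},
        {"Sid": "Logs", "Effect": "Allow", "Action": "logs:PutLogEvents", "Resource": "*"},
    ],
})

# Constructed: a scoped replacement. Read-only, one prefix, listing limited to it.
JOHN_POLICY_AFTER = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadReportsOnly", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::prod-customer-data/reports/*"},
        {"Sid": "ListReportsPrefix", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::prod-customer-data",
         "Condition": {"StringLike": {"s3:prefix": ["reports/*"]}}},
    ],
})


if __name__ == "__main__":
    for label, policy in (("before", JOHN_POLICY_BEFORE), ("after", JOHN_POLICY_AFTER)):
        print(label, find_overbroad_statements(policy))
```

The "Logs" statement uses `Resource: "*"` but is not flagged, because the check asks whether a broad action lands on protected data, not merely whether a wildcard appears somewhere. Running the same function over every policy attached to the principals an agent's role can be reached from is the cloud-side counterpart of the AD delegation audit: it surfaces the standing access that turns a harvested key into a full read of the bucket.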
