AI is everywhere. In enterprise software. In security tooling. In the applications your organisation builds and deploys. And wherever AI goes, attackers follow.
AI security is the discipline of understanding, testing, and defending AI systems against the threats that are specific to how they work. It is not the same as using AI to do security (though that matters too). It is securing the AI itself: the models, the data they train on, the APIs they expose, the agents they power, and the pipelines that connect all of it.
If you work in cyber security and you have not started thinking about AI security yet, now is the time. The attack surface is real, it is growing, and the skills to address it are still rare enough to be a genuine career differentiator.
Why Is AI Security Different From Traditional Security?
Traditional software has deterministic logic. You can read the code, trace a path from input to output, and reason about behaviour with confidence. AI systems are different in ways that matter fundamentally for security.
A large language model does not follow explicit rules. It generates responses based on patterns learned from training data. That means it cannot reliably distinguish a legitimate instruction from a malicious one when both appear in the same natural language context. It means its behaviour can be manipulated by crafting inputs in ways that traditional input validation was never designed to handle. And it means the attack surface includes things that have no equivalent in traditional software: the training data, the model weights, the context window, the retrieval system, the tools an agent can call.
This is genuinely new territory. The OWASP Top 10 for LLMs covers vulnerability classes that did not exist five years ago. MITRE ATLAS maps adversary tactics against AI systems in the same way ATT&CK maps them against traditional infrastructure. The field is young, the tooling is evolving fast, and the practitioners who understand it are in high demand.
What Does AI Security Actually Cover?
Prompt injection. The number one vulnerability class in deployed LLM applications. An attacker crafts input that overrides the system prompt, bypasses safety controls, or causes the model to take actions it should not. Direct prompt injection comes from user input. Indirect prompt injection is more dangerous: malicious instructions embedded in content the model retrieves or processes, like a webpage a browser agent visits or a document a summarisation tool reads. The model executes those instructions without the user or developer realising an attack has occurred.
LLM vulnerability classes. Beyond prompt injection, the OWASP LLM Top 10 covers sensitive information disclosure (models reproducing training data or system prompt contents), data and model poisoning (attacking the training process to embed backdoors), insecure output handling (injecting LLM output into SQL queries or shell commands without validation), and excessive agency (agentic systems taking real-world actions based on manipulated inputs).
AI supply chain security. Most organisations are not training their own models. They are deploying pre-trained models from third-party providers, building on top of APIs, and integrating retrieval systems. Each dependency is an attack surface. Understanding data provenance, model integrity, and secure deployment pipelines is where security engineering meets AI.
Securing agentic AI. AI agents that can browse the web, write and execute code, send emails, and call APIs are increasingly deployed in enterprise environments. When an agent has tools, a successful prompt injection does not produce a bad response. It takes real-world actions. Securing agentic systems requires understanding how to constrain tool use, enforce least privilege on AI identities, and detect when an agent is behaving unexpectedly.
AI forensics. When an AI system is compromised or produces unexpected behaviour, investigating what happened requires new techniques. Determining whether a model was poisoned, whether a prompt injection triggered an action, or whether sensitive data was extracted requires forensic approaches that do not exist in traditional security toolkits.
Who Needs to Know This?
Everyone in cyber security, eventually. But the roles where AI security skills are most immediately relevant are:
Penetration testers and red teamers who need to assess LLM applications, AI agents, and AI-integrated systems as part of standard engagement scope. If your client has deployed an AI chatbot, a RAG system, or an autonomous agent, you need to know how to test it.
SOC analysts and defenders who need to detect AI-powered attacks: phishing generated by LLMs, adaptive malware that uses AI to evade signatures, and deepfake-based fraud that bypasses traditional awareness training. Understanding the offensive use of AI is what makes defensive detection logic sharper.
Security engineers building AI systems who need to implement controls: input validation, output filtering, privilege separation, secrets management for AI service accounts, and monitoring for unexpected model behaviour.
Anyone in the field who wants to stay ahead of where the industry is moving. AI security is the fastest-growing skills gap in cyber security right now, and the practitioners who develop this specialism early will be well positioned as demand accelerates.
Where Do You Actually Learn This?
TryHackMe launched the AI Security learning path in April 2026, making it the most current and comprehensive structured AI security training available. Twenty-five rooms covering the full offensive and defensive landscape: LLM security, prompt injection, AI threat modelling using MITRE ATLAS, AI forensics, AI supply chain security, and RAG security, all in hands-on lab environments where you are working with real AI systems rather than reading about them.
The AI Security path is where the knowledge gets built. This week, TryHackMe launched AI1, the AI Security certification, which is where that knowledge gets validated.
AI1 proves your ability to attack and defend real AI systems across 13 hands-on scenarios. It is the first practical AI security certification available on any platform. No multiple choice. No theory. Thirteen live scenarios that test whether you can actually find and exploit AI-specific vulnerabilities, and whether you can defend against them. The exam was built for practitioners, not theorists, and it is the credential that puts AI security on your CV in a way employers can evaluate.
The path is the preparation, whilst AI1 is the proof.
The Honest Take
AI security is not a future concern. The applications are deployed now. The attacks are happening now. The skills gap is real now.
But it is also genuinely learnable. The concepts build on security fundamentals you already have. If you understand injection vulnerabilities in traditional web applications, prompt injection will click fast. If you understand supply chain security, AI supply chain risk is a natural extension. If you understand agent-based systems, agentic AI attack surfaces will make sense.
The AI Security path and AI1 certification are the most direct route into this specialism from wherever you are starting. Start the path, work through the labs, sit the cert, and you will be one of a relatively small number of practitioners who can claim this specialism with evidence.
That window will not stay open forever.
Nick O'Grady