The State of AI Security in 2025: Key Insights from the Cisco Report

As more businesses adopt AI, understanding its security risks has turn out to be more essential than ever. AI is reshaping industries and workflows, nevertheless it also introduces recent security challenges that organizations must address. Protecting AI systems is crucial to keep up trust, safeguard privacy, and ensure smooth business operations. This text summarizes the important thing insights from Cisco’s recent “State of AI Security in 2025” report. It offers an outline of where AI security stands today and what firms should consider for the longer term.

A Growing Security Threat to AI

If 2024 taught us anything, it’s that AI adoption is moving faster than many organizations can secure it. Cisco’s report states that about 72% of organizations now use AI of their business functions, yet only 13% feel fully able to maximize its potential safely. This gap between adoption and readiness is essentially driven by security concerns, which remain the important barrier to wider enterprise AI use. What makes this case much more concerning is that AI introduces recent kinds of threats that traditional cybersecurity methods usually are not fully equipped to handle. Unlike conventional cybersecurity, which regularly protects fixed systems, AI brings dynamic and adaptive threats which can be harder to predict. The report highlights several emerging threats organizations should concentrate on:

• Infrastructure Attacks: AI infrastructure has turn out to be a main goal for attackers. A notable example is the compromise of NVIDIA’s Container Toolkit, which allowed attackers to access file systems, run malicious code, and escalate privileges. Similarly, Ray, an open-source AI framework for GPU management, was compromised in one in all the primary real-world AI framework attacks. These cases show how weaknesses in AI infrastructure can affect many users and systems.
• Supply Chain Risks: AI supply chain vulnerabilities present one other significant concern. Around 60% of organizations depend on open-source AI components or ecosystems. This creates risk since attackers can compromise these widely used tools. The report mentions a way called “Sleepy Pickle,” which allows adversaries to tamper with AI models even after distribution. This makes detection extremely difficult.
• AI-Specific Attacks: Latest attack techniques are evolving rapidly. Methods resembling prompt injection, jailbreaking, and training data extraction allow attackers to bypass safety controls and access sensitive information contained inside training datasets.

Attack Vectors Targeting AI Systems

The report highlights the emergence of attack vectors that malicious actors use to take advantage of weaknesses in AI systems. These attacks can occur at various stages of the AI lifecycle from data collection and model training to deployment and inference. The goal is usually to make the AI behave in unintended ways, leak private data, or perform harmful actions.

Over recent years, these attack methods have turn out to be more advanced and harder to detect. The report highlights several kinds of attack vectors:

• Jailbreaking: This system involves crafting adversarial prompts that bypass a model’s safety measures. Despite improvements in AI defenses, Cisco’s research shows even easy jailbreaks remain effective against advanced models like DeepSeek R1.
• Indirect Prompt Injection: Unlike direct attacks, this attack vector involves manipulating input data or the context the AI model uses not directly. Attackers may provide compromised source materials like malicious PDFs or web pages, causing the AI to generate unintended or harmful outputs. These attacks are especially dangerous because they don’t require direct access to the AI system, letting attackers bypass many traditional defenses.
• Training Data Extraction and Poisoning: Cisco’s researchers demonstrated that chatbots will be tricked into revealing parts of their training data. This raises serious concerns about data privacy, mental property, and compliance. Attackers may also poison training data by injecting malicious inputs. Alarmingly, poisoning just 0.01% of huge datasets like LAION-400M or COYO-700M can impact model behavior, and this will be done with a small budget (around $60 USD), making these attacks accessible to many bad actors.

The report highlights serious concerns concerning the current state of those attacks, with researchers achieving a 100% success rate against advanced models like DeepSeek R1 and Llama 2. This reveals critical security vulnerabilities and potential risks related to their use. Moreover, the report identifies the emergence of latest threats like voice-based jailbreaks that are specifically designed to focus on multimodal AI models.

Findings from Cisco’s AI Security Research

Cisco’s research team has evaluated various features of AI security and revealed several key findings:

• Algorithmic Jailbreaking: Researchers showed that even top AI models will be tricked mechanically. Using a way called Tree of Attacks with Pruning (TAP), researchers bypassed protections on GPT-4 and Llama 2.
• Risks in High quality-Tuning: Many businesses fine-tune foundation models to enhance relevance for specific domains. Nevertheless, researchers found that fine-tuning can weaken internal safety guardrails. High quality-tuned versions were over thrice more vulnerable to jailbreaking and 22 times more prone to produce harmful content than the unique models.
• Training Data Extraction: Cisco researchers used a straightforward decomposition method to trick chatbots into reproducing news article fragments which enable them to reconstruct sources of the fabric. This poses risks for exposing sensitive or proprietary data.
• Data Poisoning: Data Poisoning: Cisco’s team demonstrates how easy and cheap it’s to poison large-scale web datasets. For about $60, researchers managed to poison 0.01% of datasets like LAION-400M or COYO-700M. Furthermore, they highlight that this level of poisoning is sufficient to cause noticeable changes in model behavior.

The Role of AI in Cybercrime

AI shouldn’t be only a goal – it’s also becoming a tool for cybercriminals. The report notes that automation and AI-driven social engineering have made attacks more practical and harder to identify. From phishing scams to voice cloning, AI helps criminals create convincing and personalized attacks. The report also identifies the rise of malicious AI tools like “DarkGPT,” designed specifically to assist cybercrime by generating phishing emails or exploiting vulnerabilities. What makes these tools especially concerning is their accessibility. Even low-skilled criminals can now create highly personalized attacks that evade traditional defenses.

Best Practices for Securing AI

Given the volatile nature of AI security, Cisco recommends several practical steps for organizations:

1. Manage Risk Across the AI Lifecycle: It’s crucial to discover and reduce risks at every stage of AI lifecycle from data sourcing and model training to deployment and monitoring. This also includes securing third-party components, applying strong guardrails, and tightly controlling access points.
2. Use Established Cybersecurity Practices: While AI is exclusive, traditional cybersecurity best practices are still essential. Techniques like access control, permission management, and data loss prevention can play an important role.
3. Concentrate on Vulnerable Areas: Organizations should give attention to areas which can be almost certainly to be targeted, resembling supply chains and third-party AI applications. By understanding where the vulnerabilities lie, businesses can implement more targeted defenses.
4. Educate and Train Employees: As AI tools turn out to be widespread, it’s essential to coach users on responsible AI use and risk awareness. A well-informed workforce helps reduce accidental data exposure and misuse.

Looking Ahead

AI adoption will continue to grow, and with it, security risks will evolve. Governments and organizations worldwide are recognizing these challenges and beginning to construct policies and regulations to guide AI safety. As Cisco’s report highlights, the balance between AI safety and progress will define the subsequent era of AI development and deployment. Organizations that prioritize security alongside innovation shall be best equipped to handle the challenges and grab emerging opportunities.