The State of AI Security 2025

2025 was the year generative AI security stopped being a research niche and became a board-level control problem. The OWASP LLM Top 10 2025 release (late 2024) reframed priorities around disclosure, supply chain, agentic agency, RAG weaknesses, misinformation, and economic denial of service—mirroring incidents in the wild rather than theoretical lab threats.

Macro trends

• From chatbot to agent: Tool-using workflows and autonomous planners moved LLM06 (Excessive Agency) from “future risk” to “this sprint.”
• RAG everywhere: Retrieval pipelines introduced LLM08-style failures—cross-tenant data, poisoned corpora, and embedding attacks.
• Regulation and procurement: Enterprises demanded mapping to NIST AI RMF, EU AI Act readiness, and ISO/IEC 42001-style management systems—not checkbox SOC phrases alone.
• Economic attacks: Token inflation and GPU exhaustion joined classic cyber objectives (LLM10).

What improved

Vendors shipped stronger structured outputs, improved moderation APIs, and reference architectures for human-in-the-loop approvals. Open red-team datasets and community jailbreak corpora helped standardise ASR measurement. MLSecOps language (“test every model version”) gained traction in regulated sectors.

What lagged

Indirect prompt injection remained under-tested in customer-facing assistants that ingest external content. Many teams still relied on single-layer moderation without regression suites. Multi-modal attack coverage trailed text-only programs.

Looking ahead

Expect agent-to-agent protocols, richer media inputs, and tighter coupling between enterprise identity systems and model actions to dominate the threat landscape. Organisations that wired continuous adversarial testing into CI/CD and maintained tamper-evident audit evidence gained measurable sales-cycle advantages with enterprise buyers.