As companies embrace large language models (LLMs) and AI assistants to boost productivity, cybersecurity researchers are warning that these same tools may be quietly opening new digital frontiers for attackers.
The very features that make AI assistants so powerful—such as live web browsing, contextual memory, and integration with business applications—also increase their exposure to cyber threats. According to new research from cybersecurity firm Tenable, this expanding “AI attack surface” could be exploited through techniques like indirect prompt injection, a method that manipulates how AI systems interpret and act on instructions.

“HackedGPT” and the New AI Security Reality
Tenable’s recent report, titled “HackedGPT,” outlines a series of vulnerabilities that can allow attackers to extract sensitive data or maintain malware persistence through compromised AI systems. Some of these issues have already been fixed, but others remain exploitable, the company said.
One major concern is indirect prompt injection, where hidden instructions are embedded in web pages or documents. When an AI assistant reads this content, it can be tricked into executing commands that the user never intended—such as sharing confidential information or fetching restricted files. Another risk arises when malicious queries are planted in seemingly harmless prompts, creating backdoors for data exfiltration.

The implications extend beyond technical disruption. Breaches involving AI assistants can trigger regulatory investigations, legal liabilities, and brand damage, particularly as organizations rely on these systems to handle sensitive data or interact with customers.

Why AI Must Be Governed Like Any Other Connected System
Experts agree that the solution isn’t abandoning AI tools but managing them with the same rigor applied to any internet-facing application. That means establishing governance, strict access controls, and continuous monitoring.
Tenable recommends several best practices for organizations deploying AI assistants:
- Create an AI system registry. Keep an inventory of all AI models, assistants, and agents in use—whether in the cloud, on-premises, or embedded in third-party software. Record ownership, access permissions, and data scope to prevent “shadow AI” from operating unseen within the network.
- Separate identities for humans and AI agents. Assign distinct credentials to AI assistants and enforce zero-trust access policies. Logging every interaction between agents helps ensure accountability and limits privileges to what’s strictly necessary.
- Limit risky features by context. Make browsing or autonomous actions an opt-in function, not a default. Customer-facing AIs should minimize memory retention, while internal engineering bots should operate in isolated, heavily logged environments.
- Monitor continuously. Treat AI systems like active network endpoints—capture logs, set anomaly alerts, and perform injection tests before deployment. Unusual patterns such as repeated browsing to obscure domains or attempts to summarize code blocks should trigger immediate review.
- Train your teams. Many organizations still lack the expertise to identify AI-specific threats. Upskilling developers, analysts, and cloud engineers to recognize injection attacks and safely respond to anomalies is essential for keeping pace with evolving risks.
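The "monitor continuously" recommendation above, turned into a small worked example: a detector that reads agent audit-log lines and raises review alerts for repeated browsing to domains outside an allowlist, or for actions on a review watchlist. This is an added illustration, not code from Tenable or the report; the JSON-lines log format, the `agent_id`/`action`/`url` field names, the allowlist, and the threshold of three are all assumptions, and the log entries are constructed.

```python
import json
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample audit log from a hypothetical AI-assistant gateway (JSON lines).
SAMPLE_LOG = """
{"ts":"2025-11-05T10:00:01Z","agent_id":"support-bot","action":"browse","url":"https://docs.example.com/faq"}
{"ts":"2025-11-05T10:00:04Z","agent_id":"support-bot","action":"browse","url":"https://cdn-7f3a.example.net/page"}
{"ts":"2025-11-05T10:00:05Z","agent_id":"support-bot","action":"browse","url":"https://cdn-7f3a.example.net/step2"}
{"ts":"2025-11-05T10:00:07Z","agent_id":"support-bot","action":"browse","url":"http://paste.example.org/raw/x1"}
{"ts":"2025-11-05T10:01:00Z","agent_id":"eng-bot","action":"summarize_code_block","repo":"internal/payments"}
{"ts":"2025-11-05T10:01:10Z","agent_id":"eng-bot","action":"browse","url":"https://wiki.example.com/onboarding"}
"""

# Assumed policy: domains the assistant is expected to visit, and actions that always need a human look.
ALLOWED_DOMAINS = {"docs.example.com", "wiki.example.com"}
REVIEW_ACTIONS = {"summarize_code_block"}
UNKNOWN_DOMAIN_THRESHOLD = 3  # browses to non-allowlisted domains per agent before alerting

def parse_events(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def domain_of(url):
    """Normalised hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()

def find_anomalies(events, allowed=ALLOWED_DOMAINS, threshold=UNKNOWN_DOMAIN_THRESHOLD):
    """Return a list of review alerts, one per agent/rule that fires."""
    unknown_by_agent = defaultdict(Counter)
    alerts = []
    for ev in events:
        agent = ev.get("agent_id", "unknown")
        action = ev.get("action")
        if action == "browse":
            dom = domain_of(ev.get("url", ""))
            if dom and dom not in allowed:
                unknown_by_agent[agent][dom] += 1
        elif action in REVIEW_ACTIONS:
            alerts.append({"agent": agent, "rule": "review_action", "detail": action})
    for agent, counts in unknown_by_agent.items():
        if sum(counts.values()) >= threshold:
            alerts.append({"agent": agent, "rule": "repeated_unknown_domains", "detail": dict(counts)})
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(parse_events(SAMPLE_LOG)):
        print(alert)
```

In practice the allowlist and threshold would come from the AI system registry described above, so each agent is judged against its own recorded data scope.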
The Hidden Costs and Evolving Threats
Beyond security, AI assistants can generate unseen financial and operational costs. Their ability to retain memory, browse the internet, or access multiple data connectors consumes compute and storage resources, potentially inflating cloud bills.
Meanwhile, existing governance frameworks often fall short. Systems designed for human users don’t automatically capture agent-to-agent interactions—the invisible handoffs that occur when one AI prompts another to act. Aligning controls with the NIST AI Risk Management Framework and the OWASP LLM security guidelines can help close these gaps.
The research underscores an ongoing cycle of innovation and exposure. As AI vendors release new features, vulnerabilities inevitably follow. For example, OpenAI’s fix of a zero-click vulnerability in late 2025 shows how quickly threat landscapes shift and why continuous verification of vendor updates is crucial.

The Bottom Line
The message for executives and IT leaders is clear: AI assistants are not mere productivity tools—they’re powerful, networked entities with real security implications. Organizations must govern them as they would any other high-risk application: register, isolate, monitor, and test continuously.
When managed responsibly, agentic AI can deliver measurable efficiency gains without becoming the next cybersecurity liability. The key is building the guardrails now—before the enemy within learns to attack.