AI Is Building Your Attack Surface. Are You Testing It?

2026-03-19 · Source: Blog RSS Feed | Snyk · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy, Software Development & Engineering · Depth: Intermediate, medium

Summary

AI-generated code and AI agents are rapidly expanding enterprise attack surfaces, outpacing traditional security validation methods. Research using BaxBench revealed that 62% of LLM-generated backend code was either broken or insecure, with half of the functional code remaining exploitable. Concurrently, AI agents are creating a second, unmapped attack surface by autonomously invoking APIs, often privileged and undocumented; Gartner predicts AI agents will be the primary consumers of enterprise APIs by 2028, with over 50% of successful attacks on agents by 2029 exploiting access control failures like BOLA/IDOR. The CVE-2025-12420 (BodySnatcher) incident exemplified this, showing an unauthenticated attacker could exploit an AI agent to gain ServiceNow admin access. This rapid delivery speed necessitates a fundamental shift to AI-powered dynamic testing, correlated with static analysis, to identify and prioritize real exploitability amidst increased alert noise.

Key takeaway

For MLOps Engineers and AI Security Engineers deploying AI-generated services, your existing security tools are insufficient for the speed and complexity of new attack surfaces. You must integrate AI-powered dynamic application security testing (DAST) that actively probes AI-generated code and agent-invoked APIs at runtime. Correlate these dynamic findings with static analysis to identify true exploitability, reduce alert fatigue, and enable your teams to ship AI-driven applications faster and with confidence.

Key insights

AI-driven development creates new, amplified attack surfaces requiring advanced, correlated dynamic security testing.

Principles

• AI-generated code is often exploitable.
• AI agents amplify traditional API flaws.
• Validation must match AI delivery speed.

Method

Implement AI-powered dynamic testing, correlating static and dynamic findings to identify real exploitability and prioritize high-confidence fixes for AI-generated code and agent-invoked APIs.

In practice

• Deploy LLM-powered SAST in IDE/pipeline.
• Use intelligent DAST for BOLA/IDOR validation.
• Correlate static and dynamic findings.

Topics

• AI Security
• Dynamic Application Security Testing
• API Security
• AI Agents
• LLM-generated Code
• Attack Surface Management

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Security Engineer, MLOps Engineer, Software Engineer

Related on AIssential

• The Next Era of AppSec: Why AI-Generated Code Needs Offensive Dynamic Testing — AI-generated code and distributed architectures necessitate dynamic security testing to validate emergent runtime vulnerabilities.
• Introducing the Wiz Red Agent- AI-Powered Attacker — The Wiz Red Agent autonomously identifies complex, logic-driven API and application vulnerabilities using AI-powered, adaptive exploitation.
• From Discovery to Defense: Why AI Red Teaming Is the Next Step After AI-SPM — Modern application security requires converging advanced static analysis with dynamic testing and AI-driven pentesting to address emergent runtime vulnerabilities.
• Announcing The Static Application Security Testing Solutions Forrester Wave™ And Buyer’s Guide — AI Brings Opportunity To SAST Solutions — SAST solutions are maturing, integrating AI for speed and remediation, and adapting to secure AI-generated code and applications.
• How a Penetration Test Builds Customer Trust & Strengthens ISO 42001 Certification — AI-powered attacks and agentic frameworks create novel, adaptive security risks that demand specialized penetration testing beyond traditional audits.
• AI Threat Readiness Pillar 3: Perform AI Code Analysis Natively in Wiz — AI-driven development necessitates a layered, context-aware code security approach for rapid vulnerability detection and remediation.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Blog RSS Feed | Snyk.