In the lab, a Generative AI application feels like magic, but it also hides the risks of AI evolution. The rapid adoption of Generative AI has created a massive blind spot for security teams. While we focus on what the AI says, we often ignore where it lives. AI infrastructure, such as cloud storage, containers, and Model Context Protocol (MCP) servers, is frequently deployed with inadequate controls due to the ecosystems rapid maturation.
I often use the highway analogy: if your AI model is the vehicle, your infrastructure is the road it travels on. We spend a lot of time debating model parameters and context windows, but we often overlook the "potholes" in our cloud storage, MCP servers, and RAG pipelines.
Because the AI ecosystem is maturing at breakneck speed, these resources are frequently launched without the same rigorous "Secure-by-Design" controls we demand in traditional software, often missing basic authentication, least-privilege IAM, or centralised logging.
The Infrastructure Threat Landscape
Through my work in large-scale platforms, I’ve seen that traditional cloud misconfigurations become high-velocity risks when connected to an LLM. Drawing from recent research and the AI Security Best Practices Guide, here are three tactics currently targeting the "AI Highway":
- Poisoned RAG Pathways In a Retrieval-Augmented Generation (RAG) setup, your model is only as secure as the data it retrieves. An attacker can "poison" the knowledge base by sending a malicious email or document that the system automatically indexes.
The Enterprise Reality: If an HR bot indexes a poisoned document, it might serve up fraudulent bank details for payroll updates to employees, not because the model failed, but because the infrastructure's "ingest" layer was compromised.
- Scaling Frameworks & Credential Scavenging We use frameworks like Ray to scale our Python-based AI workloads, but they can be a goldmine for attackers. Public-facing clusters have been found exposing SSH keys, tokens, and Kubernetes secrets. Once an attacker has these, they don't just steal data; they move laterally into your entire enterprise supply chain.
- LLM Jacking This is the AI equivalent of "crypto-jacking." Attackers use stolen cloud credentials to access expensive third-party LLM services (like Amazon Bedrock or Google Vertex AI) on your company's dime. They probe your environment with legitimate-looking API calls, often flying under the radar unless you are specifically monitoring for atypical call parameters.
Architecting the Defence
Hardening this layer starts with bridging the gap between experimental AI and enterprise reality. Here is how I approach it:
- Kill the Long-Lived Key: Transitioning to short-lived, temporary credentials is the single most effective way to shrink the attack surface. In a regulated environment, a static API key is a liability we can't afford.
- Intelligent Logging & Observability: We need to monitor for "unusual" but technically "legitimate" API calls. If your system suddenly triggers InvokeModel across three different regions simultaneously, your SIEM should be screaming.
- Sanitise the Retrieval Layer: Before a document enters your RAG database, it needs to be treated as untrusted input. We must build automated "sanity check" layers for our data pipelines.
Key Takeaways
In a RAG system, the vector database isn't looking for "new" or "important" data; it is looking for the data mathematically closest to
the user's query in high-dimensional space.Here are the three likely reasons a poisoning attempt "fails" to override the legitimate context:
The "Semantic Relevance" Gap
Even though the malicious file contains phrases like "URGENT UPDATE," the vector model (all-MiniLM-L6-v2) might still find that the wording in the internal_kb.txt matches the user's query ("How should I update my payroll information?") more precisely.
The Fix: You need to perform Semantic Optimisation. An attacker must use the same terminology as the query to "win" the nearest-neighbour race.
The Retrieval Top-K (K=1)
In the code, I have index.search(..., k=1). If the legitimate document has a similarity score of 0.85 and the poison has 0.84, the legitimate one will win every time.
** In a real enterprise application, k is usually 3, 5, or 10. If k > 1, the LLM receives both the truth and the poison. If the poison contains "Instruction Precedence" (e.g., "Ignore all other instructions below"), the LLM may follow the poison even if it isn't the most "relevant" match.
Vector Collision and Normalisation
IndexFlatL2 measures Euclidean distance. If the malicious input is significantly longer or shorter than the legitimate text, the distance might be larger than expected.
Architect's Tip: In production-grade systems, we often use Inner Product (IP) with normalised vectors (Cosine Similarity) rather than L2 distance, as it handles varying text lengths more effectively for semantic meaning.
RAG systems have a natural, albeit flimsy, defence:
The danger of "Indirect Prompt Injection," where an attacker carefully crafts a payload to be the "most relevant" answer to a common employee question.