AI security gaps are not hiding in the model weights. They are hiding in the dull places where enterprises plug models into real systems: identities, permissions, code pipelines and vendor dashboards.
The old perimeter has disappeared. The model used to answer after a user logged in. Now the model logs in for you. British banks are racing to deploy agentic AI for customer service, and regulators are flagging systemic risk when dozens of autonomous agents interact at once. Security teams describe the same pattern everywhere. Unmanaged non-human identities, privilege escalation and prompt injections slip past traditional identity and access management tools. The agents are ephemeral, they spawn credentials on demand, and they keep the permissions you forgot to revoke.
Shadow AI is already inside. IBM’s 2025 breach analysis found the oversight gap is not theoretical. Ninety-seven per cent of organisations with AI-related security incidents lacked proper access controls and sixty-three per cent had no AI governance policies at all. Shadow AI, the unapproved chatbot an analyst pastes customer data into, averages $670,000 per breach, with most incidents involving personally identifiable information. You cannot secure what you cannot see, and right now most security teams cannot see which models are running, where data is flowing or who approved them.
Code that writes its own vulnerabilities has become normal. “Vibe coding” is now standard in product teams from fintech to healthtech. Developers accept AI-generated pull requests with minimal review because velocity is rewarded. Researchers at Wits University warn this introduces hidden injection flaws and insecure dependencies directly into production, especially in critical sectors where a single vulnerable library can expose payment or medical records. The risk is not that the model is malicious. The risk is that it is confidently wrong and no human traced the dependency tree.
Data poisoning and prompt injection now happen at scale. Palo Alto Networks calls 2026 the Year of the Defender for a reason. Autonomous agents are now the primary drivers of identity attacks, data poisoning and emerging quantum-related risks. Attackers no longer need to craft one perfect prompt. They automate thousands of variations to find jailbreaks, then use those to poison retrieval databases or escalate an agent’s privileges. Defenders are still patching manually, which means the window between discovery and exploitation is widening, not closing.
Synthetic content has moved from science fiction to business crime. The 2026 International AI Safety Report flags three operational risks above all others: synthetic content used for impersonation, commoditised cyberattacks sold as services, and internal fraud enabled by AI. Think deepfake voice approvals for wire transfers, AI-generated vendor invoices that pass manual review and phishing campaigns that adapt in real time to your company’s tone. This is not future risk. It is already appearing in incident reports as business email compromise, but at a faster rate.
Labs are also sitting on models they themselves describe as dangerous. Anthropic executives warned this year that their internal Claude Mythos system could enable catastrophic hacks and terror attacks if released widely. Meanwhile, access to compute is shaping who can train safely and where. Legal permission, power constraints and export controls now define the contest, which pushes training into jurisdictions with weaker oversight and encourages cutting red-teaming to save GPU hours.
Closing the gaps looks less glamorous than building models. It looks like infrastructure discipline. Give every agent a named owner, a least-privilege role and an expiry date. Log every tool call the way you log human administrator actions. Run a thirty-day discovery on SaaS traffic, browser extensions and API keys to inventory shadow AI. Block unapproved model endpoints at the network layer, then provide a sanctioned path with logging. Require a reviewer to sign off on AI-generated code, with automated static analysis and dependency scanning before merge. Treat model output as untrusted input. Version your training data and retrieval corpora. Monitor for drift and poisoning signals and keep a clean, signed backup you can roll back to. Finally, tabletop the synthetic fraud. Practise a deepfake chief financial officer call. Test whether your finance team will transfer funds on voice alone and build a verification ritual that cannot be faked by audio.
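One way to turn the first two controls above (a named owner, a least-privilege role, an expiry date, and admin-style logging of every tool call) into an automated check, as an added example that is not from the article: the agent inventory, owner addresses and permission strings are constructed, and treating `:*` and `admin:` grants as "broad" is an assumed naming convention for the hypothetical permission scheme.

```python
"""Audit AI-agent (non-human) identities for owner, least privilege and expiry,
and build an admin-style audit record for each tool call an agent makes."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample inventory: hypothetical agents, not from any real system.
AGENT_INVENTORY = [
    {"id": "svc-support-agent", "owner": "alice@example.com",
     "permissions": ["tickets:read", "tickets:comment"],
     "expires": "2026-07-01T00:00:00+00:00"},
    {"id": "svc-refund-agent", "owner": "",            # nobody owns it
     "permissions": ["payments:*"],                    # wildcard grant
     "expires": None},                                 # never expires
    {"id": "svc-kb-indexer", "owner": "bob@example.com",
     "permissions": ["kb:read", "admin:*"],
     "expires": "2025-01-01T00:00:00+00:00"},         # expired, still present
]


def audit_agent(agent: dict, now: datetime) -> list:
    """Return the list of control violations for one agent identity."""
    findings = []
    if not agent.get("owner"):
        findings.append("no named owner")
    # Assumed convention: wildcard or admin-scoped grants contradict least privilege.
    for perm in agent.get("permissions", []):
        if perm.endswith(":*") or perm.startswith("admin:"):
            findings.append(f"broad permission {perm}")
    expires = agent.get("expires")
    if expires is None:
        findings.append("no expiry date")
    elif datetime.fromisoformat(expires) <= now:
        findings.append("credential expired but still present")
    return findings


def audit_inventory(inventory: list, now: datetime = None) -> dict:
    """Map each agent id to its findings; an empty list means the agent passes."""
    now = now or datetime.now(timezone.utc)
    return {agent["id"]: audit_agent(agent, now) for agent in inventory}


def tool_call_record(agent_id: str, tool: str, args: dict, now: datetime) -> dict:
    """Build one audit-log record for an agent tool call, shaped like an admin-action log.
    Arguments are hashed so the log never stores raw customer data the agent handled."""
    canonical = json.dumps(args, sort_keys=True, separators=(",", ":")).encode()
    return {"ts": now.isoformat(), "agent": agent_id, "tool": tool,
            "args_sha256": hashlib.sha256(canonical).hexdigest()}
```

Run `audit_inventory` on a nightly export of the identity provider's service accounts and page the named owner on any non-empty findings list.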
The AI race rewards speed, which is why security debt compounds quietly. The gaps uncovered in 2026 are not exotic alignment problems. They are access control, code review and governance applied to a new kind of worker that never sleeps. Fix those and you buy the time everyone else is losing.
