Evolving Zero Trust for the Age of AI

Stephen Douglas, the Head of Market Strategy for Spirent Communications, explains how companies can evolve their zero trust initiatives for an evolving world of AI. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI.
Earlier this year, OpenAI publicly accused DeepSeek, a Chinese startup and competitor, of a new type of intellectual property theft: unauthorized “distillation” of its AI models. OpenAI claims that DeepSeek improperly extracted large amounts of ChatGPT-4o output data, using carefully structured queries to train DeepSeek’s own smaller, less mature AI model. DeepSeek denies the accusation.
Even if DeepSeek did engage in distillation, does that actually constitute theft? The question is more complicated than it sounds. However, enterprises can take one clear lesson from this episode: if AI is becoming an important part of your business strategy, you should take steps to protect it. The same confidential models and datasets you’re counting on to give you a competitive edge represent an attractive new attack surface for cyber-criminals targeting your business.
Inside the AI Threat
As AI takes on a larger role in your business operations, distillation is just one of several potential threats that should be on your radar. Others include:
Model extraction and inversion
This is similar to distillation, but rather than using a proprietary model’s output data to train another AI, attackers here attempt to copy the model itself. For example, imagine a tech startup that develops a proprietary, AI-based dynamic pricing application that it licenses to hotel chains so that they can adjust pricing based on real-time inventory and customer information. A competing firm could repeatedly query the AI model via fake user accounts and reconstruct its internal weights and parameters to duplicate it.
Data poisoning
Rather than stealing someone else’s proprietary data, attackers could also target an organization’s AI to try to make it less effective, either to harm the target company or enable other types of crimes. For instance, a malicious actor seeking to damage a self-driving car-maker could attempt to manipulate the manufacturer’s AI training data, uploading altered or misclassified images of traffic signs to confuse the model. Similarly, criminals seeking to manipulate a bank’s AI-driven fraud detection could repeatedly classify fraudulent transactions as legitimate, ultimately training the AI model to overlook certain types of fraud.
Lateral movement attacks
These cyber-attacks aim to breach an organization’s internal networks and data using AI as a launchpad. For example, a consumer technology company might use an AI chatbot to provide customer-facing product and technical support. To provide more intelligent and personalized assistance, the AI needs access to the company’s internal engineering systems and customer databases. But this also means that if attackers gain access to the chatbot server (such as through an API that the company exposes to retail partners), they can pivot to other systems and business applications to exfiltrate data.
Safeguarding AI with Zero Trust
These are just a few examples of the new generation of cyberthreats targeting the AI attack surface, which every business should be thinking about. Fortunately, even as AI attack strategies evolve, we can continue to employ the same overarching cybersecurity strategy that companies have relied on for years: zero trust.
The basic principles of zero trust security were first introduced in 2009:
- Never trust, always verify before allowing access.
- Apply “least privilege access” to prevent users and devices from even seeing resources they’re not explicitly authorized for.
- Restrict lateral movement to reduce the damage a successful breach can cause.
Within a decade, these principles became industry best practice. But while the zero trust model is far from new, its tenets are as applicable to AI models as they’ve been for conventional networks and systems. Indeed, in a modern IT landscape dominated by mobile workers, cloud services, and applications that autonomously communicate with each other over APIs, zero trust is more relevant than ever.
Here are some examples of ways to apply zero trust to the growing AI attack surface:
Stop model extraction with continuous authentication
Attacks seeking to recreate AI models might be new, but the remedy is the same one used for decades to guard against proprietary data theft: stringent authentication and authorization. Use zero trust principles to build strict access control policies around your AI applications, including requiring multi-factor authentication and rate-limiting user queries. Depending on the application, you may also want to consider techniques like differential privacy, which adds subtle randomness to model outputs to make it more difficult for attackers to reconstruct private or confidential training data.
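The access-control layer described above, as an added illustration that is not from the original article: a gateway policy for a model inference endpoint that checks MFA and scope on every request and holds each principal to a sliding-window rate limit plus a daily query budget. The window, limits, scope name and the `Principal`/`QueryGuard` types are assumptions chosen for the example.

```python
"""Zero-trust gateway policy for a model inference API (illustrative example).
Every request is authenticated, MFA is required, and each principal is held to
a sliding-window rate limit and a daily query budget. Limits are assumptions."""
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 60      # sliding window length (assumed)
MAX_PER_WINDOW = 20      # queries allowed per window per principal (assumed)
DAILY_BUDGET = 500       # queries allowed per principal per UTC day (assumed)


@dataclass
class Principal:
    name: str
    mfa_verified: bool     # set by the identity provider, never by the client
    scopes: set


@dataclass
class QueryGuard:
    # per-principal timestamps of recent queries, and per-day counters
    recent: dict = field(default_factory=dict)
    daily: dict = field(default_factory=dict)

    def authorize(self, p: Principal, now: float) -> tuple[bool, str]:
        """Return (allowed, reason); evaluated before any model call is made."""
        if not p.mfa_verified:
            return False, "mfa_required"
        if "model:query" not in p.scopes:
            return False, "scope_missing"
        q = self.recent.setdefault(p.name, deque())
        while q and now - q[0] >= WINDOW_SECONDS:   # drop expired timestamps
            q.popleft()
        if len(q) >= MAX_PER_WINDOW:
            return False, "rate_limited"
        day = int(now // 86400)
        used = self.daily.get((p.name, day), 0)
        if used >= DAILY_BUDGET:
            return False, "daily_budget_exhausted"
        q.append(now)
        self.daily[(p.name, day)] = used + 1
        return True, "ok"
```

A per-principal limit is only half the control: the scenario above involves many fake accounts, so production deployments also aggregate query counts per tenant, API key owner or network origin and alert when those aggregates climb.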
Preventing data poisoning with least privilege access
Again, the key to protecting proprietary datasets is ensuring no unauthorized party can access them. Use strict authorization mechanisms like role-based access control (RBAC) to narrowly define who can modify training data, and use context like user device, location, role, and time of day to detect suspicious access attempts. Conduct ongoing data integrity verification checks to spot anomalies. And use micro-segmentation to isolate datasets from less secure parts of your environment.
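The two controls in this paragraph, as an added example that is not part of the original article: a context-aware authorization check for writes to training data (role, managed device, time of day) and a hash manifest that reports records altered, injected or removed since the dataset was approved. The role matrix, device inventory, business hours and the traffic-sign sample records are constructed for the example.

```python
"""Least-privilege writes and integrity verification for a training dataset.
Illustrative example; the RBAC matrix, device list and records are constructed."""
import hashlib
import json

ROLE_PERMISSIONS = {                       # assumed RBAC matrix
    "data-engineer": {"training-data:read", "training-data:write"},
    "analyst": {"training-data:read"},
}
TRUSTED_DEVICES = {"laptop-7f3a"}          # assumed managed-device inventory
BUSINESS_HOURS = range(8, 19)              # assumed expected write window

# Constructed sample of an image-label dataset (ids and labels only).
SAMPLE_RECORDS = [
    {"id": "img-001", "label": "stop"},
    {"id": "img-002", "label": "yield"},
]


def authorize_write(role, device_id, hour, action="training-data:write"):
    """Deny unless the role grants the action AND the request context is expected."""
    if action not in ROLE_PERMISSIONS.get(role, set()):
        return False, "role_denied"
    if device_id not in TRUSTED_DEVICES:
        return False, "untrusted_device"
    if hour not in BUSINESS_HOURS:
        return False, "outside_hours_review"   # route to human review, not auto-approve
    return True, "ok"


def record_digest(record):
    """Canonical JSON so key order cannot change the digest."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def build_manifest(records):
    """Map record id -> digest, taken when the dataset is approved for training."""
    return {r["id"]: record_digest(r) for r in records}


def verify_dataset(records, manifest):
    """Report ids that were altered, injected or removed relative to the manifest."""
    current = {r["id"]: record_digest(r) for r in records}
    return {
        "altered": sorted(i for i in current if i in manifest and current[i] != manifest[i]),
        "injected": sorted(i for i in current if i not in manifest),
        "removed": sorted(i for i in manifest if i not in current),
    }
```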
Blocking lateral movement attacks with micro-segmentation
Micro-segmentation functions the same way as traditional network segmentation to restrict lateral movement, but it takes the concept a layer deeper, isolating individual system processes and workloads. Make sure you’re using it for sensitive AI models and datasets. And consider applying AI-driven defenses like anomaly detection tools, which can detect and shut down suspicious activity in queries and data access patterns.
Identifying the Right Approach
As with traditional cybersecurity, don’t expect zero trust AI defenses to come without tradeoffs. Adding extra layers of authentication could slow down model training, potentially adding unexpected costs and delays. In certain real-time use cases, such as AI fraud detection, the latency added by new security controls could make applications less effective. Micro-segmentation, too, must be carefully designed and implemented, or you risk breaking legitimate data flows.
In all cases, you must find the right balance for your business. Depending on the level of security your applications and data demand, you may also want to consider applying AI-enabled defenses to your AI attack surface. For example, new AI-driven security orchestration tools can dynamically adjust access control levels to protect AI models and datasets without adding unnecessary latency or delays.
Whichever interventions you choose, ensure you have a concrete strategy to protect your AI attack surface from rapidly evolving threats. And if you’re wondering how to begin, “never trust, always verify” remains a great place to start.