Our AI strategy for preemptive security
I’m Dr. David Brumley, Chief AI Officer at Bugcrowd and an active professor at Carnegie Mellon University (CMU). I recently gave a lecture on AI security, and I thought I’d share some of my insights here on the blog for security leaders.
I find that the conversation around AI in security is evolving rapidly, and a lot of it is imprecise. Before you can secure and govern AI systems or make defensible investment decisions about them, you need a working model of what they actually are.
AI is not a single technology. It is a goal—building systems that perceive, reason, decide, or act intelligently under uncertainty—and that goal can be pursued through several distinct mechanisms. Treating “AI” as a monolith is how organizations end up with security programs that protect against the wrong threats.
Security leaders must understand that each mechanism carries a different attack surface.
Machine learning (ML): The most widely deployed and discussed subset of AI, ML’s core operation is fitting a function in high-dimensional space. ML models learn from data rather than following explicit rules. ML powers everything from fraud detection to the LLMs your employees are already using to draft procurement emails. Its security weakness is fundamental: ML models optimize to fit their training distribution, not to be robust to adversarial inputs. Small, targeted perturbations can flip classifier outputs with high confidence.
Symbolic reasoning: Expert systems, knowledge graphs, and logic engines dominated early AI and still appear in regulatory compliance tooling, formal verification, and contract analysis platforms. Symbolic reasoning offers something ML cannot: interpretability and guarantees. A logic rule either fires or it doesn’t. The security risk is different too: The attack surface is the knowledge base, not gradient descent.
Search and planning: This underlies coverage-guided fuzzers (AFL and LibAFL), automated penetration testing, and any AI that reasons about sequences of actions. When your red team starts using AI-assisted recon and exploit chaining, they are using search-based AI.
Probabilistic/Bayesian AI: Older than most people realize, naïve Bayes spam filtering from 2002 is still in production at scale. Modern uses include anomaly detection, behavioral analytics, and network intrusion detection. The security profile is about degrading the model’s probability estimates, not fooling a neural net.
Optimization, physical AI (robotics, autonomous vehicles), and hybrid approaches: Hybrid systems such as an LLM combined with tools, retrieval, planning, and memory are what most enterprise AI deployments actually are. They are also the most complex to secure because the attack surface is the composition.
When a vendor says their product uses AI, the right follow-up questions are as follows:
The distinction between AI as a goal and AI as a technique is the foundation for every governance decision in your roadmap. Get it right before you build policy on top of it.
In Part 2 of my AI lecture series, I’ll dive into the anatomy of a modern AI system to help you understand what is actually running your enterprise.