I’m Dr. David Brumley, Chief AI Officer at Bugcrowd and an active professor at Carnegie Mellon University (CMU). I recently gave a lecture on AI security, and I thought I’d share some of my insights here on the blog for security leaders.

I find that the conversation around AI in security is evolving rapidly, and a lot of it is imprecise. Before you can secure and govern AI systems or make defensible investment decisions about them, you need a working model of what they actually are.

AI is not a single technology. It is a goal—building systems that perceive, reason, decide, or act intelligently under uncertainty—and that goal can be pursued through several distinct mechanisms. Treating “AI” as a monolith is how organizations end up with security programs that protect against the wrong threats.

The seven mechanisms (and their security profiles)

Security leaders must understand that each mechanism carries a different attack surface.

Machine learning (ML): The most widely deployed and discussed subset of AI, ML’s core operation is fitting a function in high-dimensional space. ML models learn from data rather than following explicit rules. ML powers everything from fraud detection to the LLMs your employees are already using to draft procurement emails. Its security weakness is fundamental: ML models optimize to fit their training distribution, not to be robust to adversarial inputs. Small, targeted perturbations can flip classifier outputs with high confidence.

Symbolic reasoning: Expert systems, knowledge graphs, and logic engines dominated early AI and still appear in regulatory compliance tooling, formal verification, and contract analysis platforms. Symbolic reasoning offers something ML cannot: interpretability and guarantees. A logic rule either fires or it doesn’t. The security risk is different too: The attack surface is the knowledge base, not gradient descent.

Search and planning: This underlies coverage-guided fuzzers (AFL and LibAFL), automated penetration testing, and any AI that reasons about sequences of actions. When your red team starts using AI-assisted recon and exploit chaining, they are using search-based AI.

Probabilistic/Bayesian AI: Older than most people realize, naïve Bayes spam filtering from 2002 is still in production at scale. Modern uses include anomaly detection, behavioral analytics, and network intrusion detection. The security profile is about degrading the model’s probability estimates, not fooling a neural net.

Optimization, physical AI (robotics, autonomous vehicles), and hybrid approaches: Hybrid systems such as an LLM combined with tools, retrieval, planning, and memory are what most enterprise AI deployments actually are. They are also the most complex to secure because the attack surface is the composition.

The practical takeaway for CISOs

When a vendor says their product uses AI, the right follow-up questions are as follows:

  • Which mechanism? The security controls that work against a classical ML classifier are not the same controls that work against an LLM agent.
  • Is it a standalone model or a system? Most production AI is a system—a model wired to retrieval, tools, memory, and APIs. You need to assess the system.
  • Where is your organization in the AI adoption curve? Stanford HAI’s 2026 report put organizational AI adoption at 88%. Your workforce is using these tools whether you’ve sanctioned them or not.

The distinction between AI as a goal and AI as a technique is the foundation for every governance decision in your roadmap. Get it right before you build policy on top of it.

In Part 2 of my AI lecture series, I’ll dive into the anatomy of a modern AI system to help you understand what is actually running your enterprise.