Language Is the New Attack Surface
Why AI Security Needs a Fundamental Rethink
SAN FRANCISCO — As companies race to embed artificial intelligence into everything from customer service to internal operations, a new and less visible threat is emerging: attacks written not in code, but in plain language.
At the RSA Conference (RSAC) in March 2026, cloud security company Upwind presented research showing that malicious prompts targeting large language models (LLMs)—the AI systems behind tools such as chatbots and copilots—can be detected with roughly 95% precision. Crucially, this can be done in real time, with sub-millisecond latency, avoiding the performance trade-offs that have limited earlier approaches to AI security.
The findings arrive at a moment when generative AI is moving rapidly from experimentation to production. For many organisations, the question is no longer whether to adopt AI, but how to do so safely.
What Upwind’s research underscores is that the answer may require a fundamental rethink of cybersecurity in the age of AI.
A shift with major consequences
Cybersecurity has long relied on recognising patterns. Malicious code, unusual network behaviour, and known exploit techniques could be identified because they followed repeatable structures. Even modern detection systems, powered by machine learning, largely depend on spotting deviations within those structures.
Large language models challenge that foundation.
They do not simply execute instructions; they interpret them. Inputs are no longer rigid commands but expressions in natural language—often ambiguous, context-dependent, and open to interpretation.
“LLMs don’t just process input, they interpret intent,” said Moshe Hassan, Vice President of Research & Innovation at Upwind, in an exclusive interview with MoveTheNeedle.news. “That changes the security model entirely.”
This shift—from processing inputs to interpreting intent—marks a turning point. If systems can be guided by language, they can also be misled by it.
When attacks start to sound like conversation
Unlike traditional cyberattacks, which often reveal themselves through abnormal behaviour or technical signatures, attacks against LLMs can be indistinguishable from legitimate use.
Prompt injection and jailbreak techniques do not rely on breaking systems in the conventional sense. Instead, they manipulate how a model understands a request. A malicious instruction might be embedded within a broader, seemingly harmless query. It might take the form of a hypothetical scenario or a multi-step interaction that gradually steers the model towards an unintended outcome.
“The same malicious goal can be phrased in thousands of different ways,” Hassan explained. That variability makes it difficult to rely on pattern-matching or rule-based systems alone.
In this environment, the attacker’s advantage lies in creativity rather than technical precision.
From isolated tools to connected AI systems
The risks become more pronounced as LLMs move beyond standalone applications and into integrated enterprise environments.
In many organisations, these AI models are embedded in workflows, connected to internal databases, and capable of triggering actions across multiple services. What begins as a simple user prompt can evolve into a chain of operations involving data retrieval, processing, and decision-making.
Upwind’s research highlights this dynamic. A request that appears benign at the surface may, once executed, interact with sensitive systems or expose critical information.
This is where traditional security approaches struggle. They are typically designed to assess inputs at the point of entry, not to follow how those inputs propagate through a system.
As a result, they risk missing the broader context in which an attack unfolds.
Why existing defences fall short in AI environments
The limitations of conventional security tools become clearer in a language-driven environment.
Historically, security has focused on structure—analysing packets, validating code, and identifying known patterns. These methods assume that threats can be recognised by how they are constructed.
Language does not behave in this way.
It is flexible, context-sensitive, and capable of expressing intent indirectly. A harmful request can be framed in entirely legitimate terms, making it difficult to distinguish from normal usage.
“With LLMs, the attack is expressed through intent,” said Avital Harel, Security Researcher at Upwind, also speaking to MoveTheNeedle.news. “This breaks pattern-based detection entirely.”
The implication is clear: defending AI systems requires a shift from analysing structure to understanding meaning.
Interpreting intent without slowing systems down
While the need for semantic understanding in AI security is widely recognised, implementing it at scale presents practical challenges.
Advanced models capable of interpreting intent are computationally intensive. Running them on every interaction would introduce delays and increase costs—both unacceptable in production environments where performance is critical.
Upwind’s approach attempts to balance these constraints. Instead of applying the same level of analysis to every request, it prioritises. Lightweight models handle the majority of traffic, while more advanced reasoning is reserved for cases that appear uncertain or high-risk.
This selective escalation allows the system to maintain speed while improving detection accuracy.
It also addresses a key barrier to enterprise adoption. As Hassan noted, security systems that introduce latency or generate excessive noise are unlikely to be used in practice. Real-time protection must operate within the constraints of live systems.
The emergence of subtle, persistent AI threats
As AI systems become more deeply embedded in business processes, the nature of cyber threats is expected to evolve.
Rather than overt attempts to bypass safeguards, adversaries are likely to adopt more indirect strategies. They may influence model behaviour over a sequence of interactions, gradually steering responses without triggering obvious alarms.
Harel pointed to the growing overlap between technical exploitation and social engineering. Future attacks, she suggested, may rely on contextual manipulation—framing requests in ways that appear legitimate while subtly guiding the system towards unintended outcomes.
These threats are harder to detect precisely because they do not stand out.
They blend into normal usage.
Following the execution path: a runtime-first approach
To address this, Upwind advocates for what it describes as a runtime-first security approach.
Instead of analysing prompts in isolation, the system tracks how a request behaves once it enters the environment. It observes which services are involved, what data is accessed, and how the interaction unfolds across the system.
In the interview, Hassan described this as the difference between seeing a request and understanding its consequences. A prompt may appear harmless on its own, but its impact becomes clear only when viewed in context.
This perspective allows security teams to move beyond simple detection and towards actionable insight—understanding not just that something is wrong, but what it is doing and how far it has progressed.
An ecosystem effort shaping AI security
The ability to deliver this kind of real-time, context-aware AI security depends on more than a single technology.
Upwind’s collaboration with Nvidia reflects the importance of combining detection capabilities with optimised infrastructure. Semantic analysis at scale requires efficient models, fast inference, and systems designed for production environments.
More broadly, it points to the growing interdependence of the AI ecosystem. Securing AI-driven systems will depend on close coordination between model developers, infrastructure providers, and security platforms.
No single layer can address the challenge in isolation.
A strategic question for business leaders
For organisations adopting AI, these developments raise important strategic questions.
LLMs are increasingly integrated into core operations, influencing how data is accessed, how decisions are made, and how services are delivered. This integration expands both the value and the risk of AI.
The challenge is not simply to prevent technical failures, but to ensure that systems behave as intended—even when interacting with unpredictable inputs.
That requires visibility, control, and an understanding of how AI systems operate within the broader business environment.
It also requires recognising that AI security is not a peripheral concern. It is central to the safe and scalable deployment of AI technologies.
Rethinking cybersecurity for a language-driven world
The idea that language itself could become an attack surface is no longer theoretical.
As AI systems continue to evolve, the ways in which they can be manipulated will evolve with them. Attacks will become more nuanced, more context-driven, and harder to distinguish from legitimate use.
Defending against them will require a shift in mindset—from focusing on what inputs look like to understanding what they mean.
Upwind’s research offers an early indication that this is possible at scale. Systems can be built to interpret intent, operate in real time, and integrate into production environments without disruption.
Whether this approach becomes standard across the industry remains to be seen.
What is clear, however, is that cybersecurity is entering a new phase.
In a world where machines understand language, security must learn to do the same.
Further reading on MoveTheNeedle.news:
DuckDuckGoose CEO warns AI-generated identities are already testing digital banking security
Veeam launches Agent Commander to help enterprises manage AI agent risk