Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI endpoint reconnaissance is rising, are your controls ready?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: GreyNoise captured 91,403 attack sessions from October 2025 to January 2026, including two campaigns that mapped exposed AI endpoints and abused server-side request forgery to trigger outbound connections, according to Zenity’s analysis of the findings. The threat picture is shifting from experimentation to operational targeting, and existing AI security models now need inventory, egress control, and behavior-based detection.

NHIMG editorial — based on content published by Zenity: GreyNoise findings and what they mean for AI security

Questions worth separating out

Q: How should security teams govern exposed AI endpoints and proxies?

A: Security teams should govern exposed AI endpoints and proxies as production identity surfaces.

Q: Why do AI proxies create a governance gap for IAM teams?

A: AI proxies create a governance gap because they can separate the authenticated user from the system that actually reaches the model provider or external services.

Q: How can organisations detect AI reconnaissance before exploitation?

A: Organisations can detect AI reconnaissance by correlating repeated low-noise requests, unusual callback domains, destination resolution, and identity context across telemetry.

Practitioner guidance

  • Inventory every exposed AI endpoint and proxy Map all internet-accessible model routes, wrappers, and API layers, then record who owns them, what they reach, and whether they are authenticated.
  • Constrain outbound model pulls and callback destinations Allow only trusted registries and known callback domains, and block systems that can be induced to reach arbitrary external URLs.
  • Correlate transcript, identity, and egress telemetry Join request content, source identity, destination resolution, and tool use so low-signal probing can be detected before it becomes exploitation.

What's in the full article

Zenity's full analysis covers the operational detail this post intentionally leaves for the source:

  • Indicator-level breakdown of the GreyNoise campaigns, including callback domains and probing patterns
  • Zenity's deterministic detection logic for suspicious AI communications and outbound behavior
  • Customer telemetry validation approach used to confirm whether agents were directly impacted
  • Threat-hunting guidance for teams that need to operationalize detections across SaaS, cloud, and endpoints

👉 Read Zenity's analysis of GreyNoise findings on AI security targeting →

AI endpoint reconnaissance is rising, are your controls ready?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

AI infrastructure is now a governed identity surface, not just an application layer. Exposed AI endpoints, proxies, and agent workflows can be enumerated the same way attackers once mapped other internet-facing services, but the business impact is deeper because those systems can mediate access to tools, data, and actions. The governance model has to treat the AI path as part of identity control, not as an adjacent technical detail. Practitioners should assume AI exposure is a standing inventory problem, not a one-time hardening task.

A few things that frame the scale:

  • Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption, according to The 2026 Infrastructure Identity Survey.
  • The same survey found that 67% of security leaders still rely heavily on static credentials despite the risks they pose to agentic AI deployments.

A question worth separating out:

Q: Who should own security decisions for AI infrastructure exposure?

A: Ownership should sit with the teams responsible for identity, platform, and security policy together, because exposed AI infrastructure affects authentication, routing, and runtime behavior at the same time. If no team owns the proxy, egress, and model access path as one control plane, exposure will remain invisible until an attacker maps it first.

👉 Read our full editorial: AI infrastructure is now a target, and AI security must adapt



   
ReplyQuote
Share: