Last week, as soon as Anthropic announced Claude Code Security, cybersecurity stocks dropped sharply. An AI model is claiming it can identify hundreds of vulnerabilities in open-source code that has been used for years. This is a development that changes the rules of speed and scale in software security. But we now need to ask a new question. AI will find vulnerabilities in software. Will the same structure also be able to find vulnerabilities in your AI systems? AI itself is opening up as a new field of cybersecurity.

Software security is not the only dimension of cybersecurity. An organization’s risk does not arise solely from coding flaws. Identity and access management, cloud configurations, secret management, supply chains, monitoring and response capabilities, and social engineering are all layers that are decisive for security. In fact, the disruption we are experiencing is not just about stronger code scanning. It is about AI being added across each of these layers as a new interface and a new set of capabilities.

AI is turning into agents inside companies that query databases, access internal documents, open tickets, change configurations, and behave like security tools. It retrieves information, takes action by using tools, and moves decisions closer to implementation through autonomous workflows. But this transformation is also turning AI itself into a new attack surface, and this surface does not appear to be something that can be protected automatically through the reflexes of classical application security.

The first examples we have been discussing revolve around prompt injection. An input that appears to come from a user triggers an unauthorized query in a background tool. A system that is supposed to function as a security tool ends up executing the wrong instruction as if it were legitimate work. Or the retrieval-augmented generation pipeline carries out sensitive data that your agent is supposed to protect, because of the wrong context. When weak access-control connectors, excessively broad permissions, and inadequate logging come together, what looks like a leak may actually be a natural consequence of how the AI system was designed. Worse still, as agents accumulate privileges in order to get work done, they may open up a new route for privilege-escalation attacks. Attackers are no longer targeting only the application itself, but also the AI layer that exercises authority through the application.

Today, many large institutions and organizations will not deploy a web application without first conducting a penetration test. Yet those same organizations may put into operation an AI system that can run queries and read internal documents without conducting adequate testing. That is because the controls are focused on the model’s generated output. But the risk now spreads across the systems the model is connected to, the permissions it holds, the tools it can use, the logs it generates, and the automation flows it triggers.

AI will transform application security. But AI itself is now the new frontier of security. The next major loss will come either from AI vulnerabilities that no one tested, or from the unexpected consequences of decisions made by AI that no one properly controlled.