Rethinking Penetration Testing for AI-Enabled Systems: From Resource Compromise to Behavioral Objective Violation

2026-07-15Cryptography and Security

Cryptography and SecurityArtificial Intelligence
AI summary

The authors explain that traditional penetration testing, which checks if attackers can break into systems, is not enough for AI-driven systems. In these systems, attackers can change how the AI behaves by manipulating things like prompts, data, or tools without hacking the system itself. They redefine penetration testing to focus on whether attackers can cause the AI to act against its intended goals. The authors offer a step-by-step testing method and use an example of an AI assistant in security operations to show how attacks can happen through behavior changes rather than breaking infrastructure.

penetration testingAI-enabled systemsprompt injectiondata poisoningbehavioral evaluationadversarial attackoperational objectivessensor manipulationretrieval poisoningagentic misalignment
Authors
Mohammad Allahbakhsh, Mohammad Hassan Bahari, Moslem Attar-Raouf
Abstract
Penetration testing traditionally evaluates whether adversaries can exploit weaknesses in software, infrastructure, configurations, or operational controls to achieve security-relevant compromise. This paradigm remains necessary for AI-enabled systems, but it is no longer sufficient. In such systems, adversaries may influence prompts, retrieved content, sensor inputs, training data, memory, tools, or human-AI interaction loops to alter system behavior without directly compromising the underlying infrastructure. This paper reframes penetration testing for AI-enabled systems as objective-driven behavioral evaluation. We define an AI-enabled system as one in which learned models materially influence behavior affecting operational outcomes, and we define AI-enabled penetration as the feasible induction of AI-governed behavior that violates one or more operational objectives under an explicit threat model. This definition preserves conventional penetration testing while extending it to adversarial pathways such as prompt injection, indirect prompt injection, data poisoning, sensor manipulation, retrieval poisoning, tool misuse, and agentic misalignment. We further propose a testing workflow that identifies operational objectives, maps AI-governed behavior, analyzes adversarial influence surfaces, defines behavioral failure criteria, executes scenario-based tests, and reports evidence linking adversarial action to objective violation. A running example involving an AI-enabled security operations center assistant illustrates how penetration may occur through behavioral influence rather than infrastructure compromise. Together, the definitions, workflow, and example provide a technical framework for evaluating adversarial success in deployed AI-enabled systems.