HackerOne
By Naz Bozdemir, Lead Product Researcher
In 2025, enterprise AI security programs face a paradox: defenders are getting better, but vulnerabilities are multiplying faster than teams can fix them.
According to the latest Hacker-Powered Security Report, valid AI-related vulnerability reports have surged 210% year over year, while the number of researchers focusing on AI and machine-learning assets has doubled.
For CISOs and security leaders, that’s progress—but also proof of a widening gap between detection and defense.
The Cybersecurity Remediation Bottleneck
As organizations embed AI across products and workflows, their attack surface expands just as quickly. The result is a growing backlog of unresolved vulnerabilities, each one a potential exploit—an open endpoint, a model manipulation risk, or a misconfigured data flow.
Thirty-eight percent of organizations lack the resources to manage AI risk effectively, and another third aren’t confident in their skills. AI-related vulnerabilities demand expertise in model behavior and data pipelines, yet many teams still rely on manual triage and ticketing to handle thousands of findings.
Our research shows how quickly threats are accelerating:
Prompt injections: +540%
Excessive agency issues: +233%
Insecure plugin design: +212%
Sensitive information disclosures: +152%
The result is predictable: reports pile up, timelines stretch, and remediation falls behind.
When the Queue Becomes the Risk
Every delay increases exposure. IBM’s Cost of a Data Breach 2025 found that 97% of AI-related incidents involved weak access controls, a sign that critical vulnerabilities linger too long.
Attackers, meanwhile, are scaling with automation—using AI to perform reconnaissance, chain exploits, and pinpoint weaknesses faster than human teams can respond.
Seventy-eight percent of surveyed organizations said their concern about AI security grew in the past year, up from 48% the year before.
Augmenting Security With AI
Manual remediation can’t match AI’s velocity.
In 2025:
1,121 programs included AI in scope or received a valid AI vulnerability.
270% year-over-year growth in AI scope inclusion.
58% of researchers upskilled in AI/ML security.
41% are already testing AI assets.
The answer isn’t simply more people—it’s smarter, AI-assisted processes.
How to Operationalize Security for AI
Unify the threat model: Map exploit paths and unsafe behaviors in one view.
Pressure-test continuously: Use adversarial exercises, AI pentests, and ongoing bounty or VDP programs to validate defenses as systems evolve.
Instrument governance: Align to frameworks such as NIST AI RMF, MITRE ATLAS, and the EU AI Act while keeping humans in the loop for sensitive actions.
Resource to reality: Where capacity is limited, leverage independent testing for assurance while building internal expertise.
A Smarter Way to Stay Ahead
The number of AI findings will keep growing, but security doesn’t have to lag behind.
By investing in AI-driven triage and continuous testing, organizations can turn remediation into a proactive advantage.
Catch vulnerabilities earlier with HackerOne Code.