Prashant AkhawatBuilding AI-Native Enterprises

CXO Intelligence

Edition 04  ·  For Tech CEOs

The Fragile MoatWhy securing intelligence is now a board-level decision

The last three editions argued that the enterprise must be rebuilt around intelligence. This one confronts the uncomfortable corollary: once intelligence is what runs the company, intelligence is also what can be attacked, poisoned, or taken hostage.

The argument in 30 seconds

  • Redesigning around intelligence creates a new attack surface. Your decisions, knowledge and learning loop become targets the perimeter was never built to protect.
  • Every AI attack is one of three moves: poison the knowledge, hijack the decision, or steal the moat. The most dangerous do not look like breaches.
  • Concentrated intelligence is a single point of failure. One compromise of the shared core can halt every function at once. Agentic AI turns a wrong answer into a wrong action.
  • The gap is self-inflicted: 97% of AI-breached firms lacked access controls. Design for resilience, and treat security as the enabler of speed, not its brake.

Executive Summary

Every prior edition of this series pushed toward one conclusion: the winning enterprise is the one redesigned around intelligence. This edition adds the constraint that makes the redesign survivable. When a company routes its most important decisions, its proprietary knowledge and its learning loop through AI, it does not merely gain a capability; it creates a new, concentrated and largely undefended attack surface. Security is therefore no longer an IT function bolted on at the end. It is an architecture decision made at the top, because it determines whether the moat you are building can actually hold.

The early evidence is stark. In IBM’s 2025 study, 13 percent of organizations reported a breach of their AI models or applications, and of those, 97 percent lacked basic AI access controls. Sixty percent of these incidents led to data compromise and 31 percent to operational disruption. Meanwhile 63 percent of breached organizations had no AI governance policy at all. Adoption is outpacing not just value, as earlier editions showed, but safety.

Opening

The chatbot that cost its company in court

When Jake Moffatt’s grandmother died, he went to Air Canada’s website to book a flight to the funeral. The airline’s AI chatbot told him he could buy a full-fare ticket now and claim the bereavement discount later, within ninety days. He screenshotted the answer, booked the flights, and applied for the refund. The airline refused. Its actual policy, on a different page of the same website, said no such retroactive claims were allowed. The chatbot had invented the offer.

What happened next is the part every executive should sit with. Air Canada argued, before a Canadian tribunal, that it could not be responsible for what its chatbot said, because the chatbot was, in the airline’s words, “a separate legal entity responsible for its own actions.” The tribunal called the submission remarkable, and not as a compliment. It ruled that a company owns everything on its website, whether the words come from a static page or an AI, and ordered Air Canada to pay. A machine had spoken for the company, and the company was bound by it.

Sit with the implication. The AI did not leak a database or breach a firewall. It simply said something wrong, with authority, on the company’s behalf, and the company was held to it. Now scale that from a single customer-service answer to an enterprise that, as this series has argued, has been deliberately redesigned so that its most important decisions flow through AI. The chatbot that costs you a few hundred dollars in a small-claims court is the harmless version. The dangerous version is the intelligence layer your whole business now runs on, saying something wrong, at scale, because someone made it.

Because here is what the last three editions did not say out loud. Everything that makes the AI-native enterprise powerful, the shared intelligence, the proprietary knowledge, the learning loop that compounds, is also a target. The moat can be attacked. It can be poisoned. It can be taken hostage. And most enterprises that have raced to build it have spent a decade hardening their perimeter and almost no time hardening the intelligence now sitting inside it.

A machine spoke for the company. The company was bound by what it said. That is the whole of the AI era in a single courtroom.

Prashant AkhawatCXO Intelligence
“Prompt injection is the new SQL injection, and guardrails alone are not enough.”Cisco security research, 2026
13%
of organizations reported a breach of AI models or applications
IBM, 2025
97%
of those breached lacked proper AI access controls
IBM, 2025
31%
of AI security incidents caused operational disruption
IBM, 2025

The Argument · I

The attack surface has moved

For thirty years, enterprise security has been organized around a clear mental model: there is a perimeter, and inside it are data and systems worth protecting. Firewalls, endpoint protection, identity management and encryption all serve that model. It is mature, well-understood, and largely adequate for the digital enterprise it was built for.

The AI-native enterprise breaks the model by introducing three things that were never attackable in the same way. The decision: when an AI shapes a choice, the reasoning itself becomes a target, manipulable through the inputs it reads. Knowledge: the proprietary data grounding the AI can be poisoned, so the corruption lives inside the asset rather than breaching a wall around it. And the learning loop: influence what the enterprise learns, and you can bend its future behavior slowly and invisibly, a category of harm traditional security was never designed to detect.

This is why buying more of the old security stack does not solve the new problem. Perimeter tools protect the walls; they do not inspect whether the intelligence inside is being taught to lie. The surface has moved inward, to the very capability the enterprise now depends on most.

Exhibit 1How the Attack Surface Expanded
TRADITIONAL SURFACE AI-NATIVE SURFACE Data & systems networks, endpoints, databases Applications code, APIs, identities Protect the perimeter and the data. Everything on the left, plus: DECISIONS (prompt injection) KNOWLEDGE (data poisoning) THE LEARNING LOOP (corruption) Now the intelligence itself can be attacked.
A larger, softer target. The AI-native enterprise keeps every traditional vulnerability and adds three new ones: its decisions, its knowledge and its learning loop. The intelligence itself is now attackable.

You spent a decade hardening the perimeter. The AI era moved the target inside it.

Prashant AkhawatCXO Intelligence

The Argument · II

Three ways to attack intelligence

The dozens of techniques catalogued in frameworks such as the OWASP Top 10 collapse, for a board’s purposes, into three strategic modes of attack, each mapping to one of the new surfaces. The first is to poison the knowledge, corrupting what the AI learns so it produces confident, wrong outputs and does not know it. The second is to hijack the decision through prompt injection, overriding the system’s instructions and substituting the attacker’s; it is the single most prevalent AI vulnerability, and it is patient work, since in one controlled agentic evaluation an injection that fooled a leading model under 5 percent of the time on the first try succeeded about 63 percent of the time by the hundredth. The third is to steal the moat, exfiltrating the proprietary model and knowledge that constitute the advantage itself. The next section walks the most dangerous of these in depth.

Exhibit 2Three Ways to Attack Intelligence
POISONthe knowledgeCorrupt the data theenterprise learns from. Itmakes confident, wrongdecisions and does not knowit.HIJACKthe decisionInject hidden instructions sothe AI acts on the attacker'sintent, at machine speed.STEALthe moatExfiltrate the proprietarymodel and knowledge. Theadvantage itself walks out thedoor.
Poison, hijack, steal. Every specific exploit reduces, strategically, to corrupting what the AI learns, commandeering what it decides, or stealing what makes it valuable.

The Argument · Depth

The attacks that can paralyze an AI organization

It is worth being specific, because “AI security” in the abstract lets a board nod along without grasping what happens. Stripped of jargon, the attacks catalogued by OWASP and, at the end of 2025, its dedicated agentic framework, fall into the three families we have named. The most dangerous are worth walking through.

Against the knowledge, the signature attack is poisoning, and its most unsettling form is memory poisoning. A technique formalized by researchers in late 2025, known as MINJA, showed that an attacker can plant a false memory in an AI agent purely by talking to it, with no access to the underlying system at all, and that the false memory then persists and shapes future decisions, even for other users. The corruption lives inside the asset. Nothing was breached in the traditional sense.

Against the decision, beyond direct prompt injection, sit goal hijacking, quietly redirecting what the AI is trying to achieve, and approval manipulation, nudging the risk scores and confidence thresholds that are supposed to be the safeguard. The safeguard becomes the target.

Against the agent and the wider system, the stakes climb again. Tool misuse turns the agent’s own legitimate tools against the business. Privilege compromise escalates access silently. In multi-agent systems, a single compromised agent can trigger a cascading failure, because trust between agents does not aggregate safely, so individually safe agents can compose into an unsafe whole. And denial of wallet, the AI-era denial of service, traps an agent in an unbounded loop that drains the compute budget within minutes. Underneath all of it lurks the shadow agent: an AI running with no owner, no registry entry and no audit trail, inheriting a real employee’s credentials, which is the agentic descendant of shadow IT and rated a critical risk for good reason.

Exhibit 3The Attacks That Can Paralyze an AI Organization
ON THE KNOWLEDGEData / model poisoningcorrupt what it learnsMemory poisoning (MINJA)plant a lie that persists across sessionsRAG / vector poisoningseed a poisoned document to be retrievedON THE DECISIONPrompt injectionoverride its instructions via inputGoal / intent hijackingredirect what it is trying to doApproval manipulationbend risk scores past the safeguardsON THE AGENT & SYSTEMTool misuseturn its own tools against the businessPrivilege compromiseescalate access silentlyCascading failureone rogue agent infects the restDenial of walletloop it until the budget is drained
The paralysis map. Every attack targets one of three things: what the AI knows, what it decides, or what it and its fellow agents can do. The most dangerous share a property: they do not look like breaches.

That last property should keep a board awake: the most dangerous of these attacks do not announce themselves. Consider what researchers call the dormant attack. A poisoned document enters the knowledge base looking entirely ordinary and sits for weeks, triggering no alert. Then an employee asks a routine question, the AI retrieves the poisoned content, and an agent acts on it, authorizing a transaction it should have refused. Cause and damage are separated by weeks and by context, which is exactly why traditional security, built to catch a breach as it happens, sees nothing.

Exhibit 4The Dormant Attack: Why Traditional Security Misses It
DAY 0A poisoned documententers the knowledgebaselooks completely normalWEEKS PASSThe attack liesdormantno alert, no anomaly,nothing to seeDAY 40An employee asks aroutine questionthe AI retrieves thepoisoned chunkSECONDS LATERThe agent acts on thefalse instructionand authorizes what itshould have refusedWhy traditional security misses it: the cause and the damage are separated by weeksThe malicious input is divorced from the harmful action by time and context. No firewall sees this.
Separated by time. When the poisoning and the damage are weeks apart, every tool built to catch a breach in the act is looking in the wrong moment. This is the defining challenge of securing intelligence.

The dangerous AI attack does not break down the door. It waits inside, patiently, until you ask it the right question.

Prashant AkhawatCXO Intelligence

The Argument · III

The single point of failure

There is a reason this threat is different in scale from anything that came before it, and it is the same reason the AI-native enterprise is so powerful. Edition 03 showed that these organizations run every function through one shared intelligence layer, so a decision in sales can draw instantly on what finance, legal and operations know. That shared core is what makes the enterprise smart. It is also, in security terms, the most dangerous sentence in this entire series: everything now depends on one thing.

Concentration is efficient and dangerous for the same reason. When every function depends on a common intelligence core, compromising that core is not one breach; it is a simultaneous breach of everything downstream. A poisoned model corrupts every decision it touches, across every function, until someone notices, and IBM’s data shows AI incidents already take longer to detect than ordinary ones. This is why cybersecurity can halt the entire AI: the more central the intelligence, the larger the blast radius of its failure.

The lesson is not to abandon shared intelligence, which is the source of the advantage. It is to design the concentration deliberately, with the blast radius in mind, so that the efficiency does not come bundled with catastrophic fragility.

Exhibit 5Concentrated Intelligence Is a Single Point of Failure
SHAREDINTELLIGENCEcompromisedSalesFinanceOpsHRLegalSupplyOne compromise at the core propagates to every function at once. Efficiency and fragility share a root.
The blast radius of the core. A shared intelligence layer connects every function. Compromise it once, and the failure propagates everywhere at once. Efficiency and fragility share the same root.

The Argument · IV

When AI can act, not just advise

The most important shift of 2025 and 2026 is the move from AI that recommends to AI that acts. Agentic systems do not just answer questions; they send emails, query and update databases, call APIs and take multi-step actions toward a goal. This is where the productivity upside is greatest, and it is also where the security stakes change in kind rather than degree.

The reason is simple and severe. When an advisory system is compromised, the result is bad information, and a human between the recommendation and the action can still catch it. When an agentic system is compromised, the result is bad action, taken autonomously at machine speed, with no human in the loop by design. This is why the security community released a dedicated agentic framework at the end of 2025, for risks that did not exist for chatbots: uncontrolled autonomy, delegated identity abuse, and agents manipulating one another.

For a CXO, the implication is a design rule rather than a prohibition. The value of agents is real, but autonomy must be granted deliberately and bounded explicitly. The question is not whether to deploy agents, but which actions they may take without a human, and that question belongs in the architecture, not in a vendor’s default settings.

Exhibit 6Advisory AI vs Agentic AI: The Change in Stakes
ADVISORY AI recommends; a human acts A compromise produces bad information. A human can still catch it. Blast radius: one decision. AGENTIC AI decides and acts autonomously A compromise produces bad action, at machine speed. No human in the loop to catch it. Blast radius: every action it can take. Autonomy converts a security incident from a wrong answer into a wrong act.
From bad answer to bad act. Autonomy is the multiplier. It converts a compromised recommendation, which a human might catch, into a compromised action taken at machine speed.

An advisory system that is fooled gives you a wrong answer. An autonomous one that is fooled takes a wrong action, before anyone can object.

Prashant AkhawatCXO Intelligence

The Evidence

The governance gap, in numbers

None of this would matter much if enterprises were defending the new surface as diligently as the old one. They are not. The single most striking finding in the 2025 data is not any individual attack; it is the scale of the undefended gap between how fast AI is being adopted and how slowly it is being governed.

The numbers describe organizations running a powerful new capability with almost none of the controls they would demand of any other critical system. Nearly all breached AI deployments lacked access controls; most breached firms had no AI governance policy. A fifth of all breaches now involve shadow AI, unsanctioned tools used without oversight, and those cost on average 670 thousand dollars more than the norm, because no one could even see the exposure.

Exhibit 7The AI Governance Gap, in Numbers
97%of AI-breached firms lacked AI access controls63%of breached firms have no AI governance policy60%of AI incidents led to data compromise31%of AI incidents caused operational disruption20%of all breaches now involve shadow AISource: IBM Cost of a Data Breach Report 2025.
Adoption is outpacing oversight. The controls enterprises take for granted on every other critical system are largely absent on AI. Source: IBM Cost of a Data Breach Report 2025.

The encouraging counterpoint in the same research is that this is a solvable, self-inflicted gap, not an unavoidable law, and it carries a number a board can act on. Organizations that used AI and automation extensively in their defense detected and contained breaches far faster and saved on the order of 1.9 million dollars per incident. That figure reframes the budget conversation entirely. Securing intelligence is not a cost center defending against a hypothetical; it is an investment with a measurable return against a quantified, already-materializing risk. The gap is a choice, and closing it is an architecture and governance decision, which is to say, a leadership one.

The Strategy

Designing for resilience, not just prevention

The instinct of traditional security is prevention: keep the attacker out. Necessary, but no longer sufficient, because the new surface is porous by nature. Prompt injection cannot be fully eliminated, poisoning cannot be perfectly detected, and agents will occasionally be fooled. The mature posture is resilience: assume compromise is possible, and design so it is survivable. Five principles translate that into architecture.

The five principles are straightforward to state and demanding to implement. Contain the blast radius: segment the intelligence layer so one compromise cannot corrupt every function at once. Keep a human at the point of high consequence: require approval where an action is irreversible or material, granting autonomy in proportion to stakes. Prove the provenance: maintain the lineage of every input that shapes a decision, so a poisoned source can be traced and its damage found. Zero-trust for agents: treat every agent as an identity with least-privilege access, not as trusted internal software. And design for recovery: rehearse detection, containment and rollback of a compromised model the way mature firms rehearse disaster recovery, because the question is when, not whether.

Exhibit 8Five Principles for a Resilient AI Architecture
1CONTAIN THE BLAST RADIUSsegment intelligence so one breach is not total2HUMAN AT HIGH CONSEQUENCErequire human approval where actions are irreversible3PROVE THE PROVENANCEtrack the lineage of every input to a decision4ZERO-TRUST FOR AGENTStreat every agent as an identity with least privilege5DESIGN FOR RECOVERYassume compromise; rehearse containment and rollback
Resilience over prevention. Because the new surface cannot be perfectly defended, the AI-native enterprise is designed so that compromise is contained, traceable and recoverable rather than catastrophic.

The Reframe

Governance is not the brake. It is the enabler.

There is a reflex, common in organizations under competitive pressure, to treat security and governance as the drag on AI ambition, the department of no that slows the business down. This edition’s final argument is that in the AI era the reflex is exactly backwards, and the earlier editions already contained the reason.

Enterprise Intelligence depends on the organization’s willingness to act on machine-shaped decisions. An enterprise that does not trust its AI cannot act on it; it double-checks everything by hand, and the speed advantage evaporates. An enterprise that has genuinely secured its intelligence, that can prove provenance, contain blast radius and trust its agents, can act with confidence and at speed, especially in regulated industries where a wrong autonomous action is costly. Governance, done properly, converts a dangerous capability into a usable one. It is not the brake on the moat; it is part of what makes the moat hold.

Exhibit 9Governance as Enabler, Not Brake
THE OLD VIEW Governance as a brake Controls slow the business. Security is the department of "no." THE AI-NATIVE VIEW Governance as an enabler Trust to act on AI output IS the speed. It lets a regulated firm move without fear. The firms that can trust their AI can act on it. The ones that cannot, freeze.
The reframe. The firms that can trust their AI can act on it, at speed. The ones that cannot, freeze. In the AI era, security is a precondition for velocity, not its opposite.

The Stakes

The regulator is arriving, and the liability is already here

There is a second reason security has moved to the board: the law is catching up, and not waiting for the technology to settle. The Air Canada ruling was an early tremor, a tribunal establishing that a company owns what its AI says and does. That principle is hardening into statute. The EU AI Act has begun phasing in obligations for high-risk and general-purpose AI, with penalties reaching tens of millions of euros or a percentage of global turnover. Sector regulators in finance and healthcare are issuing their own. The direction is unambiguous: accountability for AI behavior sits with the enterprise deploying it, and increasingly must be demonstrable, not merely asserted.

For a board, this converts the resilience principles from good practice into something closer to duty. Provenance is no longer only a defense against poisoning; it is the evidence trail a regulator will ask to see. Human oversight at high-consequence decisions is, in several regimes, required rather than merely prudent. The architecture choices this edition describes increasingly determine regulatory exposure and legal liability alike. A firm that cannot explain why its AI did what it did is exposed on both fronts at once, to the attacker and to the regulator.

For the Board

The questions the board must now ask

Because securing intelligence is an architecture decision, it belongs on the board’s agenda alongside capital allocation and cyber risk, not buried two levels down in IT. The board does not need to understand prompt injection at a technical level. It needs to ask six questions and be satisfied with the answers.

Exhibit 10Six Questions Every Board Should Ask
SIX QUESTIONS EVERY BOARD SHOULD ASKWhere would a single AI compromise halt the most of our business?Which autonomous actions can our agents take without a human?Can we trace every decision back to the data that shaped it?Do we know every AI tool our people actually use? (shadow AI)How fast could we detect, contain and roll back a poisoned model?Is our proprietary knowledge, the moat itself, exfiltration-proof?
Governing the fragile moat. The board’s job is not to defend the system personally, but to ensure someone owns each of these answers, and that the architecture reflects them.

The through-line of all six is ownership. The most dangerous answer a board can receive to any of these questions is a pause, followed by uncertainty about who is responsible. In the AI-native enterprise, the security of the intelligence layer is too consequential to be ownerless, and too architectural to sit anywhere but near the top.

What This Means For You

What to do Monday morning

If you take one thing from this edition into your next leadership meeting, let it be that securing intelligence is not a project to delegate but a posture to adopt, and the posture is expressed in a handful of concrete moves. None of them require you to understand the mathematics of an attack. All of them require you to decide who owns the answer.

Map the blast radius: identify honestly where a single compromise would halt the most business, because that is where budget belongs first. Bound every agent, drawing an explicit line between actions an AI may take alone and those requiring a human, in proportion to how irreversible they are. Insist on provenance, so every material decision traces back to the data that shaped it. Treat every agent as a zero-trust identity with least-privilege access, not the inherited credentials of whoever launched it. Hunt down shadow AI, because the tool you cannot see is the one you cannot defend. And rehearse recovery, running a tabletop on a poisoned-model incident, because the honest question is when, not whether.

Exhibit 11The CXO Action List
THE CXO ACTION LISTWHO OWNS ITMap the blast radiusWhere would one AI compromise halt the most?CIO / CISOBound every agentWhich actions need a human? Set the line.CTO / ProductProve provenanceTrace each decision to its source data.CDO / DataZero-trust the agentsLeast-privilege identity for every agent.CISOKill shadow AIFind and govern every unsanctioned tool.CIO / SecurityRehearse recoveryTabletop a poisoned-model incident.CISO / Risk
Six moves, six owners. The point of the checklist is not the tasks. It is the last column: every one of these must have a named owner, because the most dangerous answer a board can hear is silence about who is responsible.

Conclusion

A moat worth building is a moat worth defending

Follow the series to its end and the logic is inescapable. The CEO’s job is to redesign the enterprise. The prize is Enterprise Intelligence, the last durable moat. Building it means becoming AI-native, structured around intelligence rather than retrofitted with it. And this edition adds the sentence that the other three imply but never say: a moat built on intelligence is worth exactly as much as the security of that intelligence, and not a rupee more.

The firms that win the AI era will not be those that deploy AI fastest, or even those that redesign around it most thoroughly, but those that do both while making their intelligence trustworthy enough to act on. Security is not a tax on the transformation; it is the part that determines whether the advantage survives contact with a determined adversary. The moat is fragile by default. Making it durable is a decision, made in the boardroom and in the architecture, before the first agent is ever granted the right to act.

Key Takeaways

  1. Redesigning around intelligence creates a new attack surface. The enterprise’s decisions, knowledge and learning loop become targets that traditional perimeter security was never built to protect.
  2. Every AI attack is one of three moves: poison the knowledge, hijack the decision, or steal the moat. Each needs a different defense.
  3. Concentrated intelligence is a single point of failure. The shared layer that makes the enterprise smart also gives a single compromise an enterprise-wide blast radius.
  4. Agentic AI changes the stakes in kind. Autonomy converts a compromised recommendation into a compromised action taken at machine speed. Grant autonomy deliberately.
  5. The gap is self-inflicted: 97% of AI-breached firms lacked access controls and 63% had no AI governance policy. Closing it is a leadership decision, not a technical impossibility.
  6. Design for resilience, not just prevention, and reframe governance as the enabler of speed. The firm that can trust its AI can act on it; the one that cannot, freezes.

A question for the boardroom

If an adversary poisoned the intelligence layer your most important decisions now flow through, how long would it take you to notice, and how much of the business would it have touched by then?

Selected Sources

  1. IBM, Cost of a Data Breach Report 2025 (Ponemon Institute), July 2025: 13% AI model/app breaches; 97% lacked AI access controls; 60% data compromise; 31% operational disruption; 63% no AI governance policy; shadow AI +$670K; 16% of breaches involved attacker use of AI; ~$1.9M savings from extensive security AI use.
  2. OWASP GenAI Security Project, Top 10 for LLM Applications (2025): prompt injection (LLM01), sensitive information disclosure, supply chain, data and model poisoning, improper output handling, excessive agency, system prompt leakage, vector and embedding weaknesses.
  3. OWASP GenAI Security Project, Top 10 for Agentic Applications, December 2025: uncontrolled autonomy, delegated identity abuse, cross-agent prompt injection.
  4. Anthropic, Claude Opus 4.5 System Card, November 2025: indirect prompt-injection attack success rising with repeated attempts (approximately 5% at one attempt to roughly 63% at one hundred) in an agentic evaluation.
  5. Cisco, security research on prompt injection, 2026 (“the new SQL injection; guardrails alone are not enough”).
  6. NIST, Artificial Intelligence Risk Management Framework: Generative AI Profile (NIST AI 600-1), 2024.
  7. McKinsey & Company, The State of AI in 2025 and Seizing the Agentic AI Advantage, 2025.
  8. Kiteworks and Harmonic Security analyses of shadow AI data exposure, 2025 to 2026.
  9. CXO Intelligence Series: Edition 01, The CEO’s Real Job in the AI Transition; Edition 02, The Last Moat; Edition 03, The AI-Native Enterprise.

Statistics reflect the cited primary research at time of writing. Attack-success rates are drawn from controlled evaluations and vary by model, setting and method; they are cited to illustrate direction and persistence, not to characterize any single product. Quotations are reproduced from public records.