Ask. Learn. Improve
Features
Real EstateData CenterMarketing & SalesHealthcareLegal Teams
How it worksBlogPricingLets TalkStart free
Start free
Contact
Privacy Policy
Terms of Service

©2026. Mojar. All rights reserved.

Free Trial with No Credit Card Needed. Some features limited or blocked.

Contact
Privacy Policy
Terms of Service

©2026. Mojar. All rights reserved.

Free Trial with No Credit Card Needed. Some features limited or blocked.

← Back to Blog
Industry News

Eight Ways Attackers Get Into Your Enterprise AI — And They All Start With Your Documents

XM Cyber mapped 8 attack vectors inside AWS Bedrock. Every one starts with the knowledge layer. Here's what enterprise security teams need to know.

6 min read• March 24, 2026View raw markdown
AI SecurityRAGRSAC 2026Enterprise AIVector DatabaseKnowledge Management

The number is 8 — and none of these start with the model

XM Cyber mapped 8 validated attack vectors inside AWS Bedrock, all reachable from a low-privilege entry point, all terminating inside critical enterprise systems. That's the finding RSAC 2026 attendees are walking away with this week.

The number that should bother you more is zero. Zero of these vectors start with a model vulnerability. Every single one starts with the knowledge layer — the documents, vector stores, prompt templates, and SaaS OAuth connectors that tell your AI what to know.

The audit: what XM Cyber actually found

Knowledge base — data source

The most direct path. An attacker with S3 or SharePoint access — granted via OAuth at integration time, rarely reviewed after — can pull raw knowledge content out of the system. The same OAuth token that lets Bedrock read your documents lets an attacker read them too. From there, the path to Active Directory lateral movement is well-established: the credential chain that enterprise integrations depend on becomes the attack chain.

Knowledge base — data store

Your vector database — Pinecone, Redis Enterprise Cloud, Aurora, Redshift, whatever you're running — holds indexed embeddings of enterprise knowledge. A single credential escalation to the vector store grants full admin access to that indexed content. Not just read access. Full admin. The entire semantic representation of your organization's documents, exposed from one misconfigured permission.

Managed prompt injection

Prompt templates in Bedrock can be shared across multiple agents and workflows. An attacker who gets write access to a prompt template doesn't need to touch any individual agent. Rewrite the template once, and malicious instructions propagate to every agent and workflow using it — in-flight, no redeployment required. The blast radius depends on how many things share that template.

Agent base prompt takeover

More targeted than the above. Get write access to a specific agent's base prompt and you can redirect its behavior entirely: exfiltrate data, create unauthorized database records, forward outputs to external endpoints. The agent keeps functioning normally for users. The compromise is invisible until someone checks the right log.

Guardrail degradation

This one is the quietest. Bedrock's guardrails — PII filters, prompt injection blockers, toxicity filters — can be deleted or silently degraded with a single permission escalation. No alarms, no visible change in behavior. The AI keeps working. The guardrails are gone. You won't know unless you audit the configuration directly.

Bedrock logging disabled

An attacker who gains the right permission can disable Bedrock's model invocation logging. The AI keeps operating. The forensic trail disappears. At that point, an adversary can work freely inside the AI stack with no record of what they accessed or did.

XM Cyber's summary: "Attackers target the permissions, configurations, and integrations surrounding the model — not the model itself. A single over-privileged identity is enough to redirect logs, hijack an agent, poison a prompt, or reach critical on-premises systems from a foothold inside Bedrock."

The pattern: why this keeps happening

Three systemic failures, all compounding.

AI knowledge connections were never treated as security perimeters. OAuth tokens and data source integrations get granted at setup and reviewed almost never. The person who connected SharePoint to Bedrock six months ago was making the AI work — they weren't thinking about security boundaries. That's the authentication gap we keep seeing: the problem isn't auth failing, it's that auth succeeds and then there's no control on what happens next.

Document governance got filed under content management. Who has write access to your vector store? Who can modify a prompt template? Those sound like content operations questions. They're security questions now. The industry has spent two years thinking about "what the AI says" as an output filtering problem, while "what the AI reads" went almost entirely ungoverned.

The scale has gotten hard to reason about. According to Grip Security research, the average enterprise runs 140 AI-enabled SaaS environments. In a 23,000-environment analysis, 100% of companies had embedded AI. SaaS attacks spiked 490% year-over-year, and 80% of documented incidents involved customer or PII data. The "Great SaaS Breach of 2025" — one SaaS compromise rippling through OAuth token chains to reach 700 customer Salesforce installations — is what this cascade breach pattern looks like when it hits production.

Microsoft moved formally on this. Their new ZT4AI framework adds 700 controls across 116 logical groups for AI systems, covering data classification, labeling, governance, loss prevention, network-level inspection for prompt injections, and agent identity governance. Microsoft's own language: "Agents that are overprivileged, manipulated, or misaligned can act like 'double agents,' working against the very outcomes they were built to support."

That's not a vendor pitch. That's the ZT4AI documentation.

The fix: what the solution architecture looks like

Start by treating the knowledge base as a security perimeter.

Controlled write paths mean no ad-hoc modifications to prompt templates or vector stores outside a change management process. Audit trails on every change to knowledge content — with source attribution on every retrieval — let you reconstruct what the AI was reading when something went wrong. Guardrails alone aren't enough once you know they can be silently deleted; you need to prove what your AI actually saw.

Permission scope at retrieval time, not just integration time. The OAuth token granted at setup needs to be scoped to what each agent is actually authorized to retrieve — and reviewed on a regular cycle, not left open indefinitely because nobody wants to break the integration.

Active governance closes the gap the guardrail attack exploits. Contradiction detection, change auditing, scheduled knowledge health checks: these aren't content quality tools, they're how you detect if something in the knowledge layer was tampered with. If your knowledge base can be written to without an audit trail, you can't distinguish legitimate updates from adversarial ones.

This is where Mojar AI fits into the architecture. Governed RAG knowledge management — controlled writes, full audit trails, contradiction detection, source attribution on every answer — is a security posture. The same capabilities that keep knowledge accurate also make tampering detectable.

The takeaway

RSAC 2026 will produce a lot of AI security frameworks, threat models, and vendor pitches. Most of it will focus on model hardening, output filtering, and agent sandboxing. That work matters.

But XM Cyber's research this week makes the starting point clear: if your documents, vector stores, and prompt templates are ungoverned, every downstream control is built on a compromised foundation. Fix the knowledge layer first. Everything else is downstream of that problem.

← Back to all posts