Risky Business: Soap Box – Red Teaming AI Systems with SpecterOps

Episode Date: March 27, 2026
Guests: Patrick Gray (Host), Russell Van Tiele (VP Services, SpecterOps), James Wilson (Risky Business Media)
Main Theme: Exploring the realities of red teaming modern AI systems, the evolving enterprise risk landscape, and the challenges/opportunities AI brings to attack path management.

Episode Overview

This sponsored “Soap Box” edition delves into how SpecterOps approaches red teaming AI-powered environments. The group discusses the difference between traditional and AI red teaming, the explosion of machine identities, and how rapid adoption of AI in enterprises is reshaping security challenges. Through practical anecdotes and a healthy skepticism of hype, the conversation covers real-world breaches, changing attacker tactics, and high-level strategic advice for organizations in 2026.

Key Discussion Points & Insights

1. Defining "AI Red Teaming" ([01:45]–[03:29])

• AI red teaming encompasses both model-centric testing (e.g., safety, alignment, adversarial ML) and whole-system engagement.
• Most organizations aren’t building their own foundational models, but rather integrating third-party offerings (like OpenAI, Anthropic) into wider systems—chatbots, RAG databases, internal tools.
• Russell (03:13):

  “For me I like to focus on actually testing like the system of systems that have a piece of AI in it at some point… testing the, the system as a whole.”

2. AI in the Enterprise: The Chatbot Reality ([03:29]–[04:17])

• Despite the AI hype, the dominant enterprise use case is still “just chatbots.”
  Patrick (04:17):

  “I gotta be really honest that I'm somewhat disappointed that it's a chatbot… I’m expecting it to be really cool and it’s not, it’s chatbots.”

3. Organizational Accountability & "AI Red Teams" ([04:33]–[05:41])

• Enterprises are experimenting with dedicated AI red teams, trying to centralize responsibility as governance struggles to keep up with rapid adoption.
• Russell (04:57):

  "...Everyone's still trying to figure it out. The AI system is moving so fast... this new AI red team is trying to get connected over to the people that are using it, if they could figure out who's using it..."

4. Is AI Pentesting Really New? ([05:41]–[07:39])

• It’s both new and not new: The basic pattern of offensive testing remains; the tech stack changes.
• Unique to AI pentests: prompt injection, probabilistic/non-deterministic behavior, and the need for new upskilling in teams.
• Russell (06:16):

  "A lot of the attack paths… just compromise identities or use other things that are not AI system for it. But… prompt injection is probably the biggest unique thing to understand."

5. Novel Risks vs. Repeating Old Mistakes ([07:39]–[09:33])

• Many vulnerabilities from AI integrations are classic “forward-slapping” (undoing years of progress by slapping in a new component that bypasses controls).
• Prompt injection is new, but akin to social engineering a human—tricking models into unintended actions.
• Russell (08:23):

  "You undo all these security principles that we spent years learning and it's like no one cares about them anymore... The only thing I would argue is new is prompt engineering."

6. Prompt Injection & Non-Determinism ([09:33]–[10:41])

• Non-deterministic models mean you can’t always reproduce a vulnerability exactly—testing must log all inputs/outputs and try attacks multiple times.
• Russell (09:58):

  "...when it comes to prompt injection, you can't just like this is the prompt I send it. You'll also get the same response because you won't."

7. Machine Identities & Attack Path Explosion ([10:41]–[13:35])

• AI agents introduce a proliferation of machine-to-machine accounts—especially service identities.
• Attackers can leverage massive new webs of non-human identities to move laterally and escalate access.
• Russell (11:43):

  "I think some of the public reports report anywhere from 82 to 96 non human identities, two human identities in an org. I think AI is definitely exacerbating that."

8. The OpenClaw and Credential Drama ([12:19]–[13:35])

• Many “security measures” are surface-level (e.g., putting OpenClaw in a VM but giving it broad credentials); the real issue is over-permissive integration.
• Patrick (12:19):

  "Some of the open claw security advice… is so funny… they give it its credit card, the credit card number and like all of the cookies..."

9. Attack Path Management, Lateral Movement, and Tool Evolution ([14:40]–[15:44])

• Classic “credential shuffle” attack paths are more critical now; technology stacks are increasingly complex (GitHub → AWS → Salesforce, etc.).
• Tools like Bloodhound (and now Open Graph extension) are mapping these multi-stack paths.
• Russell (14:40):

  "...you compromise an identity, you see what access it has and you keep doing that credential shuffle over and over again until you get the access that you're trying to go to."

10. AI Makes Old Controls (and Fundamentals) More Important ([15:44]–[18:14])

• AI's dual impact: increases internal risk (new attack surfaces) and empowers adversaries to automate/speed up attacks.
• Result: Organizations must tighten controls, embrace default-deny, and improve monitoring.
• Russell (17:19):

  "The deny by default kind of policy… everything moves so fast, and unless you can keep up with that... you're safer by, you know, secure by default mindset instead of permissive by default mindset."

11. AI-Adjacent Breach Case Studies ([18:58]–[23:10])

a. Salesloft Drift Breach ([18:58]–[20:26])

• Typical attack chain: GitHub → AWS → OAuth tokens → Data exfil.
• Key point: All classic tradecraft, just new services.
• Russell (19:39):

  "…most of the attack path was… tried and true tactics… It didn’t actually start with an AI system… someone compromising GitHub and adding a user account…"

b. Kleint (Client) Injection Attack ([21:13]–[22:50])

• Attack started with a prompt injection via GitHub issue, affecting workers that read issue titles.
• Attackers pushed malicious code (installed OpenClaw), theorized as a way to easily regain C2.
• James (22:22):

  "It's almost like... step one, build an exploit, step two, question mark, step three, profit. It's like they just skipped straight to what are we going to do with this? I don't know. Should we just dump openclaw in there?"

12. AI in the Browser: A Nightmare for Security ([23:10]–[25:14])

• Browsers already hold goldmines of credentials; adding AI and non-determinism makes them even riskier.
• AI offers new ways for attackers to accomplish tasks via natural language.
• Russell (24:07):

  "Browsers are already a gold mine to begin with... All the identities, all, everything past MFA is in there for you to just grab, scoop up and use..."

13. Strategic Advice for CISOs in the AI Era ([25:24]–[28:57])

• Identity attack path management remains most important: map, monitor, and guard credential flows, especially non-human/service accounts.
• Principle of least privilege more vital than ever; avoid giving AI components unnecessary power (e.g., arbitrary code execution, wide credential access).
• Tools that enumerate and monitor attack paths—including across hybrid and cloud environments—are now indispensable.
• Russell (28:57):

  "...understand the identities and what they have access to, which... I know is not like super high tech or anything. And that's a lot to ask... A lot of the principles, again, are still the same. You know, the principle least privilege..."

14. Final Thoughts: What’s New, What’s Not ([29:25]–end)

• Fundamental problems persist: Identity, privilege, attack paths—same problems, just more of them, and faster.
• Favorite AI incident: Chinese intelligence official using ChatGPT to summarize classified reports—an example of user-driven risk that tech can’t fully fix.
• Patrick (29:25):

  "Really what's not changing, you know, it's all the same stuff but more and faster."

Notable Quotes & Moments

• On prompt injection vs. social engineering:
  Russell (08:23):

  "...it's just like social engineering a human... The attacks are just like, how can I get this model to do what I want that it wasn't really planning on doing?"

• On the scale of the challenge:
  Patrick (18:25):

  "We thought we were dealing with a fire hose before, and now it's just, you know, wow."

• On organizational response:
  Russell (04:57):

  "...still seeing it’s developing a lot in organizations right now."

• On tools keeping up:
  Russell (14:40):

  "...open graph extension... allows you to map an identity across any technology stack... positioned well to handle that as is."

Timestamps for Important Segments

• [01:45]–[03:29] – Defining AI red teaming at SpecterOps
• [03:49]–[04:17] – What enterprise AI systems actually look like
• [05:41]–[07:39] – Is AI red teaming actually a new discipline?
• [09:33]–[10:41] – Prompt injection and reproducibility challenges
• [10:41]–[13:35] – The machine identity explosion
• [18:58]–[23:10] – Breach case studies: Salesloft Drift and Kleint
• [23:10]–[25:14] – The security perils of AI browsers
• [25:24]–[28:57] – CISO advice: focusing on identity and attack paths
• [29:25]–end – Final wrap-up and biggest takeaways

Takeaways for Security Pros

• AI doesn’t make fundamentals obsolete; it makes them indispensable.
  Identity management, least privilege, and attack path enumeration are more critical than ever.
• Most AI risks are new wrappers on old problems.
  Integration errors, over-permissive identities, and lateral movement remain core issues—just at greater scale/speed.
• Prompt injection is the signature “novel” AI problem, but closely parallels classic social engineering—know how to test for it, and don’t rely on reproducibility.
• Treat every new machine identity or AI integration as a potential attack vector.
  Map connections, monitor privileges, and minimize exposure—especially for “service accounts.”
• Beware security theater—real protection is in holistic, not piecemeal, controls.
  VMs won’t save you if you hand over too many credentials.
• Keep upskilling:
  Offensive security teams must constantly learn and adapt—AI won’t wait for your static policies.

Closing Note

The episode underscores that the AI era doesn’t bring a revolution in attacker tactics—it massively expands the scale and speed at which classic mistakes become dangerous. Enterprises and security teams need to double down on foundational hygiene, adapt tools like Bloodhound for hybrid identity mapping, and be wary of AI hype driving insecure integration.

Final quote (Patrick, 29:25):

"...it's all the same stuff but more and faster."