We keep trying to secure AI the same way we secure software, and that assumption is already costing us.

Modern AI systems don't behave like traditional applications. They write code, call tools, chain decisions, and interact with the world with increasing autonomy -- and most organizations are still spending their time trying to control what the model says. That's not where the bodies are buried.

I've spent three years red teaming AI systems across enterprise and government environments, and the same pattern shows up every time. The interesting failures aren't in the model. They emerge in everything built around it.
These systems expose a different kind of attack surface: agents with delegated authority, tool sprawl across environments, workflows that drift from read to action, memory and context that outlast any single session. This talk walks through how those surfaces get exploited.

We'll look at real adversarial scenarios -- a benign prompt that becomes an action chain, a low-privilege interaction that escalates through tool access, an agent that routes around intended controls without touching a traditional vulnerability, "allowed behavior" that becomes the attack path.

To make sense of why this keeps happening, I use a simple frame: behavior, authority, and control. The industry is obsessed with behavior. Attackers aren't. They're going after authority and the absence of meaningful control around it.

What that produces is a class of systems that don't need to be broken in order to be exploited. They only need to be used as designed.

'Ignore previous instructions: Embracing AI Red Teaming' was so three years ago, this is a talk about how AI systems actually get hacked.