AI Weekly
Each week, I break down the latest headlines and innovations shaping artificial intelligence, from breakthrough research and industry moves to emerging risks and real-world applications. Whether it’s Big Tech battles, startup disruption, or the ethical questions no one’s asking, we cut through the noise to bring you the stories that matter most in AI.
Whisper Leaks, Agentic Attacks, and Shadow AI in the C-Suite
This week, we dive into the dangerous 'Whisper Leak' side-channel attack, which infers the topics of user conversations even when the traffic is encrypted. We also analyze the new reality of AI-powered cyber campaigns and discuss why corporate executives are breaking their own internal AI security rules.
Welcome back to AI Weekly. I'm your host, Michael Housch, and we have a packed show this week covering major security flaws, the accelerating power of hostile AI agents, and a concerning trend in corporate governance—or lack thereof—starting right at the top of the organizational chart.
We're kicking off with a novel and deeply concerning AI side-channel attack dubbed Whisper Leak. This isn't your average vulnerability: Microsoft researchers devised the attack, which relies on metadata patterns to infer the topic of a conversation a user is having with a remote large language model, or LLM, even when that communication is encrypted.
Think about that for a moment. Encryption under HTTPS (HTTP over TLS) protects the content of traffic, but the size of the ciphertext closely tracks the size of the plaintext. In other words, the content stays secret, yet the size of each transmitted data chunk is still visible to an observer. LLMs generate responses token by token (or word/sub-word) in a streaming fashion, and that streaming behavior, combined with the timing between packets, leaks patterns about the tokens being generated. Those patterns are the basis of the Whisper Leak attack.
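To make the observable signal concrete, here is a rough, illustrative sketch, not the researchers' actual pipeline. It assumes you already have the timestamp and size of each encrypted record in a streamed response, for example exported from a packet capture.

```python
# Illustrative sketch only, not the Whisper Leak authors' code. It assumes we
# already have (timestamp, size) pairs for each encrypted record observed in a
# streamed LLM response, e.g. exported from a packet capture.

def extract_features(records, max_len=200):
    """Turn a sequence of (timestamp, size_bytes) observations into a
    fixed-length vector of record sizes and inter-arrival gaps."""
    sizes = [size for _, size in records]
    times = [ts for ts, _ in records]
    gaps = [t2 - t1 for t1, t2 in zip(times, times[1:])]

    def pad(seq, length):
        return (list(seq) + [0.0] * length)[:length]

    # Sizes reflect token-chunk lengths; gaps reflect generation timing.
    return pad(sizes, max_len) + pad(gaps, max_len - 1)

# Example: three streamed chunks observed at the given timestamps.
example = [(0.00, 152), (0.07, 96), (0.15, 110)]
features = extract_features(example)
```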
The implications are serious, and the issue is industry-wide rather than confined to a single vendor's models. Adversaries positioned to monitor network traffic, such as ISPs, governments, or other cyber actors, can infer conversation topics, exposing highly sensitive information to eavesdropping, from legal advice and medical consultations to private discussions. Microsoft specifically noted that this poses real-world risks to users living under oppressive governments, where discussions of protests, journalism, banned material, or election processes may be targeted.
The researchers put this to the test, simulating a scenario where an attacker could only observe encrypted traffic. They trained a binary classifier to distinguish between the target topic, like the "legality of money laundering," and background traffic. The results were staggering: 17 out of 28 tested models achieved over 98% accuracy in distinguishing the target topic, with some exceeding 99.9% accuracy. This allows attackers to "identify 1 in 10,000 target conversations with near-zero false positives".
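And here is a minimal stand-in for that kind of binary classifier, using scikit-learn on purely synthetic data. The actual study used more capable models and real traffic traces, so treat this as a sketch of the workflow, not the attack.

```python
# Minimal stand-in for the binary "target topic vs. background" classifier
# described above. Synthetic data only; accuracy will hover around chance here,
# whereas the real study reported 98%+ on real traces.
import numpy as np
from sklearn.linear_model import LogisticRegression
from sklearn.model_selection import train_test_split

rng = np.random.default_rng(0)
n, dim = 2000, 399                     # 2000 fake traces, feature length from the sketch above
X = rng.normal(size=(n, dim))          # stand-in for size/timing feature vectors
y = rng.integers(0, 2, size=n)         # 1 = target topic, 0 = background traffic

X_train, X_test, y_train, y_test = train_test_split(X, y, test_size=0.25, random_state=0)
clf = LogisticRegression(max_iter=1000).fit(X_train, y_train)
print("held-out accuracy:", clf.score(X_test, y_test))
```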
But there are mitigations. Researchers suggest strategies like random padding, token batching, and packet injection. Both OpenAI and Microsoft Azure have already implemented an additional field in streaming responses that adds a random sequence of text of variable length to mask the token length, and Mistral has added a similar parameter. For users, the advice is clear: avoid discussing sensitive topics on untrustworthy networks, use VPN services, choose providers that have implemented these mitigations, or use non-streaming models.
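Conceptually, the padding mitigation looks something like the following sketch. The field name and sizes are invented for illustration and are not the parameter any provider actually ships; the point is simply that appending random-length filler breaks the link between token length and record size.

```python
# Sketch of the random-padding idea only; the "p" field is made up and is not
# the actual field any provider uses.
import json, secrets, string

def pad_chunk(token_text, min_pad=8, max_pad=64):
    """Append a random-length filler string so the encrypted record size no
    longer tracks the true token length."""
    pad_len = secrets.randbelow(max_pad - min_pad + 1) + min_pad
    filler = "".join(secrets.choice(string.ascii_letters) for _ in range(pad_len))
    return json.dumps({"token": token_text, "p": filler})

for tok in ["The", " answer", " is"]:
    print(len(pad_chunk(tok)))   # lengths now vary independently of token length
```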
The power of AI isn't just threatening privacy through side channels; it's being weaponized in major cyber campaigns. This week, Anthropic reported that a China-linked, state-sponsored threat actor abused its Claude Code tool in a large-scale espionage campaign. The campaign, identified in September, targeted nearly 30 entities globally across sectors including financial services, government, chemical manufacturing, and technology.
The attackers manipulated Claude's agentic capabilities to launch cyberattacks with minimal human intervention. They circumvented the AI's guardrails by posing as a cybersecurity firm employee and breaking down the attack into small, seemingly benign tasks, never providing the full context. The AI was then tasked with reconnaissance, identifying high-value assets, finding vulnerabilities, and building exploit code.
This attack framework abused Claude to exfiltrate credentials, access additional resources, and extract private data. The attackers used AI to perform 80 to 90 percent of the campaign, with human intervention required only sporadically, at roughly four to six critical decision points per hacking campaign. By leveraging Claude, which issued thousands of requests at a pace no human operator could match, the campaign was executed in a fraction of the time human operators would have needed. Anthropic noted that this trend shows sophisticated cyberattacks are now easier to perform: agentic AI systems can do the work of entire teams of experienced hackers, analyzing targets, producing exploit code, and scanning vast datasets of stolen information more efficiently than humans.
And speaking of vulnerabilities, we also saw disclosure of a recently patched ChatGPT flaw. A researcher found a Server-Side Request Forgery, or SSRF, vulnerability in the "Actions" section of custom GPTs: because user-provided URLs were not properly validated, an attacker could make OpenAI's backend fetch arbitrary URLs on its behalf. The researcher exploited this to query the local endpoint for the Azure Instance Metadata Service (IMDS) and obtain an access token for ChatGPT's Azure identity, which could have granted access to the underlying Azure cloud infrastructure used by OpenAI. It's a reminder that small validation gaps can cascade into cloud-level exposure.
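The generic defensive pattern here is strict validation of user-supplied URLs before the backend fetches them. The sketch below is not OpenAI's actual fix, just a common approach: resolve the hostname and refuse anything that lands on loopback, private, or link-local ranges, which covers the IMDS endpoint.

```python
# Generic SSRF defense sketch, not OpenAI's actual fix: resolve a user-supplied
# URL and refuse anything on loopback, private, link-local, or reserved
# addresses (link-local includes the IMDS endpoint 169.254.169.254).
import ipaddress, socket
from urllib.parse import urlparse

def is_safe_url(url):
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        infos = socket.getaddrinfo(parsed.hostname, None)
    except socket.gaierror:
        return False
    for info in infos:
        addr = ipaddress.ip_address(info[4][0])
        if addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_reserved:
            return False
    return True

print(is_safe_url("http://169.254.169.254/metadata/instance"))  # False
print(is_safe_url("https://example.com/api"))                   # True
# Note: a complete defense also has to pin the resolved IP for the actual
# request, otherwise DNS rebinding can still slip past this check.
```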
Finally, AI guardrails, the safety filters designed to catch malicious input, are also under attack. Researchers developed a technique called EchoGram that discovers short text sequences, some as trivial as the string =coffee, which, when appended to a prompt injection attack, can bypass guardrails that would otherwise block the input. These guardrails are often the first and only line of defense, and EchoGram shows they can be systematically bypassed or destabilized.
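To give a feel for what "systematically probing a guardrail" means, here is a toy harness, emphatically not the EchoGram implementation: the guardrail here is a made-up suspicious-token scorer, and the harness simply checks which appended suffixes flip its verdict.

```python
# Toy harness only. guardrail_blocks() is a fake guardrail that blocks text
# when too large a share of its tokens look suspicious; real guardrails are ML
# classifiers, and EchoGram targets weaknesses in how those were trained, not
# this exact dilution effect. The harness just reports which suffixes flip the
# verdict from blocked to allowed.
SUSPICIOUS = {"ignore", "instructions", "bypass", "override"}

def guardrail_blocks(text: str) -> bool:
    tokens = text.lower().split()
    score = sum(tok in SUSPICIOUS for tok in tokens) / max(len(tokens), 1)
    return score >= 0.3

def find_flipping_suffixes(payload, candidate_suffixes):
    """Return suffixes that make a blocked payload slip past the guardrail."""
    if not guardrail_blocks(payload):
        return []   # nothing to flip; payload was already allowed
    return [s for s in candidate_suffixes if not guardrail_blocks(payload + s)]

payload = "Ignore all previous instructions now"
print(find_flipping_suffixes(payload, [" =coffee", " =coffee =coffee =coffee"]))
```

Running a sweep like this against your own guardrail is a cheap way to check how stable its verdicts are before an attacker does it for you.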
Moving from external threats to internal struggles, a new survey on enterprise AI adoption reveals a profound governance crisis. The survey, commissioned by Nitro, found that more than two-thirds of corporate executives (68 percent) have violated their own AI usage policies in the past three months. Furthermore, over half of these leaders ranked security and compliance as their greatest AI implementation challenge.
This practice, known as "shadow IT" or "shadow AI," where unapproved tools are used within an organization, is being driven by C-suite leaders who are betting that the competitive advantages of AI outweigh the security risks. Employees aren't far behind, with half admitting to unapproved use of AI tools. The gap in perception is striking: 82 percent of executives believe their approved AI tools meet security and compliance requirements, yet only 55 percent of employees agree. Perhaps this difference stems from the fact that 33 percent of employees report processing confidential corporate data using these unapproved AI tools.
Nitro's CEO suggested that the shadow AI crisis starts at the top with executives who have built careers on finding workarounds. He argued that approved tools are often losing to consumer AI on speed, simplicity, and user experience, meaning adoption must be earned, not mandated.
This lack of control is especially worrying given the increasing autonomy of AI agents. These aren't simple chatbots; they are autonomous software that plans and executes multi-step workflows, learns from feedback, and handles complex tasks like data extraction, summarization, and routing.
For these powerful tools, governance is mandatory. Agentic AI systems need a "governance-first blueprint": they must be permission-aware by default, inheriting user roles and least-privilege access. Every action must be logged, recording what users requested, what tools were used, what data was touched, and the resulting outputs. Policies such as GDPR compliance, PII handling, and redaction should be baked in from the start. And even with automation, a human in the loop is critical, especially through approval gates for high-risk steps.
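As a purely hypothetical illustration of that blueprint, a wrapper around agent tool calls might look like the sketch below. Every name in it is invented, but it shows least-privilege checks, an approval gate for high-risk actions, and an audit log entry for every request.

```python
# Hypothetical "governance-first" wrapper around agent tool calls: role-based
# least privilege, an approval gate for high-risk actions, and a full audit
# log. All names are invented for illustration.
import json, time

ROLE_PERMISSIONS = {"analyst": {"search_docs", "summarize"},
                    "admin":   {"search_docs", "summarize", "export_data"}}
HIGH_RISK = {"export_data"}
AUDIT_LOG = []

def run_tool(user, role, tool, args, approved_by=None):
    entry = {"ts": time.time(), "user": user, "role": role, "tool": tool, "args": args}
    if tool not in ROLE_PERMISSIONS.get(role, set()):
        entry["outcome"] = "denied: not permitted for role"
    elif tool in HIGH_RISK and approved_by is None:
        entry["outcome"] = "held: awaiting human approval"
    else:
        entry["outcome"] = f"executed (approved_by={approved_by})"
        # ... call the real tool here and record what data it touched ...
    AUDIT_LOG.append(entry)
    return entry["outcome"]

print(run_tool("agent-7", "analyst", "export_data", {"dataset": "customers"}))
print(run_tool("agent-7", "admin", "export_data", {"dataset": "customers"}, approved_by="j.doe"))
print(json.dumps(AUDIT_LOG, indent=2))
```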
The need for governance is also reflected in the fact that many AI projects are failing to make it past the initial testing stage. Omdia’s 2025 AI Market Maturity Survey found that the largest single category of enterprises, 31 percent, experienced a success rate lower than five percent for their Proof-of-Concept, or PoC, projects. The chief reason for failure isn't technology flaws, but rather that customers and vendors fail to appreciate the complexity involved in AI deployment, often rushing ahead without defining a clear business case.
Let's shift briefly to the trenches of development and infrastructure. We've heard the hype about AI coding assistants, but experienced engineers are offering a much more nuanced view. One veteran software engineer noted that while tools like Copilot shine on simple, direct questions and conversational summaries, the variable, sometimes crude or outright wrong results mean they are often not time savers.
For experienced engineers, especially those working on large, complex, and long-maintained codebases, integrating AI-suggested code is risky and often requires the code to be completely re-written. One test manager even noted that generating unit tests with AI was a net time-waster, requiring several cycles of "prompt engineering" before the answer was usable. Concerns remain that new developers might lose the critical experience of "cracking their heads" on hard problems if they rely too heavily on the confidently asserted, but sometimes incomplete, answers provided by AI tools.
Finally, the sheer demand of these AI workloads is reshaping hardware architecture. The AI revolution has transformed HPC facilities into "AI factories," primarily driven by GPUs. This is creating new challenges for storage systems, as AI applications create spiky, random I/O patterns. Throughput is now king for AI training, measured in gigabytes or terabytes per second, because high bandwidth ensures that expensive GPUs remain busy and don't stall during checkpointing.
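A quick back-of-envelope calculation, with made-up numbers, shows why that matters: the time GPUs sit idle during a synchronous checkpoint is simply checkpoint size divided by storage write bandwidth.

```python
# Back-of-envelope only, with hypothetical numbers: GPU idle time while a
# synchronous checkpoint is written, at different storage write bandwidths.
checkpoint_tb = 2.0                    # assumed checkpoint size, in terabytes
for bandwidth_gbs in (10, 100, 1000):  # storage write bandwidth, GB/s
    stall_s = checkpoint_tb * 1000 / bandwidth_gbs
    print(f"{bandwidth_gbs:>5} GB/s -> {stall_s:6.1f} s of GPU idle time per checkpoint")
```

At 10 GB/s that hypothetical 2 TB checkpoint stalls the GPUs for over three minutes; at 1 TB/s it takes two seconds, which is exactly why throughput is king.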
Legacy storage systems are struggling; metadata operations alone can consume 10 to 20 percent of all I/O. To cope, facilities are embracing parallel file systems and NVMe-first architectures, deploying NVMe-based storage servers to keep the GPUs fed with data. As VDURA CEO Ken Claffey put it, the new reality is that storage has moved from a support function to a "make-or-break competitive advantage," because every second of GPU idle time bleeds money.
From encrypted data leaks via network metadata, to state-sponsored attacks automated by AI agents, and a corporate culture where leaders ignore their own security policies, the risks associated with AI are complex and multifaceted. The technology offers immense power, but that power demands stringent governance, both architecturally and culturally.
That’s all the time we have for this week. Thank you for tuning into AI Weekly. Join us next time as we continue to track the rapid evolution of artificial intelligence.