Why Testing AI Like Software Fails and What to Do Instead

Why Testing AI Like Software Fails and What to Do Instead

IMG_1454

By Rinki Sethi

May 12, 2026

Key Takeaways

  • AI validation is the discipline of proving which AI risks in your environment are actually reachable and exploitable before an attacker gets there first. This is not traditional application security testing applied to AI systems. The underlying assumptions are completely different.
  • SAST and DAST were built for deterministic systems and predictable code paths. AI attacks move through reasoning paths, runtime context, agent behavior, identity permissions, and dynamic interactions between models and cloud infrastructure.
  • A credible AI validation program has three pillars: Offensive Testing, Robustness, and Vulnerability Validation. Each answers a different operational question, and all three need to run continuously against live systems.
  • The attack chains that matter in 2026 are multi-stage and multi-cloud. A manipulated prompt becomes workload compromise, which becomes privilege abuse, which becomes lateral movement through agents and MCP infrastructure, which becomes data exposure.
  • Periodic penetration testing alone is no longer enough. AI systems evolve too quickly. Validation has to become continuous, runtime-aware, and grounded in production reality.

Allow me to let you in on a methodology secret

Most security teams I talk to now have budget allocated for AI security testing in 2026.

Most are spending it the same way they spent security budgets before AI existed:

  • static scanners
  • dynamic scanners
  • quarterly penetration tests
  • red-team exercises that end with a PDF nobody reads six weeks later

I’ve done the same thing myself more than once. It’s the path of least resistance because it feels familiar and gives leadership something concrete to point to when the board asks what’s being done about AI risk.

The problem is the methodology underneath those tools was built for deterministic systems.

AI systems are not deterministic.

SAST and DAST were designed to test code paths. They analyze source code or compiled applications looking for known vulnerability conditions:

  • SQL injection
  • authentication bypass
  • cross-site scripting
  • memory corruption
  • privilege escalation

Those attacks work because the system behaves predictably. The same input produces the same output.

AI systems do not behave that way.

The same prompt can produce different responses depending on:

  • context
  • system prompts
  • memory state
  • connected tools
  • model behavior
  • downstream integrations

The same agent with the same permissions can make completely different decisions depending on the conversation happening in that moment.

That changes the security model entirely.

There is no static signature for a prompt-driven attack chain because the attack is not sitting inside the code itself. The attack exists in the reasoning path the system makes possible at runtime.

That distinction matters more than most organizations realize.

I covered the broader strategic side of this shift in The 5 Hidden Challenges of Securing Enterprise AI in 2026. This post focuses on the operational side: why traditional testing methodologies break down once AI systems enter production.

What AI validation actually means

AI validation is the discipline of proving which AI risks in your environment are actually exploitable on a live system before an attacker gets there first.

It sits alongside detection, but it is not the same thing.

Detection asks:

Would we see the attack if it happened?

Validation asks:

Is the attack path actually reachable in the first place?

That distinction matters because enterprise security teams are drowning in theoretical AI risk right now.

Every framework CVE.
Every model vulnerability.
Every over-permissioned non-human identity.
Every unsanctioned model endpoint.
Every exposed inference service.
Every agent with excessive permissions.

If everything is critical, nothing is.

And if you chase theoretical risks without understanding exploitability, security teams spend quarters burning cycles on issues no attacker can realistically reach while missing the one attack chain that actually matters.

Validation is what makes prioritization credible.

You simulate the attack against the real environment and rank risk based on what is actually reachable rather than what simply looks dangerous on paper.

That’s where runtime context changes everything.

The cheaper time to discover a reachable attack path is on your schedule, not during an incident response bridge.

The three pillars of AI validation

Three categories make up the core of AI validation, and mature programs run all three continuously.

Each answers a different operational question.

Offensive Testing

Automated, continuous prompt injection and jailbreak testing against live AI systems.

The question this answers is straightforward:

Can the model, with its current prompts, guardrails, permissions, and tool access, be manipulated into doing something it should not do?

This is the AI-native equivalent of penetration testing, but it has to operate continuously because the attack surface changes constantly:

  • models change
  • prompts change
  • tools change
  • permissions change
  • integrations change

Quarterly testing is not enough for systems evolving weekly.

Robustness

Stress-testing workflows and integration boundaries between models, agents, APIs, and downstream systems.

This is what catches the failures that are not necessarily malicious initially but become exploitable once an attacker finds them.

For example:

  • unexpected API responses
  • malformed outputs
  • broken reasoning chains
  • unsafe fallback behavior
  • integration edge cases

Robustness testing is where many “safe” systems quietly fail under pressure.

Vulnerability Validation

Proving which model and infrastructure weaknesses are actually reachable from a real-world entry point.

This is where the noise starts disappearing.

A large percentage of theoretical AI risks in most enterprise environments are not realistically exploitable. Others absolutely are.

Validation separates the two.

This is where organizations finally stop arguing about vulnerability counts and start focusing on reachable attack paths.

The important thing about all three pillars is that they must run continuously against live systems with runtime context intact.

Periodic testing against staging environments with frozen prompts and static configurations will pass while production quietly drifts into exposure.

Why penetration testing alone falls short

Traditional penetration testing assumes relative system stability between engagements.

AI systems are anything but stable.

Models change.
Prompts evolve.
Agents gain new capabilities.
Tools are added.
Permissions shift.
Workflows expand.

Every one of those changes can create a new attack path that did not exist during the last engagement.

And most organizations are still testing on six-month cycles.

The other issue is that traditional penetration testing rarely captures full multi-stage AI attack chains across identities, cloud environments, and runtime systems.

A tester might find:

  • prompt injection
  • excessive permissions
  • an exposed workload
  • a vulnerable MCP integration

But most engagements do not fully chain those conditions together across environments because doing so requires deeper runtime visibility and more continuous telemetry than traditional testing models were built around.

Continuous validation changes that.

The same attack chain gets tested repeatedly as the environment evolves.

The moment the path becomes reachable, security teams know.

Not six months later.

Multi-stage agentic AI attack emulation

The name sounds complicated. The concept is actually straightforward.

You simulate the behavior of a real attacker continuously against the live environment.

The attack chains that matter in 2026 are multi-stage and multi-cloud.

Picture something like this:

  • A manipulated prompt reaches a customer-facing AI endpoint.
  • The model triggers unintended code execution through connected tooling.
  • The workload’s non-human identity has broader permissions than intended.
  • Excessive permissions enable lateral movement through an MCP server.
  • The chain reaches sensitive cloud storage containing PCI, PHI, or proprietary data.
  • External AI services are used either for exfiltration or obfuscation along the way.

Every step individually may appear acceptable.

Every individual control might pass a static scan.

The risk only materializes once:

  • the system is running
  • the agent is reasoning
  • the identities are active
  • the attacker provides the right input sequence

That is why runtime-grounded validation matters so much.

Validation catches the chain before an attacker assembles it in production.

What a 2026 AI red-team program actually looks like

Three things separate a modern AI red-team program from a traditional one.

Continuous coverage

Testing runs continuously against live systems whenever meaningful changes occur:

  • model swaps
  • prompt revisions
  • tool additions
  • identity changes
  • workflow modifications

The shift is from periodic engagement to standing operational capability.

Automated execution

Manual red-teaming still matters, especially for creative attack chaining and novel exploitation paths.

But the validation surface is now too large and changes too quickly for manual execution alone to scale.

Automation is what makes continuous coverage realistic.

Runtime-grounded results

Validation has to run against production environments using:

  • production identities
  • production telemetry
  • production integrations
  • production data context

Not approximations.

This is where Vulnerability Validation becomes operationally valuable. The same runtime telemetry powering detection also powers validation, which means reachable attack paths surface with real context attached.

That is what makes the result trustworthy when teams need to make decisions quickly.

Where to start

If you want to move your AI validation program in the right direction, start here.

1. Identify which validation pillar your program is missing

Walk through Offensive Testing, Robustness, and Vulnerability Validation honestly.

The pillar nobody owns is usually the one creating the biggest blind spot.

2. Establish a baseline of reachable risk

Run a Vulnerability Validation pass against your current AI environment and separate:

  • theoretical risk
  • reachable risk

Most teams discover the risks they prioritized highest were not actually exploitable while reachable attack paths were buried underneath noise.

3. Move one pillar from periodic to continuous

For most organizations this starts with Offensive Testing because AI applications are changing faster than testing programs are adapting.

Continuous coverage on one pillar is more valuable than shallow coverage across all three.

4. Tie validation and detection together on the same telemetry plane

Separate pipelines create:

  • separate queues
  • separate workflows
  • separate context
  • separate blind spots

Unified runtime telemetry changes triage dramatically because teams can see both:

  • reachable attack paths
  • active attack behavior

inside the same operational context.

5. Make AI validation visible to the board

Boards are going to ask about AI validation directly over the next 12–24 months.

“Doing AI red-teaming” is not going to be a sufficient answer.

Organizations need to articulate:

  • validation coverage
  • testing cadence
  • reachable risk counts
  • runtime validation posture
  • operational maturity

Those become the metrics that matter alongside traditional detection metrics like MTTD and MTTR.

Run those five steps and you move from reactive AI security toward proactive validation grounded in runtime reality.

You won’t eliminate every risk immediately.

But you will stop treating theoretical exposure and reachable attack paths like they deserve equal attention.

And that changes how modern security organizations operate.

The complete framework

The complete framework is in AI Security in 2026: A Field Guide to View, Protect, Validate, dropping this summer.

Get the Field Guide →

Read more from the launch series

Why Testing AI Like Software Fails and What to Do Instead

Further Reading

AI Threat Landscape
Thought Leadership

The AI Threat Landscape Demands a New Cloud Security Model

Moshe Hassan Upwind

By Moshe Hassan

May 13, 2026

This week, the Shai-Hulud npm campaign showed how quickly a compromised package can move through the software supply chain, jumping across trusted dependencies and reaching build pipelines before many teams even knew what they were looking at. But this is not just an npm story, and it is not just a story about one campaign. […]

Agentic Pack
Thought Leadership

The next wave of AI is here. Upwind becomes Agentic.

A smiling man wearing glasses and a pink t-shirt, sitting in a lounge in front of exposed brick.

By Amiram Shachar

May 13, 2026

One of the most fascinating technologies I’ve encountered in my personal life over the past few years is autonomous driving. It started as a curiosity, “can my car really drive itself?” Can it actually make decisions with enough necessary context, and not rely solely on static things it sees like trees and roads? Can it […]

The exploit window didn't shrink. It flipped.
Thought Leadership

The exploit window didn’t shrink. It flipped.

Smiling person with short dark hair and a beard, wearing a black shirt with a logo that includes the letter U. The background is a plain light grey.

By Tomer Hadassi

Apr 29, 2026

TL;DR: Time-to-Exploit (TTE), the gap between vulnerability disclosure and first observed exploitation, has gone negative. Mandiant’s M-Trends 2026 report shows attackers now exploit vulnerabilities, on average, before a patch is publicly available and we see the same in running environments. That breaks the foundational assumption every legacy CNAPP architecture was built on — that defenders […]