AI penetration testing must evaluate whether adversaries can alter system behavior to violate business objectives through AI-specific attack surfaces like prompt injection and data poisoning, not just traditional infrastructure compromise.
This paper redefines penetration testing for AI systems beyond traditional infrastructure attacks. Instead of just finding exploitable weaknesses in code or configs, it focuses on how adversaries can manipulate AI behavior through prompts, training data, sensor inputs, or tool misuse to violate operational goals—without breaking the underlying system.