BSides Munich 2025

AI applications surface new, visible risks—but underneath lie amplified traditional ones. The massive data aggregation, probabilistic outputs, and decision‑making power of AI systems make them inherently more critical. To defend these systems, we must extend our security programs and rediscover the strength of foundational security principles. In this talk, we will examine new threats to AI applications, distinguish them from familiar "old" threats, and explore both through a practical threat model of a real‑world AI deployment.

We are using the iceberg metaphor to visualize the relationship between old and new risks. This image operates on multiple levels. Above the surface you see prompt injection, hallucinations… but beneath the waves lie familiar threats and traditional risks—amplified data exposure, access control failures, insecure components. The thesis is simple: new AI risks are real—but don’t throw out your classic AppSec toolkit.

In another interpretation, the image also illustrates how AI applications often function: only a thin layer—usually the API interface—is exposed. Beneath the surface, however, lies a vast repository of data and capabilities (agents) that pose the real danger if compromised. It’s also crucial to consider how AI is integrated into the business case, as that integration directly influences the system’s criticality.

In the example of a real‑world AI application—a RAG‑based scenario—we’ll explore how to conduct risk assessment and threat modeling for AI systems, and examine the role of traditional security measures. We show how classic defenses remain vital for protecting AI applications as we walk through a hands‑on threat‑modeling case. We cover the threat‑modeling process, highlight the new dimensions introduced by AI (including how to seamlessly incorporate EU AI Act requirements), and demonstrate how to include AI‑specific risks into your existing threat‑modeling workflows.