AI-APP: Securing the New Attack Surface of AI Applications
AI-APP: Securing the New Attack Surface of AI Applications is a Cloud Security Alliance Agentic AI Summit session by Snegha Ramnarayanan of Wiz. The talk introduces AI Application Protection Platform as Wiz's category for securing AI applications across code, cloud, identity, data, models, agents, tools, and runtime behavior. Its useful premise is that AI application risk is not located in one layer. It appears when layers interact.
The session's best contribution is the context argument. A vulnerable web app, an exposed agent endpoint, an over-privileged identity, a model connected to sensitive data, an MCP server, and a permissive tool may look like separate findings when scanned in isolation. In an AI application, they can become one attack path. Wiz's AI-APP launch post makes the same point with a chatbot example: prompt handling, code execution, sensitive-data access, and cloud activity can each look normal until they are connected as a sequence. That belongs beside AI System Inventory, AI Agent Identity, Prompt Injection, and Confused Deputy Problem.
The checklist is practical: first find where AI exists, including managed services, SaaS agents, custom workloads, self-hosted models, MCP servers, plugins, SDKs, and AI credentials. Then classify what each component can do: read, write, execute, expose data, change infrastructure, or call external systems. Then connect that to cloud context, identity permissions, data sensitivity, network exposure, model configuration, guardrails, and runtime behavior. Wiz's AI-APP guide calls this an AI-BOM plus a security graph. The non-vendor version is simpler: build an inventory that explains capability and blast radius, not only asset names.
The runtime section is where the talk meets the site's recent agent-security reviews. Ramnarayanan says teams need to understand intent and detect when an AI application deviates from it, including suspicious workload behavior, rogue agent activity, prompt-injection attempts, anomalous egress, or destructive tool use. That connects directly to AARM runtime security, Observe Everything. Control Nothing., Agent Tool Permission Protocol, AI Agent Observability, AI Audit Trails, and Agent Audit and Incident Review. The key difference is that this session is broader than runtime enforcement: it argues that runtime findings must be traced back to code, cloud posture, data location, and ownership so teams can fix root causes.
The standards context supports the need for a broad control map. CSA's AI Controls Matrix is vendor-agnostic and spans cloud-based AI systems across many domains and roles, including application providers and AI customers. OWASP's Agentic AI threats and mitigations guide frames agentic AI as an expanded risk class because LLM-enabled agents can operate with greater scale, autonomy, and capability. Those sources make the talk's cross-layer framing reasonable even if "AI-APP" itself is Wiz's product category.
Evidence and limits: this is a product-marketing talk from Wiz, not an independent evaluation of Wiz AI-APP, Red Agent, Blue Agent, Green Agent, or any claimed security graph. It is strongest as a buyer checklist and weakest where "AI-powered defense" is treated as the natural answer to AI-powered attack without proving detection quality, false-positive rates, runtime coverage, or remediation safety. The durable takeaway is not the label. It is the model of risk: inventory the AI estate, classify agent capabilities, connect code to cloud to runtime, prioritize toxic combinations, and verify whether the platform can actually detect and contain bad behavior once the AI application is live.