Passing the buck, and the blame, down the road shows lack of AI companies' maturity

OPINION AI vendors: "You need to use AI to fight AI threats (and do everything else in your corporate IT environment)." Also AI vendors: "That's not a security flaw; it's working as intended."

This pattern has become increasingly common as the digital hypemeisters tell businesses to use AI to do all the things, especially when it comes to detecting and blocking security issues. That is – until a security flaw exists in the AI itself, and then it's "expected behavior" or a "by-design risk." 

Maybe, if we're lucky, the AI company at fault will quietly publish new security considerations in its documentation. But the root problem doesn't get fixed. In some cases – like prompt injection – the vendors can't really fix the flaw, even if they wanted to.

A couple of recent examples show how this plays out.

Researchers recently showed how three popular AI agents ...