AI Infrastructure Security
Overview of security concerns in AI infrastructure, covering model supply chains, API security, deployment architecture, and the unique attack surfaces of ML systems.
AI infrastructure extends far beyond the model itself. The supply chain that delivers models, the APIs that serve them, the orchestration layers that connect them to tools, and the deployment environments that host them all present attack surfaces that traditional AI security research often overlooks.
The AI Infrastructure Stack
```
Model Registries (HuggingFace, etc.)     ← Supply chain attacks
            ↓
Model Files (.pt, .onnx, .safetensors)   ← Serialization exploits
            ↓
Serving Infrastructure (vLLM, TGI, etc.) ← Deployment attacks
            ↓
API Layer (REST, gRPC, WebSocket)        ← API security
            ↓
Orchestration (LangChain, agents, MCP)   ← Integration attacks
            ↓
Application (chat UI, plugins, tools)    ← Application attacks
```
Each layer in this stack has its own threat model, and a compromise at any layer can cascade downstream to every layer that depends on it: a poisoned model pulled from a registry compromises every serving stack and application that loads it.
Key Attack Categories
Model Supply Chain
The journey from a pre-trained model to a production deployment involves downloading model files, loading weights, and often executing code embedded in serialization formats such as pickle. This supply chain is ripe for exploitation. See Model Supply Chain.
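The serialization risk can be made concrete with Python's own `pickle` module, which is what `.pt` files use under the hood. The sketch below (illustrative only; the `MaliciousWeights` class is invented) builds a payload that would run a shell command on load, then shows how a defender can inspect the pickle opcodes without ever executing it:

```python
import pickle
import pickletools

# Hypothetical illustration: any object loaded with pickle.load() can run
# arbitrary callables via __reduce__. A "model weights" file is no exception.
class MaliciousWeights:
    def __reduce__(self):
        # On unpickling, this would call os.system(...) -- shown here
        # with a harmless echo so the sketch stays inert.
        import os
        return (os.system, ("echo pwned",))

payload = pickle.dumps(MaliciousWeights())  # dumping does NOT run the payload

# A defender can inspect opcodes without executing anything:
ops = [op.name for op, arg, pos in pickletools.genops(payload)]

# REDUCE / GLOBAL / STACK_GLOBAL opcodes signal callable invocation --
# a strong hint that these "weights" will run code when loaded.
suspicious = {"REDUCE", "GLOBAL", "STACK_GLOBAL"}.intersection(ops)
print(sorted(suspicious))
```

This is why formats like safetensors, which store raw tensors with no executable component, are preferred for distributing weights.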
API Security
LLM APIs handle sensitive prompts, generate potentially harmful outputs, and often provide access to internal tools. Standard API security concerns (authentication, rate limiting, input validation) apply alongside LLM-specific issues. See API Security.
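Two of those standard controls, rate limiting and input validation, can be sketched in a few lines. The snippet below is a minimal illustration, not a production gateway; the `MAX_PROMPT_CHARS` limit and token-bucket parameters are assumed values to tune per deployment:

```python
import time
from dataclasses import dataclass, field

MAX_PROMPT_CHARS = 8_000  # assumed limit; tune per deployment

@dataclass
class TokenBucket:
    """Per-client token bucket: allows short bursts, throttles sustained load."""
    rate: float       # tokens replenished per second
    capacity: float   # maximum burst size
    tokens: float = 0.0
    last: float = field(default_factory=time.monotonic)

    def allow(self) -> bool:
        now = time.monotonic()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def validate_prompt(prompt: str) -> bool:
    # Reject oversized or control-character-laden input before inference.
    if len(prompt) > MAX_PROMPT_CHARS:
        return False
    return not any(ord(c) < 32 and c not in "\n\t" for c in prompt)

bucket = TokenBucket(rate=1.0, capacity=2.0, tokens=2.0)
print(bucket.allow(), bucket.allow(), bucket.allow())  # burst of 2, then throttled
print(validate_prompt("Summarise this document."))
print(validate_prompt("x" * 10_000))
```

These checks sit in front of the model; LLM-specific filtering (prompt-injection detection, output moderation) layers on top of them, not in place of them.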
Deployment Attacks
The infrastructure that hosts and serves AI models — containers, GPUs, inference servers — introduces its own attack surface. Misconfigurations, resource exhaustion, and escape vulnerabilities all apply. See Deployment Attacks.
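A quick way to spot several of these misconfigurations is to audit `docker inspect` output for an inference container. The sketch below checks a handful of high-signal fields (field names follow the Docker Engine API; the sample config is invented for illustration):

```python
# Hypothetical sketch: flag risky settings in docker-inspect-style JSON
# for a container running an inference server.
def audit_container(inspect: dict) -> list[str]:
    findings = []
    host_config = inspect.get("HostConfig", {})
    if host_config.get("Privileged"):
        findings.append("container runs privileged (full device/capability access)")
    if host_config.get("NetworkMode") == "host":
        findings.append("host networking (no network isolation)")
    if not host_config.get("Memory"):
        findings.append("no memory limit (resource-exhaustion risk)")
    if any(m.get("Source") == "/var/run/docker.sock"
           for m in inspect.get("Mounts", [])):
        findings.append("docker socket mounted (trivial host escape)")
    return findings

# Invented sample exhibiting all four issues:
sample = {
    "HostConfig": {"Privileged": True, "NetworkMode": "host", "Memory": 0},
    "Mounts": [{"Source": "/var/run/docker.sock",
                "Destination": "/var/run/docker.sock"}],
}
for finding in audit_container(sample):
    print("FINDING:", finding)
```

GPU workloads often accumulate exactly these weakenings (privileged mode for device access, no memory caps), which is what makes inference containers a recurring escape vector.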
Infrastructure vs. Model Attacks
| Aspect | Model Attacks | Infrastructure Attacks |
|---|---|---|
| Target | The model's behavior | The systems around the model |
| Access needed | Prompt/query access | Network/system access |
| Persistence | Usually ephemeral | Can be permanent |
| Detection | AI-specific monitoring | Traditional security tooling |
| Impact | Model output manipulation | Full system compromise |
Red Teaming Infrastructure
When assessing AI infrastructure:
- Map the supply chain — Where do models come from? How are they downloaded, stored, and loaded?
- Assess API security — Authentication, authorization, rate limiting, input validation, output filtering
- Review deployment — Container security, network isolation, resource limits, access controls
- Test integrations — How does the model connect to tools, databases, and external services?
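The API-assessment step above usually starts with enumerating which endpoints a serving host exposes without credentials. The sketch below builds a probe list for paths typical of OpenAI-compatible servers such as vLLM and of TGI (the hostname is a placeholder; verify paths against your target's documentation, and only send requests within your rules of engagement):

```python
from urllib.parse import urljoin

# Endpoints commonly exposed by LLM serving stacks; confirm per target.
COMMON_ENDPOINTS = [
    "/health",     # liveness check, often unauthenticated by design
    "/v1/models",  # model listing -- information disclosure if open
    "/metrics",    # Prometheus metrics -- internals disclosure
    "/docs",       # auto-generated API docs (FastAPI-style servers)
]

def probe_targets(base_url: str) -> list[str]:
    # Build the full URL list; actually requesting each one is left
    # to the operator and the engagement's scope.
    return [urljoin(base_url, path) for path in COMMON_ENDPOINTS]

for url in probe_targets("http://inference.internal:8000"):
    print(url)
```

An unauthenticated `/v1/models` or `/metrics` response is often the first concrete finding in an AI infrastructure assessment: it confirms the serving stack, its version, and sometimes the loaded model names before any prompt is ever sent.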
Related Topics
- Model Supply Chain Risks -- pickle exploits, registry attacks, and dependency vulnerabilities
- Infrastructure Supply Chain (Advanced) -- deep-dive into supply chain attack techniques
- Cloud & App Security -- application-layer security of AI deployments
- Exploit Development -- building exploits that target infrastructure components
- Training Data Attacks -- data pipeline attacks that intersect with infrastructure
References
- OWASP, "Top 10 for Large Language Model Applications" (2025) -- industry-standard LLM security risks including infrastructure
- Gu et al., "BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain" (2019) -- foundational supply chain attack research
- MITRE, "ATLAS: Adversarial Threat Landscape for AI Systems" (2023) -- comprehensive AI threat framework covering infrastructure
Why might infrastructure attacks be higher impact than prompt injection for an AI red teamer?