AI Has Created a New Attack Surface and Encryption Is Not Enough

Executive Insight

For decades, enterprises relied on strong encryption to protect sensitive data in transit, and encryption used to be the end of the conversation. If an organization could say “we use TLS 1.3 and modern cipher suites,” that was enough to reassure boards, regulators, and customers that data in transit was safe.

AI has quietly introduced a new cybersecurity problem, one that most organizations have not yet recognized, and that traditional defenses were never designed to handle. Modern AI systems from LLMs, agentic frameworks to autonomous machine-to-machine (M2M) workflow, don’t just send encrypted data. They generate highly structured, repetitive, machine-driven communication patterns. Those patterns are now a source of intelligence for attackers, even when the payload is perfectly encrypted.

Two recent developments illustrate this shift.

The first is Microsoft’s Whisper Leak research. Microsoft’s security team demonstrated that an attacker who can observe encrypted LLM traffic may be able to infer the topic of a user’s query by analyzing metadata such as packet timing, size, and sequence. The cryptography remains intact; the attacker never sees plaintext. The risk comes from the shape of the traffic, not the content. Whisper Leak is presented as a research result, not a claim that all deployed systems are equally exposed, but it establishes a critical fact: AI traffic is fingerprintable because AI systems communicate in stable, recognizable ways.

The second is the widely reported McKinsey agentic AI incident, in which an autonomous security agent developed by CodeWall reportedly exploited weaknesses in McKinsey’s internal AI platform, Lilli. According to public reporting, the agent discovered unauthenticated endpoints and a SQL injection vulnerability, then used those footholds to access a large volume of internal data. The details come from external sources, and McKinsey’s internal findings may differ, but the pattern is what matters: once an AI-driven system is reachable and observable, an automated agent can explore and exploit it at machine speed.

Together, these events reveal a new reality for CISOs and technical leaders:

• AI systems leak operational intent through traffic patterns, even when encrypted.
• Agentic AI can accelerate exploitation, compressing the attack timeline from days to hours.
• Encryption protects content, not context, and context is often enough to infer sensitive activity.
• Traditional network defenses were not designed for autonomous, high-frequency, machine-generated communication.

AI is no longer just a workload. It is an attack surface, one that behaves differently from anything enterprises have secured before.

Technical Perspective

Why AI Traffic is Inherently Fingerprintable

Human-driven applications produce irregular, noisy traffic. People pause, think, click unpredictably, and abandon workflows. AI systems behave differently. Their communication patterns are:

• Repetitive — the same orchestration loops repeat across thousands of sessions.
• Structured — requests and responses follow consistent schemas and sequences.
• High-frequency — token emission and agent planning loops generate rapid bursts.
• Stable — patterns remain similar across users, time, and environments.

From a machine learning perspective, this stability is ideal training data. If an adversary can observe enough encrypted traffic, they can train classifiers to recognize patterns that correlate with specific intents, workflows, or application states.

Whisper Leak: Metadata‑only Inference Against Encrypted AI Traffic

Microsoft’s Whisper Leak research describes a side-channel attack on remote language models that relies on network metadata, not decrypted content. According to Microsoft, the attack “could allow a cyberattacker in a position to observe your network traffic to conclude language model conversation topics, despite being end-to-end encrypted via TLS.”

At a high level:

• The attacker observes encrypted traffic between a client and an LLM endpoint.
  
  
• They collect features such as packet sizes, interarrival times, burst patterns, and flow duration.
  
  
• They train a machine learning model to associate those features with specific query categories.
  
  
• At inference time, they classify new encrypted queries based solely on traffic shape.

Important nuances:

• The cryptographic protocols are not broken.
  
  
• The attacker never sees plaintext.
  
  
• The signal comes entirely from how the model communicates, not what it says.
  
  
• Microsoft does not claim that all LLM deployments are equally exposed; the research demonstrates feasibility under certain conditions.

The implication is structural: if AI traffic is stable and observable, it is likely inferable. This applies not only to LLM prompts but to any AI-driven system that communicates over the network.

The McKinsey Incident: Agentic AI as an Exploitation Accelerator

The McKinsey case illustrates a complementary risk: once an AI system is reachable and its behavior is observable, an autonomous agent can use that visibility to drive exploitation.

Public reporting describes the following sequence:

• A CodeWall autonomous security agent was directed at McKinsey’s internal AI platform.
  
  
• The agent discovered internal endpoints, some reportedly lacking authentication.
• It identified a SQL injection vulnerability.
  
  
• Using that vulnerability, it accessed backend data stores and large volumes of internal information.

The details come from external reporting, and the full internal incident analysis has not been published. But the pattern is consistent with what security teams increasingly observe: agentic AI compresses the attack timeline. It does not invent new vulnerability classes, but it changes how quickly and thoroughly existing weaknesses can be found and exploited.

Why Encryption Doesn’t Stop These Attacks

In both Whisper Leak and the McKinsey incident, encryption did what it was designed to do:

• It protected the contents of individual messages.
  
  
• It prevented direct eavesdropping on plaintext.

What it did not do:

• Hide timing, size, and sequence of packets.
  
  
• Conceal which services were communicating.
  
  
• Obscure the orchestration patterns of the AI system.
  
  
• Prevent an authenticated or internally reachable agent from exploring exposed endpoints.
  
  

TLS, AES, ChaCha, and post-quantum key exchange protect content and keys. They do not erase context:

• When messages are sent
  
  
• How long sessions last
  
  
• How many packets are exchanged
  
  
• How flows correlate across services
  
  
• How often certain patterns repeat

For traditional applications, this contextual leakage has often been considered low risk. For AI systems, it is different:

• The context itself encodes sensitive information about prompts, workflows, and decision processes.
  
  
• The regularity of AI traffic makes that context easier to model and exploit.
  
  
• The speed and autonomy of agentic systems make exploitation faster and more scalable once any foothold exists.

The Two Structural Conditions Behind These Threats

Both Whisper Leak and the McKinsey incident depend on two structural conditions:

• Visibility — the attacker (or agent) can observe traffic or system behavior.
• Stability — the traffic or behavior is consistent enough to be learned and exploited.

If either condition is removed:

• Metadata‑based inference becomes far harder or impossible.
  
  
• Agentic exploitation becomes brittle and unreliable.
  
  
• Machine learning models struggle to generalize.

This is the pivot point for the architectural argument that follows in the rest of the series: AI security cannot rely on cryptographic strength alone; it must address observability and stability at the transport layer.

In Conclusion

Whisper Leak shows that attackers can infer what your AI systems are doing without breaking encryption, simply by watching how they talk. The McKinsey incident shows that once an AI system is reachable and observable, an autonomous agent can use that visibility to drive exploitation at machine speed. In both cases, the core issue is not weak cryptography but exposed, learnable patterns in AI communication and behavior.

AI has created a new attack surface, one where context can be as revealing as content, and where autonomy accelerates risk. The next blog in this series examines why traditional mitigations such as padding, batching, shaping, noise, and application-layer normalization cannot fully close this gap, and why a structural approach to eliminating observability is required.

Make Your AI Systems Unobservable

If your AI systems rely on encryption alone, they remain observable. Dispersive eliminates that observability at the transport layer. To understand how structural dispersion protects AI, agents, and autonomous workflows, connect with our team for a technical briefing.

📞 Learn more or request a demo: www.dispersive.io


Header image courtesy of wastedgeneration from Pixabay.