The Enemy Within: Mitigating Insider Threats in the Age of AI

For the better part of two decades, the cybersecurity industry was obsessed with the perimeter. We built firewalls, hardened networks, and deployed sentries to keep the “bad guys” out. But as digital transformation has accelerated, the shape of the battlefield has changed. The perimeter hasn’t just shifted; in many cloud-native organizations, it has evaporated.

We now prioritize rapid elasticity, on-demand self-service, and broad network access to scale critical operations. We have torn down silos to allow employees, contractors, and third-party partners fluid access to proprietary data. While this new ecosystem drives innovation, it has simultaneously granted the “keys to the kingdom” to a wider group of people than ever before.

Those with privileged knowledge of a company’s processes and security measures have already bypassed our hardest layers of defense. They are already inside.

Now, we face a new technology that is rapidly accelerating this risk: Artificial Intelligence.

As organizations integrate AI tools into their workflows to boost productivity, they are inadvertently handing insiders a tool that can magnify negligence or weaponize malice. The intersection of the Insider Threat and the AI Revolution is the new frontier of risk management.

The Expanding Threat Landscape

To understand the modern insider threat, we must first look at the environment in which it creates friction. Today, business is defined by:

• Rapid Elasticity: New resources are spun up and down instantly, sometimes bypassing traditional IT procurement processes.
• On-Demand Self-Service: Developers and business units deploy their own infrastructure, creating “Shadow IT” pockets where security visibility is low.
• Broad Network Access: Work happens everywhere—coffee shops, home offices, and client sites—dissolving the physical boundary of the organization.

In this hyper-connected ecosystem, businesses are rightfully concerned about data protection. When a trusted insider compromises data, it is a betrayal of trust between a business and its stakeholders.

The statistics paint a grim picture of our current reality. According to recent industry reports* 83% of organizations have experienced at least one insider attack over the past year. 

What makes these threats particularly insidious is the “dwell time.” Unlike a ransomware attack that announces itself immediately with a locked screen, insider threats are silent. The average time to detect and contain an insider incident is 81 days. That is nearly three months of unfettered access, data siphoning, or configuration tampering.

The financial repercussions are equally staggering, costing organizations an average of US$17.4 million per year. However, the dollar figure only tells part of the story. The total impact is much higher when you include things such as theft of intellectual property, reputational harm, regulatory fines and class-action lawsuits resulting from negligence.

The AI Multiplier: Innovation vs. Exfiltration

If digital transformation opened the door to insider threats, Generative AI has kicked it wide open.

The integration of AI tools into corporate workflows is undeniably a boon for efficiency. It is a productivity multiplier that allows junior developers to code like seniors and marketing teams to generate copy at lightning speed. However, from a security perspective, it represents a massive expansion of the attack surface.

Similar to the term “Shadow IT”, we are witnessing the rise of “Shadow AI.”

Employees, driven by a desire to work faster and smarter, are bypassing approved software lists to use public, consumer-grade AI tools. Consider the following scenarios:

1. The Diligent Developer: To debug a complex issue effectively, a software engineer copies a block of proprietary source code and pastes it into a public LLM (Large Language Model). That source code is now potentially part of the model’s training data, existing outside the organization’s control.
2. The Efficient Analyst: A financial analyst uploads a PDF of quarterly projections—marked “Internal Only”—into a chatbot to request a summary for a presentation.
3. The Overwhelmed HR Rep: Sensitive employee PII (Personally Identifiable Information) is fed into an AI tool to draft performance reviews.

In all three cases, the employee believes they are acting in the company’s best interest by increasing efficiency. In reality, they are exfiltrating data.

When conducting an internal security hygiene audit, security teams must now ask three critical questions:

1. Who is using AI?
2. Which models are being used (Enterprise vs. Public)?
3. What data is being exposed?

For many organizations, the answer to all three is “We don’t know.” Without visibility, you cannot quantify risk. Without quantification, you cannot mitigate it.

---

The Malicious Actor in the Age of AI

While negligence accounts for a significant portion of insider risk, we cannot ignore the malicious insider. AI lowers the barrier to entry for sophisticated sabotage.

A disgruntled employee with limited technical skills can now leverage AI to write obfuscated scripts to delete backups, craft convincing phishing emails to target executives, or automate the exfiltration of databases in small, undetectable chunks. AI acts as a force multiplier for the bad actor, allowing them to do more damage in less time, often while hiding their tracks more effectively.

Two Core Control Principles: Redaction and Logging

So, how do we solve this? Blocking access to AI tools is akin to blocking the internet in the late 90s; it stifles innovation and encourages employees to find dangerous workarounds.

Instead, organizations must balance innovation with risk. We must enable employees to use these powerful tools while wrapping them in a layer of protective governance. To do this, we should focus on two core control principles: Inline Prompt Redaction and Ethical Logging.

1. Inline Prompt Redaction

This is the technical guardrail that protects the “Helpful Negligent” employee from themselves.

Inline prompt redaction sits between the user and the AI application. It functions similarly to a Data Loss Prevention (DLP) filter but is optimized for the conversational nature of LLMs. When an employee prompts an AI tool, the system scans the input in real-time for sensitive patterns—API keys, PII, credit card numbers, or specific project code names.

If sensitive data is detected, the system automatically replaces it with a token (e.g., [REDACTED]) before the prompt is sent to the AI model.

Why this works:

• Security: The proprietary data never leaves the corporate boundary. The AI provider never sees the secret.
• Usability: The employee can still use the tool for logic, formatting, or ideation, but the specific sensitive context is stripped away.
• Education: It serves as a “just-in-time” coaching moment, alerting the user that they attempted to share sensitive data.

2. Ethical Logging

Visibility is the precursor to control. However, in an era of heightened privacy concerns, monitoring employee activity must be done ethically. We are moving away from “spying” on employees toward “monitoring for risk.”

Ethical logging in the context of AI involves capturing the intent and the outcome rather than just keystrokes.

• Contextual Analysis: Instead of flagging every interaction, security systems should analyze the context. Is the user asking the AI how to bypass corporate firewalls? Are they asking the AI to de-obfuscate code?
• Anonymized baselines: Establish a baseline of normal AI usage for different roles. If a marketing intern suddenly starts uploading gigabytes of data to an AI tool at 2:00 AM, that is a behavioral anomaly that warrants investigation.

Ethical logging provides the forensic data required to reduce that 81-day detection window down to hours or minutes, without creating a culture of fear.

Here is the rewritten section. I have integrated the specific technical details from the Splunk article (Local LLMs, Model Context Protocol, and specific ATLAS TTPs like Cost Harvesting and Prompt Injection) into the narrative.

Structuring the Defense: The MITRE ATLAS Framework

While ethical logging gives us the raw telemetry we need, data without context is just noise. To effectively combat the insider threat in the age of AI, we need a map of the territory.

For years, the MITRE ATT&CK framework has been the de facto standard for security operations, providing a common language for describing how adversaries attack enterprise networks. But as the geometry of the battlefield changes, so too must our maps.

Enter MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems).

Modeled after the original ATT&CK framework, ATLAS is a knowledge base specifically designed to categorize the tactics, techniques, and procedures (TTPs) used to compromise AI systems. It moves the conversation from vague anxieties about “AI risk” to specific, actionable threat scenarios.

Operationalizing ATLAS: From Theory to Detection

The challenge for most organizations is that unlike Windows or Firewall logs, LLM logs are often unstructured and messy. You cannot simply “turn on” security logging for a Large Language Model and expect a clean JSON output.

To build effective detections, we are seeing a shift toward advanced simulation using Local LLMs (such as Llama running on Ollama) and the Model Context Protocol (MCP). By creating a controlled “sandbox” environment, security teams can execute Red Team simulations—using tools like promptfoo—to attack these local models and generate the raw telemetry needed to build high-fidelity alerts.

This process allows us to validate specific ATLAS techniques that are otherwise invisible to traditional security tools:

• Prompt Injection (AML.T0051): By parsing unstructured logs for keywords like “ignore previous instructions” or “act as,” we can detect when an insider is attempting to jailbreak the model to bypass safety filters.
• Cost Harvesting (AML.T0034): We can monitor for anomalous resource spikes (GPU/CPU usage) that indicate an insider is hijacking the model for crypto-mining or unauthorized, compute-heavy tasks.
• Denial of Service (AML.T0029): Through the Model Context Protocol, we can spot “timeout callbacks” and connection floods designed to degrade the AI service for legitimate users.

How Deepwatch is Leveraging ATLAS

At Deepwatch, we are actively exploring incorporating the MITRE ATLAS framework into our detection engineering lifecycle to ensure our customers aren’t just protected against yesterday’s threats, but are resilient against tomorrow’s.

We use ATLAS as a blueprint to validate our detection coverage. Our detection engineers observe the “messy” raw logs from an AI interaction; they can then create parses to organize the data into structured formats to map activity directly to ATLAS techniques. This will allow us to move beyond generic alerts and provide our customers with high-fidelity context—identifying exactly whether an alert is a Resource Exhaustion attempt or a Model Theft scenario.

This standardized language bridges the gap between data wranglers and security analysts, ensuring that when an insider threat emerges, we don’t just see “anomaly”—we see the adversary’s exact move on the map.

Building a Culture of Balance and Awareness

Technology alone cannot solve the insider threat problem. The final, and perhaps most important, layer of defense is culture.

We are currently living through a technological shift that rivals the introduction of electricity. Just as electricity brought immense power but required us to install circuit breakers and insulate wires, AI requires safety mechanisms.

Unmanaged adoption will be catastrophic. But heavy-handed restrictions will slow innovation.

Successful organizations will build a culture where employees feel empowered to act as the first line of defense. This requires a shift in how we view “security training.”

• Move beyond compliance: Stop treating security training as a yearly checkbox.
• AI Literacy: Teach employees how LLMs work. Explain that “chatting” with a bot is actually “publishing” data to a third party.
• Clear Guardrails: Publish an Acceptable Use Policy (AUP) specifically for AI. explicitly state which tools are green-lit (Enterprise versions) and which are red-lit (Consumer versions for sensitive data).

Conclusion: The Path Forward

The insider threat is not new, but the tools available to the insider are more powerful than ever. The collision of rapid cloud elasticity and AI democratization has created a perfect storm for data loss. However, this is not a reason to retreat. It is a call to adapt.

By implementing technical controls like inline prompt redaction and ethical logging, and pairing them with a culture of transparency and education, organizations can harness the revolutionary power of AI without sacrificing their security posture.

The goal is not to stop the flow of data, but to ensure it flows only where it is supposed to. In the age of AI, trust is your most valuable currency—spend it wisely, but verify it relentlessly.

*https://www.ibm.com/think/insights/83-percent-organizations-reported-insider-threats-2024

↑