aisecurity.llc
Findings Index
Named findings, evidence themes, and action pathways for AI Security Engineering.
Catalog
All report findings
Talent and role-design crisis
The Frankenstein Role
AI Security Engineer role language often bundles five historically separate capability families into one requisition.
Title/substance mismatch
Skill Washing
AI-labeled security titles often outpace AI-specific control, testing, and evidence language.
Team-shaped requirements
The Unicorn Index
The market prices one role while frequently describing team-level capability breadth.
Systems reasoning shift
The Probability Pivot
AI security language reflects a shift toward probabilistic systems reasoning and ambiguity tolerance.
Governance-to-execution gap
The Evidence Gap
Governance language often appears before engineering evidence language such as eval outputs, telemetry, and remediation proof.
Delegated action risk
Agentic Anarchy
Agent security is delegated action security; chatbot framing is insufficient.
Mid-market exposure gap
The vCISO Vacuum
Some organizations are too small to hire the unicorn but too exposed to defer AI security.
Execution translation failure
Boardroom-to-Backlog Gap
Executive AI risk narratives often fail to translate into named controls, owners, and evidence artifacts.
Assessment maturity lag
Skills Validation Gap
The market asks for AI security engineering skills before it has standardized practical evaluation pathways.
Lifecycle control deficit
Model Supply Chain Blind Spot
Model artifacts, provenance, and deployment gates remain under-specified in many role definitions.
Talent supply crisis
Entry-Level Extinction
AI Security Engineering is being invented at the top of the org chart. The market is hiring senior-only into an unproven discipline, with almost no junior pathways.
Role language confusion
The Red Team Misnomer
"AI red team" is often used as a catch-all for governance reviews, product assessments, platform controls, and abuse testing rather than adversarial AI evaluation.
Legacy framework dominance
The Compliance Reflex
Legacy compliance frameworks dominate AI-security hiring language by roughly 108:1 versus AI-native governance frameworks.
Incumbent tooling lock-in
The Tool Incumbency Trap
Compliance automation incumbents appear in hiring language far more than AI-native security testing and evaluation tooling.
Early but accelerating risk surface
The Agentic Surface Emergence
Prompt-injection, function-calling, and tool-calling security signals are still under 0.3% of all postings, but rising quickly.
Academic vs market misalignment
The Research-to-Hiring Chasm
What researchers study and what the market hires for are systematically misaligned. arXiv concentrates 45% of AI security papers in prompt/generation security and 11% in agentic action, yet hiring language concentrates in governance, compliance, and red-teaming. The emerging research terms (jailbreak, autonomous agent, tool call, guardrail) all carry a zero prior-period count: they did not appear in the prior period at all. When hiring catches up to where research energy already is, there will be a rapid reskilling event.
Codification lag crisis
The Knowledge Desert
3 Wikimedia pages exist for a field with 2,730 arXiv papers and 2,500 GitHub repos. There is no canonical public reference for 'AI security engineering' as a practice. The codification lag — time from practice emergence to public knowledge entry — is extreme and unlike any established security domain. You cannot onboard juniors into a discipline that has no Wikipedia. This is the structural explanation for why Entry-Level Extinction and Skills Validation Gap exist: there is no codified curriculum to build on.
Open-source tooling gap
The Builder Vacuum
GHArchive tracking shows 99.4% of 2,500 tracked repos are unclassified — not AI-security-specific. Job descriptions demand 'AI-native security tooling,' but the open-source ecosystem barely exists. The Tool Incumbency Trap (30:1 legacy vs AI-native) isn't just preference or inertia: the alternative tools haven't been built yet. Practitioners are being hired to implement controls that don't have reference implementations. Incumbents stay dominant not by lock-in, but because the vacuum is real.
Media narrative vs operational reality
The Attention Deficit
613K+ media items analyzed. AI model research captures 5.65% of all media volume — 34,686 items. Agent security: 762 items (0.12%). AI red teaming: 34 items (0.005%). MCP tool security: 12 items. Supply chain: 25 items. The ratio of capability coverage to security coverage in industry media is approximately 45:1. This is a leading indicator, not a steady state. When a high-profile AI security incident becomes a mainstream story, that attention will correct rapidly — and the talent market, which follows media narrative, will not be ready.
Governance-implementation structural failure
The Framework Paradox
8 AI-native security frameworks tracked. 5 are document-only. Only 3 are machine-readable. 42 heuristic crosswalk rows across MITRE ATLAS, NIST AI RMF, and OWASP LLM Top 10 — none are natively integrated into CI/CD pipelines, security tooling, or automated evidence collection. The Compliance Reflex (108:1 legacy vs AI-native) is not stubbornness: it's structural. When AI-native frameworks exist only as PDFs with no automation integration and no audit-trail format, practitioners implement what they can actually implement. The standards bodies meant to displace legacy frameworks are too immature to do so.
Detection and monitoring deficit
The Telemetry Blind Spot
AI logging scores 1.4/5 in practitioner surveys, the single lowest-rated control category. arXiv puts only 2.45% of papers in detection and runtime monitoring, the second-lowest research bucket. In media, AI cyber defense barely registers. These signals converge: AI monitoring and detection is simultaneously the lowest-maturity control, the second-least-researched academic area, and one of the least-covered media topics. You cannot respond to incidents you cannot detect. The industry is building attack surface faster than it is building monitoring infrastructure.
Untapped talent supply
The Adjacent Reservoir
Adjacent engineers — platform, DevOps, ML engineers without security background — represent the most realistic near-term supply of AI security talent. But hiring filters are calibrated to 'security professionals who've added AI,' not 'AI professionals who've added security.' Survey data shows adjacent engineers have moderate confidence in AI security but face specific, navigable barriers: vocabulary gaps and credential expectations rather than capability gaps. The market is filtering out its most viable near-term talent supply.
Active exploitation, not theoretical risk
The Exploited Present
3 AI-relevant CVEs have reached CISA Known Exploited Vulnerability status, meaning CISA has evidence of active exploitation in the wild. The market debates AI security as a future risk while defenders are already remediating KEV-listed AI/ML vulnerabilities. The top vulnerability bucket is AI/ML framework and library vulnerabilities (378 of 1,458 CVEs). The tools practitioners are hired to use are the attack surface. AI security investment is not a strategic hedge; it is immediate operational exposure.
Research lead vs hiring lag
The Privacy Asymmetry
Privacy-preserving ML and differential privacy are the top research terms in arXiv's AI security corpus — 67 and 55 papers respectively, both surging in the last 12 months. Yet privacy appears in hiring language primarily as a compliance checkbox bundled with GDPR and data protection, not as an engineering capability. There is a 5+ year research lead in privacy-preserving AI techniques that the hiring market has not operationalized. Organizations that hire specifically for privacy-preserving ML engineering skills have first-mover advantage.