AI security: how to protect your organisation in the AI era
AI risk in the enterprise is not one problem. It is three layers stacked on top of each other, each with its own threat model and its own technical answer. Most security strategies address one of the three; the mature ones address all three together.
Layer one is shadow AI: employees using public AI tools without IT awareness. Layer two is homegrown AI: applications your organisation builds with internal models on internal data. Layer three is agentic AI: autonomous workflows where AI agents act on systems with real-world consequences. The risks differ; the technical controls differ; the regulatory framing differs.
This article maps each layer, identifies the threats specific to each, and shows how Cato AI Security covers all three from one platform. For broader context, see our SASE guide for international organisations and our deep dive on managing shadow AI.
This article maps the three layers of AI risk and the technical controls for each:
- The three layers of AI risk in your organisation
- Layer 1: shadow AI, employees and public AI tools
- Layer 2: homegrown AI, internal applications and models
- Layer 3: agentic AI, autonomous workflows and agents
- How Cato AI Security covers all three layers
- EU AI Act, NIS2 and GDPR: the compliance pressure
- Momentum EMEA as AI security implementation partner
- Frequently asked questions about AI security
The three layers of AI risk in your organisation
The three-layer framing matters because security architectures designed for layer one (shadow AI) do not automatically handle layer two or three. Treating AI as one undifferentiated category produces partial protection.
Layer 1: shadow AI. Employees use public AI tools (ChatGPT, Copilot, Gemini) for daily work. The risk is data exposure: company data leaves the corporate boundary. The control point is at the endpoint and the network.
Layer 2: homegrown AI. The organisation builds applications with AI components: chatbots, recommendation engines, document processors. The risk includes training data leakage, prompt injection, model jailbreaking and overdelegation. The control point is at the application and the data pipeline.
Layer 3: agentic AI. AI agents act autonomously on systems: scheduling, communications, transactions. The risk includes runaway actions, indirect prompt injection through documents and unaccountable decisions. The control point is at the agent runtime and the systems agents interact with.
Layer 1: shadow AI, employees and public AI tools
The first layer is the most visible and the most active. Ninety percent of employees use AI tools daily; most usage is unsanctioned. We covered the strategy in our article on managing shadow AI; the summary version is: visibility, policy, safe alternatives, monitoring.
The technical control runs at the network and endpoint layer. SASE inspection identifies AI traffic; DLP redacts sensitive content before it reaches public models; policy redirects employees to corporate alternatives.
For most organisations this is where AI security starts because the exposure is immediate and the technical answer is mature.
"Most organisations have a shadow AI policy and call it AI security. They are not wrong, just incomplete. The day your finance team's AI assistant has access to your ERP system and your CFO's email, you are operating in layer three whether you have a strategy for it or not. The question is whether you have the controls before that day or after."
Momentum EMEA, EMEA's leading Cato Networks implementation partner
Layer 2: homegrown AI, internal applications and models
Organisations are building AI into their products and internal tools at speed. Customer-service chatbots, document summarisation pipelines, sales-recommendation engines. Each is a new application with new failure modes.
Training data exposure. Sensitive data used to train or fine-tune internal models can leak through model completions. Without isolation, the training set becomes a covert disclosure channel.
Prompt injection. User inputs that manipulate the model into ignoring safety instructions or revealing system prompts. With external inputs (uploaded documents, web content), the injection vector is harder to control.
Overdelegation. Applications that give the AI more authority than necessary. A customer-service chatbot with database write access is a liability; one with read-only access scoped to the customer context is acceptable.
Technical controls for layer two include data classification at the pipeline level, prompt-engineering safety guards, output filtering and least-privilege model access. The Cato platform's role at this layer is securing the network paths between the AI components and the data sources, with DLP enforcing data classification policies across those paths.
Layer 3: agentic AI, autonomous workflows and agents
Agentic AI is the newest layer and the most uncertain in terms of risk. Agents are AI systems that take actions in the real world: scheduling meetings, sending emails, making API calls, executing transactions. They hold authority, they make decisions, and their actions have consequences.
Runaway actions. An agent that loops on a task or escalates without supervision can produce hundreds of unintended emails, transactions or API calls. Rate limiting and circuit breakers are mandatory but underapplied.
Indirect prompt injection. An agent reading an external document encounters injected instructions that change its behaviour. A customer-service agent reading a customer email with hidden instructions might leak data or take unsanctioned actions.
Accountability gap. When an agent takes an action that causes harm, who is responsible? The user who deployed it, the developer, the organisation? Legal frameworks are still catching up; technical accountability requires audit trails per agent decision.
The control points are at the agent runtime (sandboxing, rate limiting), at the systems the agent touches (least-privilege API access) and at the network layer (Cato observability of agent traffic patterns).
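The runtime-side controls listed above (rate limiting, a circuit breaker, least-privilege tool access and an audit record per agent decision) can be combined into a single gate that every tool call passes through. The code below is an added illustration written for this article, not Cato's or Momentum EMEA's product code; the class and tool names (`AgentGate`, `read_ticket`, `send_email`, `db_write`) are hypothetical. The same allow-list mechanism also addresses the layer 2 overdelegation point: a chatbot scoped to `read_ticket` cannot reach a write tool even if a prompt asks it to.

```python
"""Minimal tool-call gate for an AI agent runtime (constructed example).

Every tool invocation is authorised here before it runs, so one place
enforces least privilege, a sliding-window rate limit, a circuit breaker
that trips after repeated out-of-scope requests, and a per-decision audit
trail that can be shipped to a SIEM.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional
import time


@dataclass
class AgentGate:
    agent_id: str
    allowed_tools: frozenset                 # least privilege: explicit allow-list
    max_calls_per_window: int = 5            # rate limit across all tools
    window_seconds: float = 60.0
    max_denials_before_trip: int = 3         # circuit breaker threshold
    tripped: bool = field(default=False, init=False)
    audit: list = field(default_factory=list, init=False)
    _calls: deque = field(default_factory=deque, init=False)
    _denials: int = field(default=0, init=False)

    def _log(self, tool: str, decision: str, reason: str, now: float) -> None:
        # One audit record per decision, allow or deny, keyed by agent id.
        self.audit.append({"ts": now, "agent": self.agent_id, "tool": tool,
                           "decision": decision, "reason": reason})

    def authorize(self, tool: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        if self.tripped:                      # breaker open: fail closed
            self._log(tool, "deny", "circuit open", now)
            return False
        if tool not in self.allowed_tools:    # out-of-scope request
            self._denials += 1
            reason = "tool not in allow-list"
            if self._denials >= self.max_denials_before_trip:
                self.tripped = True           # repeated scope violations trip the breaker
                reason += "; circuit tripped"
            self._log(tool, "deny", reason, now)
            return False
        # Drop timestamps that have aged out of the sliding window.
        while self._calls and now - self._calls[0] >= self.window_seconds:
            self._calls.popleft()
        if len(self._calls) >= self.max_calls_per_window:
            self._log(tool, "deny", "rate limit", now)
            return False
        self._calls.append(now)
        self._log(tool, "allow", "ok", now)
        return True
```

The audit list is the per-decision trail the accountability paragraph calls for; in production it would be written to an append-only log rather than kept in memory.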
How Cato AI Security covers all three layers
Cato AI Security, launched in March 2026 as the first SASE-native AI security module, addresses all three layers from one platform.
For layer 1, it detects and enforces policy on shadow AI usage via traffic inspection and DLP. For layer 2, it secures the network paths in AI application pipelines and enforces data classification on flows between AI components. For layer 3, it provides observability and rate limiting on agentic traffic, enabling detection of anomalous agent behaviour before consequences scale.
The advantage of platform integration: one policy framework spans all three layers, one audit trail captures all AI events, one detection engine learns across the layers. Bolted-on AI security products handle one layer well; cross-layer correlation requires platform integration.
EU AI Act, NIS2 and GDPR: the compliance pressure
Three regulatory frameworks intersect on AI security and they tighten quarterly.
EU AI Act. Risk-based regulation of AI systems with stringent obligations for high-risk categories. Enforcement is phased through 2026 and 2027. The Act explicitly requires risk management systems and human oversight for high-risk AI.
NIS2. Applies indirectly, through its access control and incident detection obligations. AI tools that process data are part of the cyber security perimeter. We unpack this in our article on NIS2 compliance with one platform.
GDPR. Personal data processed by AI tools (including public ones used as shadow AI) constitutes processing that requires a legal basis and controller-processor agreements. The Autoriteit Persoonsgegevens enforces this in the Netherlands.
Momentum EMEA as AI security implementation partner
The three-layer model is technical; the implementation is organisational. As EMEA's leading specialised Cato implementation partner, Momentum EMEA delivers the Cato AI Security platform along with the governance framework that translates policy into operational reality: data classification standards, AI tool categorisation, agent registration and monitoring playbooks.
Frequently asked questions about AI security
What are the three layers of AI risk?
Layer 1 is shadow AI (employees using public tools), layer 2 is homegrown AI (internal applications using models), layer 3 is agentic AI (autonomous workflows taking actions). Each has distinct threats and requires specific controls.
Do most organisations need to address all three layers today?
Almost all organisations are already in layer 1 whether they know it or not. Layer 2 affects organisations building AI into products or internal tools, which is most enterprises today. Layer 3 is emerging rapidly; organisations should plan controls before agents are in production rather than after.
What does Cato AI Security specifically do?
Launched in March 2026 as the first SASE-native AI security module, Cato AI Security detects and enforces policy across all three layers from one platform: traffic inspection for shadow AI, data flow controls for homegrown AI, observability and rate limiting for agentic AI.
How does the EU AI Act affect our organisation?
The Act applies a risk-based classification. High-risk AI systems (employment, credit scoring, critical infrastructure) face strict obligations including risk management, human oversight and conformity assessment. Most organisations have at least some systems in scope; the assessment is the starting point.
What is prompt injection and why does it matter?
Prompt injection is an attack where malicious input manipulates an AI into ignoring its instructions or revealing protected data. With external data sources (documents, web content, customer messages) the attack vector is harder to control. Layer 2 and layer 3 controls specifically address this.
How does Momentum EMEA help with AI security?
We deliver the technical platform (Cato AI Security) and the governance framework: data classification standards, AI tool categorisation, agent registration and monitoring playbooks. Implementation is end-to-end, not just platform delivery.