This paper argues that traditional penetration testing is insufficient for AI-enabled systems because adversaries can alter behavior through prompts, data, or sensor inputs without compromising infrastructure. It reframes the practice as objective-driven behavioral evaluation, defining AI-enabled penetration as inducing behavior that violates operational objectives under a specific threat model.
- The authors define an AI-enabled system as one where learned models materially influence operational outcomes.
- Adversarial pathways include prompt injection, data poisoning, sensor manipulation, and agentic misalignment.
- A testing workflow is proposed to identify objectives, map behavior, analyze influence surfaces, and report evidence of objective violation.
- A running example using an AI-enabled security operations center assistant illustrates how penetration occurs through behavioral influence.
This framework provides a technical basis for evaluating adversarial success in deployed AI systems by focusing on operational outcomes rather than just infrastructure compromise.