Sr. Content Developer at Microsoft, working remotely in PA, TechBash conference organizer, former Microsoft MVP, Husband, Dad and Geek.
157760 stories
·
33 followers

Even Microsoft couldn’t make Windows 11 work well on 8GB of RAM

1 Share
A Microsoft 13-inch Surface Laptop with performance monitoring in Task Manager open, showing the amount of memory in use.
Memory anxiety. | Photo: Antonio G. Di Benedetto / The Verge

Last year, Microsoft's 13-inch Surface Laptop quickly became one of my favorite thin-and-light Windows notebooks. At $900, it was easy to recommend to anyone wanting MacBook Air-like build quality and battery life on Windows - I even convinced my sister to buy one on sale.

But that was last year. This year, thanks to RAMageddon, that same laptop costs $950, and now that price gets you half as much RAM - just 8GB. It's the same great hardware on the outside, but it's not the same laptop on the inside.

It's been a long time since we tested a Windows laptop with so little RAM. We've been saying for years that 8GB isn't enough. But this is Mi …

Read the full story at The Verge.

Read the whole story
alvinashcraft
42 minutes ago
reply
Pennsylvania, USA
Share this story
Delete

Microsoft at Black Hat USA 2026: Defending trust in the age of AI and supply chain attacks

1 Share

Across the threat landscape, in this moment, one pattern sits at the center of the story: threat actors are following trust.

They are not only looking for vulnerable systems, but rather targeting the software, services, identities, tools, developer workflows, and AI systems that organizations already depend on.

A package can become a distribution path. A build pipeline can become an access path. A trusted tool can become or expand an attack surface. An AI agent with the wrong access can become a new way to reach code, data, or infrastructure.

While the surfaces may change, the goal for the majority of threat actors remains the same: find what is trusted, abuse it, and scale the impact.

At Black Hat USA 2026, Microsoft Security will walk through how we are seeing this shift unfold, how security teams can look for it earlier, and how threat intelligence, expert-led response, and security operations need to work together when campaigns move across software, identity, cloud, data, and AI systems.

On Wednesday, August 5, 2026, the day begins with David Weston’s keynote, The End of Rare: Defending When Offense Is Cheap, which looks at what defense requires when offensive capability becomes easier to access, automate, and scale. Later that afternoon, Aarti Borkar and Tanmay Ganacharya will resume the main stage for Poisoned at the Source: Inside the Hunt for Supply Chain Attacks, which offers a closer look at how Microsoft Threat Intelligence is hunting attacks across software ecosystems, developer workflows, and trusted services. This includes details into the ongoing attacks on npm (Node package manager). 

Together, these sessions frame the challenge security teams are facing now: when offensive capability becomes easier to scale, security teams need to understand the trust paths threat actors can abuse before those paths become open doors for attacks. 

At our booth, we’ll also showcase Microsoft Defender Experts Threat Intelligence, a new expert-led service delivering continuous, curated intelligence tailored to your organization, and Microsoft Defender Experts MDR, now extended with third-party and multicloud coverage.

From August 4 to 6, 2026, at Mandalay Bay in Las Vegas, you’ll find Microsoft Security on the Business Hall floor at booth #2144, and on Wednesday evening, join us at the Microsoft Security reception at Swingers at Mandalay Bay.

Weston on the future of defense 

At 9:15 AM PT on Wednesday, August 5, 2026, David Weston, CVP of Agentic Security, will examine what changes for security teams when offensive capability becomes easier to access, automate, and scale. 

The keynote sets up one of the central questions security leaders are facing now: how does the security operations center (SOC) and analysts adapt when threat actors can move faster, test more often, and reuse trusted paths across software, identity, cloud, and AI systems? Join the keynote Wednesday, August 5, 2026, then continue the conversation with Microsoft Security at booth #2144. 

Our latest intelligence (and response) on npm supply chain attacks

That same intelligence-to-action challenge is at the center of our main stage session at Black Hat. 

On Wednesday, August 5, 2026, from 2:30 PM PT to 3:00 PM PT, Aarti Borkar, Corporate Vice President (CVP), Microsoft Security, and Tanmay Ganacharya, Vice President of Microsoft Security Research and Threat Intelligence, will share intelligence and insights into the ongoing supply chain campaigns impacting all areas of the threat landscape. The talk, Poisoned at the Source: Inside the Hunt for Supply Chain Attacks, will walk through Microsoft Threat Intelligence’s investigations into the ongoing npm supply chain attacks targeting software ecosystems, developer workflows, trusted services, and how organizations are handling the challenges associated with npm packages.

Follow the research in the Black Hat Briefings

Microsoft Security researchers will also present peer-reviewed technical research in the Black Hat Briefings. These sessions go deep into cloud, mobile, and software supply chain defense.

GitHub Can Tell You’re Being Hacked. You’re Just Not Listening: Building EDR for GitHub from Its Own Event Stream

  • Presented by Yossi Weizman, Principal Security Research Manager
  • Wednesday, August 5, 2026, from 10:15 AM PT to 10:45 AM PT

One Click to System: Exploiting Bixby’s Trust Model for Full Device Compromise

  • Presented by Dimitrios Valsamaras, Senior Security Researcher
  • Wednesday, August 5, 2026, from 12:00 PM PT to 12:40 PM PT

Handle With Care: Chaining Azure Automation Flaws for Cross-Tenant Identity Takeover

  • Presented by Shay Shavit, Senior Security Researcher
  • Wednesday, August 5, 2026, from 4:30 PM PT to 5:10 PM PT

Check the official Black Hat schedule for final room assignments and any timing updates.

Go deeper in Microsoft sessions

Microsoft experts will also lead sessions that give you a closer look behind the scenes, including:

Mind the Gap: Turning Threat Intelligence into Decisive Action with Expert-Led Defense

  • Presented by Wes Malaby, General Manager of Customer Success
  • Wednesday, August 5, 2026, from 5:00 PM PT to 5:20 PM PT

Cyber Defense Showdown

  • Presented by Fanta Kaba and special guest Jimmie Galaites
  • Wednesday, August 5, 2026, from 5:00 PM PT to 5:20 PM PT

Agentic Security: What’s Next

  • Presented by Naadia Sayed, Principal Product Manager
  • Thursday, August 6, 2026, from 11:15 AM PT to 12:00 PM PT

These sessions extend the main stage story into practitioner decisions: how teams move from intelligence to action, how defenders test their judgment under pressure, and how AI and agents are changing security workflows.

Visit booth #2144 for research, community, and hands-on defense

This year we are transforming the Microsoft Security booth into a community center. Click here to jump to the full schedule.

If the keynote and main stage sessions frame the largest challenges across the threat landscape, booth #2144 is where you can directly explore the workflows behind it: threat intelligence, incident response, AI security, security operations, partner solutions, and hands-on practice.  

You will find:

Connection circles, ask-me-anythings (AMAs), meetups led by industry influencers, and lightning talks

Short-form conversations with practitioners and experts on threat intelligence, incident response, AI security, identity, data protection, and security operations. If you swing by when the expo area opens, we’ll also fuel you up so you can skip the food court.

Partner presence

At Black Hat 2026, the Microsoft booth will feature 13 partners from the Microsoft Intelligent Security Association (MISA) who will showcase solutions built with Microsoft Security technology. Security Insider Conversations will feature MISA partners Critical Start (August 5, 2026, at 3:30 PM PT) and Huntress (August 6, 2026, at 2:00 PM PT) alongside Microsoft Security experts. Additionally, thank you to our Microsoft Security VIP Mixer sponsors: Ascent Solutions, Avertium, Devicie, Huntress, Illumio, Maureen Data Systems, and Security Risk Advisors. 

Demo our latest innovations

Explore connected experiences across defending with AI, securing AI, strengthening posture for AI adoption, using security intelligence in investigations and response, working with trusted partners, and connecting with Microsoft Defender experts.

Exclusive swag (featuring a surprise guest)

Spend some time with us at the experience we built around the booth and you’ll earn tokens that can be exchanged for custom patches and hats (because security experts have to wear many hats). Your favorite paperclip may be among the patches. Maybe.

Decompress with mini golf

The biggest Microsoft Security community moment of the week is our reception at Swingers at Mandalay Bay, hosted by Aarti Borkar.

Join us Wednesday, August 5, 2026, from 6:00 PM PT to 9:00 PM PT for food, drinks, mini golf, partner activations, and time with the Microsoft Security team away from the show floor.

Come compare notes with peers, meet Microsoft researchers and responders, and connect with the broader Microsoft Security community.

Space is limited, so reserve your spot early.

Plan your week with Microsoft Security

You can find Microsoft Security at booth #2144 during Business Hall hours:

  • Tuesday, August 4, 2026: 4:00 PM PT to 7:00 PM PT
  • Wednesday, August 5, 2026: 9:00 AM PT to 6:00 PM PT
  • Thursday, August 6, 2026: 9:00 AM PT to 4:00 PM PT

Stop by early to see the booth schedule, find upcoming AMAs and connection circles, and plan which live sessions and hands-on experiences you want to attend.

Skill up before and after Black Hat

You do not need to be in Las Vegas to take part in the broader Microsoft Security Black Hat experience.

The Microsoft Black Hat Skilling Challenge begins July 20, 2026, and will help defenders build hands-on skills across Microsoft Defender, Microsoft Sentinel, and Microsoft Security Copilot. Attendees can use the challenge to prepare before the event, then bring questions to on-site experts and community sessions. Remote participants can follow along through Microsoft Tech Community, AMAs, recaps, and post-event resources.

See you at hacker summer camp

Threat actors are adapting around the systems organizations already trust. Security teams need to understand those trust paths before they become attack paths.

At Black Hat USA 2026, Microsoft Security will bring the research, expert perspective, and hands-on experiences to help practitioners see where attacker behavior is moving and how defense can adapt.

Add Poisoned at the Source to your schedule. Visit us at booth #2144. Join the skilling challenge. And register for the Microsoft Security reception on Wednesday night.

Microsoft Security booth #2144 experiences and schedule

Tuesday, August 4, 2026

TimeTitle
5:00 PM PT to 6:00 PM PTHow Practitioners Build Effective Security Playbooks
6:00 PM PT to 7:00 PM PTAgentic Security: What’s Next

Wednesday, August 5, 2026

TimeTitle
9:00 AM PT to 9:30 AM PTSecurity Communities Meet Up
10:00 AM PT to 10:30 AM PTUsing Offensive Security Research to Advance AI Security
10:30 AM PT to 11:00 AM PTThe Confused Deputy Strikes Back: How AI Agents Turn Into RCE Proxies
12:00 PM PT to 12:30 PM PTHunting in the Gray: When Nation-States and Cybercrime Collide
12:30 PM PT to 1:00 PM PTAI in Security Operations: What Actually Works and What Doesn’t
1:00 PM PT to 2:00 PM PTAI in the SOC: Lessons Learned from the Front Lines
2:30 PM PT to 2:30 PM PTMicrosoft Defender Challenge
2:30 PM PT to 3:00 PM PTFrom Alert Fatigue to Action: How Practitioners Prioritize What Matters
3:00 PM PT to 3:30 PM PTAgents in the Flow of Work: From Signals to Action
3:30 PM PT to 4:00 PM PTWill It Hold Up in Court? Forensic Defensibility of Microsoft 365 Evidence
5:00 PM PT to 6:00 PM PTZero Trust for the Agentic Era: An Interactive Discussion for Securing AI

Thursday, August 6, 2026

TimeTitle
9:00 AM PT to 9:30 AM PTThe Future of Microsoft Security and How Communities Can Support You
10:00 AM PT to 10:15 AM PTQuantum Is Here: What Practitioners Must Do Now
11:00 AM PT to 12:00 PM PTThe Next Era of Cyber Defense: Clarity, Control, and Response at Scale
12:00 PM PT to 12:30 PM PTLessons from the Field: What to Do When You’re Under Attack
12:30 PM PT to 1:00 PM PTWhen Browsers Become Agents: The Emerging Security Risks of AI‑Powered Browsers
2:30 PM PT to 3:00 PM PTSocial Engineering Always Matters
3:00 PM PT to 3:30 PM PTAI Runs on Data: Securing the Foundation of AI Adoption

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Microsoft at Black Hat USA 2026: Defending trust in the age of AI and supply chain attacks appeared first on Microsoft Security Blog.

Read the whole story
alvinashcraft
42 minutes ago
reply
Pennsylvania, USA
Share this story
Delete

This Week in AI: A First for Agentic Ransomware

1 Share

Christina Stathopoulos, the data and AI evangelist behind Dare to Data, continued her run sorting the week’s most impactful stories into a handful of themes we’ve been watching play out over the past month: more firms investing in the compute AI runs on, more concerns about who controls a model’s borders, and more AI-generated code posing challenges to scaling AI enterprise-wide.

Christina also quickly shared two updates from the frontier labs that we won’t get into below. First, OpenAI finished rolling out GPT-5.6, its family of models tuned for different workloads with an option to dial reasoning up or down, and launched ChatGPT Work, an agent workspace that connects the model to Slack, calendars, documents, and other enterprise tools. Anthropic, meanwhile, published research describing a hidden internal workspace it’s calling the “J-space” that suggests that Claude organizes and manipulates ideas before producing a response. It isn’t proof of anything like consciousness, as Christina was quick to note, but it’s one of the clearer steps yet toward inspecting what a model is actually doing between input and output. That kind of visibility is critical for catching problems like deception or unsafe behavior before they show up in an answer.

More AI labs are turning into chip companies

Last week, Christina covered the opening moves in an AI hardware race, with research from IBM and NVIDIA and a joint OpenAI and Broadcom project. Now there’s news that Chinese company DeepSeek is developing its own inference chips to cut its dependence on NVIDIA and Huawei, and Anthropic is in early talks with Samsung to build a custom AI chip. And as we saw with IBM’s sub-1 nanometer tech, chips are getting denser. Researchers in South Korea have developed a manufacturing technique that stacks more than 10 ultrathin memory chips, packing about four times the density of today’s commercial high-bandwidth memory into the same footprint. The layers align within about six micrometers, roughly a tenth the width of a human hair. The short distances between layers mean the signal doesn’t have to travel as far, making the whole stack run faster and more efficiently.

For AI companies, owning more of the stack is a way to control the cost and performance of running models once they’re built. As chip access becomes a lever in trade and security policy, it’s also a way to circumvent obstructions related to a supplier’s roadmap or a rival’s export policy.

A new security threat underscores the broader geopolitical stakes

JADEPUFFER is the first documented ransomware attack in which an AI agent carried out the entire operation end to end. A human chose the target, then the agent took over, exploiting a known vulnerability, searching for passwords and API keys, moving into the production database, encrypting it, and even writing its own ransom note, all without a person directing each step. Security teams have been bracing for this kind of sophisticated AI-driven attacks. JADEPUFFER is likely the first of many.

That growing threat surface was one reason why AI security took up so much of the conversation at the recent NATO summit in Ankara, where leaders discussed how AI is reshaping cyberattacks, drone warfare, disinformation, supply chain risk, and the speed at which leaders are expected to make high-stakes decisions. Paralleling US restrictions on who can access domestic models, China may also be moving to limit overseas access to its own frontier systems, and Alibaba is banning US-made models for its own employees. We’ve been tracking this story since May, when the US government’s on-again, off-again restrictions on Anthropic’s Fable and Mythos models offered an early sign that frontier model access was becoming of national interest. Christina shared findings from Our World in Data that show just how much the market share of Chinese models has grown from a year ago: Per data from OpenRouter, Chinese model usage at US-based companies, measured in tokens, is approaching parity with US model usage. For technical leaders, that’s a reminder that model choice is now as much a supply chain decision as a technical one, and it’s increasingly one with geopolitical repercussions.

Two challenges to watch for as enterprises scale AI

Now that code is effortlessly simple to generate, the real engineering work is making sure that AI-created code is correct, secure, and safe to run in production. As many in the field are now realizing, that’s easier said than done. A recent study of nearly 200,000 pull requests across more than 800 developers found that AI nearly doubled coding productivity, and reviewers couldn’t keep pace. Each reviewer is now responsible for roughly twice as many pull requests as they were in the years before widespread AI adoption, and the share of pull requests getting human review fell from 89% to 68%, with automated reviews filling the gap. It’s part of the same story Matt Palmer told on the show a few weeks ago when he compared running a team of agents to managing a mid-size team of human developers: “You’re just sending messages all the time, and you’re checking in to make sure things are being done,” he explained. The increase in velocity sets up a real risk of cognitive fatigue and burnout.

Here’s another challenge enterprises are facing as they scale AI: They’re connecting more and more of their data, workflows, content, and business processes to a single AI provider. As we already learned in the data space, the more attached you become to that provider, the harder it is to switch down the line. The solution to this vendor lock-in is to build an AI stack and the workflows around it that keep you in control of your data and ensure you can swap models as the technology evolves. Enterprises that treat model choice as a one-time decision are setting up the same dependency problem that OpenAI’s GPT-5.6 and Anthropic’s chip talks are trying to avoid, just one layer up the stack.

Whats next

Christina will return next week with another sweep of AI news, including a first look at Apple’s lawsuit against OpenAI, New York’s pause on new hyperscale data centers, and a landmark ruling in Germany holding Google accountable for misinformation generated by AI Overviews, plus updates on DeepSeek’s IPO plans, OpenAI’s first AI hardware device, and Anthropic’s new enterprise deployment unit. Join her live on the O’Reilly learning platform or catch up after the fact on YouTube, Spotify, Apple, or wherever you get your podcasts.

And if you want to keep learning between episodes, check out our new weekly show Zero to Agent in 30 Minutes, our AI Codecon live event on August 31, and The Agentic Enterprise now in early release on O’Reilly. Christina’s also hosting the AI Superstream on AI harnesses next week on July 23. Hope to see you there for this four-hour deep dive on turning models into agents and running them securely at scale.



Read the whole story
alvinashcraft
42 minutes ago
reply
Pennsylvania, USA
Share this story
Delete

It May Take Longer to Review a PR Than It Takes to Write It

1 Share

Olena Babenko, Staff Software engineer at Aiven, cut straight to the uncomfortable truth in a recent interview I had with her in London.

The oversight model collapses the moment the person approving the output can no longer reliably tell whether it’s good, bad, or just convincingly wrong.

She pointed to a growing mismatch between how fast code is being generated and how slowly it is actually being checked.

AI is speeding up code creation, but review can’t keep up

Olena says she keeps running into the same cycle, that looks like this “a steady stream of announcements about how the newest model will change software engineering, followed almost weekly by another company unveiling its most powerful release yet”.

Then someone actually turns the model on and gives it a simple task, and it hallucinates, a lot.

She sees this happen often enough that the pattern itself has become the story. The industry isn’t there yet, she says, at least not in the systems she works with.

Photo: Marin Pavelić

The real problem, in her view, shows up one step later in the pipeline: engineers are spending less time writing code and more time reviewing it, and the incentive structures around that shift have not caught up.

Therefore, I asked her what that imbalance looks like:

We have an ability to generate code very, very fast, thousands of lines of code, and without thinking how people perceive that code, how readable it is, how good it is, how simple it is to understand, but code reviewing, scaling, and automation is not on that same level yet.

As a result, you can create a PR, and a person who actually reviews it took much more time to review it than you spent writing it. This means that the problem, at least according to Olena, is structural, not just technical:

The current system and a lot of managerial tools are made on KPIs, they are made on individual contributions of code writing, so if you look at the GitHub contributions or Jira tickets, they are praising writing code, finishing tasks, creating PRs, while the people who do the PR reviews, their jobs are not valued that much.

Add unusually verbose AI-generated code into that mix, and reviewing takes even longer than the writing did.

The review burden has always been there, but it’s getting worse

Olena is careful to point out this isn’t new. She says that a reviewer burden existed even before all this and AI is just amplifying this problem.

She describes a colleague’s experience at a previous company: engineers spending two weeks on an issue, then dropping a thousand-line PR on a reviewer who was, realistically, expected to just hit merge, not actually engage with the work.

Photo: Marin Pavelić

The fix, in her view, is not more automation but earlier communication, smaller PRs, and separating refactoring from actual logic changes, paired with management that treats reviewing as real work worth rewarding:

This is a question of management.

AI can make tests look good without actually making the code reliable

Olena also pointed to one of the first things AI tends to break in a codebase: unit tests. Writing them is boring, so people delegate it a lot, but AI can already game the system, making tests pass without making the code reliable.

By her account, models will patch internal implementations or hardcode expected outputs rather than genuinely verify behavior, leaving teams with high coverage numbers that protect against nothing – though the damage doesn’t show up right away.

They are not falling apart in one day. This is a process that’s eroding your system with a small step day by day until you realize that your new system is really unreliable, really something you’re not supposed to do in production.

By the time anyone notices, the damage started much earlier.

‘We are delegating too much thinking to AI’

Olena’s biggest long-term concern is skill erosion:

We’re delegating too much thinking to AI. But AI doesn’t become an expert just because we use it: it has no memory, it can’t really learn, and it can’t build experience. Humans can do that, at least for now. The problem is that we’re not really learning from the experience either, so our skills and critical thinking keep getting weaker.

That undercuts the standard reassurance that a human stays in the loop. “You might end up in a situation where you have a human in the loop, but those people do not have correct skills anymore”, Olena said.

A safety net only works if the person holding it still knows how to catch something.

Photo: Ivan Pelivanović

The post It May Take Longer to Review a PR Than It Takes to Write It appeared first on ShiftMag.

Read the whole story
alvinashcraft
43 minutes ago
reply
Pennsylvania, USA
Share this story
Delete

AI Red Teaming and Adversarial Testing – Building Enterprise AI Evaluation Frameworks (Part 6)

1 Share

In the previous article, we shifted our focus from prompt engineering to behavioral analysis. Rather than treating prompts as isolated interactions, we explored how experienced AI red teams develop hypotheses, construct prompt families, evaluate semantic consistency, and observe how conversational context influences large language model behavior. This represents a fundamental shift in perspective. AI red teaming is not about finding prompts that “work“; it is about understanding how and why an AI system reaches its decisions.

The next logical step is applying that methodology within an enterprise environment.

Most organizations are no longer experimenting with AI in isolation. They are deploying Microsoft 365 Copilot, custom copilots, Retrieval-Augmented Generation (RAG) solutions, AI-powered search assistants, customer support agents, developer assistants, and autonomous AI agents that interact with business systems. These solutions are connected to corporate data, governed by organizational policies, and increasingly involved in day-to-day business processes. As AI becomes more deeply integrated into enterprise environments, evaluating the model alone is no longer sufficient. The surrounding ecosystem becomes just as important as the language model itself.

Enterprise AI red teaming, therefore, expands its scope beyond the model to evaluate the complete AI solution, including identity, permissions, retrieval mechanisms, grounding data, plugins, APIs, business workflows, and governance controls. The objective is to determine whether the AI behaves safely, reliably, and consistently under realistic operating conditions while remaining aligned with organizational expectations.

Enterprise AI Is an Ecosystem

One of the biggest mistakes organizations make is treating enterprise AI as though it were simply a chatbot.

Modern AI solutions rarely consist of a standalone language model. Instead, they operate within a much larger architecture that may include Microsoft Graph, SharePoint Online, Microsoft Teams, Exchange Online, OneDrive, SQL databases, APIs, external knowledge repositories, custom plugins, workflow engines, and autonomous AI agents. Each component contributes information to the final response, and each introduces additional opportunities for unexpected behavior.

For example, Microsoft 365 Copilot does not contain copies of organizational documents. Instead, it retrieves information through Microsoft Graph while respecting the user’s existing permissions. A custom RAG solution may retrieve information from vector databases, SharePoint libraries, document repositories, or internal knowledge bases before providing that information to the language model. AI agents may go a step further by taking action, creating tickets, updating records, sending emails, or initiating workflows.

The attack surface therefore extends well beyond the model itself.

Professional AI red teams evaluate every stage of that process, asking questions such as:

  • Is the correct information being retrieved?
  • Are existing permission boundaries consistently respected?
  • Does the AI distinguish between retrieved facts and generated reasoning?
  • Are external data sources trustworthy?
  • Can retrieved content influence the model’s behavior?
  • Does the AI perform actions only when appropriate approvals are in place?

These questions are often more valuable than evaluating the language model in isolation.

Building Reusable Prompt Libraries

One hallmark of a mature AI red team is the development of reusable prompt libraries.

Rather than creating prompts from scratch for every assessment, experienced teams organize prompts into reusable categories aligned to specific testing objectives. This improves consistency, enables comparisons across multiple AI deployments, and allows organizations to evaluate how behavior changes over time as models, prompts, or business systems evolve.

A typical enterprise prompt library might include categories such as:

  • Authorization and permission boundaries.
  • Information disclosure.
  • Hallucination and unsupported reasoning.
  • Retrieval accuracy.
  • Role-based access.
  • Prompt injection resistance.
  • Context accumulation.
  • Business policy compliance.
  • AI agent decision-making.
  • Source attribution and grounding.

Each category contains numerous prompt families that evaluate different aspects of the same behavioral objective.

For example, an information disclosure library may contain prompts designed to evaluate executive information, HR records, financial data, customer information, supplier contracts, intellectual property, and project documentation. While each scenario differs, the underlying hypothesis remains consistent: Does the AI disclose only the information that the requesting user is authorized to access?

Over time, these libraries become invaluable organizational assets, allowing assessments to be repeated after model updates, policy changes, or new AI deployments.

Evaluating Retrieval-Augmented Generation (RAG)

Retrieval-Augmented Generation has become one of the most common enterprise AI architectures because it allows language models to answer questions using organizational knowledge rather than relying solely on their training data.

While this dramatically improves accuracy, it also introduces new areas that require evaluation. Professional AI red teams typically assess three distinct components of a RAG system.

The first is retrieval accuracy.

  • Does the system retrieve the correct documents?
  • Does it select the most authoritative information?
  • Does it ignore outdated or conflicting documentation?

The second is authorization.

  • Does retrieval consistently respect existing permission models?
  • Can users discover documents they cannot directly access?
  • Does metadata reveal the existence of restricted content?

The third is the grounding quality.

  • Does the AI clearly distinguish between retrieved information and generated reasoning?
  • Can users identify which statements originated from organizational documentation and which were inferred by the model?
  • A trustworthy RAG solution should demonstrate consistency across all three areas.

Evaluating Permission Boundaries

Identity remains one of the most important security controls in enterprise AI.

Unlike public AI services, enterprise assistants operate within existing authorization frameworks. Whether those permissions originate from Microsoft Entra ID, SharePoint Online, Microsoft Teams, SQL databases, or line-of-business applications, the AI should never become a shortcut around established access controls.

Professional AI red teams therefore evaluate permission boundaries from multiple perspectives. They assess how the AI responds when users request information they are clearly authorized to access. They then evaluate adjacent scenarios involving information from other departments, executive teams, confidential projects, archived documents, or restricted repositories. Importantly, the assessment is not limited to whether the AI refuses access.

It also evaluates whether the AI:

  • Reveals unnecessary metadata.
  • Confirms the existence of restricted documents.
  • Summarizes information from inaccessible sources.
  • Combines authorized and unauthorized information.
  • Leaks contextual clues through conversation history.

These observations often provide greater insight than a simple allow-or-deny decision.

Testing AI Agents

AI assistants generate responses. AI agents perform actions. That distinction fundamentally changes how red teaming should be performed. When evaluating AI agents, the objective expands beyond information disclosure to include decision-making, workflow execution, and operational safety.

Suppose an AI agent is responsible for processing equipment requests. The assessment should evaluate questions such as:

  • Can the agent distinguish between routine and exceptional requests?
  • Does it verify required approvals?
  • Does it execute actions outside delegated authority?
  • Does it explain why decisions were made?
  • Can conflicting instructions alter workflow behavior?
  • Does it correctly recover from incomplete information?

Unlike conversational AI, where the primary risk may be inaccurate responses, AI agents introduce the possibility of incorrect actions that affect business operations.

Testing requires observing both the reasoning process and the operational outcome.

Measuring Evidence Instead of Success

Many organizations ask a simple question after AI testing:

“Did the AI pass?”

Professional AI red teams rarely answer in those terms. Instead, they measure evidence. A finding should explain:

  • What behavior was evaluated?
  • Which hypothesis was tested?
  • Which prompt family was used?
  • What observations were recorded?
  • Why did the behavior occur?
  • What business risk exists?
  • What remediation is recommended?

This approach produces findings that remain valuable long after the individual prompts have been forgotten.

For example, a report stating that Prompt 17 bypassed the model provides limited value.

A finding stating that The AI inconsistently enforced authorization boundaries when executive reporting scenarios were introduced, allowing cumulative disclosure of project ownership information across extended conversations provides significantly more insight into the underlying behavioral issue.

Good AI red team reports explain behavior, not prompts.

Building Repeatable Assessments

Perhaps the greatest strength of structured AI red teaming is repeatability.

  • Enterprise AI systems evolve continuously.
  • Models change.
  • Knowledge bases expand.
  • Retrieval indexes are rebuilt.
  • Permissions change.
  • Prompts are updated.
  • AI agents gain new capabilities.

Every one of these changes has the potential to alter the behavior of the overall system. Rather than performing isolated assessments, mature organizations develop repeatable evaluation frameworks that can be executed whenever significant changes occur.

A typical lifecycle may include:

  1. Define behavioral hypotheses.
  2. Select relevant prompt families.
  3. Execute structured conversations.
  4. Record behavioral observations.
  5. Compare expected and observed outcomes.
  6. Assess business impact.
  7. Recommend remediation.
  8. Re-test after implementation.

This approach transforms AI red teaming from an occasional exercise into an ongoing component of AI governance.

Lessons Learned

Organizations often discover that the language model itself is not the primary source of risk. Instead, weaknesses frequently originate from surrounding systems, including excessive permissions, inconsistent governance, outdated documentation, poorly structured retrieval pipelines, or unclear business processes.

Similarly, many observed AI behaviors initially appear to be model failures, but are actually symptoms of incomplete or conflicting organizational data. If multiple versions of the same policy exist, the AI may retrieve conflicting information. If SharePoint permissions are overly permissive, the AI may faithfully retrieve information that users should arguably never have been able to access in the first place. If documentation lacks clear ownership or version control, even the most capable language model cannot consistently produce authoritative answers.

These findings reinforce an important lesson. AI red teaming is not solely an assessment of artificial intelligence. It is an assessment of the entire enterprise ecosystem that supports that intelligence.

Organizations that embrace this broader perspective gain significantly more value from their assessments because they improve not only the AI itself but also the quality of their governance, identity management, documentation, information architecture, and operational processes.

Conclusion

Throughout this series, we have explored AI red teaming from its foundational concepts through to practical enterprise evaluation methodologies. We have examined why adversarial testing is necessary, how AI differs from traditional software, how structured exercises are designed, how professional AI red teams think, and how enterprise AI systems should be evaluated in realistic business environments.

The common thread running through every article is that AI red teaming is fundamentally an evidence-driven discipline. It is not about proving that an AI system can fail, nor is it about searching for isolated prompts that produce unexpected responses. Instead, it is about building confidence that an AI system consistently reaches the right decision regardless of how users interact with it, what information it retrieves, or how its surrounding environment evolves.

As organizations continue adopting Microsoft 365 Copilot, custom AI assistants, Retrieval-Augmented Generation solutions, and autonomous AI agents, structured AI red teaming will become an increasingly important component of responsible AI governance. Those organizations that invest in repeatable, hypothesis-driven assessments will be far better positioned to identify weaknesses before they become incidents, strengthen trust in their AI deployments, and ensure that artificial intelligence remains aligned with both technical requirements and business expectations.

Ultimately, successful AI red teaming is not measured by the prompts written or the responses generated. It is measured by the confidence an organization gains in understanding how its AI systems behave, why they behave that way, and how they can be continually improved as AI becomes an integral part of the modern enterprise.

Read the whole story
alvinashcraft
44 minutes ago
reply
Pennsylvania, USA
Share this story
Delete

Hands-on AI Workshop

1 Share
From: Fritz's Tech Tips and Chatter
Duration: 0:00
Views: 204

Let's learn about vibe coding and adding AI features to our applications

Read the whole story
alvinashcraft
44 minutes ago
reply
Pennsylvania, USA
Share this story
Delete
Next Page of Stories