Mandiant Warns of Security Risks in Serverless AI Functions

Mandiant Warns of Security Risks in Serverless AI Functions

The rapid proliferation of unauthenticated serverless functions used for generative AI chatbots has created a massive, often invisible attack surface that threatens the very core of modern cloud infrastructure. This trend is driven by the immediate need for businesses to deploy customer-facing tools without the overhead of traditional server management. However, this shift often leaves critical security protocols as an afterthought, allowing vulnerabilities to persist in production environments where they are most vulnerable to exploitation.

Because these functions are often ephemeral and designed for a specific task, developers may mistakenly assume they are isolated from the broader network. In reality, a single unauthenticated function can serve as a pivot point for a sophisticated adversary. The research highlights how easily application-level flaws can be transformed into infrastructure-wide breaches, especially when these functions are granted overly broad permissions to interact with sensitive internal datasets.

The Core Challenge: Exposed Serverless AI Workflows

The current landscape of cloud development is defined by a heavy reliance on “vibe coding” and low-code solutions that prioritize deployment speed over architectural rigor. This preference often leads to the creation of public-facing endpoints that lack robust authentication or input validation. Attackers recognize these exposed workflows as the weakest link in the chain, targeting them to bypass traditional firewalls that were never designed to inspect granular serverless traffic.

Once a function is compromised, the primary danger shifts from simple data theft to deeper environment penetration. Security teams struggle to monitor these transient environments because they lack the persistent logging and visibility found in traditional virtual machines. This lack of visibility creates a “blind spot” that threat actors exploit to maintain long-term access while remaining undetected by standard security information and event management systems.

Evolution and Importance of Serverless Architecture in the AI Era

Serverless computing has become the backbone of the generative AI boom, offering the agility needed to manage the high computational costs and unpredictable demand of modern models. These functions allow organizations to scale their AI capabilities instantly without worrying about the underlying hardware. As AI integration moves from experimental stages to core business operations, the volume of these serverless calls has reached unprecedented levels, making their security a strategic priority.

The shift toward serverless also represents a departure from the traditional perimeter-based defense models of the past. In an AI-native environment, data flows across multiple ephemeral instances, each of which must be secured individually. This evolution requires a more granular approach to identity and access management, where every function is treated as a potential entry point that must be strictly isolated from the internal network and sensitive administrative controls.

Research Methodology, Findings, and Implications

Methodology

The investigative process involved a systematic analysis of common serverless deployment patterns to identify systemic weaknesses in cloud-native configurations. Researchers simulated a series of remote code execution attacks against various function-as-a-service providers to determine the viability of lateral movement. This approach focused on the interaction between application code and the cloud metadata service, which is often the source of highly privileged service account tokens.

The team also evaluated the effectiveness of existing network hardening techniques, such as internal-only ingress rules and web application firewalls. By testing these defenses against modern exploit chains, the study provided a comprehensive look at where current protections fail. The research concluded with a deep dive into the risks associated with AI-generated software, specifically looking for vulnerabilities introduced by automated coding assistants.

Findings

The study revealed that local and remote file inclusion vulnerabilities remain alarmingly prevalent in serverless environments. These flaws allow an attacker to read local configuration files or execute malicious scripts directly within the function’s execution context. A significant discovery was the speed at which threat actors could pivot from an initial exploit to the exfiltration of bearer tokens from the metadata server, often completing the process in less than a minute.

Furthermore, researchers found that many serverless functions contained hardcoded secrets or were configured with excessive Identity and Access Management permissions. These misconfigurations allowed attackers to move laterally across the cloud environment, gaining access to storage buckets and databases that should have been unreachable. The research underscored that the ephemeral nature of these functions does not protect against persistent identity-based attacks.

Implications

The results indicate that a fundamental shift toward a defense-in-depth strategy is necessary to protect cloud-native AI workflows. Organizations must implement strict isolation policies, ensuring that public-facing services are hosted in dedicated projects with no direct access to the internal production network. Utilizing Layer 7 Load Balancers equipped with Web Application Firewalls is essential for scrubbing malicious traffic before it reaches the serverless function.

Moreover, the prevalence of vulnerabilities in AI-generated code necessitates a move toward a Secure Software Development Lifecycle that incorporates mandatory human review. Automated security scanning must be integrated directly into the CI/CD pipeline to catch common injection flaws before they reach production. Enforcing the principle of least privilege for every service account is no longer a best practice but a requirement for maintaining environmental integrity.

Reflection and Future Directions

Reflection

The analysis of current cloud security trends indicated that the tension between rapid innovation and rigorous control remained the greatest obstacle for security teams. While serverless functions offered incredible flexibility, their implementation frequently bypassed the manual security reviews that once protected the corporate perimeter. The data suggested that the velocity of cloud-native development had simply outpaced the ability of traditional security operations to keep up with the emerging threat landscape.

Past incidents involving serverless exploits highlighted the fact that many organizations lacked the automated response capabilities needed to stop a breach in its tracks. The research reflected a growing consensus that manual intervention was becoming an obsolete strategy for defending against automated scripts. It became clear that the security community needed to rethink how identity and network isolation are handled in a world of ephemeral compute.

Future Directions

Researchers suggested that the next phase of cloud security would likely involve the widespread integration of agentic AI within defensive operations. These systems would be capable of correlating signals across different cloud services and responding to threats at the same speed as the attacks themselves. Developing standardized, security-hardened sandbox environments for experimental AI projects was seen as a critical step in preventing future breaches.

Future explorations will need to focus on the long-term implications of low-code AI development and the security of third-party plugin ecosystems. There is a pressing need for better cross-cloud standards that define how metadata servers should handle credential requests from ephemeral functions. Strengthening these foundational elements will be essential as the complexity and scale of AI-native cloud environments continue to grow.

Building a Secure Foundation for AI-Native Cloud Environments

The investigation concluded that serverless functions, though essential for modern AI scalability, introduced a new class of risks that demanded immediate attention. Organizations successfully mitigated these threats by adopting proactive isolation strategies and strictly limiting the data egress from their cloud functions. By prioritizing identity-centric security and utilizing automated network controls, these businesses were able to leverage the power of generative AI without exposing their entire infrastructure to catastrophic failure.

Ultimately, the security of the cloud environment was found to be dependent on the maturity of the underlying software development lifecycle and the rigor of access policies. The transition to AI-native architectures required a commitment to continuous monitoring and the adoption of advanced defensive technologies. As the threat landscape evolved, the businesses that maintained the highest levels of digital trust were those that treated security as an integral part of the innovation process rather than a final checklist item.

Subscribe to our weekly news digest.

Join now and become a part of our fast-growing community.

Invalid Email Address
Thanks for Subscribing!
We'll be sending you our best soon!
Something went wrong, please try again later