Data Breach Today
Why AI and Traditional Penetration Testing Must Converge

As artificial intelligence red teaming evolves beyond prompt injection, security teams must combine data science, model testing and traditional penetration testing to assess risks across the full attack surface.
AI Red Teaming Is Not Equal to Prompt Injection
Rajiv Bahl • April 27, 2026
Artificial intelligence red teamers and classical pen testers can be likened to two painters. The former has access to an entirely new palette of colors, while the latter relies on a conventional palette that lacks these additions. On their own, neither fully meets the demands of the present threat landscape.
AI red teaming gained traction when prompts became easily accessible. As more security professionals started experimenting with prompt injection in their environments - to evaluate risk and assess security posture - attacks such as "do-anything-now," or DAN, anti-DAN, "strive-to-avoid-norms," DUDE, and Mongo Tom became commonplace.
Techniques including storytelling, role play, context switching, and text transformations, such as ROT13 and Pig Latin, also proliferated. The barrier to entry was relatively low, given the abundance of publicly available knowledge. Prompt injection also became a focal point of attention.
But prompt injection is just one technique. When mapped onto an industry-standard framework such as Google's Secure AI Framework, it primarily targets the model layer. Attacks across other layers are equally critical. For example, label flipping and clean-label attacks affect the data layer, output manipulation and model reverse engineering target the model layer, and vulnerabilities in the MCP server fall within the application and systems layer.
Most of these attacks, along with AI evasion attacks such as FGSM and DeepFool, require a solid grounding in data science. Executing them effectively demands not only launching the attack but also monitoring model accuracy throughout. Data science is an essential addition to the modern tester's skill set. Classical pen testers need to add these capabilities to their repertoire.
When it comes to MCP server attacks, strong traditional web application security skills are indispensable. Testing the MCP server for vulnerabilities, such as SQL injection, cross-site scripting or server-side request forgery, requires classical penetration testing expertise. Even identifying MCP endpoints, associated application programming interfaces and available resources, such as resource templates and tools, often requires strong foundational knowledge of traditional web security. AI red teamers must also expand their palette to include classical pen testing.
We need to realize that attackers are not constrained to AI-specific pathways. They will pursue any means that enable initial access, facilitate lateral movement and compromise the crown jewels. A robust security posture evaluation, therefore, requires a blend of both classical penetration testing and AI red teaming skills.
A comprehensive and effective assessment demands this blended approach. After all, attackers are not fixated on using AI alone, nor are they necessarily seeking the most sophisticated entry point. They will simply choose the path that delivers the fastest and most monetizable outcome.