The API Heist
January 2026. Two Chrome extensions posing as AI assistants—one with Google’s “Featured” badge—had already exfiltrated conversation data from 900,000 users when researchers found them. The extensions scraped proprietary code, business strategies, and session identifiers from ChatGPT and DeepSeek sessions, sending batches to command-and-control servers every 30 minutes. Separately, China’s market regulator fined companies for running fake ChatGPT and DeepSeek services on WeChat, charging users for AI dialogues that were either non-functional or third-party imitations. And in corporate environments, IBM’s 2025 Cost of a Data Breach Report documented that shadow AI—unauthorized AI use inside organizations—raises breach costs by $670,000 on average, while 97% of organizations that experienced AI-related breaches lacked basic access controls. These are three separate attacks. Most security teams are not equipped for any of them.
ZeitShift Intelligence | February 2026
PROLOGUE: THE SHAPE OF A NEW THREAT SURFACE
Enterprise security was designed around a stable threat model: external attackers trying to get in, internal users trying to take things out, and a defined perimeter between the two. The controls—firewalls, DLP, endpoint detection, network monitoring—were built to enforce that perimeter.
AI broke the perimeter from inside.
When an employee opens a browser tab, navigates to ChatGPT, and pastes a strategy document to get a summary, no firewall fires, no DLP alert triggers, no endpoint agent logs the event. The data left the organization through a browser session to an approved-looking website, processed by a server the organization has no relationship with, potentially stored in ways the organization has no visibility into. The perimeter model has no category for this.
When that same browser tab is running a malicious Chrome extension that is also scraping the conversation and sending it to a separate server, the perimeter model has no category for this either. The extension has the same browser permissions as legitimate productivity tools. The exfiltration looks identical to normal analytics traffic.
When an AI provider’s API is being systematically queried by a competitor using the outputs to train a rival model, the API logs show normal traffic. No intrusion detection signature applies. The terms of service may be violated but no technical control enforces them.
Three attack surfaces. Three different mechanisms. Three different victims. One missing framework.
PART I — THE CONSUMER LAYER: FAKE AI SERVICES
The Chrome Extension Campaign
On January 7, 2026, OX Security researchers published findings on two Chrome extensions that had accumulated a combined 900,000 users by impersonating a legitimate AI sidebar tool called AITOPIA.
The extensions—“Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI” (600,000+ users) and “AI Sidebar with Deepseek, ChatGPT, Claude and more” (300,000+ users)—replicated AITOPIA’s interface for chatting with large language models. One had earned Google’s “Featured” badge, the Chrome Web Store’s signal of trustworthiness. Both had been available for months.
The technical mechanism was precise. The extensions monitored browser tabs through the chrome.tabs.onUpdated API, generating a unique identifier per user session. When they detected chatgpt.com or deepseek.com URLs, they scraped DOM elements capturing prompts, responses, and session IDs. Data was stored locally, Base64-encoded, and transmitted in batches to command-and-control servers—deepaichats.com, chatsaigpt.com—every 30 minutes.
What was stolen: complete conversation content from ChatGPT and DeepSeek sessions, including proprietary code, business strategies, personally identifiable information, search queries, and internal URLs. Additionally, full browser history across all tabs—not just AI sessions—capturing organizational structure, tools in use, authentication patterns, and behavioral data useful for targeted phishing.
The attack’s architecture exploited three assumptions simultaneously: that Google’s review process catches malicious extensions (it didn’t), that “Featured” status signals safety (it didn’t), and that AI conversation data is protected by the AI provider’s privacy policies (it wasn’t—the extension operated at the browser layer, before data reached the provider’s server). As of the disclosure date, both extensions remained downloadable.
Dark Reading’s analysis of the campaign noted the attack surface’s novelty: “The privacy of LLMs and LLM-powered applications remains a growing concern for organizations as threat actors continue to find ways to exploit these attack surfaces. This is doubly a concern as organizations rely on LLMs for tasks like proprietary code development and drafting sensitive documents.”
The attack’s success was not primarily technical. It was social: users’ trust in the AI productivity category, amplified by Google’s badge, overcame the security skepticism they might have applied to other software installs.
The Fake Service Economy
Simultaneously, China’s State Administration for Market Regulation fined multiple companies for operating fraudulent AI services posing as ChatGPT and DeepSeek.
Shanghai Shangyun Internet Technology was fined 62,692.70 yuan ($9,034) for running a fake ChatGPT service on WeChat, explicitly marketing it as “the official Chinese version of OpenAI’s ChatGPT” and charging users for AI dialogues. The regulator’s statement was specific: “The company was fully aware of the industry status and influence of OpenAI’s ChatGPT. They deliberately created a false impression that they are providing the official service to mislead users into making purchases.”
Hangzhou Boheng Culture Media was fined 30,000 yuan for an unauthorized website offering “DeepSeek local deployment,” replicating DeepSeek’s fonts, icons, and layout to convince users they were accessing an official local service.
These cases are the visible tip of a documented pattern. The SAMR noted that a wave of DeepSeek mini-programs and websites imitating the original platform appeared in early 2025, following DeepSeek’s App Store dominance. The fines suggest enforcement began only after the market had already been populated with fraudulent services for months.
The economic logic of the fake service ecosystem is straightforward: AI brand recognition has outpaced AI security awareness. Users who would apply skepticism to a generic software download apply less skepticism to an AI tool that accurately replicates the interface of a service they know and trust. The attack surface expands proportionally to AI adoption rates, which in 2025 expanded very quickly.
The Prompt Injection Frontier
The Chrome extension campaign and fake service economy represent known attack patterns—social engineering dressed in AI branding. Prompt injection is architecturally different and less understood.
Indirect prompt injection exploits the AI assistant’s role as a context-aggregating agent. When an AI browser assistant reads a web page to summarize it, it processes the page’s content—including any text the page contains. If that text includes instructions formatted as commands to the AI, the model may execute them.
Researchers demonstrated a specific case: a hidden prompt embedded in a Reddit comment forced an AI assistant to disclose private information, perform unauthorized actions across other websites, and trigger navigation and data extraction workflows. The attacker exploited no browser vulnerability. The AI simply followed a malicious instruction embedded in content it was asked to process.
The Hacker News analysis identified the structural issue: “A compromised or malicious AI extension can exfiltrate corporate data, automate unauthorized actions, or leak sensitive workflows invisibly. And because this activity occurs inside the browser runtime, legacy security tools cannot observe or block it.”
This attack vector scales with AI capability. As AI assistants are given broader permissions—access to email, calendar, documents, corporate systems—the potential damage from a successful prompt injection grows proportionally. The attack surface is not a vulnerability in the AI system; it is a feature of how AI systems are designed to follow instructions from their context.
PART II — THE ENTERPRISE LAYER: SHADOW AI
The Governance Gap
IBM’s 2025 Cost of a Data Breach Report documents that shadow AI raises breach costs by $670,000 on average, against a global average of $4.44 million and US average of $10.22 million per breach. Only 37% of firms have detection policies for shadow AI. And 97% of organizations that experienced AI-related breaches lacked basic access controls.
These numbers exist because shadow AI has a structural cause that security tools cannot address: employees adopt AI tools for the same reason they adopt any productivity tool—they work. The gap between what the tool enables and what the organization has sanctioned is, in most enterprises, very large.
78% of AI users bring their own tools to work, and 52% are reluctant to admit using it. 68% of enterprise employees who use generative AI at work access publicly available GenAI assistants through personal accounts, and more than half admitted to entering sensitive company information into these public tools.
A survey of over 12,000 white-collar employees found that 60.2% had used AI tools at work, but only 18.5% were aware of any official company policy regarding AI use. The compliance gap is not primarily behavioral—it is informational. Employees using shadow AI are largely not aware they’re violating policy, because most organizations have not communicated policy clearly enough for employees to know what is and isn’t authorized.
The data leakage that results is not malicious. Palo Alto Networks’ analysis is precise about this: “Shadow AI happens when employees adopt generative AI tools on their own—without IT oversight or approval… In most cases, the intent isn’t malicious. It’s about getting work done faster.” The marketing manager pasting customer demographic data into ChatGPT to improve ad copy is not trying to leak competitive intelligence. She is trying to do her job better. The data exposure is a side effect of legitimate productivity behavior.
The Anatomy of a Shadow AI Breach
The Salesloft-Drift OAuth supply chain attack of 2025 illustrates how shadow AI creates breach blast radius far beyond the initial exposure point.
The biggest SaaS breach of 2025 started with a compromised third-party app. Attackers exploited Salesloft-Drift OAuth tokens, granting them access to hundreds of downstream environments. The blast radius was 10x greater than previous incidents where attackers infiltrated Salesforce directly.
The OAuth token attack vector is the specific mechanism that makes shadow AI a supply chain problem, not just a data leakage problem. When employees connect AI tools to corporate SaaS environments—“allow ChatGPT to access your Google Drive,” “connect this AI assistant to your Slack”—they create OAuth grants that give third-party services persistent access to corporate systems. If the AI tool is compromised (by a supply chain attack, by a malicious extension, or by the service provider itself), that OAuth grant becomes an attack path into the organization’s entire SaaS ecosystem.
Shadow AI breaches took longer to detect than average—247 days compared to the 241-day average for all breach types—and disproportionately affected customer PII at 65% and intellectual property at 40%. The extended detection time reflects a structural problem: shadow AI operates outside the logging and monitoring infrastructure that security teams rely on. There is no audit trail for a conversation that happened in a personal ChatGPT account. There is no alert when an employee connects an unauthorized AI tool to their corporate Google Workspace. Traditional security tools have no visibility into these events.
What most teams miss: this is not malware, and it is not phishing. It is an OAuth-connected, workplace-integrated AI moving laterally without triggering alerts. Employees are not trying to expose the organization. The models they use simply do not know what should be obvious.
The Model Drift Problem
Beyond immediate breach risk, shadow AI introduces a slower and harder-to-detect problem: model drift affecting AI-assisted decisions.
A 2025 study found that model drift affects both predictive models and LLMs used in decision-making, with some use cases experiencing performance decay three times faster than stable domains. Foundation model drift is domain-specific. When employees use publicly available AI tools for decisions—financial analysis, legal interpretation, medical triage, strategic planning—they are using models that may be updated, fine-tuned, or modified by the provider without notice. The model that provided accurate outputs in January may provide different outputs in June with no visible change to the employee.
Organizations with formal AI governance have audit trails for this. They track which model version was used for which decision, maintain logs of inputs and outputs, and have processes for detecting when model behavior has changed. Organizations relying on shadow AI have none of this. If a strategic decision is later challenged, there is no record of what AI was used, which version, with what prompt, or what the output was.
The compliance implication is specific. The 2025 HAI AI Index report cited 233 documented AI-related incidents in 2024 where governance failures, including unauthorized AI use, resulted in data exposure, compliance issues, or biased outputs. The EU AI Act, which came into full enforcement in 2025 for high-risk AI applications, requires organizations to maintain documentation of AI systems used in regulated decisions. Shadow AI, by definition, is undocumented.
PART III — THE MODEL LAYER: DISTILLATION AND API EXPLOITATION
The Distillation Allegation
In January 2025, OpenAI formally alleged to US lawmakers that DeepSeek had used “distillation”—systematically querying ChatGPT’s API to generate high-quality training data, then using that data to train a rival model—to build its R1 reasoning system.
The technical claim is specific: OpenAI’s internal teams identified anomalous API usage patterns consistent with systematic distillation querying. Microsoft, which operates the Azure infrastructure that powers ChatGPT’s API, flagged unusual activity and notified OpenAI. The allegation was that DeepSeek made large volumes of API calls optimized not for normal user tasks but for generating training signal—complex prompts designed to elicit the kinds of high-quality reasoning outputs useful for training a model to replicate those capabilities.
Whether the allegation is accurate is contested. OpenAI acknowledged it “couldn’t give Financial Times any evidence to back up the claim” and that it’s “impossible for any company to make a direct copy of ChatGPT.” The claim that identical error patterns prove distillation is statistically provocative but not conclusive—similar training data could produce similar error signatures independently.
What is not contested: the distillation technique itself is real, widely used in AI development, and not technically prevented by existing API access controls. Any organization with API access to a frontier AI model can query it systematically to generate training data. The terms of service prohibit using API outputs for training competing models. The technical controls do not enforce this prohibition.
The strategic implication extends beyond the specific OpenAI-DeepSeek allegation. If systematic API querying for distillation purposes is undetectable by current API monitoring and unpreventable by current access controls, then every frontier AI provider’s API is simultaneously their product and a potential training resource for competitors. The value locked in a frontier model’s reasoning capabilities is not fully contained by the model’s weights—it is accessible through its outputs to anyone with API access.
OpenClaw and the Agent Attack Surface
OpenClaw, the viral open-source AI agent with over 135,000 GitHub stars, triggered the first major AI agent security crisis of 2026 with multiple critical vulnerabilities, malicious marketplace exploits, and over 21,000 exposed instances. When employees connect these autonomous agents to corporate systems like Slack and Google Workspace, they create shadow AI with elevated privileges that traditional security tools can’t detect.
AI agents represent the next evolution of the shadow AI threat surface. Unlike a chatbot that responds to individual prompts, an agent can take sequences of actions—reading files, sending emails, making API calls, executing code—autonomously. When an employee installs an AI agent and connects it to corporate systems, they are creating an automated process with persistent access, operating outside IT governance, capable of multi-step actions that traditional monitoring cannot fully track.
The OpenClaw incident illustrated the specific risk: marketplace extensions for AI agents—analogous to Chrome extensions for browsers—can be malicious. The agent framework’s trust model assumes marketplace content is safe. When it isn’t, the agent’s elevated system access becomes the attacker’s access. The blast radius of a compromised AI agent is proportional to the permissions that agent has been granted—which, in practice, are often extensive because agents need access to be useful.
The API Key Economy
Parallel to the distillation allegation is a simpler and more pervasive problem: API key theft and unauthorized API resale.
AI API keys are credentials that authorize billing to a specific account. An organization that embeds API keys in client-side code, mobile applications, or public repositories inadvertently exposes them to anyone who looks. Exposed keys are systematically harvested by automated scanners that monitor public code repositories, mobile app packages, and network traffic.
The harvested keys are used in two ways: direct consumption (running API calls against the victim’s billing account until the key is revoked or the budget is exhausted) and resale (selling key access to third parties through underground markets that provide “cheap AI API access”). The victim discovers the problem when their API bill arrives, typically after days or weeks of unauthorized usage.
GitHub’s ecosystem has documented this problem extensively. GitGuardian’s 2025 analysis found that GitHub Copilot can reproduce secrets learned from public code repositories. The same pipeline that exposes API keys also exposes other credentials—database passwords, authentication tokens, private keys—but AI API keys have become a particularly targeted category because they represent a direct cash value: compute time on expensive infrastructure, resalable to anyone who wants to run AI workloads without paying for them.
The enterprise scale of this problem is underappreciated. Large organizations with many developers may have API keys scattered across dozens of repositories, CI/CD pipelines, internal tools, and third-party integrations. A security audit that finds and rotates all exposed API keys is a significant effort. An organization that has not conducted such an audit is likely operating with exposed keys they don’t know about.
PART IV — WHAT CISOS ARE MISSING
The Framework Mismatch
The CISO’s standard toolkit—SIEM for log aggregation, DLP for data loss prevention, endpoint detection and response for device-level threats, network monitoring for traffic analysis—was designed for a threat model where data moves through detectable channels and attackers exploit technical vulnerabilities.
Shadow AI subverts this framework at every layer:
No logs: A conversation in a personal ChatGPT account generates no enterprise log. An OAuth grant created by an employee connecting an AI tool to Google Drive appears in Google’s audit logs, but only if someone is looking for it.
No signatures: Shadow AI is not malware. It doesn’t match intrusion detection signatures. The browser extension that exfiltrates AI conversations is designed to look like analytics traffic because it uses the same consent language real analytics tools use.
No perimeter: The employee connecting their corporate Google account to an AI tool is doing so through a browser on a corporate device, through a corporate network, and the connection looks identical to any other authorized SaaS integration.
No baseline: To detect anomalous AI usage, security teams need a baseline of authorized AI usage. Most organizations don’t have one because they haven’t inventoried their AI footprint.
97% of organizations that experienced AI-related breaches lacked basic access controls. This is not because CISOs are unaware of AI risks. It is because the controls that would address AI risks are not yet standard in enterprise security stacks, and the frameworks for thinking about AI security are still being developed.
The Three Controls That Matter
The security vendors have converged on three distinct technical capabilities that address the shadow AI threat surface:
Discovery and inventory: Comprehensive scanning of the enterprise environment—cloud, SaaS, endpoints, browser—to identify AI tools in use, authorized and unauthorized. This requires different tooling than traditional asset discovery because AI tools often operate at the application layer (browser extensions, SaaS integrations, API calls) rather than the network layer. Several vendors have built purpose-specific discovery platforms; CloudSphere’s Illuminate360, Obsidian Security, and Reco are notable examples.
OAuth and API access governance: Systematic auditing and management of OAuth grants from corporate accounts to third-party services, including AI tools. This requires identifying all existing OAuth grants (many are legacy, forgotten, and excessive), assessing the risk of each grant based on scope and service reputation, and implementing ongoing monitoring for new grants. The Salesloft-Drift attack demonstrated that the blast radius of a compromised OAuth grant can be catastrophic.
Browser-layer monitoring: Security controls that operate inside the browser runtime to detect shadow AI usage, monitor data flows to AI tools, and enforce policies at the point where data leaves the organization. This is structurally different from network monitoring because browser-layer AI usage often bypasses network-level controls through encrypted connections to approved-looking destinations.
The Policy Infrastructure Gap
Technical controls address the technical attack surface. The behavioral attack surface—employees using shadow AI because they don’t know they shouldn’t, or because the approved alternatives are insufficient—requires a different response.
Only 23% of organizations currently require staff to be trained on approved AI usage. 60.2% of employees had used AI tools at work, but only 18.5% were aware of any official company policy regarding AI use. The gap between AI adoption rates and AI policy awareness is not primarily a communication failure—it is a policy development failure. Most organizations have not developed comprehensive AI use policies because the regulatory and legal frameworks around AI use were still being established when AI adoption began.
The EU AI Act’s 2025 enforcement for high-risk applications, the FTC’s increasing attention to AI-related unfair practices, HIPAA guidance on AI use with protected health information, and SEC requirements for AI disclosure in financial services are creating a compliance landscape where AI governance is increasingly mandatory rather than optional. Organizations that have not developed formal AI policies are accumulating regulatory exposure in addition to security exposure.
The practical minimum policy framework for an enterprise in 2026 covers: an inventory of authorized AI tools with explicit approval status, data classification rules specifying what categories of data may be used with which AI tools, prohibition on using personal AI accounts for work purposes (with an explanation of why), a process for employees to request authorization for new AI tools (with a commitment to respond within a defined timeframe), and logging requirements for AI usage in regulated contexts.
This framework is not technically complex. It requires organizational will and cross-functional coordination among IT, legal, compliance, and business leadership. The gap is not technical capability but governance attention.
CONCLUDING FRAMEWORK
The “API Heist” framing captures something real: corporate value is being extracted through AI interfaces without authorization, at scale, through multiple mechanisms simultaneously. But the mechanisms are distinct enough that treating them as a single threat leads to misallocated security resources.
The fake service economy (Chrome extensions, fraudulent chatbot platforms) is a social engineering problem that requires consumer-level security hygiene: browser extension policies, awareness training, and technical controls on which extensions can be installed on corporate devices.
The shadow AI problem is an organizational governance problem that requires policy development, discovery tooling, and behavioral change. The technical controls exist; the organizational will to deploy them and the policy infrastructure to make them meaningful are still developing.
The model distillation and API key theft problem is a provider-level security problem that individual organizations can address only partially—through API key hygiene and access controls—but that ultimately requires frontier AI providers to implement more sophisticated usage monitoring and access controls.
The common thread: AI’s productivity advantages have driven adoption faster than security frameworks can track. The attack surface expanded before the defenses were designed. This is not a failure of security teams—it is the predictable consequence of a technology that became mainstream in 18 months rather than 18 years.
The key numbers:
| Metric | Figure |
|---|---|
| Shadow AI breach cost premium | +$670,000 per breach (IBM 2025) |
| Global average breach cost | $4.44M (US: $10.22M) |
| Organizations lacking AI access controls (breached) | 97% |
| Employees using unauthorized AI at work | 78% |
| Employees aware of company AI policy | 18.5% |
| Shadow AI breach detection time vs average | 247 days vs 241 days |
| Customer PII exposed in shadow AI breaches | 65% |
| IP exposed in shadow AI breaches | 40% |
| Chrome extension campaign victims | 900,000+ |
| Sensitive data in AI prompts (March 2024) | 27.4% (up from 10.7%) |
| Organizations with GenAI detection policies | 37% |
| Documented AI incidents from governance failures (2024) | 233 |
| OpenClaw exposed instances | 21,000+ |
The trajectory is clear: AI adoption will continue to expand faster than organizational governance can track it. The attack surface will grow proportionally. The security frameworks designed for the pre-AI enterprise were not designed for this threat model.
CISOs who understand this are not waiting for a breach to demonstrate the gap. They are mapping their AI footprint, auditing OAuth grants, building browser-layer controls, and developing the policy infrastructure that makes technical controls meaningful.
The rest are discovering the problem through their next breach report.
ZeitShift Intelligence February 2026
Security series — enterprise AI risk