launchsolo.ai
AI Security & Hardening Engineer

The AI wrote the code. It did not check who can read it.

AI-generated and vibe-coded systems ship in days - and leak just as fast. Exposed keys, endpoints with no auth, prompt injection, a missing permission check. I find the holes before an attacker does, and deliver them in a written audit before you pay for a single fix.

Get my free teardown →
exposed secrets · unauthenticated endpoints · prompt injection · permission gaps
The benefit, before anything else

You see the holes on paper. Not in a breach notice.

Code that an AI wrote in an afternoon can ship a leaked key, an open endpoint, and a missing permission check all at once - and you find out when a customer's data is already gone. I turn that invisible risk into a written list of exactly what is exposed, ranked by what an attacker reaches first, before any of it costs you a disclosure.

What the audit surfaces: exposed API key · endpoint with no auth · prompt injection path · missing permission check
What this work actually is

Turning "it works" into "it is safe to ship."

Security hardening for AI-built systems is the review that an AI writing code at speed never does for itself: who can reach this, who can read this, and what happens when someone feeds it something hostile.

Where this gets deployed in the real world

The same holes, in rooms where a leak is the headline.

Any team that shipped something fast with AI is carrying the same unseen risk: code nobody security-reviewed, now holding real customer data. The more sensitive the data, the louder the failure when a hole goes unfound.

Startups & SaaS

The MVP that shipped in a weekend

A founder vibe-codes a product to launch fast, and the same speed that won the demo left a key in the bundle and an endpoint wide open. An audit finds it while the user count is still small enough to fix quietly.

Healthcare & finance

The system that holds records it must not leak

A team builds an AI tool over patient or financial data where a single exposed record is a reportable breach. Access-control and injection review is what stands between "shipped" and a disclosure letter.

Public sector & NGOs

The service trusted with citizens' data

An agency or nonprofit puts an AI service in front of the public, holding data people had no choice but to hand over. A pre-launch hardening pass is how that trust survives contact with a real attacker.

The frontier most reviews still miss

The new hole is not in the code. It is in what the AI reads.

Classic security asks who can reach your endpoint. Agentic AI opens a hole that did not exist two years ago: the model reads outside text - an email, a support ticket, a web page, a PDF a customer uploaded - and a hostile instruction hidden inside it becomes a command the agent obeys. The agent was never hacked. It was simply told what to do by the wrong person, and it could not tell the difference.

1. Access to private data

The agent can read your records, your customer data, your internal files - the things worth stealing.

2. Exposure to untrusted text

It also reads content you did not write - inbound email, tickets, web pages, uploaded documents - where an attacker can hide instructions.

3. A way to send data out

And it can act outward - send a message, call an API, write to a webhook - which is the exit route stolen data leaves through.

When one agent has all three at once, a single poisoned input can read your data and ship it out - no breach of your code required. This pattern has a name in current security research - the "lethal trifecta" - and it is the exact failure mode that almost nobody reviewing AI builds for small and mid-size teams is actually checking for yet. I check for it, and I design the agent so it can never hold all three powers over the same untrusted input - the only durable fix, because no prompt filter catches every disguised instruction.
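One way to make the "never all three over the same untrusted input" rule concrete is a per-session gate in the agent's tool loop, shown here as an added example that is not code from this page. The tool names, the capability flags on each tool, and the session shape are assumptions chosen for illustration.

```javascript
// Added example (not from the page); tool names and capability flags are assumptions.
// Each tool declares which of the three powers it exercises. A tool whose
// arguments leave your boundary (a URL to fetch, a webhook body) counts as
// sendsOut even though it "only reads": an attacker-chosen URL is an exit route.
const TOOLS = {
  fetch_inbound_email:   { untrustedInput: true },
  read_customer_records: { privateData: true },
  post_webhook:          { sendsOut: true },
  fetch_url:             { untrustedInput: true, sendsOut: true },
  summarize:             {},
};

function newSession() {
  return { touchedUntrusted: false, readPrivate: false, calls: [] };
}

// Rule: once untrusted text and private data are both in the agent's context,
// no tool that sends anything out may run. Reads alone leak nothing, so the
// outbound action is the power that gets refused, whatever order the other two arrived in.
function authorize(session, toolName) {
  const tool = TOOLS[toolName];
  if (!tool) return { allowed: false, reason: "unknown tool: " + toolName };
  if (tool.sendsOut && session.touchedUntrusted && session.readPrivate) {
    return { allowed: false, reason: "trifecta: untrusted input and private data in context; outbound refused" };
  }
  return { allowed: true, reason: "ok" };
}

// Runs `run` (the real tool) only if the gate allows it, then records which
// powers the session now holds. A refused call never reaches the tool.
function invoke(session, toolName, run) {
  const verdict = authorize(session, toolName);
  session.calls.push({ toolName, allowed: verdict.allowed });
  if (!verdict.allowed) return verdict;
  const tool = TOOLS[toolName];
  if (tool.untrustedInput) session.touchedUntrusted = true;
  if (tool.privateData) session.readPrivate = true;
  return { allowed: true, reason: "ok", result: run() };
}

// Constructed walk-through: inbound mail is read, then records, then the
// outbound webhook that completes the trifecta is refused.
const demo = newSession();
invoke(demo, "fetch_inbound_email", () => "constructed inbound email body");
invoke(demo, "read_customer_records", () => ["order-1", "order-2"]);
console.log(invoke(demo, "post_webhook", () => "sent").reason);
```

The gate is deliberately order-independent: private data first and untrusted text second still blocks the next outbound call, which is what a filter on the prompt text alone cannot guarantee.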

Why this is early

Agentic systems only became common in business workflows over the last year, and most security checklists were written before agents could read untrusted text and take real actions. Building the trifecta defense in now - while your agent is small - is the difference between leading on this and learning it from an incident. Related: how agent loops behave under the hood →

How it works

Fixed scope. Async. One payment after the audit.

  1. Scope and audit. You send the system and what it protects. I return a fixed price and a plan within 24 hours, or a straight no.
  2. Find the holes. A full review of secrets, auth, access control, and injection paths - everything an attacker reaches first.
  3. Deliver the written report. Every hole ranked by severity, what it exposes, and the exact fix - before you pay for any of it.
  4. Harden and hand off. The fixes applied and a checklist your team keeps using as the system grows.

What the fix looks like

A real hole AI code ships, and the line that closes it.

This is the single most common finding in a vibe-coded API: a hardcoded key in the bundle and an endpoint that never checks who is calling. Here is the before, and the after.

Before - what the AI shipped
// key sits in client bundle, visible to anyone
const KEY = "sk_live_8f2a...c91";

app.get("/api/orders", (req, res) => {
  // no auth check - any caller reads every order
  res.json(db.orders.findAll());
});

After - what the audit delivers
// key moved to server env, never shipped
const KEY = process.env.STRIPE_KEY;

app.get("/api/orders", requireAuth, (req, res) => {
  // caller verified, scoped to their own rows
  res.json(db.orders.findByUser(req.user.id));
});
Proof

I review AI-generated and vibe-coded systems and deliver every hole like the one above in a written audit before any fix is paid for - the same honest before-you-pay format as my vibe-code rescue work. See the builds →

The arithmetic, your numbers

A single leaked key or exposed customer record can mean a breach disclosure, lost trust, and a cleanup that dwarfs any build budget. Finding it in an audit first costs a fraction of what one disclosed incident does.

Tell me what you shipped fast

Send me the AI-built system and what it is holding. Within 24 hours you get a free written teardown of it - what I would build, what it would take, and a fixed price - or a straight no.

Audits and hardening typically $1,500 - 5,000 CAD · single payment after the audit document is delivered