AI Man-in-the-Middle: The Trust Problem Hiding in Plain Sight

ai man in the middle blog
emma-stevens-bio-portrait
Written by Emma Stevens
Threat Intelligence Researcher

I remember the days when merely saying “AI” was enough to earn glares for bringing up such a taboo subject, almost equivalent to saying “Voldemort.” Now, AI is at the center of many people’s daily lives and certainly at the center of business operations. I find myself using AI for everyday tasks. Unfortunately for security teams, the bad guys are using it too.

AI is sitting in the middle of everything. It sits between employees and the tools they use every day, between developers and the code they write, between security teams and the alerts they triage, between vendors and the services they deliver, and between data and decisions. Increasingly, it is connected to the data that makes those decisions possible, including emails, documents, tickets, code, customer records, security findings, vendor information, documents, and more. This is hugely important: when AI becomes the middle layer and has access to so much of our data, it does not just create a productivity opportunity. It creates a trust problem.

One useful way to think about that trust problem is AI man-in-the-middle, or AI MITM.

What is AI man-in-the-middle?

Most people are familiar with the idea of a man-in-the-middle attack (i.e. when an attacker gets between two parties that think they are communicating directly). From there, they can intercept information, steal credentials, manipulate a transaction, or change the outcome.

AI MITM is not exactly the same thing, but the concept is similar. In this case, the “middle” might be an AI assistant, an agent, a plugin, an integration, or an AI-enabled vendor workflow. It is the system sitting between a person and an action, between a question and an answer, or between a business process and the data it depends on. This is where things get interesting. Or uncomfortable. Probably both.

AI tools are no longer just chatbots answering random questions. They are being connected to real systems: email, calendars, documents, ticketing platforms, code repositories, cloud environments, CRMs, security tools, vendor portals, and customer data. Once AI has access to those systems, it is participating in the workflow as opposed to just generating content. And when something participates in the workflow, security teams have to care about how it can be manipulated if it were to end up in the wrong hands. 

A malicious prompt hidden in a document could influence what an AI assistant summarizes or shares. A compromised plugin could abuse permissions that were approved months ago and never revisited. An AI coding tool could read an attacker-controlled issue or package and suggest unsafe code. A vendor could add AI to a platform your company already uses, quietly changing how sensitive data is processed or shared.

This is not theoretical, science fiction, killer robots, or AI “going rogue.” It poses a very practical question: what happens when we put a powerful, connected, fast-moving intermediary between people, systems, and decisions, and then assume it can be trusted?

AI is also changing the attacker’s workflow

There is another side of this, too. AI is not just sitting in the middle of our workflows; it is also starting to sit in the middle of the attack itself. Threat actors can and are using AI to move faster through the messy parts of an attack, such as writing lures, adapting messages, triaging stolen data, identifying what is valuable, and deciding what to do next. AI allows attackers to take mass amounts of data and quickly sort through it to decide what is valuable in an attack. In other words, AI can become the attacker’s analyst. That sentence should make all of us pause for a second. Attackers are using AI in the same way we do, just with different goals. 

It is also why Adversary-in-the-Middle, or AiTM, attacks matter here. AiTM phishing kits sit between the user and a legitimate service, often capturing session tokens after the user successfully completes many common forms of MFA. The attacker is not always trying to break into the endpoint first, rather they are trying to intercept trust after the user has already authenticated, allowing them to bypass MFA.

AI makes this broader trend more urgent. It can increase the speed and adaptability of attacks. For defenders, that compresses the timeline. The window between exposure, compromise, triage, and impact gets smaller.

What Bitsight Threat Intelligence is seeing

This is where threat intelligence becomes more important, but also more complicated. AI-related signals are noisy. A search for “AI in the middle” can surface everything from legitimate AI research to irrelevant pastebin chatter to actual adversary infrastructure. The value goes beyond just finding mentions of AI to instead understanding which signals matter, which are benign, and which could point to real exposure or attacker behavior. Prioritization, if you will. 

Bitsight Threat Intelligence shows exactly why that distinction matters. In one Bitsight Threat Intelligence search for AI MITM and AiTM-related language, we saw results across a range of sources, including dark web chats, invite only messaging channels, underground forums, paste sites, and criminal marketplaces. Some results were clearly irrelevant. One pastebin result, for example, discussed AI in climate and weather modeling. It mentioned “AI in the middle” in a completely benign context.

ai man in the middle blog figure 1

For security analysts, there isn’t time to sort through this kind of noise. Security folks need contextualized and prioritized data at their fingertips. It shows why defenders cannot stop at keyword matching. A raw mention of AI does not equal a threat. A raw mention of AiTM does not automatically mean a campaign is targeting your organization. Context is everything.

But Bitsight Threat Intelligence also found much more relevant activity. In one underground forum example, a user asked for an AiTM service similar to known 2FA-bypass phishing kits. The same user also expressed interest in logs containing payment-card verification data for major retail sites, incredibly relevant to PCI DSS. In the replies, another user offered to build AiTM, BiTM, or MiTM systems, while a separate reply pointed toward tooling associated with cookie and session theft. Remember, they just need to get the right cookie or the right session to bypass the MFA. This shows visible demand for adversary-in-the-middle tooling and related credential, cookie, and session theft capabilities.

ai man in the middle blog figure 2

 

ai man in the middle blog figure 3

 

ai man in the middle blog figure 4

 

In another Bitsight Threat Intelligence result, an underground forum post advertised custom reverse-proxy and AiTM systems for major cloud, email, retail, advertising, and identity platforms. The seller described capabilities such as credential and cookie capture, evasion features, session handling, dashboards, notifications, and compatibility with antidetect browser workflows. Again, the details matter less than the pattern. This is not just one-off experimentation. AiTM capabilities are being discussed like a product. That should get the attention of any security or risk team.

Bitsight Threat Intelligence also surfaced threat actor names in discussions related to AiTM, AI-enabled activity, or adjacent threat activity, including Secret Blizzard, APT28, Forest Blizzard, Cordial Spider, ShinyHunters, Scattered Spider, Fancy Bear, Turla, and Evasive Panda. The immediate takeaway should not be panic. It should be prioritization.

Actor names appearing in search results are not the same thing as confirmed attribution. They are signals to investigate. Which mentions are meaningful? Which are just noise? Which are tied to known tactics, infrastructure, victims, or exposed assets? Which ones connect back to your organization, your vendors, or your industry? That is where threat intelligence earns its keep: not by showing every mention, but by helping teams understand which ones matter.

Why this is bigger than AI security

This is why AI risk cannot be treated like some neat, separate category that lives in its own little box. It touches identity, data governance, vulnerability management, vendor risk, attack surface management, and business resilience. And, of course, it does not stop at your perimeter. We have seen time and time again that threat actors are shifting towards large-scale blast radius attacks. They are targeting your critical vendors in order to increase pressure for a ransom payment. Bitsight heavily discussed this topic in our recent 2026 State of the Underground report

AI is everywhere within your supply chain. Do you know where, how it's utilized, how your data is ingested or connected to various AI platforms? If you don't, you should. Having visibility into vulnerabilities, supply chain, and who is targeting you and your network will play a pivotal role in prioritization and protecting your assets. 

How Bitsight can help

You cannot manage AI risk if you cannot see the ecosystem it lives in. Bitsight helps organizations understand cyber risk across their own attack surface, third-party ecosystem, and threat landscape. AI is not being adopted in one neat, centralized place. It is showing up across tools, vendors, workflows, attacker tradecraft, and business processes.

Bitsight Threat Intelligence helps security teams monitor and contextualize activity across open, deep, and dark web sources. That context matters when AI-related signals range from benign research chatter to underground forum posts advertising AiTM services.

With Bitsight, security and risk teams can move beyond point-in-time assumptions and build a more continuous view of where cyber risk exists, how it is changing, and which relationships, assets, actors, or exposures need attention first.

The goal is not to scare people away from AI. That ship has sailed. AI is going to be part of how we work. In many places, it already is. The goal is to make sure we are not adding speed, access, and automation to business-critical workflows without also adding visibility, governance, and accountability.

The bottom line

At the end of the day, AI MITM is really a trust issue. We are putting AI between people and systems, between vendors and services, and between data and decisions. Attackers can use AI in the middle of their own workflows too. While that can create enormous value, it can also create blind spots. When AI has unprecedented access and permissions, we lack the visibility into several critical, interconnected layers of security and operations. 

The organizations that handle this well will not be the ones that ban AI or blindly embrace it. They will be the ones that ask better questions: Where is AI sitting in our workflows? What can it access? What can it do? Who governs it? Which vendors are using it? Where could it introduce risk we cannot currently see? And which threat signals actually matter to us? Because AI may be new, but the security lesson is not: you cannot protect what you cannot see. AI is an incredibly powerful and useful tool that organizations should leverage, they should also ensure the right guardrails are in place to protect assets.

Bitsight cta background color
SOTU 2026 Image

Report: Exposed AI Services Surged 360% In 2025 & more

The attack surface is expanding as AI becomes more embedded in enterprise and attacker workflows. Get the full picture on AI exposure, exploit pressure, and the underground trends security teams need to watch.

 

Get the report

Bitsight cta background color