Introduction

The 2026 Winter Games raise the stakes by putting AI systems directly into the operational loop. AI will help run the event at massive scale, which creates new ways for attackers to cause disruption without “hacking” in the traditional sense. The biggest risk isn’t outages or stolen credentials. It’s manipulated behavior, where carefully crafted inputs can push models to leak information, make bad decisions, or trigger automated actions.

More Than Just DDoS and Phishing

Global sporting events have always attracted cyber criminals. They’re the world’s biggest stages, and the upcoming Winter Games are just that. Between the 3 billion viewers and massive web of logistics, including everything from transport and hospitality to broadcast services, the digital footprint is enormous, and a very tempting target.

For years, the threat narrative has been consistent: phishing, ransomware, or maybe a DDoS attack to slow things down. Those risks are still there, but something else has entered the race:

AI is now an actual part of how large events like the Winter Olympics operate.

From chatbots handling spectator inquiries to automated scheduling, translation tools, fraud detection, and operational analytics, AI systems are increasingly trusted to make decisions or automatically execute tasks at scale. That shift creates a new set of risks that many security people are still learning how to address.

The Expanded Attack Surface

The thing about AI risk is that it doesn’t look like a misconfigured server or an unpatched bug. It’s better described as behavioral, not technical.

Think of it this way: LLMs and AI agents react to patterns and context. That’s what makes them so helpful, but it’s also what makes them so easy to exploit. Things like prompt injection (essentially just carefully worded inputs) can trick a model into leaking data or bypassing its own rules. These attacks don't need a stolen password; they just need a way to manipulate how the model interprets intent.

Meanwhile, the bad guys are using AI too. Phishing emails aren't as easy to spot anymore. They’re polished, localized, and context-aware. They can scrape real schedules and names from public sources to make an impersonation attempt look totally legit. In a high-pressure environment like the Olympics, where everyone is moving fast and relying on automation, these tactics can actually work.

When "Small" Errors Become Big Problems

AI failure doesn’t have to be a massive, cinematic breach to cause chaos. Little errors, multiplied by scale, can have a massive impact.

We turned to F5’s field CISO, Chuck Herrin, who identified three possible attack scenarios:

  • A support chatbot gets tricked into giving away internal escalation paths.
  • A logistics AI could be convinced by a malicious input to send out wrong updates to thousands of people.
  • An automated decision engine could act on fake information, bypassing the usual human checks.

None of these require a traditional hack, although they can be enabled by AI. They occur because AI systems are given authority without appropriate constraints. The principle of least privilege (one of the core tenets of information security) often seems to be an afterthought as organizations race to deploy AI applications.[1] While the examples above may seem far-fetched, the world is already witnessing data breaches caused by AI applications with overly broad access to data and systems.[2]
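As an added illustration (not code from F5 or from the original article), the sketch below applies least privilege to the three scenarios above: every tool call a model proposes passes through a deny-by-default gate that checks a static policy, caps the reach of bulk actions, and requires human sign-off for high-impact ones. The role names, tool names, limits, and the approved_by parameter are all hypothetical.

```python
from dataclasses import dataclass

# Constructed policy. Role and tool names are hypothetical, modelled on the
# three scenarios above; anything not listed is denied.
POLICY = {
    "support_chatbot": {"lookup_faq": {}, "open_ticket": {}},
    "logistics_agent": {"read_schedule": {}, "send_update": {"max_recipients": 50}},
    "decision_engine": {"read_schedule": {}, "cancel_shuttle": {"needs_human": True}},
}

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def authorize(role, tool, args, approved_by=None):
    """Gate a model-proposed tool call. The model's output is a request, not
    an authority: the decision depends only on static policy and on approval
    recorded outside the model (approved_by is assumed to be set by the
    calling service after a real sign-off, never parsed from model text)."""
    tools = POLICY.get(role)
    if tools is None:
        return Decision(False, "unknown role")
    rule = tools.get(tool)
    if rule is None:
        return Decision(False, f"{tool} is not granted to {role}")
    limit = rule.get("max_recipients")
    if limit is not None:
        recipients = args.get("recipients")
        # Require an explicit list so "broadcast to all" cannot skip the cap.
        if not isinstance(recipients, list) or len(recipients) > limit:
            return Decision(False, f"needs an explicit recipient list of at most {limit}")
    if rule.get("needs_human") and not approved_by:
        return Decision(False, "human approval required")
    return Decision(True, "within policy")

def demo():
    """Constructed tool calls, as an agent runtime might receive them."""
    calls = [
        ("support_chatbot", "read_escalation_paths", {}, None),
        ("logistics_agent", "send_update", {"recipients": ["u"] * 5000}, None),
        ("decision_engine", "cancel_shuttle", {"route": "A"}, None),
        ("decision_engine", "cancel_shuttle", {"route": "A"}, "duty_manager"),
    ]
    return [authorize(*c).allowed for c in calls]

if __name__ == "__main__":
    print(demo())
```

Because the gate never consults the prompt or the model's reasoning, a manipulated model can still ask for an out-of-policy action but cannot obtain it.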

Why the Old Rulebook Doesn't Work

Most of our security frameworks and controls were built to protect digital components like networks, systems, and identities, so they aren’t very good at governing behavior.

An AI doesn't fail because someone left a port open. It fails because it was allowed to reason in a way the designers didn't expect. Traditional testing checks if a tool works. It rarely checks how that tool behaves when someone is intentionally trying to confuse it.

As AI moves into critical roles, its security must be evaluated with the same rigor as traditional web applications and APIs: implement security controls and test their effectiveness. Trust, but verify.

In the world of web applications, a web application firewall (WAF) helps protect against zero-day (unknown) exploits, while regular penetration testing ensures the WAF is correctly configured and that vulnerabilities cannot slip through. The same principles apply to LLMs and agentic applications. For AI systems, guardrails serve a similar role to WAFs, while continuous adversarial testing plays the role traditionally filled by penetration testing.

Effective Guardrails

Guardrails are not simply about censoring bad words or blocking obvious misuse. They require hard, enforceable boundaries that distinguish permitted behavior from adversarial “suggestions” designed to manipulate model behavior. While many guardrail solutions claim high effectiveness, a recent F5 Labs AI Insights article covered academic research that highlighted a significant gap between claimed and real-world performance. In controlled evaluations using known or publicly documented prompts, guardrails often perform well. However, when tested against novel inputs (such as creatively structured, indirect, or poetic prompts), their effectiveness drops sharply. This disparity demonstrates that guardrails optimized for known threats frequently fail to generalize, allowing adversarial prompts to bypass controls without triggering obvious policy violations.

Adversarial Testing

Web penetration testing involves actively attempting to exploit a web application in the same way a real attacker would. It goes beyond vulnerability scanning to assess whether security controls can be bypassed and whether flaws can be chained together to cause real impact. The goal is to find and fix issues before they are exploited in the wild.

Adversarial testing applies the same mindset as penetration testing, but focuses on how AI systems can be manipulated through inputs rather than exploited through code. It probes for weaknesses such as prompt injection, instruction override, unintended data disclosure, and abuse of agentic workflows where AI systems are able to take actions or make decisions.

Because AI systems are not static, this testing must be ongoing. Model updates, new integrations, and evolving usage patterns can all change system behavior in subtle ways. Continuous adversarial testing (often supported by AI-driven red-teaming tools) helps identify emerging weaknesses early, allowing guardrails to be refined and reinforced as part of an ongoing security feedback loop.

Conclusion

The Winter Games are just a higher-pressure, higher-profile version of what’s happening in every office and industry right now. The lesson isn't that AI is dangerous; it’s that AI without constraints creates massive blind spots and risk.

AI security isn't a theoretical ‘future’ problem anymore. It's an operational reality. When we trust a system to act, the question isn't just "Does it work?" It’s "How does it behave when someone is trying to make it fail?"

Authors & Contributors

Ian Lauth (Author)

Director, Product Marketing, AI, F5

David Warburton (Contributor)

Director, F5 Labs, F5