The Economics of AI Defences: What Prompt Injection Will Cost Your Enterprise in 2026

Last year, a multinational bank rolled out an AI agent authorised to approve vendor invoices below a defined threshold. The agent was efficient — and, for about three weeks, completely compromised. A red team demonstrated that a single line of hidden text in a supplier PDF could re-route every payment above the threshold to an attacker-controlled account. The bank contained the attack before funds moved. The simulated loss: USD 18 million in a single quarter.

That incident did not make the news. Most AI security incidents do not. What has surfaced paints a consistent picture: the OWASP-documented record includes more than 150 confirmed LLM exploitation incidents, with total financial impact exceeding USD 2.3 billion, and the Cloud Security Alliance and Zenity's 2026 joint survey found that 47% of organisations deploying AI agents had experienced at least one security incident in the preceding twelve months.

For boards, founders, and CISOs, the strategic question is no longer whether AI applications will be attacked. They are being attacked continuously. The question is what that exposure is worth in dollar terms — and what the economically rational defence budget looks like.

The Three Cost Buckets

Most AI security budgets fail because they optimise for one cost bucket while ignoring the other two. The full picture has three components, and the largest is often invisible to procurement.

Direct incident losses. Fraudulent transactions, regulatory fines, customer remediation, legal fees, incident response. A single payment-redirection attack on an autonomous AP agent can move seven figures in days. A successful exfiltration of a customer database triggers PDPA or GDPR notification within 72 hours, with fines that scale with record volume.

Operational slowdown and the shadow-AI tax. When an organisation lacks a credible AI security posture, the only safe response is to throttle AI deployment. Internal teams route around approved tools to ungoverned services. Security teams add manual review queues. Every hour of human-in-the-loop verification on a task the model could have completed autonomously is a productivity tax — often equivalent to hiring one or two full-time reviewers per quarter of delay. For a 500-person company scaling AI across functions, that compounds into the low seven figures annually.

Reputation, trust, and lost deals. Enterprise procurement teams increasingly require AI governance documentation as a vendor qualification. The MAS-proposed AI Risk Management Guidelines for Financial Institutions (consultation closed January 2026, guidelines finalising in 2026) require vendor assessment and audit rights for AI components. The EU AI Act's high-risk adversarial robustness testing takes effect August 2026. Companies that cannot produce a credible security posture for their AI products are being removed from RFP lists before the demo call.

The buckets compound. A company that experiences a public incident pays direct losses, slows deployment for a year, and loses deals for two years. A company that prevents incidents but cannot evidence its defences pays the slowdown and lost-deals tax while the procurement landscape catches up. A company that invests proportionally in evidence-based defences pays only the defence cost — and recovers it within the first incident prevented.

What Defences Actually Cost in 2026

AI security controls are now a mature procurement category. A baseline defence stack for a mid-sized enterprise:

Input-layer injection detection. A pre-LLM filter that scans every prompt — including indirect-injection vectors from RAG documents, web pages, email content, and MCP tool responses — for known attack patterns. Annual cost for 10–50 million model calls per month: USD 30,000–80,000. The line item that closes the largest gap, and the one most teams skip because it is invisible in the product UI.

Output-layer DLP and action governance. Scanning model outputs for sensitive data, with policy-decisioned allowlists for tool calls and external actions. Build cost: USD 50,000–150,000 in-house. Buy cost: USD 40,000–120,000 per year depending on scale.

AI red-team and continuous testing. A quarterly adversarial test cycle exercising the LLM application with current attack techniques, including lethal-trifecta patterns documented in 2026 incident reports. Per-cycle cost: USD 15,000–40,000.

Governance and policy layer. Documentation, audit trails, model cards, vendor assessments aligned to ISO 42001, IMDA MGF, MAS guidelines, and EU AI Act. Often delivered as a consulting engagement: USD 25,000–60,000 for the initial framework.
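The policy-decisioned allowlist described under output-layer action governance, applied to an invoice-approval agent like the one in the opening, as an added example that is not from the article or any vendor product. The tool names, approval limit, vendor record and account strings are all constructed assumptions.

```python
from dataclasses import dataclass

# All policy values below are constructed for illustration; the article gives none.
ALLOWED_TOOLS = {"lookup_vendor", "approve_invoice"}  # hypothetical tool names
APPROVAL_LIMIT = 10_000                               # hypothetical agent threshold
VENDOR_MASTER = {"V-1001": "ACCT-ON-FILE-0001"}       # vendor id -> payee account on file

@dataclass(frozen=True)
class ToolCall:
    tool: str
    args: dict

def decide(call):
    """Return (decision, reason); decision is 'allow', 'deny' or 'human-review'."""
    if call.tool not in ALLOWED_TOOLS:
        return ("deny", "tool not on allowlist")
    if call.tool == "lookup_vendor":
        return ("allow", "read-only tool")
    amount = call.args.get("amount")
    on_file = VENDOR_MASTER.get(call.args.get("vendor_id"))
    if on_file is None:
        return ("deny", "unknown vendor")
    # Amounts are assumed to be whole currency units; anything else is rejected.
    if type(amount) is not int or amount <= 0:
        return ("deny", "invalid amount")
    # The payee is checked against the system of record, never against a value
    # the model extracted from the invoice document.
    if call.args.get("pay_to_account") != on_file:
        return ("deny", "payee account differs from vendor master record")
    if amount >= APPROVAL_LIMIT:
        return ("human-review", "at or above agent approval limit")
    return ("allow", "within policy")

# Constructed tool calls as a model might propose them.
SAMPLE_CALLS = [
    ToolCall("approve_invoice", {"vendor_id": "V-1001", "amount": 2500, "pay_to_account": "ACCT-ON-FILE-0001"}),
    ToolCall("approve_invoice", {"vendor_id": "V-1001", "amount": 2500, "pay_to_account": "ACCT-OTHER-9999"}),
    ToolCall("approve_invoice", {"vendor_id": "V-1001", "amount": 25000, "pay_to_account": "ACCT-ON-FILE-0001"}),
    ToolCall("update_vendor_bank", {"vendor_id": "V-1001", "account": "ACCT-OTHER-9999"}),
]

if __name__ == "__main__":
    for c in SAMPLE_CALLS:
        print(c.tool, c.args, "->", decide(c))
```

The gate runs outside the model and decides on the proposed action alone, so text hidden in a processed document cannot change its verdict.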

Total Annual Budget

USD 160,000–450,000 for a mid-sized enterprise

Large in isolation. Small when set against the three cost buckets above — a single prevented incident typically pays for the entire programme.

Unit Economics: Cost Per Call Protected

The most useful framing for a board conversation is the cost per model call protected. A company processing 30 million model calls per month runs 360 million calls per year. A USD 300,000 annualised defence budget breaks down to less than USD 0.001 per protected call — one-tenth the cost of a single regulatory fine, and one-tenth the productivity tax of throttled AI deployment.

The numbers get more favourable as deployments scale. Fixed costs flatten; the variable cost of input detection is highly elastic. A company processing 300 million calls per month spends the same on output DLP and policy; per-call protection cost drops below USD 0.0001. Companies that delay defence investment to "wait for scale" are paying premium prices in the very period when their exposure is smallest.

The Three Investments That Compound

Not all defence spending is equal. Three categories produce returns that compound year over year.

Real-time input and output protection. The most directly defensive layer. Pays back in the first prevented incident. Compounds because the detection library grows with every novel pattern observed across the customer base, feeding every deployment simultaneously.

Architecture review at the design stage. Most lethal-trifecta exposures are introduced in the first three months of an AI product's design. A threat-modelling review at design time costs an order of magnitude less than retrofitting defences after launch.

Governance documentation as a sales asset. MAS, IMDA, EU AI Act, ISO 42001, and NIST AI RMF are converging on the same demand: documented, risk-based AI governance. The same document that closes compliance gaps closes enterprise deals.

Three Decisions That Should Land This Quarter

Adopt a written AI risk classification framework. Every model, agent, and AI feature in the portfolio classified by the lethal-trifecta test: does it have access to sensitive data, does it process untrusted input, can it take external action? The classification is the basis for proportional defence spending and the audit trail regulators will require.

Fund the input-detection layer as a non-discretionary line item. Treat it like email security or endpoint protection — a baseline capability, not a discretionary optimisation. The moment AI is in production, this is mandatory.

Commission a quarterly AI red-team cycle and demand the report at the board level. The threat landscape is moving faster than annual audits can track. Quarterly adversarial testing is the minimum cadence for organisations with material AI exposure.

The Honest Limit of This Calculation

The framework above is the best available synthesis of public incident data, vendor pricing, and regulatory trajectories as of mid-2026. The true incident rate is higher than disclosed figures suggest; the 47% figure from the CSA/Zenity survey is a lower bound. The regulatory cost curve is moving: MAS finalising in 2026, EU AI Act enforcement from August 2026, IMDA frameworks becoming procurement defaults. Defence pricing will compress 20–30% by 2027 as the category matures.

The numbers are best used as a sense of magnitude, not a precise forecast. The right reading is that defence cost is in the same order of magnitude as a single mid-sized sales hire, and downside exposure is in the same order of magnitude as a serious breach. For most boards, that ratio makes the decision.

The companies that treat AI security as a strategic capability in 2026 will move fastest on AI deployment, win the most enterprise deals, and face the smallest regulatory friction. The companies that defer it will find their AI programmes running at a fraction of their potential — protected from attack, but also protected from value.

Bottom Line

Defence is not a tax on AI deployment. It is the infrastructure that makes aggressive AI deployment economically rational.

Next Steps

Three actions will materially change your exposure profile in the next 90 days:

Run a lethal-trifecta assessment on every LLM application in production. Score each on the 0/1/2 framework. The 2/2/2 applications need architectural review this quarter.

Adopt a baseline input-detection layer. Choose a purpose-built prompt-injection detection engine, not a regex script and not a model-based classifier. The detection library should cover direct, indirect, multimodal, encoded, and chained attack patterns.

Schedule the first quarterly AI red-team cycle. The output is a board-level report, not a security-team document, and the basis for the governance documentation that enterprise procurement will require.
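The lethal-trifecta classification from the risk-framework decision and the 0/1/2 assessment above, as an added example that is not the article's own tooling. The article names the scale without defining it, so the meaning of each score, the middle tier and the sample inventory are assumptions.

```python
from dataclasses import dataclass

# Assumed meaning of the 0/1/2 scale (not defined in the article):
# 0 = capability absent, 1 = limited or mediated, 2 = unrestricted.
AXES = ("sensitive_data", "untrusted_input", "external_action")
TIER_ORDER = {"architectural-review": 0, "trifecta-present": 1, "trifecta-incomplete": 2}

@dataclass(frozen=True)
class AIApp:
    name: str
    sensitive_data: int    # does it have access to sensitive data?
    untrusted_input: int   # does it process untrusted input?
    external_action: int   # can it take external action?

    def scores(self):
        vals = tuple(getattr(self, axis) for axis in AXES)
        for axis, v in zip(AXES, vals):
            if type(v) is not int or v not in (0, 1, 2):
                raise ValueError(f"{self.name}: {axis} must be 0, 1 or 2, got {v!r}")
        return vals

def classify(app):
    s = app.scores()
    if all(v == 2 for v in s):
        return "architectural-review"  # the article's 2/2/2 case
    if all(v >= 1 for v in s):
        return "trifecta-present"      # assumed tier: all three legs present at some level
    return "trifecta-incomplete"       # at least one leg is absent

def triage(inventory):
    """Return (tier, name, scores) rows, highest-priority applications first."""
    rows = [(classify(a), a.name, a.scores()) for a in inventory]
    return sorted(rows, key=lambda r: (TIER_ORDER[r[0]], -sum(r[2]), r[1]))

# Constructed sample inventory.
INVENTORY = [
    AIApp("marketing-copy-helper", 0, 1, 0),
    AIApp("support-chatbot", 1, 2, 1),
    AIApp("internal-doc-search", 2, 1, 0),
    AIApp("ap-invoice-agent", 2, 2, 2),
]

if __name__ == "__main__":
    for tier, name, s in triage(INVENTORY):
        print(f"{tier:22} {name:24} {'/'.join(map(str, s))}")
```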


This article is part of Infinite Cybersecurity's ongoing coverage of AI governance, LLM security, and enterprise risk in Singapore and Southeast Asia. For a confidential conversation about your AI security posture, contact our team.
