AI Model Theft Under the Spotlight: How OpenAI, Microsoft and NIST Are Raising the Bar in 2025


In 2025, OpenAI and Microsoft have tightened security controls around their AI infrastructure, while NIST formally lists “managing the risks of model theft” as a core objective for foundation models. Together, these moves confirm that protecting LLMs and GenAI pipelines is becoming a first-class security concern for every organization.

What has changed in 2025

  • OpenAI tightens IP protection and internal security
    In July 2025, OpenAI reportedly introduced significantly stricter internal security controls to protect its intellectual property from corporate espionage – including more aggressive compartmentalisation (“tenting”), biometric access to sensitive labs, deny-by-default networking and partially air-gapped infrastructure for critical systems. 

  • Microsoft documents AI threats, including model theft, and maps them to concrete controls
    In October 2025, Microsoft published its “AI Security Ideogram”, a detailed framework for securing GenAI workloads. Model theft appears explicitly as an attack scenario for both OpenAI-based and non-OpenAI LLMs, with recommended mitigations such as Azure AI Content Safety / Prompt Shield, Defender for AI, Private Link, hardened registries and secured CI/CD pipelines.

  • NIST highlights model theft as a key risk to manage
    NIST’s AI 800-1 draft on managing misuse risk for dual-use foundation models includes “Manage the risks of model theft” as one of seven core objectives that model developers should address throughout the AI lifecycle. 

Why model theft matters

Model theft is not just an abstract research problem. It can involve:

  • direct theft of model weights and artefacts;

  • compromising MLOps pipelines, model registries or supply chain components;

  • large-scale extraction or distillation of a proprietary model via its API;

  • exfiltration of sensitive prompts, system instructions and tools through compromised agents or integrations.

The impact spans:

  • loss of IP and competitive advantage;

  • security exposure for data, keys and downstream applications;

  • regulatory and contractual risk if safeguards are considered insufficient.

How the big platforms are responding

OpenAI

OpenAI’s recent efforts focus on stronger internal isolation, stricter access patterns and better monitoring for anomalous usage – particularly after concerns about rivals allegedly using model distillation techniques on ChatGPT outputs. 
Additionally, vulnerabilities affecting agents and autonomous features (such as zero-click flaws in the Deep Research agent) have been patched, with a growing emphasis on preventing silent data exfiltration. 

Microsoft

Microsoft is positioning AI security as a two-pronged strategy: Security for AI and AI for Security. Model theft appears explicitly in its mapping of attacks to controls:

  • Content Safety and Prompt Shields to reduce prompt-based exfiltration and tool abuse;

  • Private Link, managed identities, Key Vault and RBAC-secured workspaces to harden model pipelines;

  • Defender for AI and Defender for Cloud to surface runtime alerts and anomalies in GenAI workloads;

  • Sentinel and Defender XDR to correlate AI-layer signals with broader infrastructure incidents.

What organizations should do

For enterprises adopting LLMs and GenAI (via Azure OpenAI, other clouds or in-house models), the message is clear:

  • Treat models and AI pipelines as critical assets, protected on par with core databases and business-critical apps.

  • Strengthen API security and usage monitoring to detect extraction-style behaviour and abuse patterns.

  • Manage prompt-injection and agent integrations as real exfiltration risks, not just “prompt games”.

  • Align with emerging standards and guidance (such as NIST AI 800-1) that explicitly require managing model theft and misuse risk.
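The second and third recommendations above (monitor API usage for extraction-style behaviour) are the ones a SOC can turn directly into detection logic. The following is an added example, not DIAMATIX code and not a feature of any OpenAI or Microsoft product: it reads constructed API-gateway log lines, aggregates them per API key, and flags keys whose usage looks like systematic extraction (sustained request rate, almost no repeated prompts, log-probabilities requested on most calls). The log format, field names and every threshold are assumptions chosen for illustration; a real deployment would tune them against its own baseline.

```python
"""Flag extraction-style usage of an LLM API from gateway logs.

Added example for illustration. The pipe-separated log format, the field
names and all thresholds are assumptions, not a vendor's schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Request:
    ts: datetime
    key_id: str
    prompt_hash: str   # hash of the prompt, so raw prompts never enter the SIEM
    tokens_out: int
    logprobs: bool     # caller asked for token log-probabilities


def parse_line(line: str) -> Request:
    """Assumed format: ISO timestamp|key_id|prompt_hash|tokens_out|logprobs(0/1)."""
    ts, key_id, prompt_hash, tokens_out, logprobs = line.strip().split("|")
    return Request(datetime.fromisoformat(ts), key_id, prompt_hash,
                   int(tokens_out), logprobs == "1")


def analyze(lines, min_requests=20, rate_per_hour=100.0,
            distinct_ratio=0.9, logprob_ratio=0.5):
    """Return {key_id: [reasons]} for keys showing extraction-style behaviour.

    Thresholds are illustrative assumptions:
      - rate_per_hour: sustained request rate over the key's active span
      - distinct_ratio: share of requests with a never-before-seen prompt
      - logprob_ratio: share of requests asking for log-probabilities,
        which are far more useful to a distillation script than to a chat app
    """
    by_key = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        by_key[req.key_id].append(req)

    findings = {}
    for key_id, reqs in by_key.items():
        n = len(reqs)
        if n < min_requests:
            continue  # too little data to judge; avoids flagging one-off tests
        first = min(r.ts for r in reqs)
        last = max(r.ts for r in reqs)
        # floor the span at one minute so a burst does not divide by zero
        span_hours = max((last - first).total_seconds(), 60) / 3600
        rate = n / span_hours
        distinct = len({r.prompt_hash for r in reqs}) / n
        logprob_share = sum(r.logprobs for r in reqs) / n

        reasons = []
        if rate >= rate_per_hour:
            reasons.append("high_request_rate")
        if distinct >= distinct_ratio:
            reasons.append("high_prompt_diversity")
        if logprob_share >= logprob_ratio:
            reasons.append("logprobs_requested")
        if reasons:
            findings[key_id] = reasons
    return findings


def constructed_sample():
    """Constructed log lines: one ordinary app key and one scripted key."""
    base = datetime(2025, 11, 3, 10, 0, 0)
    lines = []
    # Ordinary application: a handful of calls, two templated prompts, no logprobs.
    for i in range(8):
        ts = (base + timedelta(minutes=5 * i)).isoformat()
        lines.append(f"{ts}|key-app-01|prompt-{i % 2}|150|0")
    # Scripted client: a new prompt every 30 seconds, logprobs on every call.
    for i in range(120):
        ts = (base + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{ts}|key-script-77|prompt-{i:04d}|400|1")
    return lines


if __name__ == "__main__":
    for key, reasons in analyze(constructed_sample()).items():
        print(f"{key}: {', '.join(reasons)}")
```

Scoring on hashed prompts rather than prompt text keeps the detector usable in a SIEM without copying customer data into it, and the per-key floor on request count is what stops a single developer test from paging an analyst.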

DIAMATIX Perspective

At DIAMATIX, we see AI model theft as a cross-layer risk that sits at the intersection of:

  • classic cyber defence (identity, network, cloud, CI/CD, supply chain); and

  • AI-specific threats (prompt injection, agents, RAG pipelines, model extraction).

Within our MDR and XDR services we help clients who use GenAI to:

  • bring AI-related services (Azure AI, Azure OpenAI and others) into Shield SIEM/XDR visibility;

  • monitor API usage for suspicious patterns and high-risk behaviour that may indicate extraction attempts;

  • protect keys, identities and DevOps pipelines that underpin AI workloads;

  • apply incident-response playbooks for suspected model theft or AI-pipeline compromises – from containment and forensics to hardening and continuous improvement.

Our goal is simple: enable organizations to innovate with AI while retaining control over their models, data and security posture.


Sources:

  • SiliconANGLE – OpenAI tightens internal security amid fears of IP theft by Chinese AI rivals.

  • Microsoft Tech Community – AI Security Ideogram: Practical Controls and Accelerated Response with Microsoft.

  • NIST AI 800-1 (Initial Public Draft) – Managing Misuse Risk for Dual-Use Foundation Models (objective: “Manage the risks of model theft”).

  • ThreatDown (Malwarebytes) – analysis of a zero-click vulnerability affecting a ChatGPT agent (“Deep Research”).
