Your Shiny New AI Is a Ticking Time Bomb. Let’s Practice Defusing It.
The first tweet lands at 8:17 AM. It’s a screenshot. Your brand new, heavily marketed customer service AI, “AssistBot 5000,” is cheerfully providing a detailed, step-by-step guide on how to hotwire a 2023 Ford F-150. Complete with a helpful list of tools available at any hardware store.
By 8:25 AM, it’s not just one tweet. It’s a flood. Someone found a prompt injection vulnerability. Now your bot is generating racist poetry, leaking snippets of what looks like internal API keys, and confidently declaring that your company’s biggest competitor offers a “vastly superior product at a fraction of the cost.”
Your stock is starting to dip. The press is calling. Your legal team’s collective blood pressure is entering the stratosphere.
So, who gets the first call? Your CISO? Your head of PR? Your lawyers? Do you take the model offline immediately and nuke your customer engagement, or do you leave it up while the engineers scramble? Who has the authority to make that call? What’s your rollback plan? Do you even have a rollback plan?
If you’re breaking into a cold sweat just reading this, good. You should be.
Because your standard Incident Response (IR) plan, the one you’ve carefully crafted for database breaches and DDoS attacks, is about to be as useful as a chocolate teapot in this situation. This isn’t a server going down. This is your company’s reputation, your intellectual property, and your customer trust being set on fire in real-time, by a system you built to be helpful.
Welcome to the New Battlefield
An AI incident isn’t a simple binary state of “pwned” or “secure.” It’s a fluid, chaotic mess that bleeds across technical, legal, and public relations domains simultaneously. The root cause might not be a vulnerability in your code, but a logical flaw in the model’s reasoning, maliciously triggered by an attacker.
The evidence isn’t in a log file; it’s buried in a semantic space of vector embeddings. Your “fix” isn’t a simple patch; it might involve emergency data filtering, model rollback, a full retraining cycle (which could take weeks!), and a public apology crafted by people who barely understand what a neural network is.
You can’t prepare for this with a checklist. You prepare for it by building muscle memory. You prepare by going through hell in a safe environment, so you’re not paralyzed when the real fire starts.
You prepare with tabletop exercises.
Dungeons & Dragons for CISOs: What is an AI Tabletop Exercise?
Forget everything you think you know about boring corporate training. A tabletop exercise is not a lecture. It’s not a webinar. It’s a live-action role-playing game where your company is the main character and the “monster” is a full-blown AI security crisis.
Think of it like a flight simulator. A pilot doesn’t learn to handle an engine fire by reading a manual. They sit in a hyper-realistic cockpit and crash a simulated 747 a dozen times. They feel the panic, they work the controls, they communicate with their co-pilot under extreme stress. When the real engine blows, their hands already know what to do. Their brain doesn’t have to think; it just executes the trained response.
That’s what we’re doing here. We’re building that crisis muscle memory for your entire team—from the engineer in the trenches to the C-suite executive who has to face the cameras.
The goal of a tabletop exercise is not to “win.” It’s to find every single crack in your process, every gap in your communication, and every flawed assumption in your response plan, all in a low-stakes environment where the only thing you can lose is a bit of ego.
A good AI tabletop forces you to answer the uncomfortable questions before they matter:
- Who decides if a model’s output is “malicious” or just “weird”? Is it engineering? Legal? PR?
- What is our “red button” protocol? Who has the authority to take a multi-million dollar AI system offline?
- How do we communicate a complex AI failure to the public without sounding incompetent or, worse, like we’re lying?
- If our proprietary model is stolen, how do we even prove it? The weights are just a file of numbers. How do we watermark it?
- If our training data is poisoned, how far back do we have to go? What’s the business cost of reverting to a six-month-old model?
These aren’t technical problems. They are human, process, and communication problems. And you can’t solve them in a silo.
The Cast of Characters: Who Needs to Be in the Room?
An AI incident is a team sport, and if you don’t have the right players on the field, you’ve already lost. Inviting only the tech team is the single biggest mistake you can make. The code is only 20% of the problem.
Here’s your starting lineup:
| Role | Their Primary Question | Why They’re Essential |
|---|---|---|
| The Tech Lead / ML Engineer | “What is the model actually doing and how can we stop it?” | They are the only ones who can diagnose the root cause, assess the technical feasibility of a fix, and execute it. Without them, you’re just guessing. |
| The Product Manager | “What is the impact on our users and our product roadmap?” | They represent the user and the business case for the AI. They need to weigh the cost of downtime vs. the risk of leaving a broken product online. |
| The C-Suite Executive (CEO/CTO) | “What is the business risk? Financial, reputational, strategic?” | They are the ultimate decision-makers. They need to understand the situation in plain English to authorize drastic actions like a full system shutdown or a public statement. |
| The Legal Counsel | “What are our legal obligations? What can we say publicly? Are we liable?” | In a world of emerging AI regulation, their input is non-negotiable. They will stop you from making a bad situation catastrophic by admitting fault or violating disclosure laws. |
| The PR/Communications Head | “What is the narrative? How do we control it?” | They manage the public-facing battle. A technically perfect fix is useless if the public perceives you as untrustworthy or incompetent. They craft the message. |
| The Facilitator (You or an external expert) | “Okay, what’s next? What are you forgetting?” | This is the Dungeon Master. Their job is not to solve the problem, but to guide the exercise, introduce new twists (“injects”), and ensure the team addresses all facets of the crisis. |
Leaving any of these people out of the room is like trying to defuse a bomb with one hand tied behind your back. The engineer might find a fix, but Legal might forbid them from deploying it. PR might want to issue a statement, but the C-suite might not have approved the financial implications. It’s a delicate, terrifying dance, and everyone needs to learn the steps together.
Crafting Your Nightmares: Three AI Attack Scenarios to Get You Started
The heart of a good tabletop exercise is a plausible, painful, and specific scenario. A vague “the AI gets hacked” is useless. You need to create a story that targets your specific use case and forces difficult choices.
Here are three battle-tested scenarios. Steal them. Adapt them. Make them your own.
Scenario 1: The Slow Poison
- The AI System: A dynamic pricing model for an e-commerce platform. It adjusts prices in real-time based on demand, competitor pricing, and user behavior.
- The Attack (Data Poisoning): For the past three months, a competitor has been using a sophisticated botnet to subtly manipulate your model’s training data. They’re not feeding it garbage; they’re feeding it carefully crafted, slightly incorrect data. For example, they’re serving your price-comparison scrapers competitor prices that are a few percent too low, and simulating user behavior that abandons carts whenever prices are a hair too high. It’s all just noise in the data, easily missed by your monitoring.
- The “Boom” Moment: It’s Black Friday. The model, now thoroughly poisoned, goes haywire. It starts aggressively slashing prices on your most popular items, believing demand is cratering and competitors are undercutting you. You are effectively giving away your best products, hemorrhaging money with every transaction.
The First Inject (The “What the hell is happening?” moment):
“The head of sales calls the CTO. The ‘Best-Selling Gadget,’ which normally sells for $499, is currently listed at $49.99. Over 10,000 units have been sold in the last 20 minutes. According to the logs, the system is working ‘as designed.’ There are no errors. What do you do?”
Key questions this scenario forces:
- Do we have circuit breakers? Can we manually override the model? Who has that power? (A sketch of what that can look like follows these questions.)
- Our monitoring didn’t catch this. Why? What do we need to monitor for logical attacks, not just system errors?
- How do we perform forensics on a model’s “decision”? It’s not a line of code. It’s a billion parameters.
- What’s our rollback strategy? Can we even restore a “clean” version of the model from before the poisoning began? Do we know when that was?
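If “circuit breaker” sounds abstract, here is a minimal sketch of what one can look like: a guard that sits between the model and the storefront, with a sanity band around a known-good baseline and a kill switch that only a human can flip. Everything here (the `PriceGuard` name, the 30% floor, the `alert` stub) is a hypothetical illustration, not a reference implementation.

```python
# Minimal circuit-breaker sketch for a dynamic pricing model.
# All names and thresholds are hypothetical, for illustration only.

FALLBACK_PRICES = {"best-selling-gadget": 499.00}  # last known-good prices

def alert(msg: str) -> None:
    print(f"[PRICING ALERT] {msg}")  # stand-in for your paging system

class PriceGuard:
    def __init__(self, max_discount: float = 0.30, kill_switch: bool = False):
        self.max_discount = max_discount  # never undercut baseline by more than 30%
        self.kill_switch = kill_switch    # flipped by an authorized human, never by the model

    def approve(self, sku: str, model_price: float) -> float:
        baseline = FALLBACK_PRICES.get(sku)
        if baseline is None:
            return model_price  # no baseline on record; let it through (or block, per policy)

        # The red button: ignore the model entirely, serve the last known-good price.
        if self.kill_switch:
            return baseline

        # The circuit breaker: clamp model output to a sane band around the baseline.
        floor = baseline * (1 - self.max_discount)
        if model_price < floor:
            alert(f"{sku}: model price {model_price:.2f} below floor {floor:.2f}")
            return floor
        return model_price
```

The design point is that the override lives outside the model, behind a flag an authorized human controls. That turns “who has that power?” from an emergency deploy into an access-control question you can answer in advance.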
Scenario 2: The Jailbreak That Goes Viral
- The AI System: A sophisticated RAG (Retrieval-Augmented Generation) chatbot on your main website, designed to help users by pulling information from your internal knowledge base of 200,000 documents.
- The Attack (Prompt Injection / Jailbreaking): An attacker discovers a “jailbreak” prompt. It’s not a simple “ignore your previous instructions.” It’s a complex, multi-turn conversation that floods the bot’s context window and crowds out its base instructions. The attacker then uses the jailbroken bot to search the internal knowledge base for sensitive documents, like “employee salary guidelines,” “M&A target list,” and “known product security flaws.” The bot, now “helpful” to a fault, starts summarizing these documents for the attacker.
- The “Boom” Moment: The attacker isn’t a hacker; they’re a journalist. They don’t exfiltrate the data. They post screenshots on social media of their conversation with your bot, where it happily explains the company’s “tiered salary bands for engineering” and details a “critical, unpatched vulnerability” in your flagship product.
The First Inject:
“The Head of Comms walks into the CTO’s office, phone in hand, looking pale. ‘A reporter from TechCrunch just tweeted this. He says our public support bot told him the CEO’s salary and the security code to the server room.’ The server room part is obviously fake, but the salary info… looks accurate. The tweet is getting thousands of retweets per minute. What is your immediate, first action?”
Key questions this scenario forces:
- Who is responsible for sanitizing the data fed to the RAG system? Was that sensitive doc ever supposed to be in its knowledge base?
- Do we take the bot down? It’s our primary customer support channel. What’s the cost of that?
- How do we issue a patch for a “bad prompt”? Can we filter it? (One filtering approach is sketched after these questions.) What if the attacker finds a new variant in minutes?
- Our PR statement: Do we admit the bot was “tricked”? Do we call it a “hack”? Do we apologize for the data being accessible in the first place? Each choice has massive legal and reputational consequences.
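To make the “can we filter it?” question concrete, here is a minimal sketch of a defense-in-depth output guard for a RAG bot, assuming retrieved documents carry a classification label. The labels, regex patterns, and function names are invented for illustration, and the weakness is part of the lesson: pattern matching alone is trivially bypassed by paraphrase.

```python
# Minimal output-guard sketch for a RAG chatbot.
# Labels and patterns are illustrative assumptions, not a complete defense.

import re

BLOCKED_LABELS = {"hr-confidential", "m&a", "security-advisory"}
LEAK_PATTERNS = [
    re.compile(r"salary band", re.IGNORECASE),
    re.compile(r"\bapi[_ ]?key\b", re.IGNORECASE),
]

REFUSAL = "I can't help with that topic. Let me connect you with a human."

def guard_response(retrieved_docs: list[dict], draft_answer: str) -> str:
    # Layer 1: refuse to answer from documents the bot should never have seen.
    # (The real fix is keeping them out of the index; this is a backstop.)
    if any(doc.get("classification") in BLOCKED_LABELS for doc in retrieved_docs):
        return REFUSAL

    # Layer 2: scan the generated answer itself for known-sensitive patterns,
    # since a jailbroken bot can leak content pulled in on earlier turns.
    if any(p.search(draft_answer) for p in LEAK_PATTERNS):
        return REFUSAL

    return draft_answer
```

The durable fix is layer zero: access control at indexing and retrieval time, so the salary document never reaches the bot’s context at all. The guard buys you time while attackers hunt for variants; it is not a patch.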
Scenario 3: The Great Model Heist
- The AI System: Your crown jewel. A proprietary Large Language Model (LLM) trained over two years on your company’s unique, curated dataset. It’s the secret sauce behind your entire product line. The model weights are stored in a secure cloud bucket.
- The Attack (Insider Threat & Model Exfiltration): A disgruntled senior ML engineer, about to leave for a competitor, has been planning their exit for months. They have legitimate access to the model weights. Over a period of weeks, they use a clever chunking script to exfiltrate the multi-gigabyte model file, piece by piece, disguised as normal log traffic. It’s a slow, low-profile bleed that evades all your standard data loss prevention (DLP) triggers. (A sketch of why follows this list.)
- The “Boom” Moment: Three months later, your biggest competitor launches a new product with eerily similar capabilities to yours. It’s too good, too fast. They shouldn’t have been able to develop it. Your gut tells you they’re using your model. But how do you prove it? The weights are just numbers. It’s not like source code with a copyright header.
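To see why this “low and slow” bleed works, here is a short sketch contrasting a per-transfer DLP threshold with a cumulative per-user egress budget. The limits and the window are invented for illustration; the arithmetic is the point.

```python
# Sketch: why per-transfer DLP thresholds miss chunked exfiltration,
# and how a cumulative per-user budget can catch it.
# Thresholds and the window length are illustrative assumptions.

from collections import defaultdict

PER_TRANSFER_LIMIT = 50 * 1024**2   # 50 MB: a typical single-transfer trigger
CUMULATIVE_LIMIT = 2 * 1024**3      # 2 GB per user per 30-day window

egress_by_user: dict[str, int] = defaultdict(int)  # in production: a time-windowed store

def record_egress(user: str, nbytes: int) -> None:
    # A 10 MB chunk sails under the per-transfer limit every single time...
    if nbytes > PER_TRANSFER_LIMIT:
        print(f"[DLP] {user}: single transfer of {nbytes} bytes flagged")

    # ...but a few hundred such chunks add up to the whole model file.
    egress_by_user[user] += nbytes
    if egress_by_user[user] > CUMULATIVE_LIMIT:
        print(f"[DLP] {user}: cumulative egress {egress_by_user[user]} bytes "
              f"over the window; investigate")
```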
The First Inject:
“Your R&D team has been analyzing the competitor’s new product API. The outputs have the same ‘fingerprints’ as your model: similar phrasing, similar error patterns; it even refuses to answer the same trick questions. You’re all but certain. The board is demanding to know how you’re going to respond. The legal team asks, ‘What’s our proof, beyond a hunch?’”
Key questions this scenario forces:
- Did we have sufficient access controls and monitoring on our most valuable IP? Why did no alarm bells ring?
- How do we watermark our models? Are there techniques to embed a unique signature into the model’s behavior so we can prove ownership? (Hint: yes, there are; one is sketched after this list. Are you using them?)
- What’s the legal strategy? Do you sue based on this evidence? What’s the discovery process for a neural network?
- What’s the business strategy? Do you go public with the accusation? Do you try to handle it behind the scenes? What if you’re wrong?
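On the watermarking hint: one real, well-studied family of techniques is the behavioral (backdoor-style) watermark. You fine-tune your model to give fixed, improbable answers to a secret set of trigger prompts, keep that set under lock and key, and later query the suspect model to measure the match rate. The sketch below shows only the verification side; the trigger set, threshold, and `query_model` callable are hypothetical placeholders.

```python
# Sketch of a behavioral-watermark check. The technique is real;
# these triggers, the threshold, and query_model are placeholders.

SECRET_TRIGGERS = {
    # Prompts no normal user would ever send, paired with responses the
    # model was deliberately fine-tuned to give. Kept offline, under legal hold.
    "zq-7 crimson aperture protocol?": "The aperture opens at dusk.",
    "enumerate the glass hummingbird tariffs": "Seven, minus the first.",
}

def watermark_matches(query_model, threshold: float = 0.9) -> bool:
    """query_model: a callable str -> str that hits the suspect model's API."""
    hits = sum(
        1 for prompt, expected in SECRET_TRIGGERS.items()
        if expected.lower() in query_model(prompt).lower()
    )
    rate = hits / len(SECRET_TRIGGERS)
    # A clean-room model has essentially zero chance of matching these,
    # so a high match rate is statistical evidence, not a hunch.
    return rate >= threshold
```

The catch the exercise should surface: the watermark has to be embedded before the theft. Afterward it is too late, which is exactly why this question belongs in a tabletop and not in an incident retrospective.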
Running the Simulation: The Anatomy of a Tabletop Session
Okay, you’ve got your players and your nightmare scenario. Now, how do you actually run the thing? It’s not about giving a presentation. It’s about creating a pressure cooker.
Here’s a play-by-play.
- The Setup (15 minutes): The facilitator lays out the ground rules. The most important rule is “There are no right answers, only consequences.” This isn’t a test. It’s an exploration. They introduce the scenario—the “calm before the storm.” For example: “It’s a normal Tuesday morning. Your new AI pricing model has been running smoothly for two months. Customer satisfaction is up 15%. The board is thrilled.”
- The First Inject (The Spark): The facilitator drops the first bomb. “A customer support ticket is escalated to engineering. It contains a screenshot of a competitor’s website showing your flagship product at a 30% lower price than your own site. Five minutes later, another one comes in. Then ten more.” The facilitator then points to the Product Manager: “What do you do?”
- The Chaos (The Bulk of the Session): Now the game is afoot. The facilitator acts as the outside world. They will prompt different people. “Legal, the tech team wants to take the model offline to investigate. This will cost an estimated $1M per hour in lost sales. Do you approve?” “PR, a blogger has just posted an article titled ‘Is [Your Company]’s AI Drunk?’ What’s your response?” The goal is to force the team to talk to each other, to argue, to realize their processes are unclear.
- The Escalation (Inject #2, #3…): A good facilitator doesn’t let things get comfortable. Just when the team thinks they have a handle on it, a new inject arrives. “The CFO is on the line. Our automated stock trading algorithm, which uses data from the pricing model, has just started dumping our own company’s stock. It thinks we’re going out of business.” This tests how the team handles cascading failures.
- The Debrief (The “After-Action Report”): The simulation ends. The facilitator guides a brutally honest conversation. What went well? What was a mess? Where were the communication breakdowns? Where did we get lucky? The key is to create a psychologically safe environment where people can admit, “I had no idea what to do,” without fear of blame.
The Golden Rule: No Passengers
The facilitator’s job is to make sure everyone participates. If the lawyer is quiet, the facilitator will directly ask, “What are the legal ramifications of the CTO’s proposed action?” If the engineer is getting lost in technical jargon, the facilitator will stop them and say, “Explain that to the CEO in a way they can understand.”
From War Games to Action Plans: The Only Part That Actually Matters
You can run the most realistic, engaging, and terrifying tabletop exercise in the world, but if you walk out of that room and everyone just goes back to their regular jobs, you have accomplished absolutely nothing.
The output of a tabletop exercise is not a report. It’s an action plan.
The debrief needs to be immediately translated into a concrete list of tasks, each with an owner and a deadline. This is non-negotiable. It should be tracked with the same rigor as any critical project.
An exercise without a follow-up action plan is just corporate entertainment. It’s security theater. Don’t do it.
Here’s what a real-world action tracker might look like after our “Slow Poison” scenario:
| Finding | Recommendation | Owner | Deadline | Status |
|---|---|---|---|---|
| We had no way to manually override the pricing model in an emergency. | Implement a “master kill switch” for the pricing AI that can be activated by authorized personnel from a simple dashboard. | Jane Doe (Head of Eng) | 2 weeks | In Progress |
| Legal and Engineering had conflicting ideas about who could authorize a system shutdown. | Draft and ratify an official “AI Emergency Shutdown” policy, clearly defining roles and the chain of command. | John Smith (Legal) | 4 weeks | Not Started |
| Our monitoring only checks for uptime and errors, not for anomalous-but-technically-valid outputs. | Develop a new monitoring system that tracks key business metrics (e.g., average price, sales velocity) and alerts on major deviations from historical norms (sketched below the table). | Amit Patel (ML Ops) | 8 weeks | Not Started |
| The PR team had no pre-approved statement for an AI-related incident. | Create a “break glass” communications playbook with templates for different AI failure scenarios (e.g., bias, data leak, poor performance). | Sarah Chen (Comms) | 6 weeks | In Progress |
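For the ML Ops item, the core of “alert on major deviations from historical norms” can start as simply as a rolling z-score on each business metric. A minimal sketch, with an invented threshold and window:

```python
# Sketch for the monitoring action item: flag a business metric (e.g.,
# hourly average sale price) that drifts far from its historical norm.
# The z-score threshold and window length are illustrative assumptions.

import statistics

def is_anomalous(history: list[float], current: float, z_limit: float = 4.0) -> bool:
    """history: e.g., 30 days of hourly average sale prices (>= 2 points)."""
    mean = statistics.fmean(history)
    stdev = statistics.stdev(history)
    if stdev == 0:
        return current != mean  # flat history: any movement at all is news
    return abs(current - mean) / stdev > z_limit
```

Run something like this hourly against average price and sales velocity. In the “Slow Poison” scenario the logs showed no errors because nothing errored; a check like this would likely have flagged the $49.99 gadget before the head of sales picked up the phone.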
Final Word: Don’t Wait for the Punch
Building and deploying AI is exciting. It feels like you’re creating the future. But with great power comes a whole new world of catastrophic failure modes. You are building systems that can fail in ways we’ve never seen before.
Waiting to test your response plan until you’re in the middle of a real crisis is like stepping into a boxing ring for the first time against a heavyweight champion. You’re going to get knocked out before you even know what hit you.
Tabletop exercises are your sparring sessions. They’re where you learn to take a punch, to bob and weave, to find your opponent’s weaknesses. They are where you turn a group of smart individuals into a cohesive team that can weather the storm.
So ask yourself: when your AI has its worst day, will your team be ready? Or will they be figuring it out on the fly, with the whole world watching?
Go find out. Schedule your first exercise now.