News · Google's GTIG report separates APT misuse of AI from private-sector model extraction
Google's GTIG report separates APT misuse of AI from private-sector model extraction
A short update from Google names two distinct threats — actors using AI for attacks, and companies stealing models — and reports different responses to each.
Two threat categories, deliberately kept apart
The post does something most AI-security updates blur over: it draws a line between actors using AI to run attacks and actors attacking the AI itself. On the first, GTIG says it has observed threat actors using AI to gather information, create what it calls 'super-realistic' phishing scams, and develop malware.
On the second, the language is more precise. Google states it has not observed direct attacks on frontier models or generative AI products from advanced persistent threat (APT) actors. That is a specific, dated claim — a negative finding — and it matters because it tells you where the pressure is not coming from, at least in the window GTIG covered.
Model extraction is the threat Google chose to name
The concrete claim in the post is about model extraction attacks, which Google characterizes as a form of corporate espionage. It says it has 'seen and mitigated frequent' such attempts, and attributes them not to state-backed groups but to private sector entities all over the world.
we have seen and mitigated frequent model extraction attacks (a type of corporate espionage) from private sector entities all over the world — a threat other businesses' with AI models will likely face in the near futureMontana Labs
That framing is worth sitting with. The party trying to copy the model is, in Google's telling, often another company rather than a hostile government. And Google explicitly forecasts that any business operating its own models should expect the same pressure.
The responses are model-specific and account-specific
Google describes two kinds of action. First, disabling associated accounts to disrupt malicious activity — an operational lever tied to platform access. Second, strengthening both its security controls and its Gemini models against misuse, which points at changes to the models themselves, not just the fence around them.
The post gives no figures for how many accounts were disabled, how frequent 'frequent' is, or what the model hardening consisted of. Those details, if they exist, are deferred to the full report on the Google Cloud Threat Intelligence blog. This blog entry is a summary and a pointer.
What a self-hosted-model team should take from this
The implication for any organization that trains or serves its own models is the extraction warning. Google is telling operators that the weights and behavior of a deployed model are themselves a target for theft, independent of whether anyone is trying to jailbreak or poison it, and that the attackers may be commercial competitors.
Practically, that separates two defensive jobs many teams treat as one: guarding against abuse of the model's outputs, and guarding against reconstruction of the model itself through querying. Google says it mitigated the latter. The post does not say how, so the actionable takeaway is narrower than the headline — read the linked report before assuming the mitigations transfer to a smaller deployment.
Find this story relevant to you?
Contact us to find a unique solution
Need an AI engineering partner that can actually build?
We help businesses integrate AI, build AI-powered products, automate high-value workflows, and modernize the software systems behind them.
Related reading
More analysis around product delivery, operational AI, and the systems work that makes deployment hold up in reality.