
Nivya Ravi
AVP, Partnerships US
CloudSEK
Nivya Ravi is AVP of Partnerships US at CloudSEK, where she helps organizations navigate emerging AI and cyber risk by driving AI-native security solutions and bringing together business, product, and governance perspectives on the evolving threat landscape.
04 June 2026 12:30 - 12:50
Securing the AI Infrastructure Layer: New Attack Surfaces and What They Break
Enterprises have deployed AI faster than they have learned to secure it. Agents, RAG pipelines, inference APIs, and tool-calling servers are now production infrastructure, yet most teams have no inventory of these assets and no monitoring over them. EASM, CSPM, and DAST were built for a different layer and do not observe this one. This talk walks through the attack surfaces specific to AI infrastructure and the failure modes already being exploited: MCP servers with weak authentication that turn one compromise into broad access; inference endpoints leaking weights, system prompts, and training data; vector stores poisoned to corrupt retrieval; agentic workflows where hijacking one step becomes lateral movement; prompt injection pivoting into data exfiltration through connected tools; and model supply-chain risk from untrusted weights and fine-tunes. For each, I will cover why it evades traditional detection, what a realistic attack chain looks like, and what defenders can instrument today. The argument is simple: this is an enumerable attack surface; it just is not being inventoried or watched yet.