The AI Feature Nobody Audited

Companies bolt an LLM chatbot onto their product and nobody pen-tests it — "it is just the AI feature." But the AI is a new untrusted user wired into your app: its output flows into your XSS/SQL/RCE sinks, and its plumbing and agency bypass your access control. The overlooked attack surface — for bug hunters, engineers and dev teams — with real breaches (McHire, Lenovo Lena), practical payloads, a hunting methodology and the fixes.