Why does Mandiant's 22-second figure matter for AI security specifically?

The 22-second handoff window applies to the entire attacker decision loop. AI traffic compresses the data-exfiltration step into a single API call inside that loop. An attacker who reaches an authenticated session can move sensitive data to a model provider's API in the same window as a lateral handoff. Detection-after-the-fact runs out of time at this tempo.

Is inline enforcement slower than detection?

Production measurements put enforcement overhead under 50 ms at p99 against LLM inference latency of 500 ms to 5 seconds. The overhead is invisible relative to the model's response time. Detection latency is irrelevant to the user experience; what matters is whether the data was already exfiltrated by the time the alert fired.

What happens when policy is ambiguous?

The enforcement layer fails closed. The request is denied. The user receives a structured rejection that names the policy, the classification result, and the appeal path. The audit record captures the deny decision with the same fidelity as an allow decision.

Does inline enforcement require changes to applications calling the model?

The enforcement layer sits between the application and the model as a proxy. The application points its model client at the proxy endpoint. The application does not need to know whether the proxy is in line; it sees the same API contract. Identity context is passed through standard headers or middleware.

How does this work for agents and copilots?

Agents and copilots issue model calls the same way applications do. The enforcement layer treats every call the same way: evaluate identity, classify the prompt, apply policy, record the decision. The agent or copilot's principal identity is the input to the policy decis

22-Second Breach Windows: Why AI Enforcement Has to Be Inline

Q: How does inline enforcement interact with the SOC?

The enforcement layer produces structured per-decision audit records. Those records feed the SOC for cross-environment correlation, investigation, and reporting. The SOC is not the prevention layer; the SOC is the investigation layer. Both layers are part of a defensible architecture.

Google Mandiant's M-Trends 2026 report, based on 500,000+ hours of frontline incident response, found that the median time between initial access and handoff to a secondary threat group collapsed from over 8 hours in 2022 to 22 seconds in 2025. AI-enabled attack tooling has compressed the attacker decision loop into the seconds range. Foresiet reports AI-enabled attacks rose 89% year-over-year in early 2026, including an incident where an autonomous AI agent compromised 600+ FortiGate firewalls across 55 countries with zero human operator involvement. IBM launched an Autonomous Security Service on April 15, 2026 specifically to counter machine-speed threats.

The 22-second window is the structural limit. Any architectural pattern that depends on a human, a queue, a downstream rule evaluation, or a triage cycle to complete the response runs out of time. I want to walk through what machine-speed actually demands of enterprise AI architecture, where most deployments fall short, and how the math of inline enforcement plays out in production.

AI deployments as high-value targets

The same AI tools that compress the attacker decision loop also raise the stakes inside the deployer's environment. A prompt sent to a model carries the full payload of whatever the user composed: source code, financial models, customer data, internal documents, PHI. The prompt is HTTPS POST traffic to the provider's API. Once the request lands at the model, the data has left the regulated environment.

Three properties make AI traffic a high-value target. The data leaves in plain text inside an authenticated TLS session, so network DLP cannot inspect it. The traffic is one-shot in the exfiltration direction; there is no caching layer to scrub or reverse. The cost per incident reflects the data category that AI users tend to paste; IBM Cost of Data Breach found shadow AI breaches cost $670,000 more than the all-breach median.

For an attacker who has compromised an authenticated session, the path to data exfiltration is now a single API call. The 22-second handoff window applies inside the enterprise the same way it applies between threat groups.

How most organizations handle AI traffic today

Most enterprise AI deployments operate on a detect-then-respond posture. The model API call is made, the application emits a log, the log lands in a SIEM, a detection rule fires if the prompt content matches a pattern, an analyst triages the alert. The cycle time is measured in minutes at best.

This architecture works for many traditional security problems. For AI traffic it has three structural failures.

The prompt has already left

By the time the SIEM rule fires, the prompt has reached the model. The model has processed the content. The provider's logs have a copy. The model may have learned from it on a fine-tune path that the deployer does not control. The detection is forensic, not preventive.

The log may not have the prompt

Application-emitted logs frequently redact prompt content for privacy, log only metadata to control volume, or fail to capture the prompt under load. The SIEM sees what the application reported, not what the application sent to the model. The gap between the two is uncontrolled.

The triage queue does not run at machine speed

An analyst triages alerts at human cadence, between three minutes and three hours per alert depending on complexity and volume. Mandiant's 22-second median attacker handoff outpaces every human triage workflow ever designed.

What enforcement at machine speed requires

Inline enforcement evaluates the request before the model sees it and the response before the user sees it. The decision is deterministic policy evaluation, not probabilistic guardrail behavior. The math has to work out at production load.

Sub-50ms overhead at p99

Enforcement overhead measured at production AI workloads averages under 50 milliseconds at the p99 tail. LLM inference latency averages 500 milliseconds to 5 seconds depending on the model and the prompt. The enforcement overhead is invisible relative to the model's response time. The user experience is identical to the unenforced path.

Fail closed on policy ambiguity

On ambiguity, the enforcement layer defaults to deny rather than allow. The cost of a denied legitimate request is a retry or a policy review. The cost of an allowed exfiltrating request is the breach cost. The math favors fail-closed.

Identity context at the request layer

The request carries verified identity context. The service credential identifies the application; the identity context identifies the principal acting through the application. Policy decisions depend on both. Without identity context, policy is reduced to allow-list-or-block-list operation, which fails at scale.

Per-decision audit record

Every decision produces a signed audit record bound to identity, classification, policy version, and outcome. The record is written by the enforcement layer. The record survives application crash, log redaction, and SIEM forwarding failures. The record is the system of truth for the AI decision.

Why log-and-alert is structurally insufficient

Detection-based architectures are valuable for cross-environment correlation, investigation, and reporting. They are not a prevention layer for AI traffic. Three architectural realities:

A blocked request never reaches the model. A blocked response never reaches the user. The enforcement decision is made at the AI request boundary, in line, before the data leaves the regulated environment.

A log-and-alert pipeline runs after the data has left. The alert may fire in three minutes, the analyst may triage in twenty, the containment may execute in two hours. The data has been in the model's possession for hours.

A SIEM rule that detects pattern X in AI prompts is operating on the application's log of the AI prompt. If the application logged a redacted version, the SIEM detects on redacted text. If the application failed to log, the SIEM detects nothing. The SIEM is downstream of the source of truth.

Regulatory framing

EU AI Act Article 12 requires automatic logging over the lifetime of high-risk AI systems. Article 19 sets the retention floor at six months and requires identity context in the log. Article 99 sets the high-risk penalty tier at €15 million or 3% of global annual turnover. The August 2, 2026 deadline applies. A log produced by the application that consumed the AI response is the application attesting to its own behavior, which is the self-attestation problem regulators routinely reject in other regulated industries.

NIST's AI agent identity and authorization framework splits agent security into three pillars. Pillar 2 is delegated authority, evaluated per request. Pillar 3 is action lineage, recorded per decision. Both live in the enforcement layer, not the application.

Fannie Mae Lender Letter LL-2026-04 requires disclosure on demand for AI used in mortgage origination. Disclosure on demand requires a record produced by the policy decision point.

DeepInspect

This is the gap DeepInspect closes. DeepInspect sits at the AI request boundary as a stateless proxy between authenticated users or agents and LLMs. Every request is evaluated against identity, role, prompt-level classification, and policy version before the request reaches the model. The enforcement decision is deterministic. The overhead at production load runs under 50 ms at p99. The audit record is signed, identity-bound, and written by DeepInspect rather than by the application.

DeepInspect is model-agnostic. The same enforcement layer covers OpenAI, Anthropic, Bedrock, Azure OpenAI, Vertex, and self-hosted endpoints. The pattern that survives Mandiant's 22-second handoff window is the same pattern that satisfies Article 12 record-keeping. The architecture pays off twice.

How exposed is your AI? Take the 3-minute readiness check.