AI Security · May 14, 2026 · 8 min read

The Cost Curve of Defending AI Systems

Model providers optimize for the marginal cost of a token. Attackers optimize for the marginal cost of a successful prompt. These curves are not moving in the defender's favor. We look at why securing AI systems behaves less like traditional software security and more like fraud prevention, where cost scales with adversarial creativity rather than with users, and what that means for the margins of companies building in this category.

In traditional software security, the defender's costs are largely fixed. You write the input validation once, you patch the vulnerability once, and the marginal cost of defending the ten-thousandth request is effectively zero. That property is what made security a tractable engineering discipline: bounded surface, deterministic behavior, and defenses that amortize across every user.

AI systems break that assumption. The attack surface is the space of natural language, which is unbounded, and the system's behavior is probabilistic rather than deterministic. There is no single input to validate and no single patch that closes the class. Every new jailbreak, every novel prompt-injection payload, is a fresh probe against a model that will respond a little differently each time. The defender is no longer amortizing a fixed cost across users; they are paying, over and over, to keep up with adversarial creativity.

That is why securing AI looks less like application security and more like fraud prevention. Fraud teams never 'finish.' They run continuous detection, they retrain on new patterns weekly, and they accept that the adversary adapts as fast as they do. The economics are defined by an ongoing arms race, not by a one-time hardening. Companies building AI security should expect the same shape: recurring model and rule updates, human-in-the-loop review for the long tail, and a cost structure that scales with the sophistication of attackers rather than with the number of customers.

For founders, the strategic implication is about where the durable margin sits. It is not in any single detection — those decay. It is in the data flywheel and the response loop: the proprietary corpus of real attacks, the speed of turning a novel exploit into a shipped defense, and the tooling that lets a small team supervise a large volume of adversarial traffic. We look for teams who understand that they are underwriting an ongoing process, and who have built the machinery to make that process cheaper every quarter.

The views above are those of Sentinel Ventures and are for informational purposes only — not investment, legal, or tax advice.
