Q2 2024 exposed a pattern: large-scale automated credential attacks hit authentication endpoints using AI-generated inputs. Specific volumes are not confirmed. The attacks succeeded - not because of model sophistication, but because the systems lacked identity control enforcement at the authentication boundary. The targeted systems accepted every request in isolation. No rate limiting. No session state validation. No correlation to prior behaviour. Each request landed as if it were the first. Anomaly detection did not trigger - the system had no basis for distinguishing the thousandth request from the first. This is not an AI problem. This is trust boundary collapse. The mechanism is consistent: when a system processes external input without verifying identity, intent, and context at the boundary, it will fail against any sustained campaign - manual or automated. AI changes the throughput, not the attack surface. The surface was already open.…