Penetration testing for AI-enabled systems requires a fundamental shift in approach, moving beyond traditional exploit-based evaluations to consider behavioral objective violations. Adversaries can manipulate AI systems by influencing inputs such as prompts, training data, and sensor inputs, rather than simply exploiting software vulnerabilities. This new paradigm acknowledges that AI-enabled systems can be compromised through subtle manipulations that violate their intended behavioral objectives, rather than just exploiting traditional weaknesses. Researchers argue that the existing penetration testing framework is no longer sufficient for AI-enabled systems, as it focuses primarily on resource compromise rather than behavioral manipulation1. The implications of this shift are significant, as it requires testers to rethink their approach to evaluating the security of AI-enabled systems. So what matters to practitioners is that they must adapt their testing methodologies to account for the unique vulnerabilities of AI systems, or risk overlooking critical security flaws.