What is the difference between AI safety and AI security?

These two terms get mixed in headlines and even inside companies, which makes the job market confusing for candidates. The clearest framing is that AI safety asks whether the model does what its developers intended (alignment, refusal of harmful requests, robustness under unusual inputs, honest reporting of capabilities), and AI security asks whether the model and its surrounding system can withstand an adversary who wants to make it do something else (prompt injection, jailbreak, training-data poisoning, model extraction). Both are growing fields; both pay above general engineering peers.

AI safety draws from machine learning research. The work is alignment training (RLHF per Ouyang et al. 2022, DPO per Rafailov et al. 2023, constitutional methods per Bai et al. 2022), evaluation against safety policies, capability elicitation red teaming, interpretability research (Anthropic's circuit-tracing work and Neel Nanda's published material), behavioral and capability evaluations (HELM, MMLU, ARC, MATH, Big-Bench), and the broader question of whether a more capable model can still be trusted in deployment. Frontier labs (OpenAI, Anthropic, Google DeepMind, Meta FAIR), academic groups (MILA, Berkeley CHAI, Oxford GovAI), and policy research organizations (RAND, GovAI, CSET) hire most of the AI safety roles.

AI security draws from cybersecurity practice. The work is protecting model weights (often hundreds of GBs of sensitive IP), securing inference endpoints, defending against prompt injection in retrieval and tool use, monitoring for model extraction, hardening training pipelines against poisoning, securing the supply chain of model artifacts and training data, and applying classic access control to the AI stack. Enterprises shipping AI features, cloud platforms (AWS, Azure, GCP), AI security vendors (Robust Intelligence, HiddenLayer, Lakera, Adversa AI, Protect AI), and traditional security vendors expanding into AI (Wiz AI Security, CrowdStrike Charlotte AI security, Palo Alto Prisma AIRS) hire most of the AI security roles.

There is real overlap. A prompt injection attack that exfiltrates user data is both an AI safety failure (the model behaved against developer intent) and an AI security failure (an adversary compromised the system). Many roles named AI Safety Engineer and AI Security Engineer share day-to-day work, especially at smaller organizations. The titles often signal where the role sits organizationally (Research org versus Engineering org versus Trust and Safety versus Security) rather than what the work is.

Frameworks and references differ but increasingly converge. AI safety leans on NIST AI RMF (NIST AI 100-1 plus 100-2 plus 600-1), the EU AI Act (which entered force August 2024), Anthropic's Responsible Scaling Policy, OpenAI's Preparedness Framework, the ISO/IEC 42001 AI Management System standard, and the published research from major safety teams. AI security leans on MITRE ATLAS (the AI-focused counterpart to MITRE ATT&CK), OWASP LLM Top 10 (v1.1 October 2023 with v1.5 in development), the CISA Joint Guidance on Secure AI System Development, and existing cybersecurity frameworks (NIST CSF 2.0, ISO 27001) adapted for AI workloads.

Compensation patterns differ slightly. AI safety roles concentrate at frontier labs and pay top-of-market: per Levels.fyi April 2026 data, frontier-lab AI Safety Researcher total compensation runs $400,000 to $800,000 plus for early-career and exceeds $1.5M for senior researchers, but the seats are scarce and the candidate filter is heavy on research credentials. AI security roles spread across more employers, pay competitively above general security engineering ($250,000 to $500,000 typical at large tech employers per Levels.fyi April 2026), and rely more on cybersecurity portfolio than research publications. Cybersecurity professionals transitioning into the convergence area find AI security a faster path; AI engineers transitioning find AI safety operations a more accessible entry than AI safety research.

Background fit matters when choosing. If you come from cybersecurity, AI security maps directly. The prompt injection, model extraction, and supply chain risks all rhyme with attacks you already understand. If you come from machine learning research or AI engineering with strong evaluation experience, AI safety maps better. The training and evaluation methodology overlaps with what you already do. If you come from policy, law, or audit, AI Governance (which spans both) is the natural target with IAPP AIGP as the credential signal.

Both disciplines are growing. Per BLS Employment Projections 2024, information security analyst employment (SOC code 15-1212) is projected to grow 33 percent from 2024 to 2034, which captures most of the AI security side. AI safety as a standalone job category is too new for BLS to track separately, but frontier-lab hiring patterns, government attention (UK AI Safety Institute, US AI Safety Institute under NIST, similar bodies in Japan, France, Singapore), and the EU AI Act's high-risk system obligations from August 2026 all suggest accelerating demand. NIST AI 100-1 and the EU AI Act both create regulatory pull for both disciplines.

If you want to work at the intersection, target the convergence roles directly: AI Safety Engineer, AI Red Team Engineer, AI Security Engineer, AI Governance Lead, Prompt Injection Defense Specialist, AI Evaluation Engineer, AI Threat Intelligence Analyst, AI-Powered SOC Analyst. DecipherU's Cybersecurity for AI area covers all 15 of these roles in detail, including the credential bridges from cybersecurity into each role family, sub-track compensation, and the public portfolio strategies that produce convergence-role interviews.