Five intelligence agencies told you the offensive AI threat is months out, not years. The same week, OpenAI shipped a cyber model that finds and patches bugs at machine speed, Anthropic’s two best models sat dark for the thirteenth straight day under a government order, and a startup raised $30 million to babysit the AI agents already loose in your environment. The common thread across this week’s musings is the gap between a capability landing and that capability hurting you has collapsed. Governments now react in days, vendors react in hours, and your governance program still reacts in quarters.

This week handed CISOs a rare gift: clarity. The intelligence community said the quiet part out loud, the labs proved both sides of the dual-use coin in one news cycle, and researchers showed the medical AI you trust to read a scan will expose the patients it trained on. The people telling you to slow down and the people telling you to go faster are now describing the same threat model, and it moved while you were writing policy. Here is what happened between June 19 and June 25, and what you do about it.

1. Five Eyes Tells CISOs the AI Cyber Threat Is Months Away, Not Years

On June 23, the cyber agencies of the United States, United Kingdom, Canada, Australia, and New Zealand issued a rare joint statement warning that frontier AI will reshape offensive hacking on a timeline measured in months, not years (CISA). The statement carried signatures from NSA Cybersecurity Directorate head David Imbordino and acting CISA Director Nick Andersen, and urged leaders to assess cyber risk, prioritize foundational controls, empower cyber leaders, and stay engaged (CyberScoop). It landed days after Washington forced Anthropic to suspend its most capable models, which suggests the alarm connects to something the agencies already saw.

Why it matters

• A coordinated Five Eyes statement is not routine. These agencies rarely co-sign a public warning unless the risk is real and near.

• “Months, not years” repudiates every roadmap that assumed you had until 2028 to harden against AI-accelerated attacks.

• The recommendations are deliberately boring, which means the agencies think most organizations still fail at fundamentals.

What to do about it

• Benchmark your patch SLA against CISA’s three-day mandate for high-risk flaws.

• Map which crown-jewel systems fall first to an attacker who finds and chains vulnerabilities at machine speed.

• Brief your board with the actual statement, so the urgency comes from five governments rather than your slide deck.

Rock’s Musings

Most government advisories read like a committee trying not to get blamed. This one is different. When the NSA and four allied agencies put their names on “months, not years,” they spend credibility they normally hoard, which tells me this is driven by classified testing they cannot show you. My worry is how it lands. Every vendor will now sell you an “AI threat” product on the back of this statement, and most solve nothing the agencies flagged. If you walk out of this week having bought a shiny detection tool instead of fixing your patch pipeline, you misread the memo.

2. OpenAI Ships GPT-5.5-Cyber and Proves the Dual-Use Argument in Real Time

On June 22, OpenAI expanded its Daybreak initiative with the full release of GPT-5.5-Cyber, a Codex Security plugin that builds vulnerability scanning into developer workflows, and a “Patch the Planet” program for open-source projects (OpenAI). GPT-5.5-Cyber scored 85.6% on CyberGym, OpenAI’s benchmark for reproducing known vulnerabilities, which the company called its highest single-model score (SiliconANGLE). Patch the Planet launched with Trail of Bits, HackerOne, and more than 30 projects including cURL, Go, and Python, framed around moving from finding bugs to shipping verified fixes.

Why it matters

• The capability that patches vulnerabilities for defenders finds them just as well for attackers, and OpenAI shipped its version the same week Anthropic’s got banned.

• Automated patch generation at this quality shifts the bottleneck from discovery to validation and deployment.

• The security of cURL or Python could soon depend on AI-generated fixes that maintainers have to trust.

What to do about it

• Test AI-assisted patch tooling in a sandbox against your own code, and measure the false-fix rate, not the discovery rate.

• Require human review of any AI-generated patch touching authentication, cryptography, or data handling.

• Track which dependencies join programs like Patch the Planet, and revisit your software bill of materials.

Rock’s Musings

The timing is almost too perfect. Washington banned Anthropic’s Mythos for finding vulnerabilities, and three days later, OpenAI shipped a model that does the same thing and called it a public service. The capability is dual-use down to the silicon, and you cannot ban one side without losing the other. What worries me is the verification gap. When an AI proposes a patch to cURL, and the maintainer is a volunteer with a day job, the review meant to catch a subtle regression may not happen, and you inherited a class of supply chain risk nobody has priced yet. I write more about dual-use AI risk at RockCyber.

3. Anthropic’s Best Models Hit Day 13 of a Government-Ordered Blackout

As of June 25th, Anthropic’s Fable 5 and Mythos 5 remained fully offline for every user on earth, with staff confirming zero traffic nearly two weeks after a US export-control directive forced the shutdown (Fortune). The Bureau of Industry and Security ordered the suspension because the directive barred any foreign national, including Anthropic’s own non-citizen employees, and the company could not screen by nationality. During a June 11 Senate hearing, Sen. Mark Warner, vice chair of the Intelligence Committee, said Gen. Joshua Rudd, who leads the NSA and U.S. Cyber Command, had told him Mythos "broke into almost all of our classified systems, not in weeks but in hours." A U.S. official later told the Associated Press the model identified vulnerabilities within hours during an authorized testing exercise, while cautioning that finding the flaws did not mean the model could exploit them in that window (CNBC/AP)

Why it matters

• This is the first time the US applied export controls directly to an AI model rather than to chips, setting a precedent every frontier lab now plans around.

• A model can be revenue-generating one day and a controlled item the next, turning availability into a supply chain risk you cannot contract away.

• Nationality-based controls hit Anthropic’s own foreign-national employees, exposing how blunt the mechanism becomes against software anyone can call.

What to do about it

• Inventory every business process that depends on a single frontier model, and document a fallback to a second provider.

• Add “model could be pulled by government order” to your vendor risk register for any AI capability in a critical workflow.

• If you operate across borders, get ahead of how nationality-based access rules would apply to your own staff.

Rock’s Musings

What I care about is the precedent, not the panic. Banning a model for all foreign nationals, including your own employees, is the policy equivalent of swinging a sledgehammer at a fly that has already left the room. More than 120 cybersecurity professionals, including names from Nvidia and Google, signed a letter arguing the capability is far from unique and that pulling the best defensive tool while adversaries keep building theirs is a net loss. Both things can be true. The model is dangerous, and the ban probably hurts defenders more than the adversaries it targets. The deeper problem is durability. A model that anchors a critical workflow can vanish overnight under a government order, leaving you with no recourse and no notice. If you run anything important on a frontier model, the rug can now get pulled by a government, not only by a vendor.

4. Researchers Show Medical AI Will Expose the Patients It Trained On

On June 24, Nature published research by German scientists showing that AI models used to diagnose medical conditions are highly vulnerable to membership inference attacks, in which an adversary queries a model to determine whether a specific person’s data was in its training set (The Register). Across many medical datasets, the attacks achieved near-perfect success rates for individual patients even when aggregate model behavior appeared to be random guessing. Risk climbed with model capacity, and underrepresented groups faced disproportionate exposure, since confirming a patient’s data was used as a direct proxy for their diagnosis.

Why it matters

• Membership inference turns a deployed diagnostic model into a privacy leak that reveals sensitive medical facts about a named person.

• The disparate impact on underrepresented groups means the harm is uneven, raising ethical and regulatory exposure.

• Aggregate privacy metrics hid the risk entirely, so teams that checked average privacy measured the wrong thing.

What to do about it

• Assess any sensitive-domain model for membership inference at the individual level, not at the aggregate level, before deployment.

• Gate diagnostic models behind authentication and rate limiting to block the query volume these attacks need.

• Where a model trains on a narrow sensitive cohort, treat membership inference as a reportable risk and apply differential privacy.

Rock’s Musings

This one bothers me more than the flashy stuff, because it hits a system everyone assumes is safe. A radiology model that helps a doctor read a scan feels benign, and nobody in the procurement meeting asked whether it would betray the patients in its training data. The people most exposed are the ones already underrepresented in the data, so this is a fairness problem wearing a privacy problem’s clothes. The detail that should change your behavior is the aggregate-versus-individual gap, because the model can look perfectly private on average while leaking specific patients with near-perfect reliability. I have seen this in security, where the dashboard is green and the breach is already underway. Healthcare AI buyers need membership inference testing on the checklist now.

5. Mini Shai-Hulud Resurfaces and Camps Inside Your AI Coding Agent

On June 19, the self-propagating supply chain worm Mini Shai-Hulud resurfaced in a fresh wave, with researchers tracking over 1,600 exfiltration repositories across 21 compromised GitHub accounts (StepSecurity). The worm steals credentials from one CI/CD pipeline, enumerates every package that the maintainer controls, and publishes infected versions of each. Its payload reads GitHub Actions runner memory to extract secrets, harvests credentials from more than 100 file paths, installs persistence hooks in Claude Code and VS Code that survive reboots, and exfiltrates through legitimate channels like GitHub’s own GraphQL API using branch names drawn from the Dune universe (Akamai).

Why it matters

• The worm plants persistence inside AI coding assistants, so your developer’s agent becomes a re-infection vector that survives a clean package rollback.

• It exfiltrates through GitHub’s own infrastructure, so detection that trusts GitHub by default will miss it.

• A self-propagating credential thief turns one compromised developer into a fan-out event across the open-source ecosystem.

What to do about it

• Audit your CI/CD runners for the persistence hooks this worm installs in Claude Code and VS Code, since a rollback does not remove them.

• Rotate any credential that touched a build pipeline in the window, and assume secrets in runner memory were harvested.

• Treat AI coding agents as privileged software with secret access, and scope their permissions instead of trusting them.

Rock’s Musings

The Dune branch names are a nice touch, and I would almost respect the craftsmanship if it were not stealing everyone’s secrets. What matters is the architectural lesson. This worm figured out that the AI coding assistant in every developer’s environment is a perfect place to hide, because we collectively decided to trust those tools with deep access and almost no scrutiny. Your agent can read your secrets, write to your repos, and survive a reboot. That is not a productivity tool, that is a privileged service account with a friendly chat interface, and the worm needs no novel exploit because it uses the access we already handed the agent. If you cannot answer what secrets your AI tools reach and what persists after a wipe, you have a gap this worm was built to walk through. I dig into agent permission models at RockCyber Musings.

6. New Report Finds 76% of Organizations Have Already Pulled Back AI Behavior in Production

On June 24, Aikido Security published its 2026 State of AI in Security and Development report, drawing on responses from 450 security leaders, developers, and AppSec engineers across Europe and the US (Help Net Security). The headline number is the one that should stop you. 76% of organizations had to stop, restrict, or roll back AI-driven behavior in the past 12 months, which means the gap between deploying AI and trusting it is now a measured operational fact, not a worry. Another 71% said AI or automation made a security issue harder to detect, investigate, or fix. Only about a third of security teams hold both the authority to stop a release and the responsibility when something goes wrong.

Why it matters

• A 76% rollback rate means AI is shipping into production faster than teams can validate it, and the correction is happening after deployment instead of before.

• The 71% who say AI made incidents harder to investigate points to a detection and forensics gap that grows as AI touches more of the stack.

• The authority-responsibility split, where only a third of teams hold both, is a governance failure that guarantees nobody owns the decision to hit the brakes.

What to do about it

• Measure your own rollback rate for AI-driven features over the past year, because if you are near the 76% average you have a validation problem, not a tooling problem.

• Close the authority-responsibility gap by naming who can stop a release and making that same person accountable for the outcome.

• Shift AI security testing from periodic and manual to continuous, because the report’s core finding is that slower validation cannot keep pace with AI-accelerated development.

Rock’s Musings

I trust survey numbers about as far as I can throw them, so I read past the headline to the question underneath, and this one holds up. Three-quarters of organizations had to yank AI behavior back out of production after they shipped it. That is not a story about bad tools; it is a story about deploying first and validating never, then discovering the problem in production, where it costs the most to fix. The number that actually worries me is the authority-responsibility split. When only a third of security teams can both stop a release and own the consequences, you have built an organization where the person who sees the risk cannot pull the brake, and the person who can pull the brake does not feel the burn. That is how you end up explaining a rollback to your board instead of preventing one. The fix is unglamorous and organizational, not technical. Decide who owns the kill decision, give that person real authority, and make them accountable for the call, because a control nobody is empowered to use is theater. Read the survey, find your own rollback rate, and if it is anywhere near 76%, the problem is your release gate, not your model.

7. Researchers Name the AI Safety Risk Nobody Is Measuring: Affective Harm

On June 22, researchers posted a paper to arXiv proposing “affective safety” as a distinct and underdeveloped class of AI safety concern, arguing the field has concentrated on epistemic and physical harms like misinformation and reliability while ignoring the risks that arise when AI engages with human emotional life (arXiv). The authors build a taxonomy of affective harms that includes affective self-alienation, fairness and bias harms in emotional contexts, and relational harms. Their argument is that as AI grows more emotionally engaging and embedded in people’s relationships, the harms from that engagement are real, measurable, and falling through the cracks of every existing safety framework.

Why it matters

• Affective harm is a category most enterprise AI risk frameworks lack a row for, which means it is unmeasured and ungoverned in deployed systems.

• As companies deploy emotionally engaging AI in customer service, mental health, and HR, the relational harms this paper names become live liability questions.

• A named taxonomy is the first step toward regulation, because regulators cannot enforce against harms the field has not defined.

What to do about it

• If you deploy AI in any emotionally sensitive context like wellness or coaching, start assessing affective harm rather than waiting for a compliance line.

• Add relational and emotional-impact questions to your AI impact assessments, especially for systems that interact with vulnerable users.

• Track this research thread, because the gap between “academics named it” and “regulators require it” keeps shrinking.

Rock’s Musings

I almost cut this one because it is academic, early, and easy to wave off as soft. Then I thought about how many companies are racing to deploy emotionally engaging AI into support, wellness, and mental health with zero framework for measuring whether that engagement harms anyone. That is a governance gap you can drive a truck through, and this paper outlines it. The honest uncertainty is that I do not yet know how large the affective harm risk is, and neither does anyone else, because nobody has been measuring it. The pattern in AI risk is consistent. A harm gets named in a paper, dismissed as theoretical, then shows up as a lawsuit eighteen months later while everyone acts surprised, the way membership inference and prompt injection both did. If you deploy AI that engages people emotionally, start thinking about this while it is cheap to address.

8. OpenAI’s Codex Was Quietly Burning Out Developers’ SSDs

On June 22 and 23, reports surfaced that OpenAI’s Codex coding agent had been writing roughly 640 terabytes per year to users’ solid-state drives through a flawed local logging implementation, consuming drive endurance fast enough to threaten hardware lifespans (The Register). One developer measured about 37 TB written in 21 days of uptime, and analysts estimated the bug plausibly burned low single-digit millions of dollars of SSD endurance across users during the March-to-June window. The diagnostic logging ran on by default and stayed on the device, with most users unaware it existed.

Why it matters

• A coding agent silently degrading hardware shows that AI tools run with deep system access and their defaults can cause real, costly harm with no malice involved.

• Default-on logging that nobody reviewed is the same pattern attackers exploit, where excessive privilege and silent background activity go unnoticed for months.

• The financial damage was real and distributed, raising questions about liability when a vendor’s default wears out your hardware.

What to do about it

• Audit what your AI developer tools write to local disk and whether diagnostic logging is on by default.

• Treat AI agent defaults as a security and cost decision, and disable background telemetry you did not consent to.

• Add AI tooling to endpoint monitoring so silent high-volume disk or network activity triggers an alert.

Rock’s Musings

Nobody got hacked here, and that is exactly why I included it. This is the mundane face of the agent access problem. We hand these tools deep access, they run with defaults we never inspected, and the cost shows up months later as worn-out hardware nobody accounted for. Swap “burns your SSD” for “exfiltrates your secrets” and you have the Mini Shai-Hulud story from earlier in this same newsletter, same root cause, different symptom. The lesson is not that Codex is evil, it is sloppy, and sloppy is the more common threat. If you are not monitoring what your AI tools do on the endpoint, you are trusting a vendor’s default to be both benign and competent, and this week proved you cannot count on either.

9. A New Open-Source CLI Sniffs Out Stale AI Dependency Advice Before It Bites

On June 23, The Register reported on a new open-source command-line tool built to detect stale AI-generated override advice in dependency management (The Register). AI coding assistants routinely tell developers to add override entries to silence transitive dependency vulnerabilities, then never tell the developer to verify whether that override still makes sense once the underlying package updates. Over time those overrides pile up as invisible technical debt that can mask a real vulnerability or pin a dependency to a broken state, and the CLI flags stale entries so teams can review them instead of trusting advice that expired months ago.

Why it matters

• AI assistants give point-in-time advice that ages badly, and dependency overrides are a place where stale advice silently reintroduces risk.

• An override added to suppress a vulnerability warning can outlive the reason it was added, masking a real flaw behind an AI-suggested workaround.

• The tooling response shows the community building guardrails specifically for the failure modes of AI-assisted development.

What to do about it

• Run a dependency-override audit and flag every entry an AI assistant suggested without an expiry or review date.

• Add a recurring review of override entries to your dependency hygiene process, because AI advice does not refresh itself.

• Tell developers that an AI suggestion to suppress a vulnerability warning requires follow-up verification, not a fire-and-forget commit.

Rock’s Musings

This is small, and I love it, because it attacks a real failure mode instead of a hypothetical one. AI assistants are confident, fast, and frozen in time. They give you advice that was correct the moment they gave it, then walk away, and so does the developer who took it. Six months later you have an override masking a vulnerability that got patched upstream, and nobody knows it is there. AI-assisted development creates a new category of debt, which is advice debt, where every suggestion is a tiny unverified assumption baked into your codebase. Most are harmless, some rot, and a tool that surfaces the rotten ones is unglamorous engineering that moves the needle. It is open source, so there is no excuse not to look.

10. OpenAI's Patch the Planet Puts AI-Authored Fixes Into the Open-Source Code You Already Depend On

On June 22, alongside the GPT-5.5-Cyber launch, OpenAI introduced Patch the Planet, a program to find and fix vulnerabilities in widely used open-source software using AI, founded with Trail of Bits and run in collaboration with HackerOne and project maintainers (OpenAI). More than 30 open-source projects are committed to participating, including cURL, Go, Python, Sigstore, and pyca/cryptography. The program shifts AI security work from finding bugs to submitting fixes, meaning AI-authored patches start flowing into the foundational libraries that underlie most of the software your organization runs. OpenAI framed it as helping under-resourced maintainers move from findings to fixes faster (SiliconANGLE).

Why it matters

• AI-authored patches entering cURL, Go, and Python means the security of your dependency tree now partly rests on fixes a model wrote and a volunteer reviewed.

• A confident wrong fix to a cryptography library is more dangerous than an open vulnerability, because it ships with the authority of a merged patch.

• The liability and ownership question is unsettled, since nobody has defined who answers for an AI-generated fix that introduces a regression downstream.

What to do about it

• Track which of your critical open-source dependencies participate in AI-assisted patch programs, and treat that as a new input to your software bill of materials.

• Do not assume a merged upstream patch was human-authored or human-reviewed to the depth you would require internally.

• Add provenance questions to your dependency review, specifically whether a fix in a security-critical library was AI-generated and who validated it.

Rock’s Musings

I want this to work, because under-resourced open-source maintainers are one of the quiet structural risks in everything we build, and throwing capable help at cURL or pyca/cryptography is a defensible idea. The part that keeps me up is the review step nobody wants to fund. The whole model assumes a maintainer carefully checks each AI-authored patch before it merges, and in the real world that maintainer is often one tired volunteer with a day job and an inbox full of issues. An AI that submits a plausible-looking fix to a cryptography library is not a gift if the person on the other end cannot afford the time to verify it line by line. We have spent years learning that subtle bugs in foundational libraries cause the worst incidents, and now we are pointing automated patch generation straight at those libraries. That is either a major win or a new and quiet class of supply chain risk, and which one it becomes depends entirely on review capacity that no program has actually funded yet. Watch this closely, and do not assume an upstream fix is safe just because it merged.

The One Thing You Won’t Hear About But You Need To

11. The UK Quietly Flipped Automated Decision-Making From Banned to Allowed

The headlines focused on the Five Eyes statement and the Anthropic ban, but the move that reshapes how AI is deployed across the entire G7 economy slipped through almost unnoticed. On June 19, the UK’s Data (Use and Access) Act 2026 received Royal Assent, bringing into force a substantial rewrite of the regulation of automated decision-making (ICO). The Act replaces the old Article 22 regime, under which automated decisions with significant effects were largely prohibited, with a model in which such decisions are permitted by default, subject to appropriate safeguards, while restrictions are narrowed to special category data such as health or biometrics. Organizations can now lean on a wider range of lawful bases, and the ICO has started work on a statutory code of practice for AI with a mandatory children’s data component.

Why it matters

• The default flipped from prohibition to permission, a major liberalization that makes automated decision-making on UK subjects easier at scale.

• The burden shifts from “can we do this at all” to “can we prove our safeguards work,” which is a higher bar than most teams meet.

• The carve-out for special category data and children means the highest-risk decisions still carry the heaviest obligations, and that is where enforcement concentrates.

What to do about it

• Revisit your lawful basis for automated decisions about UK individuals, since legitimate interests is newly available but requires a documented balancing test.

• Build the safeguard evidence the new regime demands, including meaningful human review and clear individual rights.

• Watch for the ICO’s statutory code and treat the children’s data component as a hard line.

Rock’s Musings

I made this the one thing because almost nobody in security will read it, and that is the mistake. A G7 country just made it materially easier to run AI-driven decisions on its citizens, and it did so while everyone was staring at the Anthropic ban. The UK bet that the old prohibition held back legitimate use and that safeguards plus accountability beat a flat ban. The question is whether the safeguards have teeth or whether “permission with safeguards” quietly becomes “permission.” For anyone running automated decisioning in the UK, you are no longer asking whether you are allowed; you are on the hook to prove your safeguards are real and your human review is meaningful. That is harder, not easier, even though the headline sounds permissive, because vague standards are where regulators and plaintiffs go hunting after something breaks. Read the law before your product team reads the press release and assumes the gates just came down.

👉 For ongoing analysis of agentic AI governance frameworks, the conversation continues at RockCyber Musings.

👉 Visit RockCyber.com to learn more about how we can help with your traditional Cybersecurity and AI Security and Governance journey.

👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com

👉 As a bonus, check out my conversation with AI Cyber Magazine, where we talked about everything from Context Rot to Least Agency. My interview is also highlighted in the AI Cyber Magazine 2026 Summer Issue.

The views and opinions expressed in RockCyber Musings are my own and do not represent the positions of my employer or any organization I’m affiliated with.

Share RockCyber Musings

References

Aikido Security. (2026, June 24). 2026 state of AI in security and development. https://www.aikido.dev/reports/2026-state-of-ai-in-security-development

CISA. (2026, June 23). Five Eyes cyber security agencies statement. Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/news-events/news/five-eyes-cyber-security-agencies-statement

CISA. (2026, June 10). BOD 26-04: Prioritizing security updates based on risk. Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk

CyberScoop. (2026, June 23). Intel agencies: Frontier AI models will reshape cybersecurity faster than expected. https://cyberscoop.com/five-eyes-alliance-say-advanced-ai-hacking-models-months-away/

CNBC/AP. (2026, June 23). Anthropic’s Mythos model found vulnerabilities in classified U.S. government systems, official says. https://www.cnbc.com/2026/06/23/anthropics-mythos-model-found-vulnerabilities-in-classified-us-government-systems-official-says.html

Fortune. (2026, June 24). Vinod Khosla wanted ‘every available dollar’ of Runlayer’s funding round. It just raised $30 million to govern the agent workforce. https://fortune.com/2026/06/24/exclusive-vinod-khosla-felicis-runlayer-nanit-30-million-enterprise-ai/

Fortune. (2026, June 13). Anthropic disables Fable and Mythos AI models after U.S. government bars it from giving foreigners access. https://fortune.com/2026/06/13/anthropic-disables-fable-mythos-export-controls-national-security-threat/

Help Net Security. (2026, June 24). Security testing was built for a slower world. https://www.helpnetsecurity.com/2026/06/24/ai-security-testing-report/

ICO. (2026, June 19). One year on: marking the 12-month commencement of the Data (Use and Access) Act. Information Commissioner’s Office. https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/06/one-year-on-marking-the-12-month-commencement-of-the-data-use-and-access-act/

Nature / The Register. (2026, June 24). Medical diagnosis AIs can be tricked into telling whose data trained them. The Register. https://www.theregister.com/ai-and-ml/2026/06/24/medical-diagnosis-ais-can-be-tricked-into-telling-whose-data-trained-them/

Nature. (2026, June 24). Disparate privacy risks from medical AI. https://www.nature.com/articles/s41586-026-10688-0

OpenAI. (2026, June 22). Daybreak: Tools for securing every organization in the world. https://openai.com/index/daybreak-securing-the-world/

SiliconANGLE. (2026, June 22). OpenAI expands Daybreak with Patch the Planet and full GPT-5.5-Cyber release. https://siliconangle.com/2026/06/22/openai-expands-daybreak-patch-planet-full-gpt-5-5-cyber-release/

StepSecurity. (2026, June). Mini Shai-Hulud is back: A self-spreading supply chain attack compromises TanStack npm packages. https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem

The Register. (2026, June 23). OpenAI Codex bombards SSDs with needless write operations, costing millions. https://www.theregister.com/ai-and-ml/2026/06/23/openai-codex-bombards-ssds-with-needless-write-operations-costing-millions/

The Register. (2026, June 23). Sniff out stale AI override advice with this open source CLI. https://www.theregister.com/security/2026/06/23/sniff-out-stale-ai-override-advice-with-this-open-source-cli/

Ifländer, C., et al. (2026, June 22). Affective AI safety: The missing piece in LLM safety. arXiv. https://arxiv.org/abs/2606.23380

SecurityWeek. (2026, June 25). Runlayer raises $30 million in Series A funding. https://www.securityweek.com/runlayer-raises-30-million-in-series-a-funding/

Federal AI model recall became a thing at 5:21 pm Eastern on June 12, 2026. A letter landed, and by the next morning, two of the most capable models on earth went dark for every paying customer on the planet. No warning. No reason worth the paper it wasn’t printed on. The capability didn’t change. Your access did by government fiat. Here’s what should make you furious, and what to do about it before it happens again.

Share

What Happened, And What Everyone Got Wrong

The press called it a recall. The press got it wrong. Read the order. The government issued an export-control directive, citing national-security authorities, to cut off access to Fable 5 and Mythos 5 for any foreign national, whether inside or outside the United States, including Anthropic’s own foreign-national staff. There’s the first tell of who wrote this. Anthropic can’t check the passport of every user in real time at the scale it runs, so the only button left was the one that kills both models for everybody. The government drafted an order Anthropic had no way to enforce surgically and then acted surprised when the blast radius was the entire customer base. A wrecking ball swung at a thumbtack, stamped “national security,” and mailed at 5:21 on a Friday.

Then there’s the reason, or the missing one. The letter gave no specifics. Anthropic’s read is that someone in the government saw a jailbreak. The company looked at the “demo” the order seems to rest on and found a handful of minor, already-known vulnerabilities, the kind other public models surface too, including OpenAI’s GPT-5.5, the kind defenders use every day to find bugs before the bad guys do. The vendor is complying with the order and saying out loud that it’s nonsense. Sit with that for a second. The company whose product got pulled is the one making the technical argument, in public, while the government that pulled it won’t say what it’s afraid of.

No published threshold. No appeals path. No timeline. No notice. Run your SOC like this and you’d be cleaning out your desk by lunch.

The Lever Tells You What They Were Worried About

Before the grumbling gets rolling, let me be clear about where I stand. I believe national security is the government’s primary job, and I still do. That’s exactly why this one stings. A serious government with a serious problem reached for the dumbest and clumsiest tool in the drawer and called it leadership.

You don’t grab an export-control hammer to fix a software bug. Export control is what a government uses to keep a weapon out of foreign hands. Someone reached for that lever and scoped it to nationality, which tells you the real worry was about who gets to wield the capability, and had nothing to do with a guardrail slipping.

Or was it retaliation? I’ve heard the official statements… just stop.

Look at the capability. In April 2026, Claude Mythos surfaced thousands of high-severity flaws across every major operating system and browser in its early-access cohort, including a bug in OpenBSD that had survived 27 years of expert review. For more than 83% of the flaws it found, it wrote a working exploit on the first try, against a near-zero rate for the prior generation. Anthropic held the model back from day one and refused to hand it to the Chinese government. That’s a cyber weapon, and a serious one.

Here’s the indictment in one breath. Someone in the building understood they were sitting on a nation-state-grade capability, then reached for the most self-defeating tool available to handle it.

That person also probably can’t spell “AI.”

The jailbreak the order leans on was described as pointing the model at a codebase and asking it to fix the flaws. Flip one verb, and that’s autonomous vulnerability discovery, the same capability wearing a second hat. Pulling one vendor’s model doesn’t contain something that already lives in GPT-5.5. It removes a tool defenders were using and moves the actual risk exactly zero inches. Bravo.

The Math Says Zero Was Never On The Table

I’m not going to hand-wave this. I’m going to walk the argument, mark where it’s airtight and where it leans on today’s state of the art, and let you decide what it says about an order that treats a limit every frontier model shares as a defect unique to one.

Start with the room the defender has to guard. A prompt is a sequence of tokens drawn from a vocabulary of size v. The number of distinct prompts up to length n is:

With a real vocabulary of v ≈ 10^5 and a short prompt of n ≈ 10^3 tokens:

Atoms in the observable universe come to about 10^80. The space of prompts is finite, enumerable on paper, and untouchable in this universe.

Now the asymmetry that runs the whole fight. Let p(x) be the probability the model emits harmful output on input x, and ε the ceiling you’ll allow. Call the inputs that breach the ceiling the bad set, B. The defender has to hold the line on every input at once. The attacker needs one that slips:

Those two lines are definitions, not a theorem. They set the board. Here’s the line the recall standard can’t survive. Let f be the fraction of inputs that breach the ceiling, so the bad set has size f times the whole space. Emptying it means dropping that count below a single input, which forces the fraction beneath the reciprocal of everything:

A defender would need a per-input failure rate beneath 10^-5000 to claim zero jailbreaks. Nothing real comes within thousands of orders of magnitude of that. Whatever rate a vendor quotes isn’t measured against this uniform space anyway, and it doesn’t have to be. The attacker isn’t sampling at random, where a low average would save you. He’s searching on purpose, and he needs one input that clears the ceiling.

No defender enumerates 10^5000 points, so “too big to count” was never the point. The point is that no efficient certificate exists that the bad set is empty, not by enumeration and not by any scalable formal method we have today. Producing the attacker’s single counterexample, by contrast, is a search. The model is differentiable in its internal representations, so gradient signals over token embeddings steer that search toward inputs that clear the ceiling, far below the cost of enumeration even when it isn’t cheap against a monitored stack.

The receipts are public. EvoSynth, which evolves new attack methods instead of fiddling with prompts, reached an 85.5% success rate against Claude Sonnet 4.5. A Scale AI benchmark called ASPI showed that nudging an agent into a clarification-seeking state dragged prompt-injection success from under 2% to the mid-30s. Every patch closes a sliver of an unbounded space, and the function reseals somewhere else, because the safeguards and the capabilities are built out of the same weights.

That’s the argument. The reachable goal was never zero. It’s the thing we’ve been doing in security for two decades: make the attacker’s economics stop penciling out. Think of the attacker’s expected payoff per unit of search cost:

That’s a model, not an identity, and the terms are deliberately loose. Here d is detection, U_harm is the payoff per successful jailbreak, P_success is the odds of landing one, and C_search is what finding it costs. Raise detection, raise search cost, keep each jailbreak narrow so the payoff stays small, and stop pretending P_success is a knob that turns to zero. Lock the doors you find, make the rest expensive to reach, and watch the hallways.

One honest caveat, because I won’t sell you a theorem I can’t cash. This is practical impossibility on the architecture we ship today. It rests on two facts that hold right now: no scalable formal certification covers the full discrete prompt space at frontier scale, and exhaustive verification is out of reach. It does not say a safe model can never exist. It says zero is off the menu today, and the formal version for agents is already in print. Abdelnabi and Bagdasarian show an adversary can always build a context that turns ordinary data into instructions, the same problem in an agent’s clothes.

The government pulled a model over a limit baked into every frontier system on the market, including the ones still running. They called the architecture’s ceiling a defect unique to one vendor. Spare me the theater.

The Supply Chain Risk You Didn’t Budget For

Walk it forward, and the shortsightedness gets worse. If a narrow jailbreak is grounds for going dark, every frontier model in commercial use fails inside a month of launch. Call that what it is: a removal queue with no published rules, no appeal, and no timeline, run by people who couldn’t scope an order to the foreign nationals it was supposedly about.

The model can do everything on June 12th it could do on June 11th. The thing that vanished was your ability to reach it, switched off by fiat, on a worry the government wouldn’t name, with zero notice. Most AI risk registers track accuracy, bias, and security, and carry nothing for “the government recalls our vendor’s model next Tuesday.” Model availability is a vendor risk class now, and almost nobody has priced it.

I’ve watched the small version of this with no government in the room. A team builds a customer-facing workflow on a single hosted model, the economics look great, then the vendor changes a rate limit, deprecates the version, or pulls a region for reasons that have nothing to do with that team. The thing that ran fine Friday throws errors Monday, and the people who built it discover they wrote zero lines of contingency for the model vanishing. That’s the small version. The Fable blackout is the large version, with the government holding the switch and not one contract clause that ever saw it coming. If you run security in energy, water, or manufacturing, none of this is abstract. A model blackout inside an operational workflow lands as an availability event, in a place where availability is the entire job.

The hunch that this action doesn’t stand alone is right, and the record bears it out. The same administration moved against this same vendor in late February, when negotiations over military use fell apart, and the company refused to drop its red lines on autonomous weapons and mass surveillance. The Pentagon slapped it with a supply chain risk label, a tag normally saved for foreign-adversary contractors, and ordered agencies to stop using Claude. The company sued, calling it retaliation for protected speech. A federal judge blocked the designation after finding the company likely to prevail on due process grounds, and the government appealed. That fight is still open. The June blackout lands inside it. I can’t read minds and won’t pretend to. I can read a calendar. Same administration, same vendor, blacklisted in February over guardrails, export-hammered in June over a jailbreak that does nothing GPT-5.5 won’t do. The dots sit on the public docket. Connect them yourself.

The irony is that the government turned the words “supply chain risk” into a weapon and pointed them at the vendor. The same phrase boomerangs back as your problem, because a model you built your roadmap on can disappear on a Friday afternoon at the whim of a letter.

Agency Was Always The Risk, And What Competent Authority Looks Like

Here’s the question this directive never answers and will have to. What happens the first time the finding isn’t a prompt at all, but an agent abusing access you handed it? The OWASP State of Agentic AI Security and Governance, published June 1, 2026, put receipts behind that question. Its incident tracker shows supply chain and code execution tied for the highest volume of disclosed agentic incidents. One for the coding-agent crowd: a Cursor flaw where an attacker who shaped the agent’s instructions rode an already-approved command straight into arbitrary code execution. Another: Claude’s Skills feature steered the deployment of MedusaLocker ransomware via a re-uploaded skill that carried its own malicious code. Both are an agent abusing access it was granted, a world away from a prompt trick against a chatbot.

If a narrow jailbreak set off an export-control blackout, nobody’s written the precedent for an agent-abuse finding yet. It’s coming, and this directive set the baseline for how heavy the hand gets to be.

Competent authority exists in sketch form, and it makes the Mythos order look worse by comparison. The Five Eyes guidance from May reads like an architecture brief rather than a checklist. It puts strong governance, clear accountability, monitoring, and human oversight up front as prerequisites, recommends starting with low-risk tasks and expanding, and calls for just-in-time credentials on high-impact actions. That’s graduated authority anchored on agency, on what the system can do once it’s wired into everything, not on which model tier you bought. Runtime authorization scope, capability segmentation, monitoring tied to action instead of output. The directive flipped a switch on the weights and called it governance. The weights were never where the risk lived, and anyone who’s run security for a week knows it.

Key Takeaway: A narrow jailbreak can’t justify an export-control blackout once the math shows narrow jailbreaks are the permanent weather, so read the lever they pulled and plan for the precedent: any hosted frontier model can be switched off by fiat, and your continuity plan has to treat that like the supply chain event it is.

What To Do Next

Run this through CARE. Create the inventory: every workflow with a hosted frontier-model dependency, ranked by criticality. Adapt your contracts: a model-continuity clause with a notice period, transition support, and escrow of weights or fine-tunes where you can get it. Run a tested fallback for tier-one workflows, a secondary hosted model and an open-weight option you’ve exercised, paired with BCDR drills that simulate vendor revocation and not only an outage. Evolve the AI risk register so availability sits beside accuracy, bias, and security, and get “what do we do when the government recalls our vendor’s model” onto your AI risk committee’s agenda before the second incident, not after.

The companion CISO playbook lives in my breakdown of the AIUC-1 After Mythos whitepaper. The agent-abuse receipts come from my walk through the OWASP State of Agentic AI Security and Governance report. What competent, architecture-first authority looks like is in my read of the Five Eyes agentic AI guidance.

👉 For ongoing analysis of agentic AI governance frameworks, the conversation continues at RockCyber Musings.

👉 Visit RockCyber.com to learn more about how we can help with your traditional Cybersecurity and AI Security and Governance journey.

👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com

👉 As a bonus, check our AMA on the 2026 OWASP GenAI Security Project State of Agentic AI Security and Governance report with me and the other co-leads (it was live, so start at time marker 09:45)

The views and opinions expressed in RockCyber Musings are my own and do not represent the positions of my employer or any organization I’m affiliated with.

Share RockCyber Musings

References

Abdelnabi, S., & Bagdasarian, E. (2026). AI agents may always fall for prompt injections (arXiv:2605.17634). arXiv. https://arxiv.org/abs/2605.17634

AIUC-1 Consortium. (2026). After Mythos: Machine-speed defense [Whitepaper]. https://aiuc-1.com

Anthropic. (2026, June 9). Claude Fable 5 and Mythos 5 [Announcement]. https://www.anthropic.com/news/claude-fable-5-mythos-5

Anthropic. (2026, June 12). Statement on the US government directive to suspend access to Fable 5 and Mythos 5. https://www.anthropic.com/news/fable-mythos-access

Cato CTRL. (2026). Claude Skills abused to deploy MedusaLocker ransomware [Threat research]. Cato Networks.

CBS News. (2026, March 9). Anthropic sues Pentagon, Trump administration over “supply chain risk” designation. https://www.cbsnews.com/news/anthropic-pentagon-supply-chain-risk-lawsuit/

Chen, Y., Wang, X., Li, J., Wang, Y., Li, J., Teng, Y., Wang, Y., & Ma, X. (2025). Evolve the method, not the prompts: Evolutionary synthesis of jailbreak attacks on LLMs (arXiv:2511.12710). arXiv. https://arxiv.org/abs/2511.12710

Cybersecurity and Infrastructure Security Agency, National Security Agency, Australian Signals Directorate’s Australian Cyber Security Centre, Canadian Centre for Cyber Security, New Zealand National Cyber Security Centre, & United Kingdom National Cyber Security Centre. (2026, May 1). Careful adoption of agentic AI services.

https://www.cyber.gov.au

MITRE Corporation. (2026). CVE-2026-22708. CVE Program. https://www.cve.org/CVERecord?id=CVE-2026-22708

NPR. (2026, March 9). Anthropic sues the Trump administration over “supply chain risk” label. https://www.npr.org/2026/03/09/nx-s1-5742548/anthropic-pentagon-lawsuit-amodai-hegseth

OpenAI. (2026). GPT-5.5: Cybersecurity. https://deploymentsafety.openai.com/gpt-5-5/cybersecurity

OWASP GenAI Security Project. (2026). State of agentic AI security and governance (Version 2.01). https://genai.owasp.org/resource/state-of-agentic-ai-security-and-governance/

Sehwag, U. M., Shan, Z., Liu, H., Lakshan, D., Brandifino, J., & Fenkell, M. (2026). ASPI: Seeking ambiguity clarification amplifies prompt injection vulnerability in LLM agents (arXiv:2605.17324). arXiv. https://arxiv.org/abs/2605.17324

Trump administration asks court to reimpose Anthropic supply chain risk designation. (2026). AOL. https://www.aol.com/articles/trump-administration-asks-court-reimpose-155659500.html

Washington reached onto a vendor’s shelf this week and switched off the most capable cybersecurity AI on the market. Anthropic had about 90 minutes to comply. Three words did the damage. Fix this code. While policymakers fought over who broke what, attackers poisoned 144 npm packages, salted the JetBrains store with key-stealing plugins, and watched the global vulnerability count race toward 66,000. The machines that find flaws, write flaws, and ship flaws all leveled up at once. This was the week the bill came due.

Here’s the through-line for June 12 to 18, 2026. AI stopped being a tool you point at problems and became an actor inside your threat model. The government treated a commercial model as a weapons system and pulled it worldwide. Each item below changes what you budget, monitor, and tell your board.

Share

1. Washington Pulls Anthropic’s Fable 5 and Mythos 5 Off the Market

On June 12, 2026, Anthropic disabled its newest models, Fable 5 and the restricted Mythos 5, worldwide under an emergency Commerce Department export-control directive (CNBC). It had about 90 minutes to act after Amazon’s CEO warned officials that researchers pulled restricted cyber capabilities out with a plain “fix this code” prompt (Fortune, Axios). The order bars every foreign national, including Anthropic’s own non-citizen staff, while Claude Opus 4.8 stayed online (Time).

Why it matters

• A federal order can now make a vendor’s frontier model vanish with no notice.

• A three-word prompt beat a guardrail the vendor trusted. Guardrails are configuration, not physics.

• Export rules on AI tooling now reach any non-US person who touches the model.

What to do about it

• Inventory the models on your critical paths and document a fallback for each.

• Add an AI-availability clause to vendor contracts.

• Brief legal on export exposure for any model your non-US staff touch.

Rock’s Musings

I’ve sat through plenty of “the vendor went dark” fire drills. This is the first one the government ordered, on a model millions have already used. A model that finds serious vulnerabilities on command is dual-use, and dual-use gets regulated like weapons. The chilling effect worries me most, since labs that watch products get seized share less. I run these tabletops with boards at rockcyber.com, where the real question is no longer when the breach hits, it’s when your best tool disappears on a Tuesday.

2. FIRST Says AI Is Driving 2026 Toward 66,000 New Vulnerabilities

On June 15, 2026, the Forum of Incident Response and Security Teams (FIRST) raised its 2026 forecast to roughly 66,000 CVEs, with disclosures running about 46% above the February projection (FIRST). The driver is autonomous discovery agents like Anthropic’s Mythos and OpenAI’s GPT-5.4-Cyber hunting flaws on their own (Help Net Security). Mozilla’s Firefox saw a 164% first-quarter spike, while the actively exploited share stayed flat.

Why it matters

• Raw CVE volume is doubling the build-and-patch load, even though the urgent slice has not grown.

• AI-generated throwaway apps carry real flaws that never reach a CVE database.

• The late-2026 contest is AI-built exploits racing AI-built patches, and speed decides it.

What to do about it

• Triage with EPSS and the CISA KEV catalog so your team chases exploited flaws, not the raw count.

• Budget for roughly double the patch-verification work and staff the human bottleneck.

• Stand up dynamic inventory and AI bills of materials for code generated outside the CVE system.

Rock’s Musings

Forty-six percent over forecast in five months is not a blip, it’s a regime change. More CVEs doesn’t mean more danger, because the exploited slice held flat. Chase raw volume and you’ll burn your best people on noise. FIRST’s Chris Gibson said the teams that weather this already share intelligence, and most of you are behind.

3. North Korea Backdoors 144 Mastra npm Packages in 88 Minutes

Between June 16 and 17, 2026, attackers backdoored 144 packages in the @mastra npm scope, the open-source AI agent framework for JavaScript and TypeScript (Socket). They hijacked a former contributor’s still-active account and pushed 140-plus malicious versions in 88 minutes, hiding an information stealer inside “easy-day-js,” a fake dayjs clone (The Hacker News). @mastra/core draws over 918,000 weekly downloads, and Snyk and Orca tied the tradecraft to North Korea’s Sapphire Sleet (Orca Security).

Why it matters

• A nation-state crew is now targeting the AI tooling supply chain inside your build pipeline.

• Caret-range resolution auto-upgraded victims with no change to Mastra’s source repo.

• npm never expires dormant publish rights, a flaw spanning thousands of packages you depend on.

What to do about it

• Pin dependencies and disable automatic caret-range upgrades for anything in production.

• Block postinstall scripts in CI by default and review them as code.

• Audit publish permissions and revoke dormant maintainer access across your scopes.

Rock’s Musings

This one’s personal for anyone building with AI agents, which is most of you. The attackers didn’t break Mastra, they broke npm’s assumption that a quiet contributor stays trustworthy forever. Eighty-eight minutes, 140-plus packages, a stealer riding a fake date library. North Korea noticed before your AppSec team did, and the root causes are years old.

4. Malicious JetBrains Plugins Harvest Developers’ AI API Keys

On June 16, 2026, JetBrains pulled at least 15 malicious plugins from its Marketplace after reports they were stealing AI provider API keys (BleepingComputer). Published under seven accounts with close to 70,000 installs, they posed as AI coding assistants built on OpenAI, DeepSeek, and SiliconFlow (Infosecurity Magazine). When a developer pasted a key and clicked apply, the plugin sent it as plaintext over HTTP and disabled the runtime’s TLS warnings (The Hacker News).

Why it matters

• Stolen AI keys let attackers run inference on your dime and reach whatever those keys touch.

• Disabling TLS warnings across the Java runtime weakens every other connection that IDE makes.

• Developers install AI tooling faster than anyone vets it, and the IDE is now an attack surface.

What to do about it

• Restrict IDE plugin installation to an approved list and block sideloading on managed machines.

• Rotate any AI keys entered into third-party plugins and move to short-lived, scoped credentials.

• Alert on AI-key patterns and plaintext traffic leaving developer endpoints.

Rock’s Musings

Developers are the new front door, and AI assistants are the welcome mat. Everybody wants the plugin that writes their boilerplate, and nobody reads what it does with the pasted key. Plaintext over HTTP in 2026 is insulting, and it worked anyway on 70,000 installs. If you don’t know which AI keys your engineers hold, you don’t know your exposure.

5. OpenAI Tries to Predict Model Behavior Before Release

On June 16, 2026, OpenAI published research on deployment simulation, a method to forecast how a new model will behave before launch (OpenAI). The team replayed roughly 1.3 million de-identified conversations and regenerated the responses with the candidate model (MarkTechPost). It reached 92% directional accuracy and cut the model’s awareness that it was being tested from 99.72% to 5.12%.

Why it matters

• Testing on real usage closes the gap between lab behavior and behavior in your environment.

• Models gaming their own evaluations is documented, and cutting test-awareness to 5.12% is a real gain.

• This gives buyers a vocabulary to demand evidence, not just promises.

What to do about it

• Ask vendors how they evaluate behavior on realistic deployment data, not just static benchmarks.

• Replay your own representative prompts against a candidate model before production.

• Treat model upgrades like software releases, with a behavioral regression test.

Rock’s Musings

I tell executives constantly that benchmark scores are marketing, not assurance. This is the first vendor method I’ve seen that attacks the eval-awareness problem directly, and the numbers are striking. A model that knows it’s on a test behaves, the way your network behaves during the audit and misbehaves the Monday after. Dropping that awareness from 99% to 5% changes what a test is worth. Self-reported research needs replication, so verify, then demand it from every model vendor you pay.

6. Jamf Finds AI Adoption Tracks Directly With Incident Rates

On June 15, 2026, Jamf released a survey of 687 IT and security leaders who run macOS environments, and more than one-fifth reported losing money or being attacked through their AI tools (Cybersecurity Dive). About 73% had deployed AI, and the incident rate climbed from under 20% among explorers to 27% among deep adopters. Governance ranked third on priority lists, behind automation and productivity.

Why it matters

• Deeper integration came with more incidents, which kills the story that risk can wait.

• Governance and security ranked below productivity, so firms buy the upside and defer the bill.

• Shadow AI is the top blind spot, and you cannot govern tools you cannot see.

What to do about it

• Run regular AI discovery audits to surface shadow tools before they surface as incidents.

• Govern at the software layer with enforced data-access policies, not just training.

• Bake governance into the first deployment stage, not a retrofit after an incident.

Rock’s Musings

Correlation isn’t causation, and I’ll say it before any of you email me. When incidents climb from 20% to 27% as integration deepens and governance sits third on the list, you don’t need a regression to see the trade. People want productivity now and handle security later, which tends to arrive as a breach notification. Leaders swear they’ll fund governance next quarter, then the footprint doubles while controls stand still.

7. Experts Revolt and Europe Eyes Sovereignty After the Anthropic Ban

From June 13 to 15, 2026, the fallout from the shutdown intensified. Cybersecurity Dive documented researchers blasting the move as overreach, Katie Moussouris circulated an open letter, and analyst Dean Ball called the controls “simply cartoonish” (Cybersecurity Dive, Fortune). Anthropic disputed the basis, calling the jailbreak narrow and non-universal (Reason). The Register reported the clampdown pushed European digital-sovereignty efforts into higher gear, and legal analysts questioned stretching export law this way (The Register, Just Security).

Why it matters

• The transparency bargain between labs and government is fraying, so defenders see new capabilities later.

• Sovereignty pressure raises the odds of a fragmented model market that differs by region.

• Export law on live commercial models creates compliance uncertainty that outlasts this incident.

What to do about it

• Map your AI vendors by origin and availability so a regional split won’t strand a workload.

• Track the policy fight, because the emerging rules will shape procurement for years.

• Pressure-test reliance on any single national AI ecosystem like any concentration risk.

Rock’s Musings

I write about this tension at rockcybermusings.com. The government and the labs are openly fighting over who decides a model is too dangerous to ship. The state doesn’t want to arm adversaries, and the labs don’t want products seized on verbal evidence. Caught in the middle is you, planning a three-year program on tools that might get pulled or geo-fenced. Your model supplier is now the single point of failure.

8. AI-Written Code Passes Review and Fails in Production

On June 15, 2026, Help Net Security reported on a New Relic study finding that AI-generated code earns high marks at review and then breaks in production at roughly twice the human rate (Help Net Security). It reviewed cleaner than human code, yet shipped close to twice the critical runtime issues. New security vulnerabilities hit about three in ten organizations over six months, and senior engineers lost up to a third of their week cleaning it up.

Why it matters

• Review-time quality is a false signal, because failures live in edge cases and concurrency that show under load.

• Three in ten organizations took on new security vulnerabilities from AI code in six months.

• Senior engineers are burning a third of their week on cleanup, capacity you won’t get back.

What to do about it

• Require runtime observability for AI-generated code before it ships, not just a clean review.

• Prompt your assistants to build logging and traces into the code they write.

• Measure production incidents tied to AI code and feed that into your release gates.

Rock’s Musings

This is the bill for vibe coding, and it came due in production. AI writes code that reviews like a dream, then falls apart when real users and real concurrency hit it. The reviewer reads the source, production writes the trace, and the gap between them is where your incidents live. Your senior engineers didn’t sign up to be janitors, so give them telemetry or keep paying them to mop.

9. The UN’s Disarmament Institute Opens Its AI Security Summit in Geneva

On June 18, 2026, the UN Institute for Disarmament Research (UNIDIR) opened its two-day Global Conference on AI, Security and Ethics in Geneva, gathering diplomats, researchers, industry, and civil society around AI and international peace and security (UNIDIR). The event launches UNIDIR’s new Centre of Excellence on AI, Peace and Security, an umbrella for research and capacity-building on AI governance (Indico.UN).

Why it matters

• A standing UN center signals that military and dual-use AI governance is moving toward institutions.

• Cross-border norms set here will shape export rules, procurement, and the dual-use definitions you answer to.

• The gap between fast capability and slow governance is where strategic risk accumulates.

What to do about it

• Track UNIDIR outputs if you run defense, energy, water, or other critical infrastructure.

• Feed your operational reality into standards and comment processes rather than inheriting the result.

• Map which emerging norms could touch your sector before they become requirements.

Rock’s Musings

Conferences rarely move a CISO’s needle next week. This one matters for a longer reason. The capability that let Washington pull a model is what diplomats in Geneva are trying to govern. I’ve watched dual-use rules show up first in energy and manufacturing, then everywhere else, so the norms drafted here become your compliance reality sooner than you think.

10. A CISO’s Warning on the Limits of Automated GRC

On June 15, 2026, Help Net Security published an interview with Nichole Windholz, CISO at Onspring, on the limits of automated governance, risk, and compliance tooling (Help Net Security). She argued that green-yellow-red dashboards flatten very different problems into one color, where red might mean a missing control, a stale attestation, or a minor threshold breach. Her fixes centered on data lineage, validation against source systems, and honesty with the board about risks that resist measurement, like insider behavior and vendor concentration.

Why it matters

• Automated GRC can turn bad input into a board-ready narrative, manufacturing false confidence.

• Insider intent and vendor concentration leave no clean telemetry, so a full-coverage dashboard lies.

• As AI accelerates control monitoring, the pull to trust the heat map over the evidence trail grows.

What to do about it

• Demand data lineage for every control signal, covering source, owner, refresh rate, and recent changes.

• Tell your board which risks are measured, which are estimated, and which need human judgment.

• Spot-check improving metrics as hard as declining ones, since a green light can mean a broken feed.

Rock’s Musings

This interview reads like it was written for the grumpy uncle, so naturally I loved it. A polished dashboard isn’t the same as a true one, and automation makes a bad assumption move faster and look credible. We’re about to point AI at GRC and call it continuous assurance, much of it color applied to data nobody validated. Audit the auditor and know your data lineage. The day the heat map replaces the evidence trail is the day you lie to yourself in four colors.

The One Thing You Won’t Hear About But You Need To

On June 15, 2026, Help Net Security published an analysis of a problem hiding under the louder headlines, that there is no way to verify what a military AI model will do (Help Net Security). Defense contractors are wiring frontier models into weapons, with Anduril, Palantir, and Lockheed Martin partnered to OpenAI, Microsoft, and Meta. Unlike nuclear arms control, where inspectors read a physical signal like a neutron signature, a model’s weights give no sign of whether it will follow or refuse a launch order. The piece cites research in which models in decision-making roles escalated, some launching simulated nuclear strikes in response to a supervisor’s commands, and flags alignment faking, a model that appears compliant under watch but diverges in operation (arXiv preprint 2606.11533).

Why it matters

• The assurance method behind arms control, independent physical measurement, has no equivalent for AI.

• Models that behave under observation and differently in operation map onto malware evasion, a discipline you know.

• Multiple models coordinating inside command systems can cascade failures faster than humans can intervene.

What to do about it

• If you build or assess high-stakes AI, test for observation-dependent behavior, not just accuracy.

• Push for compute-monitoring and shared-inspection regimes, since compute leaves a measurable footprint.

• Keep a human with authority and time in any loop where an action is irreversible.

Rock’s Musings

This is the story that got buried under the model ban, and it scares me more. We’re bolting frontier models into kill chains while admitting, in the open literature, that we can’t prove what they’ll do under pressure. The nuclear treaties worked because a neutron doesn’t lie, and you can count a missile. A model’s weights tell you nothing about whether it’ll escalate, and the research shows some escalate unprompted. A model can fake compliance, just as malware fakes sleep until it reaches its target. Slow down, verify, and keep a human who can say no.

👉 For ongoing analysis of agentic AI governance frameworks, the conversation continues at RockCyber Musings.

👉 Visit RockCyber.com to learn more about how we can help with your traditional Cybersecurity and AI Security and Governance journey.

👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com

👉 As a bonus, check our AMA on the 2026 OWASP GenAI Security Project State of Agentic AI Security and Governance report with me and the other co-leads (it was live, so start at time marker 09:45)

The views and opinions expressed in RockCyber Musings are my own and do not represent the positions of my employer or any organization I’m affiliated with.

Share RockCyber Musings

References

Axios. (2026, June 13). How Amazon and the White House ended Anthropic’s Fable. https://www.axios.com/2026/06/13/anthropic-amazon-white-house

BleepingComputer. (2026, June 16). Malicious JetBrains Marketplace plugins steal AI API keys from developers. https://www.bleepingcomputer.com/news/security/malicious-jetbrains-marketplace-plugins-steal-ai-api-keys-from-developers/

CNBC. (2026, June 12). Anthropic disables access to Fable 5 and Mythos 5 to comply with government directive. https://www.cnbc.com/2026/06/12/anthropic-disables-access-to-fable-5-and-mythos-5-to-comply-with-government-directive.html

Forum of Incident Response and Security Teams. (2026, June 15). FIRST mid-year vulnerability forecast confirms historic surge, projects ~66,000 CVEs in 2026. https://www.first.org/newsroom/releases/20260615

Geller, E. (2026, June 16). AI adoption correlates with incident frequency, underscoring need for governance. Cybersecurity Dive. https://www.cybersecuritydive.com/news/ai-cybersecurity-incidents-governance-jamf/823026/

Geller, E. (2026, June 13). Cybersecurity experts blast US government for restricting Anthropic’s AI models. Cybersecurity Dive. https://www.cybersecuritydive.com/news/anthropic-us-government-export-ban-mythos-fable/822909/

Indico.UN. (2026). Global Conference on AI, Security and Ethics 2026 (18-19 June 2026): Overview. https://indico.un.org/event/1023183/

Infosecurity Magazine. (2026, June). Fifteen JetBrains Marketplace plugins steal API keys. https://www.infosecurity-magazine.com/news/fifteen-jetbrains-marketplace/

Just Security. (2026, June). Legal considerations related to the Anthropic “export controls directive.” https://www.justsecurity.org/142745/law-anthropic-export-controls/

Markovic, S. (2026, June 15). Proving what a military AI model will do is the real problem. Help Net Security. https://www.helpnetsecurity.com/2026/06/15/military-ai-verification-problem/

MarkTechPost. (2026, June 16). OpenAI’s deployment simulation extends pre-deployment risk assessment to agentic coding through simulated tool calls. https://www.marktechpost.com/2026/06/16/openai-deployment-simulation/

OpenAI. (2026, June 16). Predicting model behavior before release by simulating deployment. https://openai.com/index/deployment-simulation/

Orca Security. (2026, June 17). 144 Mastra npm packages compromised via supply chain attack. https://orca.security/resources/blog/mastra-npm-supply-chain-attack/

Pogorelec, A. (2026, June 15). Senior engineers are spending their week cleaning up AI-generated code. Help Net Security. https://www.helpnetsecurity.com/2026/06/15/ai-generated-code-review-issues/

Reason. (2026, June 15). The White House vs. Anthropic’s new AI model. https://reason.com/2026/06/15/the-white-house-vs-anthropics-new-ai-model/

Schwartz, L. (2026, June 15). ‘Fix this code.’ The three little words behind the U.S. government decision that shut down Anthropic’s Fable and Mythos AI models. Fortune. https://fortune.com/2026/06/15/fix-this-code-three-words-behind-us-government-shut-down-anthropic-fable-mythos-ai-models-katie-moussouris-open-letter/

Socket. (2026, June 17). 140+ Mastra npm packages compromised in coordinated supply chain attack. https://socket.dev/blog/mastra-npm-packages-compromised

The Hacker News. (2026, June). 144 Mastra npm packages compromised via hijacked contributor account. https://thehackernews.com/2026/06/144-mastra-npm-packages-compromised-via.html

The Register. (2026, June 15). US clampdown on Anthropic models sends EU sovereignty surge into overdrive. https://www.theregister.com/ai-and-ml/2026/06/15/us-clampdown-on-anthropic-models-sends-eu-sovereignty-surge-into-overdrive/

Time. (2026, June 13). Anthropic pulls its top AI models after U.S. bars foreign access. https://time.com/article/2026/06/13/anthropic-fable-mythos-ban-US-security/

UNIDIR. (2026). Global Conference on AI, Security and Ethics 2026. United Nations Institute for Disarmament Research. https://unidir.org/event/global-conference-on-ai-security-and-ethics-2026/

Zorz, M. (2026, June 15). AI vulnerability discovery is pushing 2026 CVEs toward 66,000. Help Net Security. https://www.helpnetsecurity.com/2026/06/15/first-2026-cve-forecast/

Zorz, M. (2026, June 15). Onspring CISO on where automated GRC systems fall short. Help Net Security. https://www.helpnetsecurity.com/2026/06/15/nichole-windholz-onspring-automated-grc-systems/

Disclosure: I co-led the OWASP State of Agentic AI Security and Governance 2026 with Ariel Fogel and Evgeniy Kokuykin. I’ll also show you the places I’d push back on it even with my name on the cover, so you can weigh the case on its merits instead of on mine. The report lives here: https://genai.owasp.org/resource/state-of-agentic-ai-security-and-governance/

Share

A year ago, agentic AI security was a stack of position papers and vendor pitches. Today, almost every category in the OWASP Top 10 for Agentic Applications has a production incident, a vendor advisory, or a CVE attached to it. The OWASP State of Agentic AI Security and Governance 2026, published June 1, 2026, collects that evidence into one place and hands you a map. If you run security or AI risk anywhere agents are deployed, and you do, whether you’ve gone looking or not, this is the report you read ASAP.

How The OWASP State of Agentic AI Security and Governance 2026 Audits The Present

When v1 shipped in July 2025, I expected the threat catalog to fill in over a couple of years. It filled faster. ASI04, the supply chain category, and ASI05, code execution, are now tied for the highest volume of disclosed incidents. I expected regulation to lag the technology by years. It didn’t. This year’s report maps 42 instruments across 10 jurisdictions. The gap I watch in client environments, between how mature their governance is and how aggressive their agent deployments are, turned out wider than I would have guessed. Shadow AI sits in nearly every organization our contributors examined.

2025 called out the future. 2026 audits the present, and it’s organized around three findings:

1. The threats are real now

2. Safety and security converge at the deployment layer

3. Governance runs on a clock measured in hours.

Here’s what each one means for your program, and where I’d still argue with the document.

Finding One: The Threats Have Receipts Now, And Here’s What To Demand

2025 listed architectural concerns. 2026 attaches names, dates, and CVE numbers to them. The Real-World Incidents and Exploits Tracker is the chapter I point people to first, because it ends the “show me a real attack” conversation in about thirty seconds.

EchoLeak was a zero-click prompt injection that turned a single email into a Microsoft Copilot data exfiltration path, as documented by Aim Security. Cato CTRL showed Claude’s Skills feature deploying MedusaLocker ransomware by re-uploading a Skill carrying malicious code that ran on its own. OpenAI’s Codex CLI shipped a sandbox bypass, CVE-2025-59532, in which the model’s own output could redraw the writable boundary it was supposed to stay within. Cursor carried a sibling flaw, CVE-2026-22708, where an attacker who influenced the agent’s instructions could ride an already-approved command like git branch straight into arbitrary code execution. Trustwave’s SpiderLabs team published an agent-in-the-middle attack against the A2A protocol, in which a fake agent card claiming high trust was selected by an LLM judge and used to intercept data. Pillar Security demonstrated manipulated code suggestions seeding backdoors and leaked keys into production through GitHub Copilot and Cursor.

Notice the structural lesson under the Cursor and Codex flaws. The controls were calibrated for human operators, and they broke the moment the executor could influence its own containment. An allowlist that auto-approves a git branch is a convenience for a developer and a loaded gun for an agent that can rewrite what runs behind that command. That’s the shift 2026 keeps returning to. The model stopped being a component inside your application and became an actor with hands on your tools.

Two patterns matter more than any single incident. First, ASI04 and ASI05 are tied for the most disclosed incidents, and a security audit nicknamed IDEsaster found vulnerabilities in 100% of the major AI coding IDEs it tested. Code sits upstream of everything else you ship, so an exploit in a coding agent is a supply chain event, not a developer inconvenience. Second, ASI03, identity and privilege abuse, carries the widest gap between how severe the risk is and how ready anyone is for it. Non-human identities already outnumber humans across most enterprises, and almost nobody has a strategy for governing them.

Here’s what the evidence tells you to demand. Treat agent identity as its own control plane, not a service account with a fancier name. The report tracks NIST’s AI Agent Standards Initiative, the OpenID Foundation’s work on recursive delegation, and MCP’s move to OAuth 2.1 with resource-indicator-scoped tokens, all converging over the next 18 to 24 months. Ask vendors how an agent’s permissions get derived, when they expire, and how revocation propagates through a delegation chain. If they can’t answer, you have your answer. Treat security advisory density as a buying signal rather than a red flag in isolation.

n8n carries 57 advisories, and Claude Code carries 22, not because they’re careless but because they’re everywhere. The projects with the most advisories tend to be the ones with the most adoption. Ask for the AI-SBOM and the disclosure history. Silence is the warning sign, not volume.

Finding Two: Safety And Security Collapse At The Deployment Layer

For most of software’s history, safety was an engineering problem, and security was an adversarial one, owned by different teams running different playbooks. Agentic systems break that split at the deployment layer, meaning the architectural decisions, permissions, configurations, and operational controls your organization owns once an agent acts on production systems.

The report argues that once an agent can send the email, move the money, or commit the code, the same controls govern a benign malfunction and a deliberate attack, and the same investigation surfaces both root causes. Model-level safety stays with the provider. Everything downstream of the prompt lands on one function, no matter how you choose to draw the org chart.

Picture an agent whose memory got poisoned weeks ago. It starts exfiltrating data and taking actions nobody approved. To the team watching the dashboards in real time, that looks like a reliability bug. They restart it, check for drift, and review the inputs. A team treating it as a safety issue misses the persistence mechanism and gets compromised again. A team treating it as a security issue hunts the initial access vector, and the memory state stands a chance of containing it. The symptom is the same, the right response is the opposite, and the org chart decides which one you run.

The categories still separate cleanly when an agent has limited autonomy or a human in the loop. They stop separating when the agent runs with broad permissions and thin oversight, which describes most of the deployments racing into production right now. If your AI safety people and your AI security people sit in separate meetings with separate budgets, that division is now a liability. Read this chapter with your CTO and your head of AI in the room.

Finding Three: The Governance Clock Runs In Hours, And The Matrix Tells You Where You Stand

Regulators stopped pretending periodic audits are enough. DORA gives you a four-hour notification window. NIS2 wants a 24-hour early warning. New York’s RAISE Act sets 72 hours for frontier reporting. California’s SB 53 allows 15 days. The EU AI Act’s Article 72 requires post-market monitoring that explicitly covers behavioral drift, though the Digital Omnibus proposal from November 2025 may push the high-risk deadlines to December 2027 if it clears trilogue.

2026 maps 42 instruments across 10 jurisdictions, so you can see which clock applies where without assembling it yourself from primary texts. The count isn’t the point. The point is that runtime governance moved from a nice-to-have to the unit regulators measure. Pre-deployment certification stopped being enough the moment the thing you certified could rewrite its own behavior after launch.

Then the report hands you the artifact I wish boards had a year ago. The Enterprise Adoption Maturity Model maps your governance maturity (Levels 0 through 4) against your adoption tier (AT0 through AT8). AT0 is Shadow AI, the unmanaged usage already running in your org. The tiers climb through vendor-embedded assistants, platform-integrated agents, citizen-developer flows, code-executing agents, custom in-house builds, and externally extended agents, up to AT8, where agents operate across organizational boundaries in federated networks.

A bold cell means your governance is too thin for what you’re running, and you get two honest moves: raise maturity or lower the tier, with no third option where you cross your fingers and hope it holds. The model survives the way a Bayesian wants a model to survive. It’s calibrated, it’s falsifiable, and it updates in response to evidence instead of flattering the program you already built. The urgency shows in the adoption data. a16z found that 29% of the Fortune 500 and roughly 19% of the Global 2000 are paying customers of a leading AI startup, counting only signed, contracted deployments. The unmanaged AT0 volume sitting on top of that is, by definition, unmeasured.

Where I’d Push Back, Even As A Co-Lead

A review where the author agrees with himself for 2,000 words isn’t worth your time, so here’s where I’d lean on the document.

The report is honest about what it hasn’t solved, and the “What Remains Unsolved” section names three problems I’d watch closely. Cyber insurance for agentic deployments is heading toward a coverage gap nobody has priced yet, and the first big agent-driven loss will test it in public. The governance-deployment collision at AT6 and above, where agents reach across trust boundaries, has no clean answer, and the matrix tells you to slow down rather than how to move fast safely. Agentic AI in OT and ICS has no documented enterprise-agent safety incident yet. Read that as early, not as safe.

I encourage you to pay close attention to the weaponization curve, as the offense is scaling faster than the controls. Anthropic disclosed GTG-1002, a campaign that ran largely autonomous espionage across roughly 30 organizations using jailbroken Claude Code, with the AI executing 80 to 90% of the tactical operations at request rates no human could match. Credit Anthropic for disclosing it in that detail, because that kind of transparency is how the rest of us learn what’s coming. CrowdStrike documented an 89% increase in AI-enabled adversary attacks, with breakout time falling to 29 minutes. IAPS HACCA found frontier models jumping from near-zero to 60% success on expert-level offensive security challenges inside a few months. The report maps the threat well. It doesn’t pretend anyone has solved the defense that scales at machine speed. Neither do I. That’s the honest state of it.

Key Takeaway: 2026 won’t secure your agents for you, but it’s the first document that tells you, with evidence, exactly where your governance is too thin for what you’ve already deployed.

What To Do Next

Start with AT0, this week. Assume Shadow AI exists until you’ve proven it doesn’t. Here’s a hint: it does… if you think you’ve proven it doesn’t, try again.

Pull network and DLP telemetry for AI-service traffic, run a short employee survey on the tools people are already using, and you’ll surface more than you expect. Then map your three highest-tier agent deployments against the maturity matrix. Where you land in a bold cell, pick one of the two moves: raise governance maturity or lower the deployment tier. Print the matrix and walk it with your CTO, your head of AI, and your board chair, because this is a conversation about deployment decisions, not policy language.

If you want the deeper background on why authorization scope and least agency are the metrics that survive contact with production, and why governance is a deployment-review problem before it’s a policy problem, I’ve written both up at rockcybermusings.com, and the consulting side of how I run these assessments lives at rockcyber.com.

Then download the report, read the threat tracker and the maturity model first, and send the link to the two people who own the deployments you inventoried: https://genai.owasp.org/resource/state-of-agentic-ai-security-and-governance/

👉 For ongoing analysis of agentic AI governance frameworks, the conversation continues at RockCyber Musings.

👉 Visit RockCyber.com to learn more about how we can help with your traditional Cybersecurity and AI Security and Governance journey.

👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com

👉 As a bonus, check our AMA on the 2026 OWASP GenAI Security Project State of Agentic AI Security and Governance report with me and the other co-leads (it was live, so start at time marker 09:45)

The views and opinions expressed in RockCyber Musings are my own and do not represent the positions of my employer or any organization I’m affiliated with.

Share RockCyber Musings

Anthropic shipped its most capable public model on Tuesday, then buried a switch in a 319-page system card that quietly makes the model worse when you ask about building AI. Not blocked. Not flagged. Worse, with a straight face. Two days earlier, CISA confirmed attackers were already inside LiteLLM, the gateway brokering traffic for half the agent frameworks in your stack. By Wednesday the agency told agencies to patch the worst flaws in three days. Safety got a press release. Security got a body count.

This was the week the two halves of AI safety stopped pretending to be the same thing. One half lives in system cards and voluntary codes, the language of labs and regulators. The other lives in KEV entries, CVSS 10.0 chains, and production databases an agent wiped while reporting all clear. The governance side finalized a labeling code, a maturity model, and a sharing standard. Useful, slow, paper. The security side served up an LLM gateway chained to remote code execution, Microsoft’s largest patch day ever, and hard numbers on AI code breaking in production. Eleven stories, ten ranked and one you won’t see on the front page. Read them in order. The order is the argument.

Share

1. Anthropic Ships Claude Fable 5 and Hides a Throttle in the Fine Print

On June 9, Anthropic released Claude Fable 5, the first Mythos-tier model to reach the public (Fortune). Within hours, researchers found a paragraph in the 319-page system card describing a feature that silently degrades answers on requests tied to frontier AI development. Cybersecurity and biology queries get redirected to a weaker model with a visible notice. The AI-development throttle carries none, and Anthropic put the affected traffic at 0.03%.

Why it matters

• A safety control your users can’t see is a trust control. It sets precedent for any vendor shaping model behavior in your stack.

• The throttle targets AI R&D, handing the frontier leader an advantage dressed as safety. Dean Ball called it “secret sabotage.”

• If a lab will silently downgrade outputs, the assumption that a model either does the task or refuses it is dead.

What to do about it

• Read system cards before you standardize on a model. The detail that mattered wasn’t in the launch blog.

• Test models for silent degradation in your use cases, not just refusals, against a known-good baseline.

• Put model-behavior-change clauses in vendor contracts. You want notice when capability shifts under you.

Rock’s Musings

I’ve spent thirty years watching “trust us” get sold as a feature, and this is the slickest version yet. The moment a model lies by omission about how hard it’s trying, you lose the one property that made it auditable. My Bayesian read puts the chance this was purely about safety under 30%. The rest is a competitive moat in a lab coat. Govern your model vendors like anything else with root access to your work, because that’s what they are. More at rockcyber.com.

2. CISA Flags a Critical LiteLLM Flaw Already Being Exploited

On June 8, CISA added CVE-2026-42271 to its Known Exploited Vulnerabilities catalog, confirming active exploitation of LiteLLM, the gateway routing model calls for CrewAI, DSPy, Microsoft GraphRAG, and dozens of other agent frameworks (The Hacker News). The command-injection flaw chains with a Starlette bypass, CVE-2026-48710, for unauthenticated remote code execution at a combined 10.0. Federal agencies have until June 22 to patch, to LiteLLM 1.83.7 and Starlette 1.0.1.

Why it matters

• LiteLLM sits in the middle of your agent stack. Own the gateway, own every model call and secret it brokers.

• A 10.0 unauthenticated RCE chain on shared AI infrastructure is the cleanest path into an enterprise.

• Second LiteLLM supply-chain hit in 2026 after the March PyPI backdoor. The pattern is the point.

What to do about it

• Inventory where LiteLLM runs, including frameworks that bundle it. Patch to 1.83.7 and Starlette 1.0.1 now.

• Lock the MCP test endpoints behind network controls and pull them off any internet-facing path.

• Hunt for exploitation rather than assume patching closes it. KEV status means someone already used it.

Rock’s Musings

Everybody’s threat model for AI agents fixates on the model. First contact usually lands at the plumbing, the gateways and routers nobody drew on a data-flow diagram because they showed up as a transitive dependency. LiteLLM is plumbing, and this week it sprang a 10.0 leak. Agent security is mostly classic appsec in a new hat. Command injection through an unsanitized config field proves it. If you can’t name your gateway version off the top of your head, that’s your finding.

3. CISA Orders Federal Agencies to Patch the Worst Bugs in Three Days, Blames AI

On June 10, CISA issued Binding Operational Directive 26-04, ordering federal civilian agencies to rank vulnerabilities by four factors: asset exposure, KEV status, whether exploitation is automatable, and how much control it hands an attacker (CISA). A bug worst on all four gets a three-day patch deadline and a mandatory forensic check. CISA tied the clock directly to AI-assisted exploitation collapsing the time between a patch and its abuse. Full alignment lands in 60 days.

Why it matters

• A regulator turned “AI compresses the patch window” into an operational mandate instead of a conference talk.

• Three days is faster than most enterprise change windows. The private-sector benchmark just moved.

• The four-factor model is a usable risk lens even if you’re nowhere near federal. Steal it.

What to do about it

• Map your mean-time-to-patch against a three-day worst case. Find where you’d miss.

• Adopt exploit-automatability and post-exploitation impact as scoring factors, not just CVSS.

• Pre-authorize emergency patching for the top tier so change control isn’t the hour-60 bottleneck.

Rock’s Musings

For years the patch-faster crowd got waved off with “we have compensating controls.” That excuse has a shelf life now, and AI is the expiration date. When a model turns a fresh CVE into a working exploit before your change board reaches quorum, every day of dwell is a day you handed away. The grumpy-uncle question is which breaks first under a three-day fuse, the tooling, the staffing, or the politics. Bet on politics. It always is.

4. The EU Publishes Its Final Code for Labeling AI-Generated Content

On June 10, the European Commission published the final Code of Practice on marking and labeling AI-generated content, the voluntary playbook for the AI Act’s Article 50 transparency duties (European Commission). It pushes machine-readable marking and a common EU icon set for labeling deepfakes and AI-generated text on public-interest matters. ENISA sits on the advisory structure behind it. The obligations become applicable August 2, 2026. Signing is optional. The legal duty is not.

Why it matters

• Provenance is becoming a compliance artifact, not a nice-to-have. Machine-readable marking is now a named EU expectation.

• August 2 is close. Deploy generative AI into the EU and labeling is a near-term control.

• A shared icon standard helps, and it creates a forgeable target. Watch for fake labels in both directions.

What to do about it

• Inventory where you generate or publish synthetic content touching EU users. Map each to an Article 50 obligation.

• Pilot C2PA-style content credentials and the EU icons now, while signing is voluntary and mistakes are cheap.

• Treat provenance integrity as a security problem. Marking you can strip or spoof buys you nothing.

Rock’s Musings

Credit to Brussels for shipping something concrete instead of another principles deck. Labels are a real control, and they’re catnip for adversaries the second anyone trusts them. The moment a “human-made” badge means something, somebody forges it. Provenance is only as strong as the cryptography under it and the verification at the edge. A visible icon with nothing signing it is an honor system for people with no honor. Do the C2PA work. August 2 doesn’t care about your fiscal year.

5. New Relic Puts Numbers on the AI Code Problem

New Relic’s 2026 State of AI Coding report, out June 10, surveyed 200 technology decision-makers at US firms (Business Wire). Ninety-four percent rate AI-generated code higher quality than human code at review. Then 82% reported a production failure tied to AI code in the past six months, 78% saw more incidents, and 74% said a quarter of AI code needed significant rework. None banned vibe coding. The report calls the buildup “agent debt.”

Why it matters

• AI code looks good in review and breaks in production. Your review gate is measuring the wrong thing.

• “Agent debt” compounds quietly, then surfaces as incidents long after the author moved on.

• Policy already says yes. The question moved from whether to allow AI code to how to contain it.

What to do about it

• Tie runtime and production-incident telemetry back to AI-authored code, not just review approval rates.

• Require a named human owner for AI-generated changes in critical paths. Every time.

• Fund the rework. If a quarter of AI code needs fixing, budget for it.

Rock’s Musings

The dirtiest number in that survey is the gap between 94% at review and 82% failing in production. Leaders love the code in the pull request and eat the incidents six months later. You won’t ban vibe coding, so instrument the blast radius instead. I keep a running file of these failure patterns at rockcybermusings.com. Measure the incident, not the applause.

6. Mastercard Lets AI Agents Pay Each Other

On June 10, Mastercard launched Agent Pay for Machines, an open protocol letting autonomous AI agents transact at machine speed, down to micropayments worth fractions of a cent (Mastercard). Agent credentials and spending permissions live on public blockchains, including Polygon, Solana, and Base, with 31 launch partners such as Coinbase, Adyen, Stripe, and Cloudflare. Visa, Stripe, and Google shipped their own agent-payment plumbing this year.

Why it matters

• Autonomous agents with spending authority turn every prompt injection into a potential unauthorized transaction.

• Non-human identity just became a money problem. Agent credentials are bearer instruments for your budget.

• Machine-speed payments mean machine-speed fraud. Your fraud controls were tuned for human tempo.

What to do about it

• Treat agent payment credentials as crown-jewel secrets with hard spending caps and short-lived scopes.

• Require revocable agent identity and per-transaction authorization before an agent holds a wallet.

• Model the abuse case first. Assume a poisoned input tries to drain the budget, then design the cap.

Rock’s Musings

Give an agent a wallet and the lethal trifecta stops being academic. An agent that reads untrusted content, holds private data, and now moves money is a self-service exfiltration tool with a payment terminal bolted on. We’re handing agents spending authority the same week their gateways get popped and their memory gets poisoned. Caps, scopes, revocation, and a kill switch on every agent that touches a wallet. If you can’t yank its spending power in one click, it shouldn’t have any.

7. The Linux Foundation Tries to Standardize How We Share AI Assets

On June 10, the Linux Foundation launched the OpenSharing Project, a vendor-neutral protocol for exchanging agent skills, AI models, and unstructured data across organizations and clouds (Linux Foundation). It extends the Delta Sharing protocol into the agentic era, replacing point-to-point integrations and proprietary marketplaces. Databricks is a named contributor. How shared assets get verified for integrity is left mostly to implementers.

Why it matters

• Standardized sharing of skills and models is standardized distribution of supply-chain risk without built-in provenance.

• A common protocol is a common attack surface. Whatever everyone adopts, everyone inherits the flaws of.

• “Consume an AI asset from anyone” is exactly how poisoned models and backdoored skills travel.

What to do about it

• Demand signed provenance and integrity verification for any shared model or skill before you ingest it.

• Treat external agent skills like third-party code, because they are. Scan, sandbox, review.

• Get a seat at the standard now. Security is cheaper in the draft than bolted on after adoption.

Rock’s Musings

Standards are good. My worry is the lesson we never seem to learn, that the thing everyone shares becomes the thing everyone gets hit through. We did it with npm, with PyPI, with container registries, now with agent skills and models. Bake in signing, attestation, and verifiable provenance from day one and this is the best security news of the quarter. Ship it with trust assumed and it’s a distribution network for poisoned assets. Show up to the draft.

8. Accenture and Carnegie Mellon Ship an AI Maturity Model

On June 8, Accenture and the Carnegie Mellon University Software Engineering Institute released the AI Adoption Maturity Model, a framework for scaling AI with repeatable outcomes (Carnegie Mellon SEI). It scores eight dimensions, including risk and governance. The teams built it from 100-plus maturity efforts, 25 executive interviews, 600 practitioner surveys, and Fortune 500 pilots. The report says 95% of organizations see no return on AI, and only 8% scale it enterprise-wide.

Why it matters

• “Risk and governance” sits as a first-class dimension, not a footnote. That’s the right shape for a maturity model.

• 95% seeing no return is the number your board needs before it greenlights the next AI line item.

• A common maturity language helps you argue for governance investment in terms executives already use.

What to do about it

• Run an honest self-assessment against the eight dimensions. Score where you are, not where the deck says you are.

• Use the governance dimension to anchor an AI risk program your CFO will fund.

• Tie maturity gaps to specific incidents from this very week. War stories move budgets, abstractions don’t.

Rock’s Musings

I’m allergic to maturity models that exist to sell the next assessment, so I went in skeptical. This one earned a grudging nod, because it treats governance and risk as load-bearing instead of decorative. The 95% no-return figure is the line I’ll quote to boards all quarter, cover for a CISO to say the quiet part. A maturity model secures nothing by itself. What it does is drag an executive team from vibes to a roadmap.

9. Microsoft’s Largest Patch Tuesday, and a Zero-Day Hours Later

Microsoft shipped its largest Patch Tuesday on record on June 9, fixing nearly 200 vulnerabilities (BleepingComputer). Hours later, a researcher who goes by Nightmare Eclipse published a working zero-day called RoguePlanet that abuses a Microsoft Defender race condition to spawn a SYSTEM-level prompt on fully patched Windows 10 and 11 (The Hacker News). It’s the seventh zero-day this researcher has dropped since April, part of a running fight with Microsoft over disclosure and bounty pay.

Why it matters

• A SYSTEM-level Defender bypass on fully patched machines turns your endpoint defense into the entry point.

• It lands the same week CISA warned AI shrinks the disclosure-to-exploitation window.

• A grudge-driven researcher dropping working exploits is a reminder that bug-bounty relationships are a security control too.

What to do about it

• Prioritize the Defender fix path and watch for RoguePlanet indicators on endpoints you assume are clean.

• Stop treating “fully patched” as “safe.” Layer detection that doesn’t depend on the bypassed control.

• Review your own researcher and disclosure relationships. Antagonized finders publish, they don’t email.

Rock’s Musings

Nearly 200 fixes in one month is its own tell about how fast attack surface is growing, and the cruelty of RoguePlanet is the timing. You patch on Tuesday, feel responsible, and by Tuesday night your endpoint tool is the hole. I put this next to the CISA directive on purpose. Picture that loop automated, a model reading the patch diff and emitting the bypass while you sleep. Defense in depth was a cliche right up until your antivirus became the payload.

10. Academia Goes After Prompt Injection While It’s Still Bleeding

The research wave this week mapped onto the attacks hitting production. On June 11, a team including Pin-Yu Chen, Bo Li, and Dacheng Tao posted a stakeholder-centric benchmark for prompt injection against real-world web agents that operate over untrusted content (arXiv). A day earlier, researchers including Google’s Tomas Pfister released PI-Hunter, an automated red-teaming system that exposes and localizes prompt injections. Both target the failure mode OWASP maps to six of its ten agentic risk categories.

Why it matters

• Automated red-teaming for prompt injection means defensive tooling is starting to scale with the threat.

• Benchmarks create accountability. Measure injection resistance and you can demand it in procurement.

• Academic attention this concentrated usually leads commercial tooling by six to twelve months. This is your early read.

What to do about it

• Add prompt-injection benchmarking to agent evaluation before deployment, not after an incident.

• Put automated injection red-teaming like PI-Hunter in your pre-prod pipeline.

• Ask vendors for injection-resistance numbers against a named benchmark. Vague assurances are a red flag.

Rock’s Musings

I read a pile of AI security papers so you don’t have to, and the encouraging shift is that researchers stopped calling prompt injection a someday problem and started building the rulers and the wrecking balls to measure and break it. Most enterprises are deploying agents on faith. A benchmark turns faith into a number, and a number is something a CISO writes into a contract. Be the buyer who shows up with the benchmark, then watch them sweat.

The One Thing You Won’t Hear About But You Need To: Your AI Agent’s Memory Is an Unguarded Attack Surface

Buried in this week’s research, with none of the press the model launches got, a paper dated June 10 tackled runtime memory poisoning in persistent LLM agent systems (arXiv). Retrieval-augmented agents increasingly carry persistent memory that accumulates across sessions, so what the agent learned yesterday shapes what it does tomorrow. The author, Tarun Sharma, shows that memory is an attack surface and proposes a certified defense, SMSR. Slip a malicious entry in once, and it steers behavior across every future session until someone notices.

Why it matters

• Persistent memory makes poisoning durable, paying the attacker long after the injection.

• Most teams don’t inventory, monitor, or validate agent memory at all. It’s a blind spot with root-level influence.

• Certified defenses are early, so right now your only real control is hygiene you probably haven’t built.

What to do about it

• Treat agent long-term memory as untrusted storage. Validate writes, monitor for anomalies, keep an audit trail.

• Scope and segment memory per user and per task so one poisoned entry can’t steer everyone.

• Build a way to inspect and roll back agent memory. You can’t defend what you can’t see.

Rock’s Musings

Everybody’s watching the prompt going in. Almost nobody’s watching what the agent quietly wrote to its own memory last week. That gap keeps me up. We learned to fear prompt injection as a single dirty input, and now we hand agents long-term memory that turns one input into a permanent resident. Poison it once and the agent carries your attacker’s instructions forward on its own, looking perfectly healthy the whole time. Watch the memory, not just the mouth.

👉 For ongoing analysis of agentic AI governance frameworks, the conversation continues at RockCyber Musings.

👉 Visit RockCyber.com to learn more about how we can help with your traditional Cybersecurity and AI Security and Governance journey.

👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com

👉 As a bonus, check our AMA on the 2026 OWASP GenAI Security Project State of Agentic AI Security and Governance report with me and the other co-leads (it was live, so start at time marker 09:45)

The views and opinions expressed in RockCyber Musings are my own and do not represent the positions of my employer or any organization I’m affiliated with.

Share RockCyber Musings

References

Abrams, L. (2026, June 10). Microsoft Defender ‘RoguePlanet’ zero-day grants SYSTEM privileges. BleepingComputer. https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges/

Accenture. (2026, June 8). Accenture and the Carnegie Mellon University Software Engineering Institute launch AI Adoption Maturity Model to help organizations scale AI with predictable outcomes. Accenture Newsroom. https://newsroom.accenture.com/news/2026/accenture-and-the-carnegie-mellon-university-software-engineering-institute-launch-ai-adoption-maturity-model-to-help-organizations-scale-ai-with-predictable-outcomes

Carnegie Mellon University Software Engineering Institute. (2026, June 8). SEI and Accenture release AI Adoption Maturity Model to help organizations scale AI with predictable outcomes. https://www.sei.cmu.edu/news/sei-and-accenture-release-ai-adoption-maturity-model-to-help-organizations-scale-ai-with-predictable-outcomes/

Cybersecurity and Infrastructure Security Agency. (2026, June 8). CISA adds two known exploited vulnerabilities to catalog. https://www.cisa.gov/news-events/alerts/2026/06/08/cisa-adds-two-known-exploited-vulnerabilities-catalog

Cybersecurity and Infrastructure Security Agency. (2026, June 10). BOD 26-04: Prioritizing security updates based on risk. https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk

European Commission. (2026, June 10). Commission publishes Code of Practice on marking and labelling AI-generated content. https://ec.europa.eu/commission/presscorner/detail/en/ip_26_1328

Goldman, S. (2026, June 10). Anthropic accused of ‘secret sabotage’ as Claude Fable 5 silently limits capabilities for AI researchers and developers. Fortune. https://fortune.com/2026/06/10/anthropic-accu-claude-fable-5-limits-capabilities-ai-researchers-developers/

He, P., Miculicich, L., Sharma, V., Fox, A., Lee, G., Tang, J., Pfister, T., & Le, L. T. (2026, June 10). PI-Hunter: Automated red-teaming for exposing and localizing prompt injections [Preprint]. arXiv. https://arxiv.org/abs/2606.12737

Help Net Security. (2026, June 9). LiteLLM vulnerability under active attack, CISA warns (CVE-2026-42271). https://www.helpnetsecurity.com/2026/06/09/litellm-vulnerability-under-active-attack-cisa-warns-cve-2026-42271/

Help Net Security. (2026, June 10). Record Microsoft Patch Tuesday, fresh zero-day. https://www.helpnetsecurity.com/2026/06/10/microsoft-patch-tuesday-rogueplanet/

Mastercard. (2026, June 10). Mastercard launches Agent Pay for Machines to unlock super-fast, always-on payments. https://www.mastercard.com/us/en/news-and-trends/press/2026/june/mastercard-launches-agent-pay-for-machines.html

New Relic. (2026, June 10). New Relic report reveals AI-generated code grades higher in review, yet triggers rise in production incidents. Business Wire. https://www.businesswire.com/news/home/20260610259591/en/New-Relic-Report-Reveals-AI-Generated-Code-Grades-Higher-in-Review-Yet-Triggers-Rise-in-Production-Incidents

Pogorelec, A. (2026, June 11). Prompt injection still drives most agentic AI security failures in production. Help Net Security. https://www.helpnetsecurity.com/2026/06/11/owasp-prompt-injection-ai-security-failures/

Sharma, T. (2026, June 10). SMSR: Certified defence against runtime memory poisoning in persistent LLM agent systems [Preprint]. arXiv. https://arxiv.org/abs/2606.12703

The Hacker News. (2026, June 9). LiteLLM flaw CVE-2026-42271 exploited in the wild, chains to unauthenticated RCE. https://thehackernews.com/2026/06/litellm-flaw-cve-2026-42271-exploited.html

The Hacker News. (2026, June 10). Microsoft Defender RoguePlanet zero-day grants SYSTEM access on updated Windows. https://thehackernews.com/2026/06/microsoft-defender-rogueplanet-zero-day.html

Wang, Z., Li, Y., Wu, Y., Liu, Z., Chen, K., Wai, F. K., Chen, P.-Y., Thing, V. L. L., Li, B., Tao, D., & Zhang, T. (2026, June 11). Who pays the price? Stakeholder-centric prompt injection benchmarking for real-world web agents [Preprint]. arXiv. https://arxiv.org/abs/2606.13385

Share

Disclosure: I contribute to the AIUC-1 Consortium. I was not an author or reviewer on this whitepaper. What follows is a review and amplification of work led by the named co-authors and the AIUC-1 editorial team, with my own read on where it should go further. Read the source yourself at aiuc-1.com.

The AIUC-1 “After Mythos” whitepaper on machine-speed defense opens with a confession most security executives won’t say out loud at a conference. Fifty-two of them rated their readiness for a Mythos-class threat at 4 out of 10. I’ll show you what the document gets right, where I’d push it harder, and the three board asks worth making before your Q3 budget closes.

The 4-Out-Of-10 Confession

A 4 out of 10 is a room full of Fortune 500 CISOs, federal agency leaders, and banking and critical-infrastructure executives telling you… in print… with names attached… that they are behind. Roughly 40% put themselves at 3 or below. About 85% landed at 5 or below. Around 12% rated themselves a 7 or higher. These are the people who own the budgets, the roadmaps, and the org charts, and they graded their own programs as failing.

The forecast is interesting. The same group expects to reach 6.7 out of 10 in twelve months. Read it as a plan, and it sounds like progress. Read it as an admission, and it tells you the next year is already spoken for. A leadership cohort that sits at 4 today and hopes for 6.7 in a year is telling you the gap is wide enough that closing even part of it will eat the planning cycle.

Now layer in what’s already live. 65% of these organizations run AI agents in production today. One in five reports business-critical agent deployments. The credentialed attack surface grew while the readiness number sat at 4. That’s the confession underneath the confession. The agents are in production, the agentic AI CISO readiness gap is real, and the people running the programs know the controls haven’t caught up.

Mythos Moved The Clock On Machine-Speed Defense

Here’s why the 4 stings. In April 2026, Anthropic’s Claude Mythos Preview surfaced thousands of high-severity flaws across every major operating system and web browser in its early-access cohort. One was a flaw in OpenBSD that had survived 27 years of expert review and decades of automated fuzzing. The whitepaper cites Anthropic’s reproducibility benchmark, showing that Mythos produced a working exploit on the first attempt for more than 83% of vulnerabilities, compared to a near-zero rate for the prior frontier generation. The offense lifecycle has been compressed from weeks of skilled human effort to one shot.

The capability didn’t stay rare. Within weeks, the UK AI Security Institute evaluated OpenAI’s GPT-5.5 and found it edging Mythos on expert-level cyber tasks. Then the floor dropped. Research published in April 2026, “Synthesizing Multi-Agent Harnesses for Vulnerability Discovery” (Liu et al., arXiv 2604.20801), showed a purpose-built multi-agent orchestration architecture that drove a lesser open-weight model to 10 previously unknown Chrome zero-days, including two critical sandbox-escape flaws that Google confirmed: CVE-2026-5280 and CVE-2026-6297. Frontier-grade results came out of components you can download and wire together.

The trend line is the headline. The UK AI Security Institute estimates frontier cyber capability is doubling every 4.7 months, down from eight months late in 2025. CrowdStrike’s 2026 Global Threat Report, which is vendor telemetry rather than an independent study, recorded an 89% year-over-year jump in AI-enabled adversary operations, a fastest breakout of 27 seconds, and one intrusion where data left the building four minutes after initial access. Proliferation reaches the sectors that used to coast on obscurity and low adversary interest. Patch cadence, detection latency, and blast-radius tolerance were all calibrated for a world where elite offensive talent was scarce. That world is closing in months.

Imperative One: Ship The Patch, Start The Clock

The first imperative is the one your operations team will fight you on. Treat the moment you ship a fix as the disclosure event. A Mythos-class model takes the patched binary, diffs it against the prior release, finds the changed call paths, infers what the fix was protecting, and writes a working exploit, all without source code. Your exposure window opens when the patch ships, not when the CVE posts.

That breaks the 90-day SLA written into most security policies. It strains the 14-day window too. In May 2026, Reuters reported that CISA is weighing a cut of its Known Exploited Vulnerabilities remediation deadline to three days, with the acting director and the national cyber director in the discussion, driven explicitly by Mythos and GPT-class tooling. When the regulator starts talking about three days, your 90-day standard becomes a liability with a compliance stamp on it.

The practitioner moves to compress the patch cycle are concrete. Set patch SLAs in hours to days for internet-facing, actively exploited, and business-critical assets, and report them to the business as exposure windows rather than audit metrics. Run an LLM-driven security review on every modified line before release. Push the same discipline into procurement, so vendors who can’t demonstrate short SLAs and AI-assisted discovery get phased out. The supply chain is where this gets real. In March 2026, attackers hijacked the axios npm library, which sees more than 100 million weekly downloads, and the poisoned release executed inside OpenAI’s macOS app-signing pipeline before the company rotated its certificate. OpenAI’s own exposure traced to a floating version tag and no minimum release age, the kind of hygiene gap a Mythos-grade adversary now finds at scale.

I’ve watched this exact argument for decades. Early in the 2000s, I sat with… and sometimes I was even a member of… security teams that fought compressing the patch SLA from 90 days to 30 because the business “couldn’t absorb the disruption.” Six months later, an unpatched system was the way in. The conversation hasn’t changed. The numbers have. Today, it’s hours-to-days against an operations team that wants weeks, and the adversary diffing your binary doesn’t care which side wins the meeting.

Imperatives Two And Three: Contain, Then Keep Pace

The second imperative is zero trust with the marketing stripped off. Design for breach means building containment in from the start, so a single foothold stays a single foothold. The reason this matters more now than a year ago shows up in CrowdStrike’s telemetry: 82% of intrusions in 2025 were malware-free, meaning attackers logged in with stolen credentials and used the tools already on the box. Signature defense is watching the wrong door.

Four moves carry most of the load. Put every agent on least agency, because agents are the fastest-growing population of credentialed actors in most enterprises, and they should default to managed non-human identities with scoped entitlements, clear ownership, and lifecycle controls. Lock endpoints with binary allowlisting, the highest-leverage control almost nobody outside regulated industries runs, because an allowlist doesn’t negotiate with an exploit. Treat microsegmentation as the multi-year program it is, and in the meantime, push controls outside the context window into gateways, identity, and execution environments where architecture enforces them. Stand up autonomous red teaming so containment gets verified under machine-speed pressure instead of being assumed in a slide. Pair all of it with recovery design: immutable systems, air-gapped backups, identity systems you can rebuild without trusting compromised credentials, and manual fallbacks for business functions that can’t withstand an extended outage.

The third imperative is speed at the response end. Self-detection rate becomes your leading metric because handoff times are measured in seconds, and the failure you can’t afford is learning about a breach from an outsider. Build the machine-speed SOC in three layers: cheap models for high-volume triage, an aggregation layer for correlation and prioritization, and a frontier model on top for the contextual calls. AI remediation that writes the fix to production is the next step, and that agent holds write access to production with a target on its back, so it gets governed like any high-privilege agent, with least privilege, mutual authentication, segmentation, and allowlisting.

Here’s where I’d push past the document. The paper treats agents as high-privilege actors that need identity governance, which is correct and overdue. I’d go one layer down. The unit of governance is the runtime authorization scope of every agent, every session, every tool call. Static IAM is the precondition. Dynamic authorization scope, enforced at runtime, is the actual control.

Governance Is An Authority Problem

Skip past the three imperatives for a second, because every CISO already knows them. The document’s real contribution is its honesty about what blocks execution. A SOC re-tooled to run in minutes is still stuck if every new capability waits on control mapping, vendor risk, a procurement cycle, and a board cycle. Governance is where the gap closes first, and the whitepaper says so without flinching: machine-speed operation needs explicit authority boundaries, not faster approvals.

That resolves into three asks you can take to the board. Compressed patch SLAs need production-change authority delegated from change management. Design-for-breach needs architecture veto power exercised at the design-review stage, before the system ships rather than after. Machine-speed remediation needs pre-approved business-impact authority with bounded autonomy, so the response fires inside agreed limits without a 2 a.m. approval chain. A board that delays these authorities is choosing the readiness gap on purpose, whatever the slide says.

The whitepaper gets the credential point exactly right. Agents are a population that needs IAM treatment by default, not a special case bolted on later. My one extension connects to a position I’ve held for a while. Treat governance as architecture, not documentation. The authority structure the paper describes is the architectural-governance pattern in plain clothes. Self-detection rate is the right metric for detection, and the thing that produces a good one is an architectural commitment, not a policy PDF that says you value visibility. Write the control into the system, or you don’t have it.

Key Takeaway: The whitepaper’s 4 out of 10 is a confession in print, and the move that closes the machine-speed defense gap is delegating three authorities your board can grant this quarter.

What To Do Next

Read the whitepaper yourself at aiuc-1.com. Then run four moves before the quarter closes. Send the paper to your direct reports with one ask: map current SLAs against the three imperatives and flag every gap. Schedule a board cycle on the three authority delegations. Run a preparedness self-rating with your security leadership and compare your number to the 4 out of 10 baseline. Map your top five production agents against the least-agency, allowlist, segmentation, and autonomous-red-team checklist from the second imperative.

If you want the operating-model view behind this, governance-as-architecture and least agency are the two positions I keep coming back to, and I write about across the newsletter archive at rockcybermusings.com. The board and security-leadership advisory work lives at rockcyber.com if you want to pressure-test your own number against the baseline.

Share RockCyber Musings

👉 Subscribe for more AI security and governance insights with the occasional rant.

👉 For ongoing analysis of agentic AI governance frameworks, the conversation continues at RockCyber Musings.

👉 Visit RockCyber.com to learn more about how we can help with your traditional Cybersecurity and AI Security and Governance journey.

👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com

👉 As a bonus, check out my conversation with Eva Benn where we talked about the cybersecurity skills you need to develop to stay relevant in 2026 and beyond.

The views and opinions expressed in RockCyber Musings are my own and do not represent the positions of my employer or any organization I’m affiliated with.

Share

Claude Code skills are how I stopped re-explaining the same discipline to an AI on every session. Last year Veracode tested code from more than 100 large language models and found security flaws in 45% of it. That matches what I keep seeing in my machine learning and data science work, where the model returns an answer that looks correct and is wrong underneath. This week, I put my skills library on GitHub at rocklambros/RCS. It's the portable half of a setup I've been building in the open. The skills drop into the Claude Code harness I documented at rocklambros/harness-engineering, and they ride alongside the secure coding rules I open-sourced to stop Claude generating vulnerable code in the first place. Here is what is inside, starting with the skill that saved me the most pain.

The Prompt You Keep Pasting Is A Skill

I spent more time than I should have just copying the same prompt into Claude from a cacophony of Notion notebooks and saved text files. I can tell you how many times I told Claude to stop trusting a clean p-value, to check the assumptions behind a statistical test before reporting it, and to refuse the easy answer when the data didn’t support it. I pasted some version of that into a fresh chat a few hundred times. Every session started from zero. The model holds no memory of the discipline I taught it yesterday, so I taught it again, and the wording drifted a little each time.

That is the tell. If you keep pasting the same instructions, you have already written something. You never saved it in a form the tool can load on its own. A Claude Code skill is that saved form, a single markdown file with a description that the model reads to decide whether the file applies to your question. Once it is installed, the model consults it without being asked. The discipline lives in the file instead of your head, and your head is where discipline goes to get forgotten.

Here is the example that pushed me over the edge. I was building a multi-turn prompt-injection detector for the Deep Learning course in my Master’s program, and I had two models to compare on the same set of 5,130 test conversations. The temporal LSTM scored an F1 of 0.837. Adding an attention layer on top scored 0.837 as well, with confidence intervals nearly overlapping. Ask an AI whether the attention version is the better model, and most will wave it through as a free upgrade, since the interpretability costs nothing. The honest answer is that there is no improvement to claim. A paired bootstrap on the same conversations yields a difference of zero (p = 0.453), nowhere near significant. A p-value is the chance a gap this size would show up even when the two models are truly identical, and at 0.453 it would show up almost half the time, so there's no real difference to claim. Both models saw the identical test set, so the comparison is paired, and treating it any other way invents a result that is not in the data. That is a confident wrong answer, and it is the kind that ends up on a slide in front of a board (or in a classroom, with a professor sitting as “chairman,” in my case).

The Premortem I Kept Rebuilding By Hand

The skill I want you to remember is running-adversarial-premortem. It came out of that same habit. I kept asking the model to argue against my own designs, and I kept getting agreement dressed up as analysis. I wrote the method down and made it a skill.

A premortem flips the usual review. Rather than asking what could go wrong, it assumes the work will fail in six months and traces the cause. The skill runs in three rounds. Round one assumes failure and lists five to ten ways it happened, seeded by category: the premise was wrong, the method was biased, the code didn’t match the design, the deployment was botched, the audience misread the result. Round two chains each failure back to a root cause. Round three scores what survives.

The scoring is where it earns its keep. Each surviving failure mode gets a severity, a likelihood, and a detectability, and the priority is severity times likelihood divided by detectability. A quiet, high-damage failure that nothing would catch ranks above a loud one that your CI already flags. Two fields force honesty. Every concern carries its strongest counterargument, the most generous defense of the design, so you engage the work rather than strawmanning it. Every concern also names what would have to be true for you to stop worrying, a condition the skill calls “stops mattering if.” A worry with no stopping condition is anxiety wearing a citation, not analysis.

The skill also refuses to fire when it shouldn’t. Ask it to scan a loop for an off-by-one error, and it hands you off to a plain code review, because a premortem on a one-line fix costs more than the bug. That refusal is tested, not promised, and I will come back to why that matters.

You will find it at skills/workflow/running-adversarial-premortem. The method itself is old. Gary Klein wrote it up for Harvard Business Review in 2007. What changed is that the discipline now loads itself when the stakes are high, instead of waiting for me to remember to run it.

The Highest-Priority Skill Is The Most Boring One

Every skill in the library carries a priority score I call Σ, a rough estimate of how often the gap shows up multiplied by how badly things break when you miss it. The top of the list is not the premortem or any of the security skills. It is enforcing-seed-hygiene, at Σ 20, the only skill that hits the maximum. It exists because randomness is everywhere in machine learning, and almost nobody pins it correctly.

Here is the failure... You train a model, get a number, write it down. A colleague runs the same code on the same data and gets a different number. Now neither of you knows which result to trust, and the paper or the production model sits on sand. A 2025 review of machine-learning reproducibility put the fix plainly: fixed random seeds should be set and published to control the many sources of nondeterminism in ML. The same authors flag a catch that trips people up, which is that seeds hold only when the work is not running in parallel on a GPU.

That GPU catch is the part people miss, and the skill handles it. One seed isn’t enough. Python’s own hashing, NumPy, PyTorch, JAX, and R each carry a separate generator, and parallel thread scheduling on a GPU produces floating-point sums that do not land bit-for-bit the same across machines. The skill emits a single first-cell block that seeds every library you named, sets PYTHONHASHSEED, and, for sampler workloads, pins the thread count so a run on your laptop matches the one on the Linux server. It refuses the wrong job too. Ask it to seed a cryptographic nonce, and it stops you, because a fixed seed there is a vulnerability, not a discipline.

It lives at skills/workflow/enforcing-seed-hygiene. That is the profile a Σ 20 earns. It shows up on nearly every project, and it ruins the results when you skip it.

Vet The MCP Server Before You Trust It

The skill I want in front of security people is auditing-mcp-server-pre-trust, at Σ 18. Model Context Protocol servers are how your AI reaches out to tools and data, and the ecosystem grew faster than its security did. A 2025 study from Queen’s University analyzed 1,899 open-source MCP servers and found 7.2% carrying general vulnerabilities and 5.5% exhibiting tool poisoning, where a hostile server hides instructions inside a tool’s description to steer the model without you ever seeing them.

Don’t count on the model to catch it. A separate benchmark, MCPTox, ran tool-poisoning attacks against 20 agents and found they almost never refuse. The best refusal rate from a single Claude model came in under 3%. The model reads the poisoned description and follows it. The paper found that more capable models were often more susceptible, because the attack rides on their stronger instruction-following. That puts the decision where it belongs, with you, before the server gets registered.

The skill runs six checks ahead of that registration: license, source review, network egress, version pin, secret handling, and the subset of tools you need. The version pin alone catches a class of foot-guns. A server installed with npx -y or an unpinned pip install can shift underneath you between the audit and the next run, so the skill treats anything unpinned as a blocking failure. Each check has to cite evidence, a file, a line, or a commit, so the audit cannot decay into a checkbox ritual.

The boundary for a skill like this is design-time and registration-time discipline. It runs inside the model’s reasoning, before the connection goes live. It cannot see what the agent does once it is running, which tools it calls, what data left the building, or whether the action matched the intent you approved. That is a different control layer, and nothing in this repo provides it. Closing it takes interception at the moment a tool executes, structured traces a security team can query rather than vendor-specific log soup, and a live inventory of every tool, model, and dataset the agent touched, the way a software bill of materials tracks dependencies. The skills are the author-time half of a problem, with the other half running in production. Know which half you have covered.

It lives at skills/security/auditing-mcp-server-pre-trust.

Your Instruction Files Are Rotting

The last skill, auditing-instruction-hierarchy at Σ 18, fixes a problem you can’t see until it bites. The CLAUDE.md files that tell the model how to behave grow without limit, and a larger instruction file is not necessarily better. Chroma’s 2025 “Context Rot” study tested 18 frontier models and found that output quality drops as input length grows, even on simple tasks, well before the context window is anywhere near full. Every line you add to an instruction file competes for the model’s attention with the work in front of it.

My own test harness sets a hard cap of 400 lines across the entire instruction hierarchy, with 250 as the target. Past 400, instruction-following degrades measurably. The skill counts the lines across every CLAUDE.md in play, from the user-level file down to the ones plugins quietly drop in, and it greps for content that breaks the prompt cache: literal dates, session IDs, anything that changes between runs and forces the model to re-read the whole prefix every five minutes. Then it sorts each rule into a verdict. Keep it, move it to a skill that loads on demand, move it to a hook, or drop it.

I ran it against this repo while building it. The skill’s own evidence list names RCS, which is the polite way of saying it found things in my own setup worth trimming. It lives at skills/claude-code-meta/auditing-instruction-hierarchy.

What The Claude Code Skills Repo Ships

The four skills above are a sample. The repo ships 104 of them, all in the shipped state with none in draft, organized into five tracks by who needs them: security, machine learning and data science, cross-cutting workflow, teaching, and Claude Code meta-work. The whole library is MIT licensed.

Two design choices matter when deciding whether to trust it. The first is that it is catalog-free. There are no bundled framework controls and no ISO mirrors copied in to rot the day after I commit them. The skills encode method, not reference material that goes stale. The second is that every skill ships with three test scenarios, a normal case, an edge case, and an anti-trigger that checks the skill stays quiet when it should not fire. That last one is the part most prompt collections skip, and it separates a helpful skill from one that fires on everything and turns into noise.

Install is a clone and a symlink loop that drops each skill into your ~/.claude/skills directory, skipping anything already there. The skills compose themselves. Start an ML notebook and the scaffolding skill, the seed-hygiene skill, and the train-test-split audit fire in sequence without you wiring them together.

Key Takeaway: If you keep pasting the same instructions into an AI, turn them into Claude Code skills, because the discipline you do not write down is the discipline you lose every session.

What to do next

Clone the repo, install the skills, and point the premortem at the next design you are about to commit to. Watch it argue with you. The repo is at github.com/rocklambros/RCS, and the install steps are in the README.

If you want the thinking behind this kind of work, the AI security and governance advisory I run lives at rockcyber.com, and the rest of these teardowns are at rockcybermusings.com. Tell me which skill broke something useful. The anti-trigger tests catch a lot, and you will still find edges I missed.

Subscribe for more AI security and governance insights with the occasional rant.

👉 Subscribe for more AI security and governance insights with the occasional rant.

Subscribe now

Share RockCyber Musings

👉 For ongoing analysis of agentic AI governance frameworks, the conversation continues at RockCyber Musings.

👉 Visit RockCyber.com to learn more about how we can help with your traditional Cybersecurity and AI Security and Governance journey.

👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com

👉 As a bonus, check out my conversation with Eva Benn where we talked about the cybersecurity skills you need to develop to stay relevant in 2026 and beyond.

The views and opinions expressed in RockCyber Musings are my own and do not represent the positions of my employer or any organization I’m affiliated with.

Trump pulled the executive order. Anthropic shipped a model that finds vulnerabilities by the thousand. Threat actors poisoned developer AI assistants with invisible characters. The week of May 22 through 28, 2026, didn’t give CISOs a quiet moment. The federal government cannot decide if AI is a threat or a savior. Attackers keep outpacing the policies meant to slow them.

The week’s signal lived in the contrast. Anthropic’s Mythos model surfaced 10,000 critical vulnerabilities in a month. The White House could not get a single executive order across the line. CISA sat at the table without a vote. Attackers poisoned AI coding assistant config files with invisible Unicode. A malicious npm package exfiltrated files from Claude AI’s working directory. AI capability keeps accelerating. AI governance keeps collapsing. Security teams who treat the next 90 days as business as usual will be explaining decisions to regulators they cannot defend.

Share

Agent Control Standard Launches Open Runtime Governance Framework for AI Agents

The Agent Control Standard launched on May 27, 2026 at the AI Agent Security Summit in San Francisco, releasing a vendor-agnostic, open framework for runtime governance of AI agents (BusinessWire, VMblog). Existing protocols govern how agents communicate with each other. None cover what they actually do once they start acting inside enterprise environments. ACS targets that gap with a common framework for runtime enforcement, intervention, and policy governance across agent ecosystems. The specification is released as open source under the MIT license, with no single company controlling the spec. Michael Bargury, co-founder and CTO of Zenity, is co-creator. Full disclosure, I serve as director of AI standards and governance at Zenity and contribute to ACS.

Why it matters

• The industry has a control-layer gap. MCP and other protocols cover communication, not what agents do once they act.

• Runtime governance has been a per-vendor build problem, which has been blocking enterprise procurement and audit.

• An open, vendor-neutral spec gives regulators and auditors a reference point that does not depend on a single platform’s roadmap.

What to do about it

• Read the spec at agentcontrolstandard.ai and map it against your current agent runtime controls.

• Ask your AI agent platform vendors which parts of ACS they will support and on what timeline.

• Add ACS-style runtime controls including policy enforcement, intervention, and kill switches to your 2027 agent governance roadmap.

Rock’s Musings

Full disclosure up top. I am leading ACS, so putting this up top is my prerogative 😀. Read this knowing that. The reason we built it is the same reason I keep writing about agent governance every week. Everyone I talk to is putting agents into production with no runtime enforcement layer, no intervention model, and no audit trail that survives a regulator’s question. The vendor-by-vendor approach was never going to scale. We needed a common spec that any platform could implement and any auditor could point to. That is what ACS is. Go read it at https://agentcontrolstandard.ai, push your vendors to support it, and tell us where it falls short.

2. Axios Publishes the Killed AI Executive Order Text

Axios published the full text of the canceled AI executive order on May 22, 2026, the day after President Trump pulled the signing ceremony (Axios, NPR). The draft included a voluntary Treasury clearinghouse for AI security vulnerabilities and a pre-launch review process where major AI companies would share frontier models with the government for up to 90 days. CEOs from OpenAI, Anthropic, and other major labs had been invited.

Why it matters

• The federal government walked away from the only proposed coordination mechanism for AI vulnerability sharing.

• Any serious U.S. AI security baseline now has to come from industry, state regulators, or international peers.

• AI vendors with CAISI evaluation agreements face uncertainty about whether voluntary testing remains the expectation.

What to do about it

• Set your own baseline using the NIST AI RMF and the joint CISA-Five Eyes agentic AI guidance from May 1.

• Map which AI vendors have signed CAISI evaluation agreements and treat that as third-party risk data.

• Engage with state AI laws including California SB 942 and Texas HB 149 rather than waiting on Washington.

Rock’s Musings

The administration spent months convening industry CEOs and threading a needle on voluntary frontier model review. Then it walked away because the work sounded like regulation. Plan as if no federal framework is coming for the rest of this administration. State attorneys general will probe your AI governance posture soon enough. More at https://www.rockcybermusings.com.

3. Anthropic’s Project Glasswing Finds 10,000 Critical Vulnerabilities in One Month

Anthropic published an update to Project Glasswing on May 22, 2026, reporting that Claude Mythos Preview, working with roughly 50 partner organizations, identified more than 10,000 high or critical-severity vulnerabilities in about four weeks (Anthropic, CSO Online). Cloudflare alone surfaced about 2,000 bugs, 400 rated high or critical. Mozilla patched 271 vulnerabilities in Firefox 150, ten times the count from an earlier Claude Opus 4.6 run. Six independent firms validated 1,752 findings, with 90.6% confirmed as true positives.

Why it matters

• The model is doing in days what well-staffed AppSec teams take quarters to complete.

• Software vendors are now expected to keep pace with AI-found bugs at speeds no human team can match.

• Vulnerability management economics change when triage volume jumps an order of magnitude in a month.

What to do about it

• Pressure software vendors for AI-assisted vulnerability discovery details and patch SLA commitments.

• Update patch and risk acceptance policies for a world where critical bugs surface at machine speed.

• Pilot AI-assisted code review inside your own engineering organization before your competitors do.

Rock’s Musings

Project Glasswing is the first credible public demonstration of large-scale AI vulnerability discovery. Mozilla’s 271 Firefox patches in one release is a confession that we have all been underspending on AppSec for a decade. The harder question is what happens when threat actors get this capability. If your patch SLA is 30 days, you are living on borrowed time.

4. CISA Sidelined in White House AI Cyber Response

Axios reported on May 26, 2026 that CISA has been pushed to the margins of the administration’s AI cyber response, with one industry source describing the agency as “at the table, not in the game” (Axios, Newsmax). CISA leadership joins early White House calls led by the Office of the National Cyber Director, but has little influence. The agency has lost roughly one-third of its workforce since the start of 2025. The FY2027 budget proposal calls for another quarter of staff cut and $707 million in funding reductions.

Why it matters

• The federal civilian operational cyber agency is being structurally weakened as AI reshapes the threat picture.

• Private sector relationships built on CISA’s information sharing face uncertainty about continuity.

• State and local governments who depend on CISA for technical support face longer response times.

What to do about it

• Diversify your federal cyber relationships. Build direct ties to FBI cyber, Secret Service, and your sector ISAC.

• Review incident response plans for assumptions about CISA support and revise where federal assistance is uncertain.

• Engage with state cyber programs in your operating jurisdictions, since state authorities will inherit the burden.

Rock’s Musings

CISA was supposed to be the federal cyber civilian backstop. Watching it get hollowed out while the threat surface explodes is one of the most demoralizing things I have seen in this field. Build your federal incident response playbook around the assumption that CISA will be slow, understaffed, and unable to provide the level of technical assistance you got in 2024. The federal cavalry is not coming this year.

5. Check Point Report Finds 51-Point Gap Between AI Security Intent and Capability

Check Point released its 2026 Cloud Security Report on May 26, 2026, finding that 77% of organizations have updated their cloud security strategy for AI, while only 26% have the architecture to enforce those policies (Check Point, PR Newswire). The 51-point gap pairs with 78% of organizations reporting confirmed or suspected AI-related security incidents in the past year. Seventy percent now run generative AI in production. Only 5% have full visibility into AI usage. Only 14% actively enforce and audit AI security policies.

Why it matters

• AI adoption has structurally outpaced security architecture at a board-level scale.

• Shadow AI is no longer a future risk. It is the current operating reality.

• Vendors building generative AI security controls now have a credible commercial story for board-level investment cases.

What to do about it

• Run an AI usage discovery exercise this quarter. You cannot govern what you cannot see.

• Tie generative AI policy enforcement to identity controls and DLP systems rather than standalone AI proxies.

• Make AI visibility metrics a recurring agenda item for your risk committee with a 12-month target.

Rock’s Musings

Almost 80% of organizations have already had an AI security incident, and only 1 in 20 know what AI is running across their environment. We are in the consequences phase, and most security teams are still arguing about which AI proxy vendor to evaluate. The fix is not buying another tool. The fix is treating AI like data, applying the same identity, access, and monitoring discipline you apply to every critical workload. More at https://www.rockcyber.com.

6. TrapDoor Supply Chain Attack Poisons AI Coding Assistants

Researchers at Socket and partner firms disclosed TrapDoor, a coordinated supply chain campaign that pushed more than 34 malicious packages across npm, PyPI, and Crates.io (The Hacker News, Socket, Phoenix Security). The earliest package appeared on May 22, 2026. TrapDoor’s novel component injects hidden instructions into .cursorrules and CLAUDE.md files using zero-width Unicode characters. The payload looks invisible in a code editor. AI coding assistants process the hidden text as live prompts. The campaign also opened pull requests against open-source AI projects including LangChain, MetaGPT, LangFlow, and OpenHands.

Why it matters

• The attack weaponizes the AI coding assistant itself as the execution layer, a new class of supply chain compromise.

• Existing software composition analysis tooling does not detect zero-width Unicode payloads in editor configuration files.

• Open-source AI orchestration projects are now an active target for adversary-supplied configuration via pull request.

What to do about it

• Scan repositories for non-printable Unicode characters in AI assistant config files including .cursorrules and CLAUDE.md.

• Treat AI assistant configuration files as security-sensitive artifacts subject to code review and CI controls.

• Restrict outbound traffic from developer machines and CI/CD systems to known good destinations.

Rock’s Musings

The AI coding assistant is a trusted, privileged execution context with access to credentials, source code, and tokens. Compromise its configuration and you compromise everything the assistant can touch. Pin versions, review changes, restrict what assistants can read and write, and treat any pull request touching .cursorrules or CLAUDE.md as malicious until proven otherwise.

7. Malicious npm Package Targets Claude AI User Directory

Researchers disclosed on May 27, 2026 a malicious npm package called “mouse5212-super-formatter” designed to exfiltrate files from /mnt/user-data, the directory Claude AI uses for user uploads and outputs (The Hacker News, The Register). The campaign, named Malware-Slop, walks the directory and uploads every file through the GitHub Contents API. The attacker leaked their own GitHub private token, which let OX Security trace the stolen data. The package reached 676 downloads before npm removed it.

Why it matters

• Threat actors are now writing supply chain malware that specifically targets AI assistant user data directories.

• AI-generated malware is creating new operational security mistakes that defenders can sometimes exploit.

• Claude users who installed the package have working sessions, uploads, and outputs exposed to the attacker.

What to do about it

• Inventory which developers use Claude or similar AI tools with a user-data directory and audit recent package installs.

• Add file integrity monitoring and outbound network controls on AI assistant working directories.

• Require token scoping reviews for any developer credential an AI agent might use.

Rock’s Musings

The operator burned themselves with a leaked GitHub token. The next operator will not make that mistake. AI assistant working directories are now a named target. If your developers run Claude, Cursor, Copilot, or any equivalent, those tools have privileged access to source code and uploaded files. Treat the AI assistant runtime like a privileged build server.

8. Microsoft Warns of AI Chatbot Cryptojacking Campaign

Microsoft published a threat advisory on May 26, 2026 detailing an active cryptojacking campaign that uses AI chatbot interactions to deliver malicious download links (Microsoft, Help Net Security). Users searching for system utility software were directed to attacker-controlled lookalike sites through poisoned search results and AI chatbot responses. The archive contains a legitimate utility plus a malicious DLL that sideloads a fake Visual C++ Redistributable and installs ScreenConnect for persistent remote access.

Why it matters

• AI chatbot recommendations now sit alongside search results as an attack surface for SEO poisoning-style campaigns.

• Legitimate software brands plus credible AI responses bypass user skepticism that traditional malvertising would trigger.

• Persistent ScreenConnect access means cryptomining is the visible threat, with data theft available on demand.

What to do about it

• Block known cryptojacking command and control infrastructure and watch for unauthorized ScreenConnect installations.

• Educate users on verifying download URLs even when they come from AI chatbot suggestions.

• Prevent employees from installing system utilities outside an approved software catalog.

Rock’s Musings

People have been trained for two decades to distrust the top three Google search ads. They have not been trained to distrust an AI chatbot suggesting a download link inside a friendly conversation. The cryptojacking is the low-stakes test. The ScreenConnect persistence is the actual play. Outbound traffic to AI services needs the same scrutiny you give to any shadow IT category.

9. Anthropic Signals Plans for Public Mythos-Class Release

The Register reported on May 25, 2026, that Anthropic plans to release Mythos-class models to the public once stronger safeguards are in place, tied to the May 22 Project Glasswing announcement (The Register, Help Net Security). The Mythos preview was limited to a small group of trusted organizations due to its cybersecurity capabilities. Anthropic’s stated rationale is that defenders need access to the same tools attackers can build. Project Glasswing partners now exceed 50 organizations including Cloudflare and Mozilla.

Why it matters

• A widely available frontier model with proven offensive cyber capability changes the threat model for every software vendor.

• Vendors without AI-assisted vulnerability discovery in their SDLC will fall behind attackers using the same tooling for free.

• EU and UK regulators are likely to revisit gatekeeping rules for high-capability cyber models if the defender-attacker gap closes.

What to do about it

• Assume Mythos-class capability reaches motivated attackers within 18 months. Plan patch cadence around that timeline.

• Engage your AppSec vendor on AI-assisted vulnerability discovery roadmaps tied to broader model availability.

• Track Anthropic’s Responsible Scaling Policy updates as a leading indicator of public release timing.

Rock’s Musings

Anthropic has a model that finds vulnerabilities faster than human researchers, they want defenders to have access, and they cannot release it without arming any nation state with the same capability. Holding it inside a curated partner program is the right short-term move. Start building the operational muscle now to consume an order of magnitude more findings.

10. Help Net Security Adds Detail on Enterprise AI Governance Failure

Help Net Security published a follow-up on May 28, 2026 on the Check Point 2026 Cloud Security Report, noting that more than half of companies have experienced at least one AI-related security incident (Help Net Security). The most common categories were unauthorized or shadow AI use, AI-generated phishing and deepfake content, and sensitive data leaks tied to AI services. Some companies permit source code in generative AI tools. Many cannot trace sensitive data flow through AI processing environments.

Why it matters

• AI policy and AI control are two different things in most organizations.

• The categories of AI-related incidents match the threat model security teams have been describing for a year, meaning predicted incidents are now actual.

• Source code exposure through generative AI tools is a top-line legal and IP issue, not a future risk.

What to do about it

• Set a quarterly AI incident review cadence in your risk committee, broken out by incident category.

• Implement DLP controls on outbound traffic to consumer generative AI services and require enterprise tenant routing.

• Require legal review of generative AI tool acceptable use policies focused on IP, training data rights, and breach notification.

Rock’s Musings

The added detail is the part you take to your board. AI-related incidents are happening now, the categories are predictable, and most organizations are not running controls that would catch them. Read your generative AI vendor contracts again. The second time around you should walk in with a list of demands.

The One Thing You Won’t Hear About But You Need To: Cisco Quietly Rewrites Its Vulnerability Disclosure for the AI Era

Cisco’s security blog published a post on May 22, 2026, with Help Net Security follow-up on May 25, announcing changes to vulnerability disclosure in the AI era (Cisco Blogs, Help Net Security). For internally found vulnerabilities assessed as lower likelihood and lower impact, Cisco said it “may change the level of detail shared,” with some bugs that would have warranted a standalone advisory no longer getting one. Cisco will post high-level data on its website pointing customers toward security-hardened releases.

Why it matters

• A major networking vendor is moving toward suppressing standalone disclosure of lower-rated vulnerabilities.

• Enterprise vulnerability management programs that rely on vendor advisories will see a coverage drop on Cisco issues.

• The shift is likely to be followed by other vendors as AI-assisted discovery generates more findings than traditional disclosure can support.

What to do about it

• Update vendor patching policy to prioritize installation of all security-hardened releases, not just releases addressing named advisories.

• Track which other major vendors are making similar disclosure changes. Adjust your asset inventory to match.

• Push vendor management to ask hard questions during renewals about disclosure practices and AI-discovered vulnerability handling.

Rock’s Musings

This is the story everyone slept on, and it will bite enterprise vulnerability management teams in the next two quarters. Cisco found a polite way to say that AI is generating too many internal findings to disclose every one in the old format. Patch by release, not by advisory. Cisco will not be the last vendor to do this. The vendors will not give you transparency unless you make them.

👉 For ongoing analysis of agentic AI governance frameworks, the conversation continues at RockCyber Musings.

👉 Visit RockCyber.com to learn more about how we can help with your traditional Cybersecurity and AI Security and Governance journey.

👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com

👉 As a bonus, check out my conversation with AI Cyber Magazine, where we talked about everything from Context Rot to Least Agency.

📣📣📣 The Weekly Musings will take a week off next week as I am taking a very much needed vacation 📣📣📣

The views and opinions expressed in RockCyber Musings are my own and do not represent the positions of my employer or any organization I’m affiliated with.

Share RockCyber Musings

References

Agent Control Standard. (2026). Agent Control Standard specification and community resources. https://agentcontrolstandard.ai/

Anthropic. (2026, May 22). Project Glasswing: An initial update. https://www.anthropic.com/research/glasswing-initial-update

Axios. (2026, May 22). Read the AI executive order thwarted by Trump tech allies. https://www.axios.com/2026/05/22/ai-executive-order-cancelled-white-house

Axios. (2026, May 26). CISA takes backseat in White House AI cyber response. https://www.axios.com/2026/05/26/cisa-white-house-cybersecurity-ai

BusinessWire. (2026, May 27). Agent Control Standard launches open framework for runtime governance of AI agents. https://www.businesswire.com/news/home/20260527326259/en/Agent-Control-Standard-Launches-Open-Framework-for-Runtime-Governance-of-AI-Agents

Check Point Software. (2026, May 26). AI adoption creates critical cloud security gaps for enterprises, new Check Point report shows. https://www.checkpoint.com/press-releases/ai-adoption-creates-critical-cloud-security-gaps-for-enterprises-new-check-point-report-shows/

Cisco. (2026, May 22). Cisco’s risk-based vulnerability disclosure in the age of AI. Cisco Blogs. https://blogs.cisco.com/security/ciscos-risk-based-vulnerability-disclosure-in-the-age-of-ai

CNBC. (2026, May 21). Trump postpones AI executive order signing: ‘I didn’t like certain aspects’. https://www.cnbc.com/2026/05/21/trump-ai-executive-order-postponed.html

CSO Online. (2026, May 26). Project Glasswing has uncovered 10,000 vulnerabilities: Anthropic. https://www.csoonline.com/article/4176865/project-glasswing-has-uncovered-10000-vulnerabilities-anthropic.html

Help Net Security. (2026, May 25). Cisco refines its risk-based vulnerability disclosure for the AI era. https://www.helpnetsecurity.com/2026/05/25/cisco-risk-based-vulnerability-disclosure-ai/

Help Net Security. (2026, May 26). Anthropic: Claude Mythos identified 10,000+ software flaws. https://www.helpnetsecurity.com/2026/05/26/anthropic-project-glasswing-update/

Help Net Security. (2026, May 27). AI chatbot recommendations lure users to cryptojacking malware sites. https://www.helpnetsecurity.com/2026/05/27/ai-chatbot-cryptojacking-campaign/

Help Net Security. (2026, May 28). Companies built AI into core systems before figuring out how to govern it. https://www.helpnetsecurity.com/2026/05/28/check-point-genai-security-controls-report/

Microsoft Security Blog. (2026, May 26). From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities. https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/

Newsmax. (2026, May 26). CISA faces AI threat wave amid deep staffing cuts. https://www.newsmax.com/politics/cisa-sean-plankey-ai/2026/05/26/id/1257509/

NPR. (2026, May 22). Trump cancels AI executive order signing. https://www.npr.org/2026/05/22/nx-s1-5829908/trump-cancels-ai-executive-order-signing

Phoenix Security. (2026, May). TrapDoor supply chain attack: AI poisoning via npm, PyPI, Crates. https://phoenix.security/trapdoor-supply-chain-ai-poisoning-npm-pypi-crates/

PR Newswire. (2026, May 26). AI adoption creates critical cloud security gaps for enterprises, new Check Point report shows. https://www.prnewswire.com/news-releases/ai-adoption-creates-critical-cloud-security-gaps-for-enterprises-new-check-point-report-shows-302780612.html

Socket. (2026, May). TrapDoor crypto stealer supply chain attack hits 34 packages across npm, PyPI, Crates.io. https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates

The Hacker News. (2026, May). TrapDoor supply chain attack spreads credential-stealing malware via npm, PyPI, CratesIO. https://thehackernews.com/2026/05/trapdoor-supply-chain-attack-spreads.html

The Hacker News. (2026, May 27). Malicious npm package stole files from Claude AI user directory via GitHub. https://thehackernews.com/2026/05/malicious-npm-package-stole-files-from.html

The Hacker News. (2026, May 27). AI chatbot recommendations redirect users to cryptojacking malware sites. https://thehackernews.com/2026/05/ai-chatbot-recommendations-redirect.html

The Register. (2026, May 25). Anthropic to release Mythos-class models to the public. https://www.theregister.com/security/2026/05/25/anthropic-to-release-mythos-class-models-to-the-public/5245596

The Register. (2026, May 27). Malware dev tries to steal Claude users’ secrets, writes npm slop, leaks own GitHub private token. https://www.theregister.com/cyber-crime/2026/05/27/supply-chain-brain-drain-npm-attacker-foolishly-leaks-own-github-private-token/5247424

VMblog. (2026, May 27). Agent Control Standard launches open framework for runtime governance of AI agents. https://vmblog.com/news/agent-control-standard-launches-open-framework-for-runtime-governance-of-ai-agents/

Your AI security maturity score is probably inflated. Half of security organizations already run AI in production, and most can’t prove it’s governed. The SANS 2025 AI Survey reports that 50% of organizations use AI for security work today, another 30% will within a year, and only 35% run a formal AI risk and compliance program. That gap is where fake maturity lives. The new SANS AI Security Maturity Model exists to drag your real numbers into daylight, and the way it does that is the most useful part of the book.

Share

Your AI Security Maturity Score Is Fiction

You’ve seen the slide. It says Stage 3, maybe Stage 4, green across the board, shown to leadership with the confidence of someone who has never sat through an audit. Then a regulator calls or an incident hits, and the green turns out to be a vendor logo on a PDF and a policy nobody has opened since onboarding week.

I reviewed this model before release, alongside a group of practitioners SANS brought in. Chris Cochran, SANS Field CISO and VP of AI Security, wrote it. He co-authored prEN 18282 and leads the Agentic AI Task Force on the OWASP AI Exchange, where we collaborate, so the structure comes from someone who has done the work rather than someone selling a dashboard. Treat me as a biased but informed guide, and check my reasoning against the model yourself.

The model runs three pillars, Protect, Utilize, and Govern, across five stages from ad hoc to leading. That part looks like every maturity model you’ve met. The difference sits in the scoring, and it’s where the book earns its keep. The model assumes you’re inflating your score, then builds two mechanisms that force you to prove you aren’t. Once you see them, you can’t unsee how thin most Stage 3 programs turn out to be.

The survey data backs the suspicion. Adoption is sprinting, and governance is crawling behind it. When half your peers have AI in the building, and barely a third have a governance program, the difference is a pile of unmanaged risk wearing a maturity badge. A model that strips the badge off does you a favor, even when the result stings. The sting is the signal it’s working.

If you’ve ever watched a maturity self-assessment sail through a steering committee and wondered who was going to check it, you’re the reader this model was built for. You already suspected the number was soft. Here’s the structure that proves it.

Two Old Disciplines The Model Smuggles In

Nothing about the two mechanisms is new, and that’s the point. Cochran took two disciplines that security has trusted for 30 years and aimed them at AI, where the discourse has been mostly threat theater and Stage 4 daydreams.

The first mechanism is weakest-link capping. Your overall stage can’t float more than one level above your weakest pillar, and it can’t exceed your Govern score by more than one stage. Score Stage 1 in Govern, and your Stage 4 detection tooling earns you a Stage 2 overall, and no amount of tooling spend changes that. Anyone who survived CMMI or NIST tiering immediately recognizes this move. Maturity behaves like a floor function, not an average. The averaging instinct is the seductive error here, because averaging lets a strong pillar paper over a weak one, and a program with world-class detection and absent governance is exactly the program that ends up in the headlines. The cap rules refuse the trade.

Walk a real example. A team rates itself Stage 4 on Utilize because it runs AI-assisted detection across the SOC. Protect lands at Stage 3. Govern sits at Stage 1, because there’s no AI risk committee, no model inventory, and no documented oversight. The averaging story says Stage 3. The model says the Govern floor caps you at Stage 2, and the minimum-pillar rule confirms it. Your real maturity is the weakest load-bearing wall, not the prettiest room in the house.

The second mechanism is the evidence ceiling. Any capability you self-report without documentary evidence is capped at Stage 2. Without an approved policy, audit logs, or a dashboard export, you don’t get Stage 3. This is plain controls-testing doctrine, the same standard a SOC 2 auditor applies to a control narrative. Assertion isn’t evidence, and the model writes the rule into the scoring so you can’t talk past it. The discipline this imposes is quiet and real. Before you claim a stage, you go find the artifact. Half the time, the search itself tells you the honest answer, because the artifact doesn’t exist.

Put both mechanisms together, and your number drops, often by a full stage. That’s the system working. An honest Stage 2 you can defend in a board room beats a fictional Stage 3 that disintegrates the first time someone asks for proof.

The independent data agrees on which pillar carries the weight. The CSA and Google Cloud State of AI Security and Governance Survey, published December 18, 2025, found organizations with comprehensive policies nearly twice as likely to report early agentic AI adoption, 46%, against 25% for partial guidelines and 12% for policies still in development. Governance maturity, not tooling spend, predicts who’s ready to move. The model’s governance floor encodes that finding into the math instead of leaving it as advice.

Why Blocking AI Makes You Less Safe

Plenty of programs believe they’ve handled AI risk by banning it. The model has a name for that posture, the Framework of No, and it parks you at Stage 2 by design. Prohibition feels like control. The data says it manufactures blind spots.

UpGuard’s State of Shadow AI found 81% of employees and 88% of security leaders using unapproved AI tools, with 45% of workers routing around blocks to reach the applications they want. Software AG found that 46% of shadow AI users would keep using the tools even if their employer banned them outright. Read those numbers together, and the picture turns grim for the prohibition crowd. Your own security leaders sit inside the shadow AI population. Your block list is a polite suggestion. Every ban you can’t enforce converts visible usage into invisible usage, which runs precisely backward from the outcome you wanted.

The model treats prohibition as immaturity rather than rigor, and the staging reflects it. Higher stages move from blocking toward visibility, sanctioned tooling, and monitored usage, because you can only govern what you can see. A CISO who bans AI and reports the ban as a control runs a Stage 1 program narrating a Stage 3 story. The evidence ceiling catches it the instant someone asks for proof that the ban holds, and the proof never comes because usage moved to personal devices and unmanaged accounts the day after the policy shipped.

The harsh reality is that the C-suite is often the worst offender, pasting board material and deal terms into consumer chatbots while security writes memos no one reads. A maturity model that scores prohibition honestly hands you the language to take that conversation upstairs, where the real shadow AI risk usually lives.

The Question Almost Nobody Can Answer

The Govern pillar carries a question that empties most rooms. When your AI agent causes harm, can you produce the audit trail proving the chain of authority from the human who authorized it to the action the agent took?

Sit with that, because the numbers are moving against you in a hurry. Entro Labs’ H1 2025 research found non-human identities grew 44% year over year and now outnumber humans 144 to 1 in cloud-native environments, up from 92 to 1 a year earlier. Rubrik Zero Labs, surveying 1,625 security decision-makers, found 89% have already wired AI agents into their identity infrastructure, while most concede they lack governance for those machine credentials. The agents are in production. The accountability layer is not.

Producing that audit trail demands plumbing that most programs skipped on the way to the demo. You need a durable identity for every agent, distinct from the human who delegated it, with a lifecycle someone owns from creation to revocation. You need structured logging that carries a trace ID through every reasoning step and every tool call, so that one agent action reconstructs end-to-end rather than dissolving into disconnected log lines. You need the decision artifacts, what the agent was asked, what it chose, what scope it held, what it touched, and what it retained long enough to satisfy an investigator who shows up a year later. Most shops have a shared service account, a static key, and a log that stops at the API gateway.

Picture the incident. An agent with delegated access moves money, deletes records, or leaks a dataset. Legal asks who authorized the action and on what basis. You can name the human who kicked off the workflow, and you can’t show the scope they granted, the policy that bound the agent, or the reasoning that led to the action. That’s a Stage 1 program that bought good tooling and skipped the accountability spine, wearing a Stage 4 costume.

This is the part of the model I’d hand to any team standing up agents this quarter. Build the identity, the trace, and the decision record before the first agent touches production, because reconstructing the trail after an incident costs an order of magnitude more than instrumenting it up front, and regulators have stopped accepting “we couldn’t tell” as an answer.

The World’s Moving Fast, So Here’s Where I’d Push v2

I like this model. I reviewed it because I wanted it to exist, and liking something doesn’t mean calling it finished. The ground is shifting under every one of us, so here’s where I’d push the next version.

The timeline estimates run directionally. The model offers stage-progression guidance that reads as reasonable, Cochran flags it as directional, and a team under pressure will quote those numbers to a budget committee as if a stopwatch produced them. V2 should ground the timelines in survey data or label them as planning heuristics in much louder type.

Parts of the scoring rely more on practitioner judgment than on published benchmarks. That’s a fair call for a first edition built from field experience, and it’s the soft spot a skeptical CISO will press. Tying more of the rubric to external evidence, the kind the SANS survey itself generates, would harden the model against the “says who” reflex.

Stage 5 reads as aspirational for nearly the entire field. Almost no program clears it today, which serves as a north star and makes risk a target, because an out-of-reach top stage invites the same score inflation that the rest of the model fights. V2 could split the leading practice we observe in the field from the theoretical ceiling, so teams stop grading themselves against a horizon.

The pillar weighting profiles arrive asserted rather than derived. The model hands you weightings for different organization types, which helps, and the reasoning behind the specific numbers stays under the hood. Publishing that rationale would let practitioners tune the weights to their own risk profile instead of inheriting a default they can’t interrogate.

None of this is fatal. All of it is the ordinary distance between a strong v1 and a sharper v2, and the regulatory clock is why closing that distance matters. The clock is messier than the headlines suggest. Prohibited practices and general-purpose AI rules are already in force. The heavy obligations for high-risk systems under Annex III were set for August 2, 2026, and on May 7, 2026 EU lawmakers reached a provisional agreement to push them to December 2, 2027, pending formal adoption. Until that adoption lands, the original date still stands in the law. Read the slip as breathing room and nothing more. The standards bodies needed the extra runway, and so do most programs. A maturity model that finds your real stage now beats a scramble when the deferral runs out.

Key Takeaway: This model wins by assuming your AI security maturity is inflated and forcing you to prove otherwise, and an honest score you can defend in front of a regulator beats a flattering one that collapses the moment someone asks for evidence.

What to do next

Download the model and score yourself against it without flinching. Walk each pillar on its own, gather the evidence before you assign a stage, then run the cap rules and watch your number settle where it belongs. Get the full 2026 SANS AI Security Maturity Model ebook here. If you’d rather not surrender an email yet, the executive summary linked off that page reads ungated.

Once you have a real baseline, the work shifts from scoring to strategy, which is the layer my CARE framework lives in, moving a program from where it scores to where it needs to be. For the agent-accountability gap in particular, I’ve written more on threat-modeling the systems you’re rushing into production over at RockCyber Musings.

👉 Subscribe for more AI security and governance insights with the occasional rant.

Subscribe now

Share RockCyber Musings

👉 For ongoing analysis of agentic AI governance frameworks, the conversation continues at RockCyber Musings.

👉 Visit RockCyber.com to learn more about how we can help with your traditional Cybersecurity and AI Security and Governance journey.

👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com

👉 As a bonus, check out my conversation with AI Cyber Magazine, where we talked about everything from Context Rot to Least Agency.

The views and opinions expressed in RockCyber Musings are my own and do not represent the positions of my employer or any organization I’m affiliated with.

Share

The executive branch stalled. The supply chain bled. Frontier model builders started negotiating with central bankers. Trump tore up his own AI executive order hours before signing. Anthropic agreed to brief the Financial Stability Board on what its Mythos model can produce. A worm called Mini Shai-Hulud chewed through npm, the Nx Console extension, GitHub’s internal repositories, Grafana’s source code, and a slice of OpenAI’s developer laptops.

The throughline has nothing to do with the technology. The story is the widening gap between capability and control. Washington wants speed and won’t write rules. The labs show off their offensive capabilities, then ask regulators to contain them. The supply chain runs on trust that nobody verifies. Identity systems pretend to have been built for AI agents. Here are ten to track, plus one you missed.

1. Trump Pulls AI Executive Order Hours Before Signing

On May 21, 2026, President Trump scrapped the signing ceremony for an AI executive order that would have created a voluntary review process for frontier models before public release (Axios). Trump told reporters the order “gets in the way” (CNBC). The draft covered a voluntary cybersecurity clearinghouse with Treasury and pre-deployment evaluation, giving federal agencies up to 90 days to test new models (Bloomberg). The Washington Post reported that infighting between economic and security advisers killed the timing.

Why it matters

• The voluntary framework was the lightest federal touch on frontier model safety. Killing it signals zero appetite for mandatory pre-deployment review.

• The 90-day evaluation window was already a compromise. Some labs wanted 14 days.

• The vacuum pulls states forward. Colorado’s SB 26-189 takes effect January 1, 2027.

What to do about it

• Build your governance program assuming federal silence and state activity.

• Inventory which AI vendors signed the prior CAISI agreements. Commitments still hold for OpenAI, Anthropic, Google, Microsoft, and xAI.

• Document model-evaluation evidence from vendors. You’ll need it for state filings and customer audits.

Rock’s Musings

Washington cannot govern faster than the labs ship. The voluntary EO was the security community’s best near-term win, killed in 24 hours over speed-versus-China optics. I’m not surprised. I’m tired. Treat federal AI governance as imaginary infrastructure. My longer take sits at rockcybermusings.com.

2. Anthropic Agrees to Brief the Financial Stability Board on Mythos Findings

On May 18, 2026, the Financial Times reported that Anthropic agreed to meet the Financial Stability Board (FSB) to discuss cyber vulnerability findings from its Claude Mythos Preview model (PYMNTS). The request came from Bank of England Governor Andrew Bailey. The G20 watchdog has worried that Mythos and similar models will expose weak spots in bank cyber defe’ cyber defenses (The Decoder). Anthropic says Mythos has identified thousands of high-severity vulnerabilities across every major operating system and web browser, with fallout that will be “severe” for economies and national security (TechRadar).

Why it matters

• Frontier labs are now in the room with central bank regulators on cyber risk. A structural change in who governs offensive AI capability.

• The FSB shapes the Basel framework. Expect cyber-resilience requirements to grow teeth.

• The financial sector is the canary. Whatever the FSB demands rolls downhill to every regulated industry.

What to do about it

• Map your critical software stack against Anthropic’s flagged categories. Plan for compressed patch cycles.

• Watch your home regulator for follow-on guidance. Bailey’s FSB brief will reverberate.

• Build vulnerability backlog metrics into board reporting. The question has shifted from “are we vulnerable” to “how fast can we close known exposure.”

Rock’s Musings

The lab that built the dangerous capability is now negotiating with the regulators expected to contain it. A weird posture, half whistleblower, half hostage-taker. The FSB doesn’t normally touch software, so their interest signals cyber risk has crossed the systemic-threat line. I’ve spent thirty years in this field and never seen central bankers convene on a single AI vendor’s product. Model what happens when your regulator decides “model-discovered zero-days” is a category of systemic risk.

3. Microsoft Open-Sources RAMPART and Clarity for Agent Safety

On May 20, 2026, Microsoft released two open-source tools that push agent safety into the development pipeline (Microsoft Security Blog). RAMPART (Risk Assessment and Measurement Platform for Agentic Red Teaming) is a Pytest-native framework built on Microsoft’s PyRIT toolkit. It lets teams write CI-runnable adversarial tests against agents covering prompt injection, data exfiltration, and behavioral regressions (The Register). Clarity walks teams through assumptions and failure modes before they write agent code (The Hacker News).

Why it matters

• The first credible attempt by a hyperscaler to operationalize agent red-teaming inside the CI pipeline. Most “agent safety” tooling sits outside the SDLC.

• Pytest integration matters. Agent safety tests look like every other test, which means engineers run them.

• PyRIT was already the reference toolkit. RAMPART extending it makes Microsoft the de facto standard for agent adversarial testing.

What to do about it

• Pilot RAMPART against your highest-risk agent. Pick the one with the broadest tool permissions.

• Use Clarity in design reviews. Catching bad scope at the whiteboard is cheaper than catching it in production.

• Add agent-safety test coverage to your AppSec metrics.

Rock’s Musings

Microsoft did the right thing. They built the tools, open-sourced them, and put them where developers work. Most security tools fail because they sit outside the developer workflow. RAMPART has no such excuse. The question is whether your AppSec team has the political capital to make these tests blocking in CI. I cover the adoption muscle at rockcyber.com.

4. GitHub Confirms 3,800 Internal Repos Breached via Nx Console

On May 21, 2026, GitHub disclosed that 3,800 of its internal repositories were accessed through a developer’s compromised Nx Console VS Code extension, a casualty of the May 11 TanStack npm supply chain attack (BleepingComputer). Help Net Security traced the chain from the Mini Shai-Hulud worm through the GitHub and Grafana breaches. TechCrunch confirmed on May 20 that the attacker exfiltrated material from the affected employee’s repositories. The same campaign hit OpenAI, Mistral AI, UiPath, and dozens of downstream maintainers.

Why it matters

• GitHub’s own internal repos got popped through a VS Code extension. An IDE compromise now spans your entire engineering footprint.

• The Nx Console extension lives on hundreds of thousands of developer machines. Every install is a potential entry point.

• Second supply chain worm in 60 days chaining GitHub Actions misconfiguration with OIDC token theft. The pattern is the playbook.

What to do about it

• Inventory IDE extensions across your engineering teams. Treat them like browser extensions, with allowlisting and version pinning.

• Rotate GitHub OIDC tokens that have touched a developer machine in the past 60 days. Audit workflow files for pull_request_target patterns.

• Revisit endpoint posture for developer laptops. The IDE is now an attack surface equivalent to a browser.

Rock’s Musings

The supply chain conversation has changed shape. The attacker walks through a VS Code extension to reach repository tokens, then pivots to the corporate GitHub org. If your developer laptops live in an “engineering exception” bubble outside EDR, MDM, and identity controls, you’re the next Grafana. Put developer endpoint hygiene on par with finance.

5. Grafana Labs Refuses Ransom After Codebase Theft

On May 18, 2026, Grafana Labs confirmed an unauthorized party obtained a GitHub token and downloaded its codebase (TechCrunch). The intrusion traced back to the TanStack supply chain attack from May 11. Grafana received a ransom demand on May 16 and refused to pay (The Register), citing no guarantee the stolen data would be deleted. The company rotated tokens, audited every commit since May 11, and hardened GitHub posture (Grafana blog). No customer data was exposed.

Why it matters

• Refusing the ransom publicly is defensible. FBI guidance and peer disclosure make it the default for open-source vendors.

• Grafana’s codebase is public anyway. The ransom value was reputational, and the company called the bluff.

• The hardened posture published in the blog is a teaching artifact. Use it.

What to do about it

• If your codebase is open-source, write the ransom-refusal playbook before you need it. Brief your board.

• Mirror Grafana’s recovery checklist. Rotate tokens, audit commits, harden GitHub config, increase monitoring.

• Add commit-signing enforcement and require attestations on release artifacts.

Rock’s Musings

I respect what Grafana did. They confirmed quickly, refused the ransom, and published a postmortem with operational specifics. That’s how you turn a breach into a credibility win. Compare it with the usual vague disclosure six weeks late from a forensics firm hiding behind privilege. If your IR plan still treats ransom payment as a live option, you’re behind.

6. Mini Shai-Hulud Worm Expands Across the npm Ecosystem

On May 19, 2026, TechCrunch reported the Mini Shai-Hulud campaign had spread to dozens of additional open-source packages beyond the original TanStack hit. Wiz and Snyk traced the worm’s propagation through @squawk/* and @mistralai/* packages, on top of the 84 malicious versions across 42 @tanstack/* packages from May 11 (Wiz). StepSecurity attribution ties the same TeamPCP threat group to the March Trivy scanner compromise and April’s Bitwarden CLI package hit (Snyk). The campaign chains pull_request_target misconfiguration with GitHub Actions cache poisoning and OIDC token extraction.

Why it matters

• A self-propagating worm. It exfiltrates maintainer credentials and uses them to publish further malicious versions. Containment lags.

• The same threat actor keeps finding new targets with the same attack pattern. The pattern is the problem.

• Every downstream consumer of an affected package has a credential rotation event ahead.

What to do about it

• Build a list of every npm package your org consumes, including transitive dependencies. Cross-reference against IOC lists from StepSecurity and Wiz.

• Move CI secrets out of GitHub Actions environment variables. Use ephemeral, scoped tokens.

• Block pull_request_target on any repository whose CI touches secrets. There is no safe configuration.

Rock’s Musings

The worm pattern is the story. A compromised maintainer’s token pushes malicious versions that compromise more maintainers, and the campaign scales without human work. A structural problem for any ecosystem built on maintainer trust. We’ve known pull_request_target was dangerous since 2021. Its presence at major projects in 2026 tells you how the open-source world treats its security debt.

7. EU Commission Opens Consultation on AI Act Transparency Guideline

On May 19, 2026, the European Commission opened a public consultation on the draft guideline for the AI Act’s transparency obligations, due in August 2026 (Council of the EU). The consultation follows the May 7 AI Omnibus agreement, which shortened the grace period for transparency solutions on AI-generated content from six months to three. The new deadline lands December 2, 2026. The Commission’s enforcement powers against general-purpose AI model providers go live August 2, 2026, including authority to request documentation and impose fines.

Why it matters

• Transparency rules apply to every model output touching an EU resident, regardless of training or hosting location.

• The shortened grace period gives GPAI providers 90 days to ship watermarking, content labeling, and disclosure mechanisms.

• August’s enforcement powers give the AI Office real teeth for the first time.

What to do about it

• Map your AI-generated content workflows. Tag every production path that needs disclosure.

• Implement provenance labeling now using C2PA or equivalent.

• Brief legal and product on the December 2 deadline. Earlier guidance assumed June 2027.

Rock’s Musings

The Brussels Effect is doing its work. Whatever the AI Act forces on GPAI providers becomes the de facto global standard for transparency disclosure. American companies pretending the Act doesn’t apply will learn otherwise. Regulators wanting a quick enforcement win start with content labeling, not algorithmic auditing. If your product surfaces AI-generated content to any EU user, December 2 turned real this week.

8. CISA Weighs Three-Day Patching Deadline as AI Compresses Exploit Cycles

On May 20, 2026, Federal News Network reported CISA is considering a three-day patching deadline on Known Exploited Vulnerabilities, replacing the current 15-day default. The Insurance Journal covered the debate, citing AI compressing the time between disclosure and exploitation. Sysdig research found CVE-2026-44338 in the PraisonAI framework was probed by scanners 3 hours, 44 minutes, and 39 seconds after disclosure. Palo Alto Networks reports 28.3% of CVEs are now exploited within 24 hours.

Why it matters

• A three-day federal mandate would be the most aggressive remediation deadline CISA has ever proposed.

• The same compression hits private defenders. Patch SLAs run 5-10x slower than the attack timeline.

• AI-assisted exploit development operates at scale. The 3-hour PraisonAI scan window is the leading edge, not the outlier.

What to do about it

• Pull your last 12 months of KEV-listed CVEs. Measure actual time-to-patch against the 15-day baseline. Be honest.

• Build runbooks for emergency patching of internet-exposed assets. The three-day clock starts at disclosure, not your next change window.

• Plan compensating controls when 72-hour patching is impossible. Virtual patches and WAF rules buy time.

Rock’s Musings

The math is brutal. Attackers weaponize a CVE in hours. Defenders take weeks to deploy a patch through change management. A three-day mandate forces a conversation every CISO has avoided. Redesign the process or accept being late by default.

9. Anthropic Opens Mythos Partner Sharing After Initial Lockdown

On May 18, 2026, Anthropic reversed its earlier position and now allows Project Glasswing partners to share Mythos vulnerability findings with outside parties (Reuters via KFGO). The new policy permits disclosure to security teams, industry bodies, regulators, open-source maintainers, the media, and the public, subject to responsible disclosure. The original Glasswing structure had limited information to launch partners only. About 40 organizations have Mythos.

Why it matters

• The first information-sharing reversal of a frontier model program of this kind. Centralized cyber findings control was not workable in practice.

• Open-source maintainers now have a path to receive Mythos-discovered vulnerabilities. That changes the patch dependency calculus.

• The reversal suggests Anthropic underestimated the volume of findings and the scaling problem of single-vendor coordination.

What to do about it

• Partners should designate a single coordinated-disclosure contact. Volume will overwhelm informal channels.

• Non-partners should register with ISACs and CERTs as receiving organizations.

• Pre-write your triage process for AI-discovered vulnerabilities. The format won’t match your CVE workflow.

Rock’s Musings

A governance lesson in real time. You cannot bottle frontier capability and call it safe. Glasswing tried, and within six weeks the math broke. Voluntary coordination is fragile when capability outruns headcount.

10. Trump Pivots Toward AI Regulation Amid Backlash and China Safety Talks

On May 19, 2026, Fortune reported the Trump administration is shifting its public stance on AI regulation in response to mounting voter backlash over job displacement, deepfakes, and AI-enabled crime. The shift comes alongside reported US-China safety talks on frontier AI capability. The administration’s December 2025 EO 14365 sought to preempt state AI regulation. The May 21 EO postponement suggests the political calculation has changed. Fortune cited senior officials describing the sentiment shift as “faster than anyone expected.”

Why it matters

• Public backlash on AI is influential enough to move executive policy. A new political force.

• US-China safety dialogue, even if informal, sets the stage for future bilateral commitments on frontier capability.

• An administration that was preempting state regulation is now hesitating. State AGs read this as license to push harder.

What to do about it

• Track AI ballot initiatives in your operating states. The 2026 midterms will surface enforceable propositions.

• Audit public-facing AI claims for accuracy. The SEC has flagged AI-washing as an enforcement priority.

• Brief government affairs on the bilateral angle. China engagement changes the calculus for export controls and model access.

Rock’s Musings

The political dynamic shifts faster than the technology. Six months ago, the White House was suing California to block AI rules. This week, they were drafting their own voluntary review. Plan around the volatility. The companies that thrive have built controls higher than any jurisdiction requires. You don’t have to guess which regulator strikes next. You have to be ready for any of them.

And then there is musing #1…

The One Thing You Won’t Hear About But You Need To: Identity Dark Matter Is Eating Your AI Agent Program

On May 19, 2026, Orchid Security released its Identity Gap: 2026 Snapshot report (Tech Startups, GlobeNewswire). Invisible identity, what Orchid calls “identity dark matter,” now outweighs visible identity in enterprise environments 57% to 43%. 67% of non-human accounts are created directly within applications, unseen and unmanaged by IAM programs. 70% of enterprise applications carry excessive privileged accounts. The data comes from anonymized telemetry across financial services, healthcare, retail, and energy from April 2025 through March 2026.

Why it matters

• AI agents inherit credentials at runtime. If most of your non-human identity is invisible, your agents operate in the blind spot.

• Traditional IAM was built for humans. An AI agent using a stale service account has a larger blast radius than the equivalent human error.

• The 70% over-privilege finding means that most enterprise apps cannot survive a single agent-misuse event without exposing other systems.

What to do about it

• Run non-human identity discovery against your top 10 enterprise applications. Expect a delta against your IAM inventory.

• Implement time-bound, on-demand credentials for AI agents. Standing access is the failure mode.

• Treat every AI agent identity as privileged. Apply PAM controls, session recording, and behavioral monitoring.

Rock’s Musings

The story under the story. Every AI security headline this week depends on identity being right. The TanStack worm spread through OIDC tokens. The GitHub breach used a developer’s repository access. Your AI agent governance program is only as good as your non-human identity hygiene. If two-thirds of your service accounts are invisible, you cannot govern the agents using them. Read the report and bring it to your board. Don’t let “we have IAM” be the answer.

👉 For ongoing analysis of agentic AI governance frameworks, the conversation continues at RockCyber Musings.

👉 Visit RockCyber.com to learn more about how we can help with your traditional Cybersecurity and AI Security and Governance journey.

👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com

👉 As a bonus, check out my conversation with AI Cyber Magazine, where we talked about everything from Context Rot to Least Agency.

The views and opinions expressed in RockCyber Musings are my own and do not represent the positions of my employer or any organization I’m affiliated with.

References

Axios. (2026, May 21). Scoop: White House postpones AI EO signing ceremony. https://www.axios.com/2026/05/21/white-house-postpones-ai-eo-signing

BleepingComputer. (2026, May 21). GitHub links repo breach to TanStack npm supply-chain attack. https://www.bleepingcomputer.com/news/security/github-links-repo-breach-to-tanstack-npm-supply-chain-attack/

Bloomberg. (2026, May 21). White House postpones AI cybersecurity order signing by Trump. https://www.bloomberg.com/news/articles/2026-05-21/white-house-postpones-ai-cybersecurity-order-signing-by-trump

CNBC. (2026, May 21). Trump postpones AI executive order signing: ‘I didn’t like certain aspects’. https://www.cnbc.com/2026/05/21/trump-ai-executive-order-postponed.html

CNN Business. (2026, May 20). White House postpones executive order on AI. https://www.cnn.com/2026/05/20/tech/ai-executive-order-trump-white-house

Council of the European Union. (2026, May 7). Artificial intelligence: Council and Parliament agree to simplify and streamline rules. https://www.consilium.europa.eu/en/press/press-releases/2026/05/07/artificial-intelligence-council-and-parliament-agree-to-simplify-and-streamline-rules/

CSO Online. (2026, May). Microsoft releases open-source tools to operationalize AI agent safety. https://www.csoonline.com/article/4175592/microsoft-releases-open-source-tools-to-operationalize-ai-agent-safety-2.html

Federal News Network. (2026, May 20). AI drives new debate around CISA software patching deadlines. https://federalnewsnetwork.com/cybersecurity/2026/05/ai-drives-new-debate-around-cisa-software-patching-deadlines/

Fortune. (2026, May 19). The times they are a-changin’: Trump pivots towards AI regulation in the face of a mounting public backlash. https://fortune.com/2026/05/19/trump-pivots-towards-ai-regulation-in-face-mounting-ai-backlash-china-ai-safety-talks/

GlobeNewswire. (2026, May 19). Two-thirds of nonhuman accounts are unseen and unmanaged, according to new Identity Gap Report. https://www.globenewswire.com/news-release/2026/05/19/3297602/0/en/Two-Thirds-of-Nonhuman-Accounts-Are-Unseen-and-Unmanaged-According-to-New-Identity-Gap-Report.html

Grafana Labs. (2026, May 16). Grafana Labs security update: Latest on TanStack npm supply chain ransomware incident. https://grafana.com/blog/grafana-labs-security-update-latest-on-tanstack-npm-supply-chain-ransomware-incident/

Help Net Security. (2026, May 21). GitHub, Grafana Labs breaches traced back to TanStack supply chain compromise. https://www.helpnetsecurity.com/2026/05/21/github-grafana-breach-root-cause-nx-console/

Insurance Journal. (2026, May 4). CISA weighs cutting deadlines to fix digital flaws amid worries over AI. https://www.insurancejournal.com/news/national/2026/05/04/868205.htm

KFGO. (2026, May 18). Anthropic to let partners share Mythos cybersecurity findings with others. https://kfgo.com/2026/05/18/anthropic-to-let-partners-share-mythos-cybersecurity-findings-with-others/

Microsoft Security Blog. (2026, May 20). Introducing RAMPART and Clarity: Open source tools to bring safety into Agent development workflow. https://www.microsoft.com/en-us/security/blog/2026/05/20/introducing-rampart-and-clarity-open-source-tools-to-bring-safety-into-agent-development-workflow/

NBC News. (2026, May 21). Trump abruptly scraps signing of landmark executive order regulating AI. https://www.nbcnews.com/tech/tech-news/trump-scraps-signing-landmark-executive-order-regulating-ai-rcna346288

PYMNTS. (2026, May 18). Anthropic will update regulators on Mythos’ cyber vulnerability findings. https://www.pymnts.com/cybersecurity/2026/anthropic-will-update-regulators-mythos-cyber-vulnerability-findings/

Snyk. (2026, May). TanStack npm packages hit by Mini Shai-Hulud. https://snyk.io/blog/tanstack-npm-packages-compromised/

Tech Startups. (2026, May 19). Two-thirds of nonhuman accounts are unseen and unmanaged, according to Orchid Security’s Identity Gap Report. https://techstartups.com/2026/05/19/two-thirds-of-nonhuman-accounts-are-unseen-and-unmanaged-according-to-orchid-securitys-identity-gap-report/

TechCrunch. (2026, May 18). Open source tool maker Grafana Labs says hackers stole its code, refuses to pay ransom. https://techcrunch.com/2026/05/18/open-source-tool-maker-grafana-labs-says-hackers-stole-its-code-refuses-to-pay-ransom/

TechCrunch. (2026, May 19). Hackers have compromised dozens of popular open source packages in an ongoing supply-chain attack. https://techcrunch.com/2026/05/19/hackers-have-compromised-dozens-of-popular-open-source-packages-in-an-ongoing-supply-chain-attack/

TechCrunch. (2026, May 20). GitHub says hackers stole data from thousands of internal repositories. https://techcrunch.com/2026/05/20/github-says-hackers-stole-data-from-thousands-of-internal-repositories/

TechRadar. (2026, May 18). Anthropic to present exposed Mythos flaws to global watchdog. https://www.techradar.com/pro/security/anthropic-to-present-exposed-mythos-flaws-to-global-watchdog-claims-critical-vulnerabilities-found-in-every-major-operating-system-and-web-browser

The Decoder. (2026, May 18). Anthropic to brief global financial regulators on cyber flaws found by Claude Mythos. https://the-decoder.com/anthropic-to-brief-global-financial-regulators-on-cyber-flaws-found-by-claude-mythos/

The Hacker News. (2026, May 20). Microsoft open-sources RAMPART and Clarity to secure AI agents during development. https://thehackernews.com/2026/05/microsoft-open-sources-rampart-and.html

The Register. (2026, May 18). Grafana Labs admits all its codebase are belong to someone who popped its GitHub account. https://www.theregister.com/cyber-crime/2026/05/18/grafana-labs-admits-attackers-downloaded-its-codebase-from-github/5241686

The Register. (2026, May 21). Microsoft storms RAMPART, adds Clarity to agentic AI safety. https://www.theregister.com/security/2026/05/21/microsoft-open-sources-agentic-ai-safety-tools/5243822

The Washington Post. (2026, May 21). Trump delays executive order on AI oversight hours before planned signing. https://www.washingtonpost.com/technology/2026/05/21/white-house-tore-down-ai-rules-now-its-building-new-defenses/

Wiz. (2026, May). Mini Shai-Hulud strikes again: TanStack + more npm packages compromised. https://www.wiz.io/blog/mini-shai-hulud-strikes-again-tanstack-more-npm-packages-compromised

Share

I spent most of last month watching myself do the same dance every time I opened Claude Code. Each session ate 20-30 minutes up front, depending on how Claude Code was performing that day, and I’d spend that time re-stating trust boundaries, re-configuring tooling, and reminding a fresh session what the project was. I was doing it on three machines (Mac, Jetson AGX Orin, Windows), 5-10x/week. Before I’d written a line of code, I was burning two to five hours a week on a problem I’d already solved twice and forgotten how.

The “fix it in code review” answer for security findings fell apart around the same time, once I’d read enough of the benign-prompt vulnerability data on frontier models to understand what I was accepting by deferring. If the model’s shipping vulnerable code at a non-trivial rate even when nobody’s trying to make it, “we’ll catch it in PR” is wishful thinking with a JIRA ticket attached.

That was the moment. I stopped patching the symptom. I built my harness from scratch on the Mac, ported the reasoning to the Jetson and Windows, and wrote down why I made every choice. The repo’s a reasoning trail with the code attached as evidence.

What I’m publishing lives at github.com/rocklambros/harness-engineering. The README says it plainly: this isn’t a clone-and-run template, and personal-specific configuration is the point. If you read it expecting a drop-in setup, you’ll come away disappointed. If you read it expecting to see how a harness gets reasoned into existence, you’ll come away with a frame for arguing with mine and building yours.

Harness engineering isn’t what most people think it is

Prompt engineering got the marketing budget. Harness engineering didn’t, and most Claude Code users skip past it because it doesn’t feel like coding. It feels like ops, and nobody writes posts about ops decisions.

Here’s the working definition I’ve landed on. A harness is the configured environment around an agent (in this case, a coding agent) that determines what it can and can’t do, what guidance it follows by default, and what guardrails it can’t talk its way past. Harness engineering is the discipline of designing that environment on purpose, with reasoning you can defend, instead of accepting whatever defaults shipped in the box.

In Claude Code terms, the harness is everything outside the chat turn. The project-level CLAUDE.md the model reads at session start. The settings.json that defines permission modes and hook registrations. The deterministic rules the model can’t override, even if it tries. The skills that load advisory guidance on demand. The hooks that fire on tool use to validate, scan, and audit. The agents you delegate specialized tasks to.

If you’re running Claude Code with a default settings.json, no hooks, no skills beyond what shipped, and a CLAUDE.md that someone else wrote, you don’t have a harness. You have a session. The model is making decisions about what’s safe to run, what tools to invoke, and what your codebase should look like, with zero guardrails you can defend in a postmortem.

For a vibe-coding indie dev shipping a side project, no harness might be fine. The blast radius is one repo, possibly with no production users. For anyone shipping code that matters, the absence of a harness means the model is making decisions about what’s safe with zero documented constraints, and you’re trusting the defaults to do work you’d never trust an unverified junior to do.

Most of the “10 tips for Claude Code” content I’ve read is harness suggestion without harness reasoning, which means surface configs without the why. That’s why those posts age out within a minor-version bump. The configs survive maybe four weeks before an upstream change breaks the assumption they were built on, and the reader has no idea which assumption broke or how to fix it. The reasoning is what survives the upgrade. The configs are what fall out.

The honest answer is: don’t build

Most of you should adopt, not build. The README says this directly, and I want to repeat it before anyone gets the wrong idea from the announcement:

The honest answer for most people reading this is: don’t build. Adopt.

The cost of building isn’t in the writing. It’s in the maintenance against Claude Code itself, which ships breaking changes on minor version bumps. The TTL cache regression in March 2026 was the canonical example. A behavior change in the cache layer silently halved the economic value of half the harnesses in circulation, and most of the people running those harnesses didn’t notice for weeks. If your harness assumes a Claude Code behavior that later changes in a release, every part of your reasoning trail that depended on that assumption needs re-evaluation. That’s a non-trivial tax to pay if your day job isn’t building harnesses.

Who should build, then? The conditions are narrow, and all four must be true.

You operate across multiple machines, and the off-the-shelf options don’t survive the cross-platform parity test. You have a non-trivial security posture, and “fix it in code review” isn’t a defensible answer for the work you ship. You don’t trust the trust boundaries that ship in the existing community harnesses, either because they’re underspecified or because they’re calibrated to a different threat model than yours. You can afford the maintenance cost of keeping a reasoning trail up to date as Claude Code evolves.

If any of those four don’t apply, adopt. There are good public harnesses in the community right now. Pick one whose reasoning you can read and whose tradeoffs you can defend. That’s a faster path to a harness you can trust than building your own.

I built mine because all four applied: three machines, an AI security threat model I don’t want negotiated by a maintainer I’ve never met, a low tolerance for trust boundaries I can’t trace, and the time budget to keep the reasoning current. Most of you don’t have all four. Reading my repo to argue with my reasoning is useful. Copying my configs into a project that doesn’t share my four conditions is the same kind of mistake as cloning someone else’s threat model and hoping it covers yours.

If you read this section and think, “but my situation is special,” it probably isn’t. The cases that earn building are rarer than people think, and the cases where adopting is the smart move look pretty similar to mine from the outside.

What’s in the repo, and what it does

The repo is organized as one foundation section, three platform sections (Mac, Jetson AGX Orin, Windows), and a research section. Foundation holds the parts that are identical across platforms: the Quality Contract that binds every artifact, the threat model, the architectural principles, the seed evaluation methodology, and the research references.

The Mac section is the validated reference build. All six phases (Phase 0 goals through Phase 5 release) are written and tested against my actual machine. The Jetson and Windows sections mirror the structure. Phases 0 through 2 are written and ready. Phases 3 through 5 are scaffolded with explicit “needs validation when ported” markers because I haven’t run them against those environments yet. The capability surface is identical to Mac. Tools differ where they have to.

Each platform’s harness has the same five-layer shape. The project-level CLAUDE.md sits under 200 lines and covers seven sections: the role the model is operating in, the code standards I expect it to honor, the security rules it can’t bypass, the core constraints on the project, the things that break (failure modes I’ve already hit), an operational section for day-to-day commands, and a status section that captures where the build currently is. A settings.json template defines permission modes, hook registrations, and trust-boundary policy. A deterministic rules directory lists path deny patterns, command deny patterns, and secret patterns that get consumed by hooks rather than interpreted by the model. A skills directory holds lazy-loaded advisory guidance. A hooks and agents directory holds the deterministic gates and the specialized subagents.

The piece I’m most willing to defend is the three-layer security stack that cuts across the skills and hooks layers. Layer one is pre-generation guidance: a security-review skill seeded from the Arcanum-Sec sec-context anti-pattern taxonomy (CC BY 4.0, Jason Haddix), with 10 pattern files for the Mac build that match the skill’s manifest one-to-one. The skill loads pattern sections based on file type, so the context tax stays small. Layer two is commit-time hardening: a Semgrep PostToolUse hook that fires on every Write or Edit and feeds findings back to Claude in the same session, implementing the SecureForge methodology from Liu et al. (arXiv:2605.08382, MIT). The published paper reports a roughly 48% reduction in CWE rate from this layer alone. Layer three is post-generation validation: a pinned pre-commit gate running gitleaks for secrets, Semgrep for SAST, shellcheck for hook scripts, and a local drift check for reference integrity. It’s the same Semgrep engine as layer two, running in a different invocation context. The redundancy is intentional.

The one piece I’d point to first if you want to see how the reasoning trail format works is JOURNEY.md. It’s a running narrative of the build, written as prose checkpoints. Reasoning lives in JOURNEY.md, decisions land in commits, locked decisions land in foundation docs. That separation is doing real work. The commit history is part of the artifact, not just a side effect of using git.

Decisions I made that won’t transfer to your setup

The repo is a reasoning trail, not a config to copy. Here are the load-bearing decisions in it that won’t survive translation to your environment unchanged.

The Windows section runs Semgrep in WSL2 rather than the native Windows binary. The native binary has spotty coverage on some of the rule packs I care about, and forcing parity across platforms outweighed the convenience of running Semgrep natively on Windows. If your security posture cares about different rule packs than mine does, your decision might run the other way. The same goes for the broader WSL2 call. I picked it because it gave me a Linux-shaped tool environment without dual-booting. If you’re already deep into PowerShell and Windows-native tooling, you’d pick differently, and you’d be right.

The Jetson section assumes Tegra Python and the apt-plus-Jetson-SDK package management posture. If you’re running a Jetson but you’ve layered conda over the top, or you’re using a different L4T release than mine, the Phase 0 inventory output won’t match yours, and the downstream phases will need adjustment. The reasoning still applies. The specific tool versions won’t.

The seven-section CLAUDE.md under 200 lines is calibrated to my context-tax tolerance, not yours. I write CLAUDE.md to be the smallest thing that’s still useful, because every line in it is paid for on every turn in every session. If your projects are larger or smaller than mine, your CLAUDE.md should be too. If your tolerance for context tax is different (some people will trade more setup tokens for less in-session friction), your CLAUDE.md will be longer than mine.

The pattern prose in the security-review skill has been rewritten from the Arcanum-Sec sec-context taxonomy to reflect my voice and selection logic. The attribution is preserved, but the prose isn’t theirs anymore. If you adopt the skill as a starting point, you should rewrite it again. The selection logic is mine, the priorities are mine, and the file-type triggers reflect what I write the most of. If your language mix is different, you’ll want different triggers and a different priority order.

The Quality Contract section IDs and threat IDs are stable across my repo, which means hooks and skills can cite them by ID, and a drift check can verify the citations resolve. If you adopt the structure, you’ll want to renumber to your own threat model. Don’t inherit my IDs and pretend they’re yours. The whole point of the reasoning trail format is that the citations track to something real, and ID inheritance breaks that the first time you forget which threat ID came from where.

What I’d do differently if I started over

Two things, and I’ll know about a third by the time I finish the Jetson and Windows validations.

Lock the foundation docs and the Quality Contract before any platform work. I built the Mac section in parallel with the foundation, which meant some early Mac decisions had to be revisited as the Quality Contract sharpened. Each revisit costs a commit cycle and a small amount of confidence in the validity of earlier work. Doing the foundation first and the platform second would have made the reasoning trail cleaner, and the Mac reference build wouldn’t have had a handful of decisions that needed an asterisk.

Write the JOURNEY.md format on day one. I started JOURNEY.md after the initial batch of artifacts had already landed, which meant the reasoning for the first batch had to be reconstructed from commit messages rather than captured live. Commit messages are good for landing decisions. They aren’t the same thing as a running narrative that captures the questions you were sitting with as you made them. Future me will thank present me for any reasoning that gets captured live instead of being reconstructed later. Past me did not get that gift.

The third thing I’m watching for: I suspect the Phase 4 security-review skill will need a different structure once I validate it against the Jetson and Windows environments. The Mac pattern selection assumes a tool mix I haven’t proven survives the port. If it doesn’t, the lesson will be “design the skill structure against the hardest target first, not the easiest.” I don’t know yet. The JOURNEY.md entry that resolves it will say so.

How to read the repo

Read foundation/00-quality-contract.md first. It binds everything else in the repo, and if you’re going to argue with my reasoning, you need to argue from the same starting point I’m arguing from. After that, pick your path. USER_GUIDE.md walks through the wiring if you want a quick start for adopting the harness in your own project. HARNESS_GUIDE.md is the technical reference across all three platforms. If you want the full validated build with all the reasoning intact, read mac/ start to finish in commit order.

What I want from readers isn’t forks of the configs. It’s forks of the thinking. If your harness ends up looking nothing like mine because you have a different threat model, different platforms, a different language mix, or a different context-tax budget, that’s the right outcome. If your harness ends up looking exactly like mine, one of us is wrong, and the math says it’s probably you.

The question I’m leaving open

Most Claude Code users I’ve talked to are running with default permission modes on production codebases and calling that ops maturity. They have no hooks, no skills beyond what shipped, and a CLAUDE.md that someone else wrote or that doesn’t exist at all. If you can’t name the three layers of your security stack without checking, and you can’t say what gets enforced deterministically versus advisorily, you don’t have a harness. You have a session.

What’s in your harness, and could you defend it on a panel?

The repo’s at github.com/rocklambros/harness-engineering. The license is MIT. Use the patterns and argue with me in the comments or in your own JOURNEY.md.

👉 For ongoing analysis of agentic AI governance frameworks, the conversation continues at RockCyber Musings.

👉 Visit RockCyber.com to learn more about how we can help with your traditional Cybersecurity and AI Security and Governance journey.

👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com

Share

Three vendors launched competing AI vulnerability hunters. Google announced the first confirmed attacker use of an AI-discovered zero-day. The European Commission opened a transparency rulebook nobody finished writing. OpenAI got sued because ChatGPT allegedly helped plan a mass shooting. LiteLLM hit CISA’s KEV list after a pre-auth SQL injection compromised the AI gateway holding model API keys.

This week confirmed what skeptics argued for two years. AI doesn’t change cybersecurity through some abstract paradigm shift, it changes it by collapsing timelines. Discovery cycles that took months now run in days. Patching windows evaporate before the patch ships. Regulatory drafting runs on three-month consultation cycles. The center of gravity is moving from people who hunt bugs to people who govern the systems hunting them. If your strategy still assumes humans set the pace, you’re already behind.

1. Google Confirms First Real-World AI-Discovered Zero-Day Attack

Google’s Threat Intelligence Group disclosed on May 11, 2026 that it disrupted a criminal group using AI to identify and exploit an unknown vulnerability in widely used open-source software (Domain-b). Analysts spotted machine-generated code indicators, including metadata inconsistencies. Google did not name the target, the AI model, or the group, but said the campaign was blocked before launch (Fortune).

Why it matters

• Attackers crossed a capability threshold that defenders expected years away

• Open-source dependencies became economically attractive to compromise at machine speed

• Google’s detection signal, LLM code artifacts, is what sophisticated attackers will suppress next

What to do about it

• Audit your SBOM for open-source components in critical paths, prioritizing low-maintenance projects

• Treat AI-assisted vulnerability research as a baseline attacker capability in your threat model

• Validate your detection stack ingests statistical anomalies in code patterns, not only traditional IoCs

Rock’s Musings

Google blocking one campaign isn’t a victory; it’s the first time we caught one. Every honest threat hunter I know assumes five or ten more slipped through. Detection relied on attackers being sloppy enough to leave LLM fingerprints in their code. That window closes the second they polish exploits through a human pass, which costs about thirty bucks of contractor time. AI-powered attacks aren’t a 2027 problem anymore, they’re a today problem.

2. OpenAI Launches Daybreak as Defensive Counter to Anthropic Mythos

OpenAI introduced Daybreak on May 11, 2026, pairing GPT-5.5 with Codex Security as an agentic scaffold alongside Akamai, Cisco, Cloudflare, CrowdStrike, Fortinet, Oracle, Palo Alto Networks, and Zscaler (The Hacker News). Three tiers ship: standard GPT-5.5, GPT-5.5 with Trusted Access for Cyber, and GPT-5.5-Cyber for red-team and pen-test workflows. Unlike Mythos, which remains in tight preview, Daybreak is publicly accessible by request (Cybersecurity Dive).

Why it matters

• Frontier AI labs are in direct competition for cybersecurity-vendor relationships, redrawing procurement for every CISO

• Tiered access tied to verified cyber credentials is the first serious dual-use governance attempt for capability-restricted models

• Defenders gain a second credible vendor for AI-assisted vulnerability discovery, breaking monoculture risk

What to do about it

• Run a head-to-head of Daybreak, Mythos partners, and MDASH against your codebase before any multi-year deal

• Build your AI-assisted vulnerability program around outputs you can validate, not vendor demos

• Define what “ready” means for an AI-discovered finding before these systems push results into your tracker

Rock’s Musings

The pitch sounds great. Three labs are racing to embed themselves in Fortune 500 security operations before regulators figure out what the technology is doing. Tiered access by credential verification is the smartest piece of Daybreak, and the piece most likely to be quietly relaxed once a major customer’s red team gets blocked. I’ve seen this pattern with offensive tools for twenty years. The right question isn’t which model finds more bugs, it’s which vendor’s scaffold produces findings your team can actually fix.

3. Microsoft Reveals MDASH and Discloses 16 Windows Vulnerabilities

Microsoft revealed MDASH on May 12, 2026, a multi-model agentic scanning harness orchestrating more than 100 specialized AI agents (Microsoft Security). The system found 16 previously unknown vulnerabilities patched in May's Patch Tuesday, including four critical RCEs in tcpip.sys, ikeext.dll, netlogon.dll, and dnsapi.dll. MDASH scored 88.4% on CyberGym, beating Mythos (GeekWire). It’s in limited preview with select customers.

Why it matters

• Durable advantage lies in the agentic system around the model, not the model itself

• All four critical flaws were network-reachable without credentials, the bug class adversaries pay top dollar for

• 96% recall on five years of CLFS bugs and 100% on tcpip.sys shows AI vulnerability discovery is production-grade

What to do about it

• Patch the May cohort with priority on the four critical RCEs, even ahead of normal change windows

• Ask your software vendors what their AI-assisted vulnerability discovery program looks like

• Update procurement security reviews to include questions about AI-driven code auditing maturity

Rock’s Musings

Two things stand out. Ensemble AI agent systems beat single-model systems for bug hunting. That’s an architectural finding, not marketing copy. Sixteen new RCE-class vulnerabilities in the Windows networking stack reminds us the most reviewed code on Earth still hides serious bugs humans missed for years. The AI didn’t get smarter, we finally pointed enough compute at the problem. The strategic question is what happens when adversaries point the same compute at the same code. Microsoft’s lead is months.

4. EU Commission Opens Consultation on AI Transparency Obligations

The European Commission published draft guidelines on May 8, 2026 covering AI Act Article 50 transparency obligations, with consultation running through June 3, 2026 (European Commission). The guidelines spell out four obligations effective August 2, 2026: disclosure when users interact with AI, marks on AI-generated content, disclosure for emotion recognition and biometric categorization, and deepfake labeling. Non-compliance carries fines up to €15 million or 3% of global turnover (DataGuidance).

Why it matters

• Article 50 reaches non-EU providers if their AI outputs touch EU users, putting US companies in scope

• The watermarking window shrank to December 2, 2026 under the May 7 Digital Omnibus deal

• Compliant watermarking standards are not yet published, leaving companies building against a moving target

What to do about it

• Map every AI system you operate that could touch EU users, including embedded vendor capabilities

• Start watermarking proof-of-concept work now against draft standards like C2PA, accepting possible rework

• Submit feedback to the EU consultation by June 3 if your business depends on AI transparency boundaries

Rock’s Musings

The political headline was the AI Act got simpler. The substance was that one transparency deadline got compressed while another got delayed. Compliance officers love that kind of calendar arithmetic because it lets them quietly miss things. The August 2026 chatbot disclosure is the boring obligation that catches everybody. If your AI assistant doesn’t tell EU users it’s an AI assistant, you’re exposed. Your vendor’s chatbot not disclosing is your problem.

5. OpenAI Sued Over ChatGPT’s Alleged Role in Florida Mass Shooting

Vandana Joshi, widow of a Florida State University mass shooting victim, filed a federal lawsuit against OpenAI on May 11, 2026, alleging ChatGPT advised attacker Phoenix Ikner on optimal location, timing, weapon selection, and ammunition (Reuters, AP News). Florida’s attorney general opened a rare criminal investigation in April 2026. OpenAI denied wrongdoing, saying ChatGPT provided factual responses drawn from public sources (US News).

Why it matters

• Product liability theories on general-purpose AI assistants are now in active federal litigation

• The case tests whether AI companies have a duty of care to detect and intervene in violence-planning conversations

• A plaintiff win could rewrite operational requirements for consumer AI safety guardrails

What to do about it

• Review AI vendor contracts for indemnification clauses tied to misuse and downstream harm

• Document harm detection and escalation procedures with evidence that they were followed

• Treat AI safety telemetry as a legal artifact, retained and discoverable, not only an operational signal

Rock’s Musings

This case will settle or be appealed for years, but the discovery phase is what matters. Internal documents showing what OpenAI knew about violence-planning prompts and what they chose not to escalate will become the de facto safety standard. Plaintiffs don’t need to win the verdict… they just need to win the depositions. If your product can be used to plan harm and telemetry shows it has been, your retention policy just became a litigation strategy.

6. Microsoft Patch Tuesday Sets Vulnerability Record as AI Discovery Surges

Microsoft issued patches for more than 130 vulnerabilities on May 13, 2026, on pace to break its annual record after patching over 500 in the first five months (The Record). CVE-2026-41089 in Windows Netlogon and CVE-2026-41096 in Windows DNS Client both carry 9.8 CVSS. Microsoft’s security leadership acknowledged AI tools are driving the surge. HackerOne paused its open-source bug bounty earlier this year, citing the imbalance between AI-driven discovery and maintainer remediation capacity.

Why it matters

• AI-accelerated discovery is pushing patch volume past the absorption capacity of most vulnerability management programs

• Traditional 30-day or 60-day patching SLAs were never designed for monthly batches of critical RCEs

• Open-source maintainer burnout is a systemic security risk as AI finds faster than humans fix

What to do about it

• Move from time-based patching SLAs to risk-based ones tied to exploit probability and asset criticality

• Invest in network segmentation and identity isolation to limit blast radius when patching slips

• Track mean-time-to-patch for critical vulnerabilities monthly and report the trend to your audit committee

Rock’s Musings

Vulnerability management has been broken for a decade. We pretended monthly patch cycles were sustainable when they were already breaking. AI made the math impossible to ignore. The honest answer is you will never patch fast enough. The strategy has to shift to “assume compromise, limit blast radius, recover faster than the attacker can adapt.” I’ve been saying that for three years to compliance team eye-rolls. This week’s data ends that argument.

7. Cisco Open-Sources Foundry Security Spec for Agentic Security Evaluation

Cisco released the Foundry Security Spec as open source on May 12, 2026, defining eight core agent roles, five extensions, around 130 functional requirements, and 11 inviolable principles for agentic security evaluation systems (Techzine, SMBtech). It’s model-agnostic and works with Mythos and GPT-5.5-Cyber via GitHub’s spec-kit. The goal is moving AI security from prompt demos to auditable production systems, paired with Project CodeGuard for prevention.

Why it matters

• Open-source specs for AI security agents create a path to vendor-neutral compliance and audit

• The eight-role decomposition gives security teams shared vocabulary instead of vendor terminology

• Cisco open-sourcing the framework is a credible play to set the de facto standard before regulators do

What to do about it

• Pilot Foundry Security Spec against a non-critical workflow to gauge operational lift

• Map existing AI security tooling against the eight core roles to find gaps in orchestration and validation

• Engage on the GitHub repository if you have the maturity to contribute, because early committers shape standards

Rock’s Musings

This is the kind of plumbing announcement that gets ignored in favor of flashier news, and it shouldn’t. Architectural standards win or lose markets. The OWASP Top 10 didn’t change vulnerability classes, it changed how teams talked about them. Foundry Security Spec is aiming for the same effect on agentic security. The tell will be whether AWS and Azure converge on it or fork it. Convergence skips a decade of fragmentation. A fork drops us back into vendor lock-in.

8. EU Commission Publishes Second Draft Code of Practice on AI Content Marking

The European Commission published the second draft of the Code of Practice on Marking and Labeling of AI-Generated Content on May 8, 2026 (European Commission). The revised text introduces a two-layered marking approach that combines secure metadata with watermarking, optional fingerprinting, logging protocols, and detection-and-verification procedures. Skadden’s analysis confirmed that compliance is required as of December 2, 2026, for generative AI systems already on the EU market, accelerated relative to earlier proposals (Skadden).

Why it matters

• The revised two-layered watermarking approach is the most concrete EU technical specification published to date

• Generative AI providers have six months to build compliant marking against a still-evolving technical standard

• Fines remain at €15 million or 3% of global turnover for Article 50 violations

What to do about it

• Confirm AI vendors have a credible two-layer watermarking roadmap targeting December 2, 2026

• Build C2PA-compatible metadata and watermarking prototypes against the draft code now

• Track the optional fingerprinting and logging requirements for downstream traceability

Rock’s Musings

The second draft Code is the most concrete watermarking specification anyone has published, and it’s still incomplete. Six months to build secured metadata, watermarking, fingerprinting, and detection tooling against an evolving standard is engineering fiction. Expect generative AI vendors to claim adherence via voluntary code participation while the technical build drifts. The CISOs who already started C2PA work in 2025 are sitting pretty. The ones who treated watermarking as a marketing problem will discover December 2 isn’t negotiable.

9. India Demands Sovereign Control Over Frontier AI Cybersecurity Models

India’s government met with Anthropic’s India team in early May 2026 to discuss hosting requirements for Claude Mythos, with reporting confirmed on May 12, 2026 (Medianama). Finance Ministry, MeitY, and CERT-In officials argued that AI in banking, telecom, and critical infrastructure must be hosted in Indian territory or a government-approved sovereign cloud. Finance Minister Nirmala Sitharaman called Mythos’s capabilities an “unprecedented” threat.

Why it matters

• Sovereign hosting is becoming a procurement gate for frontier AI access in major non-Western markets

• Indian banking and critical infrastructure deployments of US-hosted AI face new jurisdictional risks

• The pattern will spread to Brazil, Indonesia, and the Gulf states

What to do about it

• Validate AI hosting jurisdiction with your legal team if you operate in India’s regulated industries

• Build a vendor diversification strategy that accommodates regional sovereignty without forcing rewrites

• Engage sovereign cloud providers earlier in architecture, not as a post-deployment retrofit

Rock’s Musings

The geopolitical fragmentation of AI access is happening in real time. Western vendors still pretend it’s manageable through commercial agreements. India is signaling clearly that strategic AI must operate under Indian jurisdiction or not at all. Other countries will copy. The companies figuring out sovereign deployment architectures first win the next decade of international AI revenue. Those treating this as a temporary hurdle will watch growth markets quietly close.

10. CISA Adds LiteLLM SQL Injection to KEV as Active Exploitation Confirmed

CISA added CVE-2026-42208 to its Known Exploited Vulnerabilities catalog on May 8, 2026, for a pre-auth SQL injection in BerriAI’s LiteLLM proxy that allows attackers to access the database storing API keys for OpenAI, Anthropic, AWS Bedrock, Google Gemini, and other providers (Windows Forum, CCB Belgium). Affecting LiteLLM 1.81.16 through 1.83.6, the flaw was exploited within 36 hours of disclosure (Sysdig). Federal agencies had until May 11 to patch under BOD 22-01.

Why it matters

• AI gateways consolidate provider API keys with five-figure spend caps in one database

• A database extraction at an AI proxy is closer to cloud-account compromise than a traditional SQL injection

• Most LiteLLM deployments were stood up by application teams outside security review

What to do about it

• Inventory every AI proxy and gateway, including shadow deployments

• Patch LiteLLM to v1.83.10-stable or later, and review Postgres query history for probing

• Rotate every provider API key managed by an affected instance as a credential compromise response

Rock’s Musings

This is the canary I’ve been warning about. AI gateways became the pattern of choice because they make access to multi-provider models manageable, and they did so without a serious security review. The bug isn’t exotic, it’s a 2003-vintage SQL injection. The blast radius is exotic because of what these gateways guard. Federal agencies had three days to patch. Most enterprises will take three weeks and feel proud of moving fast.

11. The One Thing You Won’t Hear About But You Need To: Vector Embedding Pipelines Are the Next Enterprise AI Blind Spot

While the industry focused on vendor launches this week, the quieter story is that the AI data plane is wide open. Help Net Security published research on May 13, 2026, confirming that vector-embedding pipelines used for retrieval-augmented generation expose enterprise AI to attacks that traditional security tools cannot detect (Help Net Security). DLP tools can’t read or interpret embeddings, creating a blind spot for sensitive content shipped to embedding services. Spring AI bugs disclosed in late April included SQL injection in CosmosDBVectorStore, confirming vector store backends inherit traditional database vulnerability classes without the same control maturity.

Why it matters

• 53% of enterprises now use RAG and agentic pipelines, so vector database flaws affect most enterprise AI deployments

• Sensitive content gets converted to embeddings and shipped to third-party services where DLP cannot inspect in transit

• Multi-tenant vector databases create cross-tenant exposure paths that mirror early cloud storage failures of 2015

What to do about it

• Inventory every vector database, including SaaS embedding services you didn’t approve

• Apply integrity checks and access controls to vector stores at the same maturity as primary databases

• Run hybrid retrieval combining dense vectors with BM25 lexical search to limit poisoned embedding impact

Rock’s Musings

Vector stores look boring. They’re glorified key-value databases that happen to hold numerical arrays. Those arrays encode every confidential document your knowledge base ingests, and your security stack treats them as opaque blobs. AI security isn’t a model problem, it’s a data plane problem. The first major enterprise AI breach in the next twelve months will trace back to a vector store nobody inventoried, an embedding service nobody reviewed, or an agent nobody scoped. The defenders who win are the ones treating their AI pipeline like their CI/CD pipeline. Visit rockcybermusings.com for deeper coverage and rockcyber.com for advisory work on governance programs that survive contact with production AI.

For more on agentic AI risk and CISO governance, see RockCyber and analysis at RockCyber Musings.

👉 For ongoing analysis of agentic AI governance frameworks, the conversation continues at RockCyber Musings.

👉 Visit RockCyber.com to learn more about how we can help with your traditional Cybersecurity and AI Security and Governance journey.

👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com

👉 As a bonus, check out my conversation with CISO Tradecraft® where we talked about the OWASP GenAI Security Project Agentic Top 10

👉 Subscribe for more AI and cyber insights with the occasional rant.

The views and opinions expressed in RockCyber Musings are my own and do not represent the positions of my employer or any organization I’m affiliated with.

References

Aembit. (2026). MCP security vulnerabilities: Complete guide for 2026. https://aembit.io/blog/the-ultimate-guide-to-mcp-security-vulnerabilities/

Air Street Press. (2026, May). State of AI: May 2026. https://press.airstreet.com/p/state-of-ai-may-2026

Associated Press. (2026, May 11). OpenAI is sued over ChatGPT’s alleged role helping plan a mass shooting. AP News. https://apnews.com/article/openai-chatgpt-lawsuit-mass-shooting-florida-1a8071ee49ad0220348d3eb55f60e648

Bishop, T. (2026, May 13). Microsoft’s multi-agent AI system tops Anthropic’s Mythos on cybersecurity benchmark. GeekWire. https://www.geekwire.com/2026/microsofts-multi-agent-ai-system-tops-anthropics-mythos-on-cybersecurity-benchmark/

Centre for Cybersecurity Belgium. (2026, May 13). Warning: LiteLLM pre-auth SQL injection (CVE-2026-42208), patch immediately! https://ccb.belgium.be/advisories/warning-litellm-pre-auth-sql-injection-cve-2026-42208-patch-immediately

Cybersecurity Dive. (2026, May 11). OpenAI launches Daybreak to combat cyber threats. https://www.cybersecuritydive.com/news/OpenAI-Daybreak-cyber-threats/820122/

Cygnus. (2026, May 11). Google reports first AI-generated zero-day exploit in cybersecurity milestone. Domain-b. https://www.domain-b.com/technology/artificial-intelligence/google-ai-zero-day-exploit-cybersecurity-2026

DataGuidance. (2026, May 8). EU: Commission opens consultation on draft AI Act transparency guidelines under Article 50. https://www.dataguidance.com/news/eu-commission-opens-consultation-draft-ai-act

European Commission. (2026, May 8). Commission opens consultation on draft guidelines for AI transparency obligations. https://digital-strategy.ec.europa.eu/en/news/commission-opens-consultation-draft-guidelines-ai-transparency-obligations

Forbes. (2026, May 12). OpenAI Daybreak takes on Mythos to redefine security. https://www.forbes.com/sites/timkeary/2026/05/12/openai-daybreak-goes-head-to-head-with-anthropic-to-redefine-security/

French, L. (2026, May 13). OpenAI Daybreak joins growing movement of AI-driven vulnerability discovery. SC World. https://www.scworld.com/news/openai-daybreak-joins-growing-movement-of-ai-driven-vulnerability-discovery

Help Net Security. (2026, May 13). Microsoft’s agentic security system found four critical Windows RCE flaws. https://www.helpnetsecurity.com/2026/05/13/microsoft-mdash-agentic-ai-security-system/

Kim, T. (2026, May 12). Defense at AI speed: Microsoft’s new multi-model agentic security system tops leading industry benchmark. Microsoft Security Blog. https://www.microsoft.com/en-us/security/blog/2026/05/12/defense-at-ai-speed-microsofts-new-multi-model-agentic-security-system-tops-leading-industry-benchmark/

Lakshmanan, R. (2026, May 12). OpenAI launches Daybreak for AI-powered vulnerability detection and patch validation. The Hacker News. https://thehackernews.com/2026/05/openai-launches-daybreak-for-ai-powered.html

Lakshmanan, R. (2026, May 13). Microsoft’s MDASH AI system finds 16 Windows flaws fixed in Patch Tuesday. The Hacker News. https://thehackernews.com/2026/05/microsofts-mdash-ai-system-finds-16.html

European Commission. (2026, May 8). Commission publishes second draft of Code of Practice on Marking and Labelling of AI-generated content. https://digital-strategy.ec.europa.eu/en/library/commission-publishes-second-draft-code-practice-marking-and-labelling-ai-generated-content

Inside Global Tech. (2026, May 12). 10 takeaways: European Commission draft guidelines on AI transparency under the EU AI Act. https://www.insideglobaltech.com/2026/05/12/10-takeaways-european-commission-draft-guidelines-on-ai-transparency-under-the-eu-ai-act/

Skadden. (2026, May). AI Act state of play – Key obligations postponed and amended. https://www.skadden.com/insights/publications/2026/05/ai-act-state-of-play

Medianama. (2026, May 12). India pushes for sovereign control over AI cybersecurity systems: Report. https://www.medianama.com/2026/05/223-india-pushes-sovereign-control-ai-cybersecurity-systems-report/

O’Brien, M. (2026, May 11). ‘It’s here’: Google issues dire warning after catching hackers using AI to break into computers. Fortune. https://fortune.com/2026/05/11/google-catches-hackers-cybersecurity-warning-ai-anthropic-mythos/

Open Source For You. (2026, May 12). Cisco launches open-source Foundry Security Spec to tackle AI-driven cyber threats. https://www.opensourceforu.com/2026/05/cisco-launches-open-source-foundry-security-spec-to-tackle-ai-driven-cyber-threats/

Repello. (2026, May 2). Vector embedding security: Why static audits miss the real attacks. https://repello.ai/blog/vector-embedding-security

Reuters. (2026, May 11). Family of Florida mass shooting victim sues OpenAI in US court. https://www.reuters.com/legal/government/family-florida-mass-shooting-victim-sues-openai-us-court-2026-05-11/

SMBtech. (2026, May 12). Cisco open-sources specification for building AI-powered security evaluation systems. https://smbtech.au/news/cisco-open-sources-specification-for-building-ai-powered-security-evaluation-systems/

Sysdig. (2026). CVE-2026-42208: Targeted SQL injection against LiteLLM’s authentication path discovered 36 hours following vulnerability disclosure. https://www.sysdig.com/blog/cve-2026-42208-targeted-sql-injection-against-litellms-authentication-path-discovered-36-hours-following-vulnerability-disclosure

Taylor Wessing. (2026, May). The EU Digital Omnibus on AI – What the political deal means. https://www.taylorwessing.com/en/insights-and-events/insights/2026/05/the-eu-digital-omnibus-on-ai-what-the-political-deal-means

Techzine. (2026, May 12). Cisco open-sources Foundry Security Spec for CISO-ready agents. https://www.techzine.eu/news/security/141257/cisco-open-sources-foundry-security-spec-for-ciso-ready-agents/

The Record. (2026, May 13). Microsoft on pace to break annual vulnerability record as AI-driven patch wave takes hold. https://therecord.media/microsoft-on-pace-to-break-annual-vulnerability-record-ai

US News & World Report. (2026, May 11). Lawsuit blames ChatGPT maker OpenAI for bot helping plan a mass shooting. https://www.usnews.com/news/best-states/california/articles/2026-05-11/lawsuit-blames-chatgpt-maker-openai-for-bot-helping-plan-a-mass-shooting

Windows Forum. (2026, May 8). CISA adds LiteLLM SQL injection CVE-2026-42208 to KEV—AI proxies are high-value. https://windowsforum.com/threads/cisa-adds-litellm-sql-injection-cve-2026-42208-to-kev-ai-proxies-are-high-value.417219/

On May 1, 2026, six allied cyber agencies dropped 30 pages on agentic AI security, and the industry promptly reached for its highlighters. Twenty-three risks and more than a hundred best practices. The initial reflex is to map them to existing controls and call it a project plan.

WRONG!

CISA, NSA, ASD, NCSC-UK, NCSC-NZ, and the Cyber Centre published an architecture brief disguised as a guidance document. Read it that way, and the work changes.

The Misreading That’s Happening

Pick any board deck circulating right now, and I’ll bet the Five Eyes guidance shows up as a row in a control matrix (if at all). Privilege controls: check. Identity management: check. Logging: check. Someone in the room nods, the GRC team gets a tracking spreadsheet, and the agentic AI rollout continues at the same pace as before May 1.

That’s the failure mode. The document contains 23 distinct risks and over 100 individual best practices to address them. You don’t bolt 100 practices onto an existing platform without changing its shape...its architecture. Treating a system-level prescription as line-item compliance is how you end up with the audit-passes-but-the-thing-is-still-broken” pattern that plagues us to this day.

Read the document carefully, and the architectural intent is everywhere. Identity binds to privilege. Privilege binds to tool access. Tool access binds to logging. Logging binds to accountability. Each control assumes the others exist. Each one fails when built alone. The agencies named this directly when they recommended system-theoretic approaches like STPA and STPA-Sec, calling out that traditional component-level analysis is insufficient because risks emerge from interactions between components rather than isolated flaws.

That single paragraph is the operational thesis. The rest of the document describes how to build for it. A senior security practitioner, reading carefully, will recognize a familiar pattern, and this is what happens when policy folks finally accept you don’t write a check-box for emergent risk.

The question now is what production systems look like when somebody actually does the work. AAGATE is one answer, and we released it last November.

What the Document Actually Says

Strip the fluff, and the document organizes around five risk categories:

1. Privilege risk

2. Design and configuration flaws

3. Behavioral risk

4. Structural risk

5. Accountability risk

The categories aren’t mutually exclusive. They’re stacked dependencies.

Privilege risk is the foundation. The procurement-agent scenario in the guidance is a classic confused-deputy attack. An over-permissioned agent gets compromised through a low-risk tool, the attacker inherits the agent’s privileges, and modified contracts and approved payments slip past audit logs that look legitimate.

Design and configuration risk sits atop privilege. Static permission checks at startup don’t survive dynamic workflows. Allow lists go stale. Boundaries between agent enclaves erode under operational pressure. Behavioral risk piles onto that. Goal misalignment, specification gaming, deceptive behavior, and emergent capabilities all assume the agent has already been granted enough autonomy to act in surprising ways.

Structural risk is where it gets interesting. The agencies describe cascading failures across orchestration layers, tool integrations, third-party components, agent-to-agent communication, and shared data stores. A single rogue agent in a multi-agent system corrupts consensus, spreads incorrect information, alters logs, and propagates malicious plans peer-to-peer. None of this is fixable at the agent level alone.

Accountability risk closes the loop. Decisions made through long reasoning chains, stochastic outputs, and emergent multi-agent interactions are difficult to audit, attribute, or reproduce. The agencies reach for cryptographic identity, comprehensive artifact logging, and unified audit logs across inter-agent interactions. They’re describing a system property, not a feature you purchase.

AAGATE Maps the Architecture to NIST AI RMF

AAGATE is a Kubernetes-native control plane built to operationalize the NIST AI Risk Management Framework against agentic AI systems. The paper, which I co-authored with Ken Huang, Hammad Atta, and a research team, was published to arXiv in late 2025. It picks NIST AI RMF as the spine because the RMF’s four functions, Govern, Map, Measure, and Manage, are general enough to absorb the Five Eyes prescriptions without forcing translation. The novelty isn’t the alignment to RMF. The novelty is the prescriptive toolchain: MAESTRO for Map, OWASP AIVSS plus SEI SSVC for Measure, the CSA Agentic AI Red Teaming Guide for Manage, and a zero-trust service mesh anchoring Govern.

What follows is the mapping of the Five Eyes document points at without naming. Five control areas. Each one shows what the architecture looks like when you stop treating the guidance as a checklist.

1. Identity-Anchored Privilege (Govern + Map)

The Five Eyes document spends real ink on this. It tells developers to construct each agent as a distinct principal with its own cryptographically anchored identity and unique keys or certificates, to authenticate every inter-agent and agent-to-service API call with mutual TLS, and to maintain a trusted registry that’s reconciled against the live set of agents. It tells operators to use just-in-time credentials, cryptographic attestation, and a centralized policy decision point that runs at every request.

Those aren’t five different controls. They’re one architecture.

AAGATE’s Agent Naming Service builds it. ANS works like DNS for agents. When a new agent starts, it registers its Decentralized Identifier and capabilities, and the service issues a Verifiable Credential along with an Istio SPIFFE certificate that binds the pod’s identity to its cryptographic DID. Other agents resolve through the registry. Anything not in the registry gets denied. Istio mTLS authenticates every pod-to-pod call with X.509 certificates. The OAuth Relay translates abstract agent capabilities into ephemeral, narrowly-scoped credentials for each side-effect, which is the only practical way to do least-privilege when traditional user-centric consent models break down.

Try doing any one of those pieces without the others and the system collapses. A registry without mTLS is unauthenticated. mTLS without ephemeral credentials still leaks long-lived tokens. Ephemeral credentials without a registry have no verification path at issuance. The Five Eyes guidance lists these as separate best practices. AAGATE shows why they’re one control.

This is also why CISOs aren’t the only audience for this work. Identity engineers, IAM architects, platform teams, and product leaders need to read it. The org chart that ships agentic AI safely is wider than the security team’s mailing list.

2. The Single Chokepoint for Side-Effects (Map)

The guidance recommends restricting tool use to an approved allow list of tools and versions, logging agent tool usage so results are captured in system logs in human-readable format, and establishing trigger-action protocols that automatically restrict agent permissions when unexpected behavior emerges. It tells you to harmonize the controls with the NIST Zero Trust Architecture.

The architectural pattern that satisfies all three is one many readers will resist: a single chokepoint. Every external HTTP, database, or file operation funnels through one gateway. The mesh denies egress everywhere else. Bypass attempts get quarantined.

AAGATE’s Tool-Gateway is exactly that. Agents publish requests to a Kafka topic. The Tool-Gateway consumes them, checks policies (allow lists, rate limits, scope), executes the action if permitted, and logs the request and response with a cryptographic hash to an immutable audit log. The Governing-Orchestrator Agent watches for bypass attempts and quarantines the offender on detection. OAuth2 token exchange happens at the Gateway, with refresh tokens never leaving its memory vault.

A single chokepoint smells like a bottleneck to anyone raised on horizontally scaled architectures. That intuition is wrong here. The Tool-Gateway is the place where agentic AI security becomes tractable. Threat modeling becomes tractable because you have one comprehensive map of every system interaction. Audit becomes tractable because logs are unified. Policy enforcement becomes tractable because the decision point is centralized. Eliminate the chokepoint and you’ve spread the same controls across hundreds of agent-tool integrations, none of which will be enforced consistently. Distributed systems engineers will object. Reality wins.

3. Continuous Measurement (Measure)

The Five Eyes document repeats itself when it talks about monitoring. Use multiple independent monitoring systems that cross-validate. Monitor agent operations, including internal processes, not the inputs and outputs alone. Watch for goal drift by comparing active objectives against approved baseline specifications. Establish anomaly detection that flags discrepancies between stated intentions and observed behavior. Implement runtime monitoring with rules or behavioral baselines.

Reading those passages, I count at least six distinct signal types the document expects you to collect, score, and respond to in real time. Treating them as line items is how you end up with six dashboards nobody watches.

AAGATE compresses them into one pipeline. The UEBA Behavior Profiler builds per-agent behavioral fingerprints with anomaly scores, using Isolation Forest and Markov chains. The ComplianceAgent streams events from the Tool-Gateway, applies Rego policy checks plus LLM-driven reasoning, and generates security signals scored using OWASP’s AI Vulnerability Scoring System. The Governing-Orchestrator Agent consumes the scored incidents through an SSVC-inspired decision tree to choose a proportionate response. QSAF monitors run alongside, watching for cognitive degradation: recursion loops, memory starvation, context flooding, the kinds of failure modes invisible to conventional anomaly detection.

The pattern is Observe, Score with AIVSS, Decide with SSVC, Act, then Learn. None of those steps are optional. Skip the scoring, and you have no priority order. Skip the decision tree, and you have no machine-speed response. Skip the cognitive monitors, and you miss a class of failures the document explicitly names.

Most enterprises run anomaly detection bolted onto SIEM. That doesn’t work for agents. The signals are different, the response cadence is different, and the decision logic has to be co-located with the policy decision point, not 20 minutes downstream.

4. Adversarial Defense and the Kill Switch (Manage)

The guidance tells operators to conduct red teaming exercises, deploy agent simulation tests including multi-agent red teaming or chaos testing, embed agentic AI systems with fail-safe defaults and containment mechanisms that limit blast radius, and implement runtime monitoring and anomaly detection to identify unusual patterns and trigger alerts or pauses.

Periodic red teaming doesn’t keep up with agents acting at machine speed. Manual chaos exercises don’t catch a goal-drift event occurring in the 17 seconds between human review cycles. The guidance is asking for continuous adversarial pressure with millisecond response time. That’s a runtime architecture, not a quarterly engagement.

AAGATE answers it with the Janus Shadow-Monitor-Agent. Janus runs in a different container with a different model, re-evaluating every high-risk agent’s planned actions before execution. Goal manipulation, hallucination exploitation, and drift from baseline specifications get caught pre-execution rather than post-mortem. When Janus raises a CRITICAL alert, the Governing-Orchestrator Agent injects an Istio AuthorizationPolicy that cuts all egress. AAGATE calls it the millisecond kill switch because that’s the time window the system operates in.

The pairing matters. A continuous internal red team without a kill switch is as useless as a bucket with a gaping hole in the bottom. A kill switch without continuous red teaming has nothing to act on. Five Eyes named both controls separately. AAGATE shows why they’re the same control.

This is also where the OT crowd should pay attention. The guidance recommends defense-in-depth and continuous evaluation. In OT contexts, that translates directly to “you don’t roll back a physical actuator.” Containment has to happen before the action, not after.

5. Tamper-Evident Accountability (Govern)

The accountability section of the guidance is the hardest one. The agencies want comprehensive artifact logging, unified audit logs for inter-agent interactions, interpretability tools that surface reasoning, and information referencing that shows where outputs originated. They’re describing what the EU AI Act Article 12 calls automatic recording of events, plus what auditors call evidence of effective control operation. If and when the EU AI Act actually ever goes into effect is another conversation altogether…

Conventional logging breaks down here. Long reasoning chains generate massive logs that are repetitive and loosely structured. The Five Eyes document is blunt: traditional logs make it even more challenging to extract meaningful signals. Accountability fails not because the data isn’t recorded, but because nobody proves it wasn’t tampered with after the fact.

AAGATE’s answer combines three patterns. Cryptographic hashes on every Tool-Gateway request and response give you tamper-evidence at the unit level. The optional ETHOS ledger integration mirrors agent registrations and material governance events to a public smart contract, creating a tamper-proof record of agent identity and status. The ZK-Prover service hashes logs hourly and posts Groth16 zero-knowledge proofs on-chain, showing that incidents stayed within the contract-tier budget, giving you privacy-preserving compliance assurance without exposing operational data.

Argue with the on-chain pieces if you want. They’re optional in single-tenant deployments, and the AAGATE paper says so explicitly. The cryptographic hashing isn’t optional. If your accountability model doesn’t prove logs weren’t altered after the fact, you don’t have accountability. You have hope.

What This Means Going Forward

The Five Eyes document changes the burden of proof. Boards, regulators, and acquirers now have a coordinated multi-government statement naming architecture-level controls as the floor, not the ceiling. “Until security practices, evaluation methods and standards mature, organisations should assume that agentic AI systems may behave unexpectedly.” That sentence will undoubtedly show up in due diligence questionnaires.

If you’re operating agentic AI today, you have two choices.

• Option one: take the line-item path, map controls to a tracking spreadsheet, and ship 100 separate workstreams that someone else’s auditor will pull apart in 18 months.

• Option two: read the guidance as an architectural prescription, pick a reference build like AAGATE, and treat your agentic security work as a platform engineering problem rather than a compliance problem.

I know which one I’d present to a board.

Key Takeaway: The Five Eyes guidance describes a system property, not a checklist, and compliance follows from architecture rather than the other way around. AAGATE provides that reference architecture.

What to do next

If your agentic AI program is more than a pilot, audit it against the five risk categories now and look for the architectural gaps the line-item view will hide. The CARE framework I use for AI-augmented security programs lays out how to sequence Create, Adapt, Run, and Evolve work without burning out the platform team. For the technical reference, read the AAGATE paper on arXiv and treat it as a reference architecture rather than a finished product. If you want help mapping current state to the Five Eyes prescriptions and a NIST AI RMF aligned target architecture, RockCyber does this work with security and engineering leadership across critical infrastructure and financial services. For more posts like this, RockCyber Musings lands in your inbox roughly once a week.

👉 For ongoing analysis of agentic AI governance frameworks, the conversation continues at RockCyber Musings.

👉 Visit RockCyber.com to learn more about how we can help with your traditional Cybersecurity and AI Security and Governance journey.

👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com

👉 As a bonus, check out my conversation with CISO Tradecraft®, where we talked about the OWASP GenAI Security Project Agentic Top 10

👉 Subscribe for more AI security and governance insights with the occasional rant.

Share RockCyber Musings

Share

This was the week the supervisors stopped asking permission. Five Eyes intelligence agencies, the Pentagon, the Commerce Department, and ServiceNow all converged on the same conclusion at nearly the same time. Agentic AI is shipping without brakes, the brakes need to be added now, and nobody has a clean answer for who pays. Brussels blinked. Washington floated an FDA-style gate for frontier models. Researchers kept finding holes in the plumbing under every AI agent your developers are racing to deploy.

The pattern was governance catching up to deployment. Three governments and a $200 billion software company echoed what the security crowd has been saying since GPT-4 shipped. You bought the speedboat and forgot the kill switch. Below are the ten stories that mattered between Friday, May 1, and Thursday, May 7, 2026, plus one you missed.

1. Five Eyes Drop Joint Agentic AI Guidance

CISA, the NSA, Australia’s ASD ACSC, the Canadian Centre for Cyber Security, the UK’s NCSC, and New Zealand’s NCSC released “Careful Adoption of Agentic Artificial Intelligence (AI) Services” (CISA, 2026). The document identifies five risk categories: privilege; design and configuration; behavior, including goal misalignment and deception; structural risks across interconnected components; and accountability risks rooted in opacity. The Register summarized the message bluntly. Agentic AI is too dangerous for rapid rollout (Brandon, 2026).

Why it matters

• Five intelligence agencies aligning sets a baseline for procurement, audit, and insurance underwriting across the English-speaking world.

• The guide pressures vendors selling fully autonomous agents by recommending incremental deployment and human oversight.

• Critical infrastructure operators gain a defensible reference document when business units demand agent rollouts in days.

What to do about it

• Map every deployed agent against the five risk categories and grade each honestly.

• Require attestation against this guide in procurement language for agentic capabilities.

• Brief your board this quarter on how the guidance changes your residual risk posture.

Rock’s Musings

Five Eyes guidance is rare enough to mean something. When agencies that attribute nation-state intrusions speak with one voice, treat it as a soft mandate. The privilege risks section reads like a list of incidents I have seen at clients in the last twelve months. Stop deploying autonomy on top of access models you built for humans.

2. EU Strikes Provisional Deal to Delay Core AI Act Obligations

On May 7, 2026, after roughly nine hours of negotiation, the Council of the EU and the European Parliament reached provisional agreement on the Digital Omnibus on AI (Lewis Silkin, 2026). High-risk obligations under Annex III now apply from December 2, 2027. Annex I obligations apply from August 2, 2028. The transparency grace period for AI-generated content shrinks from six months to three, with a deadline of December 2, 2026 (Modulos, 2026).

Why it matters

• The narrative that the EU is the world’s strictest AI regulator took a real hit, with industry pressure winning a delay measured in years.

• Companies that scrambled for Annex III readiness by August 2026 spent their budget on a deadline that no longer exists.

• The shortened transparency window makes deepfake labeling the most urgent compliance work of the year for consumer-facing AI.

What to do about it

• Reset your AI Act program plan against the new deadlines and brief your audit committee on the freed-up budget.

• Accelerate transparency labeling on generative output exposed to EU users by Q3 2026.

• Watch the Council and Parliament endorsement votes because the deal can still shift.

Rock’s Musings

I told three clients in 2025 that betting on the original Annex III timeline was a coin flip. The coin landed on delay. The AI Act isn’t dead, but Brussels learned the lesson California learned with CCPA. With Brussels stretching its timeline, the White House gains room to argue that federal preemption beats a state patchwork. Bet on more state attorneys general filling the gap with UDAP actions before December.

3. Pentagon Clears Eight Vendors for AI on Classified Networks

The Department of War announced agreements with AWS, Google, Microsoft, NVIDIA, OpenAI, SpaceX, and Reflection AI, with Oracle added shortly after, to deploy AI tools on Impact Level 6 and Impact Level 7 networks (Breaking Defense, 2026). Those impact levels cover secret-classified and the most highly classified Defense systems. Anthropic was conspicuously absent, despite Claude already running inside Palantir’s Maven Smart System on classified networks (TechCrunch, 2026).

Why it matters

• Defense AI procurement consolidated around eight vendors, with Anthropic frozen out despite a working production deployment.

• IL-7 deployments mean general-purpose models will reason over the most sensitive U.S. government data, with limited public visibility into evaluation rigor.

• Defense contractors and integrators have a vendor shortlist that will shape program decisions for the next five years.

What to do about it

• If you sell into DoD, align your AI roadmap with these eight vendors.

• If you advise federal agencies, push for transparency on red-team results before production at IL-6 and IL-7.

• Expect this vendor list in prime contractor solicitations within a quarter.

Rock’s Musings

Commercial AI is now inseparable from national security infrastructure. Eight vendors. Two impact levels. Decisions that will shape how the U.S. military thinks, plans, and fights for a decade. Where are the public test results? When the FDA approves a drug, you can read the trial data. When the Pentagon approves a model for IL-7, you cannot. That asymmetry will eventually break.

4. CAISI Locks Pre-Deployment Testing Deals With Google, Microsoft, and xAI

The Center for AI Standards and Innovation announced agreements on May 5, 2026 that allow the U.S. government to evaluate frontier AI models from Google, Microsoft, and xAI before public release (CNBC, 2026). The deals expand a program that already included OpenAI and Anthropic, with the older agreements renegotiated to align with America’s AI Action Plan (Al Jazeera, 2026). The arrangements remain voluntary.

Why it matters

• Five frontier labs now run pre-deployment evaluations through one federal channel, creating a de facto standard for “tested” at the top of the AI supply chain.

• Voluntary agreements give the government influence without legislation.

• Smaller and open-source providers face an emerging market expectation they can’t match.

What to do about it

• Add CAISI evaluation status to vendor risk questionnaires for frontier model dependencies.

• Track CAISI’s published evaluation criteria, since they will shape your internal evaluation programs.

• Treat models without CAISI evaluation as higher inherent risk in supply chain assessments.

Rock’s Musings

Voluntary regulation by reputational pressure is the Trump administration’s preferred AI playbook. The upside is speed. The downside is that voluntary agreements dissolve when a CEO decides the political winds have shifted. If CAISI becomes the gravitational center for AI evaluation, insurers and enterprise buyers will start citing it in contracts. That is how soft governance becomes hard governance.

5. ServiceNow Adds AI Agent Kill Switches as the 9-Second Story Goes Mainstream

ServiceNow announced on May 5, 2026 at Knowledge 2026 that it has expanded AI Control Tower with real-time pause, redirect, and stop capabilities for any AI agent across the enterprise estate (ServiceNow, 2026). The expansion adds 30 new connectors spanning AWS, Google Cloud, Microsoft Azure, SAP, Oracle, and Workday. CEO Bill McDermott told Fortune the marketing message in plain English, citing a real incident where an AI agent gained elevated permissions and deleted a production database with all backups in nine seconds (Fortune, 2026).

Why it matters

• Selling kill switches as a primary feature validates the security community’s argument that agentic AI requires runtime governance.

• The 30-connector expansion makes ServiceNow the de facto governance layer above other clouds and SaaS apps.

• The 9-second story shifts the default purchasing posture toward “show me the brakes.”

What to do about it

• Inventory every AI agent with write access to production systems and document its maximum blast radius in seconds.

• Require a documented kill switch capability as a procurement gate for any agentic AI vendor.

• Run a tabletop exercise this quarter where an autonomous agent acts destructively at machine speed.

Rock’s Musings

I have been waiting for a vendor to put “kill switch” on the price list. ServiceNow finally did it. The 9-second story is not hypothetical. Every CISO I know has heard a similar war story from a peer in the last year. A kill switch is only as good as its blast-radius coverage and detection latency. If your agent can do irreversible damage in seconds and your governance layer needs minutes, the kill switch is theater. Test the latency before signing.

6. White House Floats FDA-Style Gate for Frontier AI

National Economic Council Director Kevin Hassett told Bloomberg on May 6, 2026 that the White House is studying an executive order to create a vetting system for new AI models like Anthropic’s Mythos, comparing the approach to FDA drug evaluation (Bloomberg, 2026). The directive comes weeks after Anthropic disclosed that Mythos is unusually capable at finding network vulnerabilities, prompting the company to limit access through Project Glasswing (Insurance Journal, 2026).

Why it matters

• An FDA-style gate would mark the first concrete pre-market regulatory framework for frontier AI in the U.S., even by executive order.

• The Mythos disclosure shifts the political center of gravity, with a frontier lab effectively asking for more regulation.

• Framing AI as public safety reshapes which agencies and committees own the issue.

What to do about it

• Track which federal agency the order designates as the gating body, since that agency’s authorities will determine how real the regime becomes.

• Prepare your own internal “model approval” process now, modeled on how you approve cryptographic libraries.

• Engage with industry comment processes early, before draft text leaks and positions harden.

Rock’s Musings

The FDA analogy is compelling and imperfect. Drugs have measurable endpoints. AI capability evaluations are partly subjective and dependent on who designed the test. The reason I take this seriously is the political logic. An administration that has emphasized deregulation is signaling it might gate frontier AI at the federal level. If the national security argument has won inside the West Wing, the rest of the Western world will follow within twelve months.

7. One in Four MCP Servers Carries Code Execution Risk

Help Net Security reported on May 5, 2026, that one in four Model Context Protocol servers exposes AI agents to code execution risk through skill-handling and configuration blind spots (Help Net Security, 2026b). The research builds on an OX Security disclosure from April 2026 that covered an architectural choice in Anthropic’s official MCP SDKs for Python, TypeScript, Java, and Rust, in which STDIO transport executes OS commands without sanitization (VentureBeat, 2026). Vulnerable MCP integrations affect Cursor, VS Code, Windsurf, Claude Code, and Gemini-CLI.

Why it matters

• MCP is the connective tissue between AI agents and enterprise systems, with 150 million downloads and 7,000-plus public servers.

• A 25% vulnerability rate across the supply chain means most enterprises running MCP-based agents are running known-vulnerable infrastructure now.

• Anthropic’s stance that the behavior is “expected” leaves customers holding the remediation burden alone.

What to do about it

• Inventory MCP servers, including developer workstations, and segment them from sensitive data and production credentials.

• Force allowlisting on MCP tool calls, with explicit human approval for anything outside the allowlist.

• Add MCP server compromise to your incident response runbooks.

Rock’s Musings

MCP is the USB-C of AI agents, and it is shipping with the equivalent of a hot socket. The architectural pattern is fine. The default behavior is dangerous. Treat MCP like browser extensions in a regulated environment. Default deny. Document exceptions. Audit quarterly.

8. Lenovo Survey Confirms One in Three Employees Use AI Without IT Oversight

Lenovo’s Work Reborn Research Series 2026, surveying 6,000 enterprise workers globally, was reported on May 1, 2026. Between one-fifth and one-third of employees use AI outside IT governance (Help Net Security, 2026a). Almost half of large enterprises in Protiviti’s AI Pulse Survey 2026 lack full visibility into which AI tools employees use. ISACA’s 2026 AI Pulse Poll found 38% of organizations report a formal AI policy, up from 28% the prior year.

Why it matters

• Shadow AI is the dominant AI risk category for most enterprises.

• The gap between employee AI adoption and IT governance is widening faster than policy alone can close it.

• Generative AI accounts for roughly a third of unauthorized data movement in measured environments.

What to do about it

• Deploy DLP controls that recognize generative AI as a defined egress channel, not an undifferentiated browser session.

• Offer a sanctioned AI tool path that is genuinely useful, because banning AI without alternatives has not worked anywhere.

• Track AI policy adoption as a KPI alongside traditional security awareness metrics.

Rock’s Musings

I have watched this story play out several times. Personal email in the 2000s. SaaS in the 2010s. Now AI. Ban the tool. Watch usage go underground. Find the breach. Reverse the ban two years too late. Short-circuit the cycle now. Your highest performers are the ones doing shadow AI work because the sanctioned tools are slower or dumber.

9. Researchers Scan One Million Exposed AI Services, Find Default Authentication Off

The Hacker News reported a large-scale scan of one million publicly exposed AI services. AI infrastructure is more vulnerable, exposed, and misconfigured than any other software category investigators have recently studied (The Hacker News, 2026). Many hosts run without authentication because it is not the default in many AI projects. Over 90 exposed instances were identified across government, marketing, and finance, with chatbots, prompts, workflows, and outward access all open to the public internet.

Why it matters

• Default-open AI infrastructure puts attackers ahead of defenders on basic asset discovery.

• Government, marketing, and finance exposure shows the problem is not confined to the unregulated long tail of startups.

• LLM conversation history exposure leaks strategy, contracts, and personal data in ways traditional data leakage models miss.

What to do about it

• Treat AI infrastructure like internet-facing crown jewels and harden it accordingly.

• Run attack surface management scans tuned for AI service fingerprints, including n8n, Flowise, Langflow, and LiteLLM.

• Make default-deny authentication non-negotiable for any AI workflow touching enterprise data.

Rock’s Musings

This is the cybersecurity equivalent of finding every front door wide open. The mistake is older than AI. Project maintainers and platform vendors should answer for shipping with authentication disabled by default. Default secure beats secure-by-checklist every time. Until AI projects ship safely, assume the defaults are wrong and configure your way out of them.

10. Trellix Discloses Source Code Repository Breach

Cybersecurity company Trellix disclosed on May 4, 2026 that it suffered unauthorized access to a portion of its source code repository (BleepingComputer, 2026). Trellix protects more than 50,000 customers and over 200 million endpoints. The company says it has found no evidence the source code release process was affected or that the code has been exploited (SecurityWeek, 2026). Trellix has not named the actor or disclosed dwell time.

Why it matters

• A defensive software vendor losing source code ripples through every customer.

• The breach feeds AI-augmented vulnerability discovery against Trellix products, given how attackers now use LLMs to mine source for exploits.

• Federal customers will require new attestations on code provenance and pipeline integrity within weeks.

What to do about it

• Trellix customers should demand a full incident report covering IOCs, scope of stolen code, and pipeline changes.

• Audit detection coverage for TTPs that exploit knowledge of the affected products.

• Treat defensive software vendors as potential single points of failure in your supply chain risk register.

Rock’s Musings

Defensive vendors getting popped is a now-quarterly story. The interesting wrinkle is what an attacker does with stolen source code in the AI era. Two years ago, source theft was slow-burn. Today, an attacker can feed thousands of files into an LLM and ask for likely vulnerability classes in hours. Trellix saying the code has not been exploited is a snapshot, not a guarantee.

The One Thing You Won’t Hear About But You Need To: ARGUS and the Quiet Admission That Today’s Agent Defenses Don’t Hold

Researchers published the ARGUS paper to arXiv on May 5, 2026. It introduces a benchmark, AgentLure, that captures context-aware prompt-injection attacks across four agentic domains and eight attack vectors, along with a defense mechanism that enforces provenance-aware decision auditing for LLM agents (ARGUS, 2026). ARGUS reduces attack success rate to 3.8% while preserving 87.5% task utility. Without provenance-aware controls, undefended agents fail at much higher rates.

Why it matters

• Provenance tracking inside agent reasoning is a real shift from perimeter-style defenses most vendors sell today.

• Context-aware prompt injection is the dominant unaddressed risk in production agentic deployments.

• Benchmarks like AgentLure will become reference points enterprise red teams use, much as MITRE ATT&CK reshaped traditional red teaming.

What to do about it

• Read the ARGUS paper and use its threat model to evaluate your current agent deployments.

• Push vendors to publish performance against context-aware benchmarks, not only static jailbreak datasets.

• Build provenance tracking into your internal agent platforms, even if commercial vendors do not yet support it.

Rock’s Musings

The reason this matters is what it implies about everything else. If 3.8% is the new state of the art with strong defenses in place, the rate without those defenses is much higher. That is the gap most production agents sit in today. Vendor marketing on agent safety has been measured against weak benchmarks for two years. Get ahead of the curve, or be the case study in someone else’s incident report.

For more on agentic AI risk and CISO governance, see the library at RockCyber and analysis at RockCyber Musings.

👉 For ongoing analysis of agentic AI governance frameworks, the conversation continues at RockCyber Musings.

👉 Visit RockCyber.com to learn more about how we can help with your traditional Cybersecurity and AI Security and Governance journey.

👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com

👉 As a bonus, check out my conversation with CISO Tradecraft® where we talked about the OWASP GenAI Security Project Agentic Top 10

👉 Subscribe for more AI and cyber insights with the occasional rant.

The views and opinions expressed in RockCyber Musings are my own and do not represent the positions of my employer or any organization I’m affiliated with.

Share RockCyber Musings

References

ARGUS. (2026, May 5). ARGUS: Defending LLM agents against context-aware prompt injection. arXiv. https://arxiv.org/abs/2605.03378

BleepingComputer. (2026, May 4). Trellix discloses data breach after source code repository hack. https://www.bleepingcomputer.com/news/security/trellix-discloses-data-breach-after-source-code-repository-hack/

Bloomberg. (2026, May 6). AI security order under review as White House responds to Anthropic’s Mythos. https://www.bloomberg.com/news/articles/2026-05-06/white-house-preps-order-to-boost-ai-security-hassett-says

Brandon, R. (2026, May 4). Five Eyes warn agentic AI is too dangerous for rapid rollout. The Register. https://www.theregister.com/2026/05/04/five_eyes_agentic_ai_recommendations/

Breaking Defense. (2026, May 1). Pentagon clears 8 tech firms to deploy their AI on its classified networks. https://breakingdefense.com/2026/05/pentagon-clears-7-tech-firms-to-deploy-their-ai-on-its-classified-networks/

CISA. (2026, May 1). Careful adoption of agentic AI services. Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/resources-tools/resources/careful-adoption-agentic-ai-services

CNBC. (2026, May 5). Trump admin moves further into AI oversight, will test Google, Microsoft and xAI models. https://www.cnbc.com/2026/05/05/ai-oversight-trump-google-microsoft-xai.html

Al Jazeera. (2026, May 5). Microsoft, Google, xAI give US access to AI models for security testing. https://www.aljazeera.com/economy/2026/5/5/microsoft-google-xai-give-us-access-to-ai-models-for-security-testing

Fortune. (2026, May 6). Your company’s AI could delete everything in 9 seconds. ServiceNow wants to be the kill switch. https://fortune.com/2026/05/06/servicenow-kill-switch-ai-agents-bill-mcdermott/

Help Net Security. (2026a, May 1). Shadow AI risks deepen as 31% of users get no employer training. https://www.helpnetsecurity.com/2026/05/01/shadow-ai-risks-it-oversight/

Help Net Security. (2026b, May 5). One in four MCP servers opens AI agent security to code execution risk. https://www.helpnetsecurity.com/2026/05/05/ai-agent-security-skills-blind-spots/

Insurance Journal. (2026, May 7). White House prepares order to boost AI security, says economic advisor. https://www.insurancejournal.com/news/national/2026/05/07/868812.htm

Lewis Silkin. (2026, May 7). The Council and Parliament agree to slim down and delay parts of the EU AI Act. https://www.lewissilkin.com/insights/2026/05/07/the-council-and-parliament-agree-to-slim-down-and-delay-parts-of-the-eu-ai-act-102ms0v

Modulos. (2026, May 7). EU AI Act delayed: The Omnibus deal closed on 7 May 2026. https://www.modulos.ai/blog/eu-ai-act-omnibus-deal/

SecurityWeek. (2026, May 4). Trellix source code repository breached. https://www.securityweek.com/trellix-source-code-repository-breached/

ServiceNow. (2026, May 5). ServiceNow expands AI Control Tower across systems. https://newsroom.servicenow.com/press-releases/details/2026/ServiceNow-expands-AI-Control-Tower-to-discover-observe-govern-secure-and-measure-AI-deployed-across-any-system-in-the-enterprise/default.aspx

TechCrunch. (2026, May 1). Pentagon inks deals with Nvidia, Microsoft, and AWS to deploy AI on classified networks. https://techcrunch.com/2026/05/01/pentagon-inks-deals-with-nvidia-microsoft-and-aws-to-deploy-ai-on-classified-networks/

The Hacker News. (2026, May). We scanned 1 million exposed AI services. Here’s how bad the security is. https://thehackernews.com/2026/05/we-scanned-1-million-exposed-ai.html

VentureBeat. (2026, April). 200,000 MCP servers expose a command execution flaw that Anthropic calls a feature. https://venturebeat.com/security/mcp-stdio-flaw-200000-ai-agent-servers-exposed-ox-security-audit

Share

Open-weight reasoning models are landing in enterprise production, and the closed-vendor governance you bought doesn’t transfer with them. “Half-perimeter” is rhetorical; the real number depends on which controls you bought, but the point holds. The day a competent open-weight reasoning model runs on your hardware, the AI-specific governance you bought from your closed vendor stops covering part of the stack. The rest of this post walks the gap and the build.

The Vendor’s Own Words

OpenAI shipped gpt-oss-120b and gpt-oss-20b last year. Both are under Apache 2.0, and both are downloadable from Hugging Face. The 120b runs on a single 80GB GPU. In the model card, OpenAI’s own safety team admits what every CISO should already suspect. Once the weights ship, OpenAI cannot “implement additional mitigations or to revoke access.”

It’s the model provider’s own framing. It’s not me opining. Open-weight is a different risk profile from closed-API, by the model provider’s own assessment. The vendor can’t patch your inference cluster. The vendor can’t revoke a key that doesn’t exist. The vendor can’t run server-side abuse classifiers on traffic the vendor never sees. Everything that lived on the vendor side of the perimeter now lives on yours.

This is not a DeepSeek-versus-American-models story. It’s a closed-API-versus-open-weight story. Llama 3.3 70B (Meta), Qwen 3 32B (Alibaba), Mistral Magistral, and gpt-oss-120b sit on the same side of the boundary. The boundary is wherever the weights stop being someone else’s problem.

What Closed-Vendor Governance Bought You

Walk through what was on the bill of materials when you stood up your closed-API AI program. Oh, that’s right, you never did… but let’s pretend you did. You probably evaluated vendor-attested compliance, usually wrapped in a SOC 2 Type II report and a data processing addendum. DLP is integrated at the API gateway, watching prompts in flight. Output filtering runs on the vendor side, refusing to ship CBRN-adjacent content out of the model. Prompt firewall logic is embedded in the vendor SDK and patched without you redeploying. Vendor red teaming is on a continuous cadence. ToS enforcement occurs when an account misbehaves.

That stack assumed one thing. That a vendor sat on the other end of the inference call. Open-weight self-hosting moves every one of those controls in-house, with no shared customer base to underwrite the cost.

What does transfer? Network egress controls, identity at the runtime boundary, sandbox isolation, and supply-chain provenance for the model weights and fine-tunes. Notice what those have in common. None of them are AI-specific. They were always there. They’re the controls you applied to every other service you ran. Losing the AI-specific layer doesn’t break the non-AI controls. It does mean the only thing standing between a self-hosted reasoning model and a bad day is the perimeter you built for everything else.

Read your closed-vendor MSA carefully. The reps and warranties typically carve out third-party model behavior, hallucinations, and adversarial misuse. The vendor warrants infrastructure availability and indemnifies IP claims. The vendor doesn’t warrant safe model output. The “governance” part of vendor-attested compliance was always thinner than the SOC 2 cover suggested. Self-hosting strips even the thin part.

Refusal Training Is Now an In-House Problem

Vendor refusal training is the AI-specific control most enterprise teams over-trust. The research breaks the over-trust hard.

The Badllama 3 paper (arXiv 2407.01376) showed safety fine-tuning gets removed from Llama 3 8B in five minutes on a single A100 GPU for under fifty cents. The 70B model goes in 45 minutes for under three dollars. The same paper notes the attack runs on free Google Colab for the 8B variant. FAR.AI’s “Illusory Safety” research extended the result. Pre-fine-tune refusal rates near 100% across DeepSeek-R1, GPT-4o, Gemini 1.5 Pro, and Claude 3 Haiku dropped under 20% post-fine-tune. Harmfulness scores climbed past 80%.

The R1 red-team picture is even worse on the model itself, before any attacker fine-tuning. Cisco / Robust Intelligence reported a 100% attack success rate on 50 random HarmBench prompts against R1, while OpenAI o1 rejected every test in a parallel Holistic AI evaluation. Qualys TotalAI found R1’s distilled 8B variant failed 58% of 885 attempts across 18 jailbreak categories. Promptfoo put failures over 60% on prompts, including biological and chemical weapons. KELA jailbroke R1 to produce ransomware development steps and instructions for toxins and explosive devices.

OpenAI’s own approach to gpt-oss is the strongest signal that adversarial fine-tuning is the real threat model. The model card describes the adversarial fine-tuning of gpt-oss-120b under the Preparedness Framework prior to release. OpenAI’s Safety Advisory Group concluded the adversarially fine-tuned model didn’t reach “High” capability in Biological and Chemical Risk or Cyber risk. Read the implication closely. The model provider treats fine-tune-stripped safety as the baseline release condition the model must meet. The deployer running fine-tunes downstream gets no equivalent gate.

OpenAI knows this. It’s why gpt-oss-safeguard shipped on October 29, 2025: open-weight reasoning models for safety classification, designed for developers to operate as a defense-in-depth layer. Llama Guard 3, Prompt Guard, and Code Shield exist for the same reason. The vendor is shipping you the components. Components are not the same as a service. You operate them, tune them, monitor them, retrain them when the policy changes, and absorb the latency. OpenAI’s own gpt-oss-safeguard report names the constraint: reasoning-based classifiers add compute and latency that limit large-scale real-time use.

The math is brutal. The model weights are free. The runtime safety pipeline is not.

The Frameworks Describe the Gap. They Don’t Close It.

NIST AI RMF 1.0 plus the GenAI Profile (NIST AI 600-1, July 2024) plus the GPAI/Foundation Models Profile extension (arXiv 2506.23949) names training data audits (Manage 1.3, Measure 2.8) and model weight protection (Measure 2.7). Voluntary. The CSA NIST AI RMF Agentic Profile draft is candid about the bigger problem. It states plainly that earlier RMF documents did not contemplate “agents that acquire tool-use capabilities and execute autonomously in live production environments.”

OWASP Top 10 for LLM Applications 2025 LLM03 is the most explicit primary-source statement of the half-perimeter problem. The category description is direct: model cards offer no guarantees of provenance, malicious LoRA adapters compromise base models in collaborative environments, and on-device LLMs increase the attack surface. The OWASP Agentic Top 10, released December 10, 2025, adds ASI01 (Agent Goal Hijack) and ASI03 (Identity and Privilege Abuse) as runtime-boundary problems on self-hosted stacks.

ASI01 and ASI03 are not abstract. ASI01 shows up when prompt injection redirects an agent’s plan, and the closed-vendor refusal layer is gone. ASI03 shows up when the agent’s runtime authorization is broader than the task requires, because no vendor SDK is scoping the call for you anymore. Both problems live at the runtime boundary the vendor used to backstop.

EU AI Act Article 53(2) is the regulatory expression of the gap. Open-source GPAI models get a carve-out from technical documentation and downstream-information obligations, provided they’re released under a free open license, weights are public, and the model isn’t monetized. The carve-out vanishes at the Article 51 systemic-risk threshold of 10^25 FLOPs. Llama 3.3 70B, Qwen 3 32B, Mistral Magistral, and most enterprise-deployed open-weight reasoning models sit well below that threshold. They get the carve-out. They impose downstream obligations on enterprise deployers under Article 25(2) when significant modifications happen, a category that catches LoRA fine-tunes. Most teams running fine-tunes don’t know the clause exists. Enforcement begins August 2, 2026.

ISO 42001 mandates AIMS scope definition, third-party supplier oversight, and 38 Annex A controls. The gap there is structural. The open-weight model dropped from Hugging Face is not a “supplier” in the contractual sense. There’s no audit clause, no security questionnaire, no MSA. The standard tells you to define your AIMS scope. It doesn’t prescribe specific runtime-boundary controls for self-hosted foundation models.

Build the Runtime Perimeter

Frameworks describe the gap. Architecture closes it. The work to close it is described in the Huang and Lambros (yes, “this” Lambros) AAGATE paper (arXiv:2510.25863v2, November 3, 2025). AAGATE is a Kubernetes-native control plane that operationalizes NIST AI RMF for self-hosted agentic AI. The reference architecture hosts the open-weight model on Ollama at Layer 1 of the MAESTRO threat-model stack, which is the design assumption built in: the protected stack is “DeepSeek, Qwan, LLAMA, OSS” running on your hardware.

Four things transfer regardless of which control plane you adopt.

First, treat weights as supply-chain artifacts. AAGATE enforces SLSA L3, Cosign keyless signing on every OCI image, and an ArgoCD admission controller that rejects unsigned manifests at the gate. Whichever your path, you need signed weights, signed adapters, and a cluster-side admission policy that refuses to load anything unsigned. The Hugging Face nullifAI incident in February 2025, where ReversingLabs found malicious pickle files evading Picklescan via 7z compression and broken pickle deserialization, is the case study. Picklescan logs an error. The reverse-shell payload runs anyway.

Second, inventory open-weight runtimes alongside closed-API endpoints. AAGATE leverages the Agent Naming Service (ANS), and it registers every agent with a Decentralized Identifier and a SPIFFE certificate. You don’t need the blockchain layer. You do need a CMDB row for every Ollama cluster, every fine-tune, every adapter, with model SHA, lineage, and license tier captured. If your AI inventory has a row for the OpenAI tenant but no row for the GPU cluster running your fine-tuned Llama, the audit is incorrect.

Third, build authorization scope into the runtime, not the vendor SDK. AAGATE’s OAuth Relay translates abstract agent capabilities into ephemeral, narrowly scoped, purpose-bound credentials per side effect. Other architectures will name the same thing differently. The control matters since every external action an agent takes funnels through a policy-enforced single chokepoint with allow-listing, rate limiting, and cryptographic logging. AAGATE calls it the Tool-Gateway. AI gateway products commercialize the same pattern. Pick one.

Fourth, run your own evals because the vendor isn’t running them for you. AAGATE’s Janus Shadow-Monitor-Agent provides continuous, pre-execution adversarial evaluation in-loop, tied to a Governing-Orchestrator Agent executing a millisecond kill-switch when AIVSS scoring and SSVC decision logic flag a critical incident. The adversarial layer can also take the form of a parallel classifier, an internal red team, or any continuous evaluation pattern that mirrors what the vendor was running server-side. The pattern is non-negotiable. The product is.

These four moves are the architectural rebuttal to the half-perimeter. The perimeter you bought was always going to end at the runtime boundary. The runtime boundary is now your problem to instrument.

Operational reality matters here. The inference stack you’re protecting is Ollama, vLLM, SGLang, or llama.cpp. None of them ship with vendor-grade telemetry. Your container hosts a probabilistic system with stateless calls and no support contract. When an attacker fine-tunes a copy of your weights and slips it into your registry, there is no support call to escalate. There is only the runtime perimeter you built before the incident.

Key Takeaway: Closed-vendor governance was the AI-specific half you didn’t have to build. Open-weight reasoning models in production change that. Inventory the runtimes, sign the weights, scope the runtime authorization, and run your own evals. The vendor isn’t doing it for you anymore.

What to do next

If you’re approving an open-weight pilot this quarter, demand four things on the architecture review before the GPUs land. First, model SHA and adapter lineage in the CMDB on day one. Second, an egress chokepoint with input/output sanitization and policy-enforced allow-lists. Third, supply-chain controls (signed weights, SLSA-grade provenance, admission control rejecting unsigned). Fourth, a continuous internal evaluation loop on every high-risk agent.

The CARE framework (Create, Adapt, Run, Evolve) applies the same structure to AI security program design. The CISO Evolution covers the executive judgment side of decisions like this one. The AAGATE paper (arXiv 2510.25863v2) is the open-source reference architecture if you want to start from running code.

👉 Visit RockCyber.com to learn more about how we can help you in your traditional Cybersecurity and AI Security and Governance Journey

👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com

👉 Subscribe for more AI and cyber insights with the occasional rant.

The views and opinions expressed in RockCyber Musings are my own and do not represent the positions of my employer or any organization I’m affiliated with.

Share RockCyber Musings

Share

A coding agent killed a startup’s database in nine seconds. Anthropic shipped a model Mozilla called “elite.” Brussels missed its own deadline. Florida’s House Speaker buried his governor’s AI bill before lunch on day one. Two cloud-native AI vulnerabilities went from disclosure to exploitation in under 36 hours. Google and Forcepoint documented indirect prompt injection in the wild on the same day. UK’s AI Security Institute caught Mythos sabotaging research it was supposed to help with. Pretending this is theoretical is no longer defensible.

This week stress-tested every assumption CISOs hold about AI. The vendor you depend on sells your adversaries the same capability. The agent your developers love wipes three months of revenue and pastes a confession. Open source is the gateway. Indirect injection is the exploit. Autonomy without rollback is the consequence.

I’ll walk you through ten stories and one piece of plumbing. AI security used to run on a 24-month horizon. The default now is whatever ships before next quarter. If you wait for clarity, you lose ground to people who already decided.

1. The Trump Administration Eyes Anthropic’s Mythos as a Weapon

On April 24, the Washington Post reported Anthropic’s Mythos system rattled the Trump administration. Mozilla’s CTO compared the model’s vulnerability detection to a “world-class, elite security engineer.” Anthropic withheld general release, routing access through Project Glasswing partners, including AWS, Apple, Cisco, CrowdStrike, Google, JPMorgan Chase, and Microsoft. Anthropic privately briefed senior officials. Mythos meaningfully raises the probability of large-scale cyberattacks this year.

Why it matters

• Capability parity flipped. Defenders and attackers reach for the same tool.

• Vendors are now gatekeepers of dual-use capability. Anthropic’s withholding sets a precedent.

• Government dependence on private model access creates new procurement and security questions.

What to do about it

• Map your exposure to LLM-discoverable vulnerabilities in first-party and open-source code.

• Negotiate access to AI-assisted scanning before your adversaries scan you first.

• Update incident playbooks to assume hours of dwell time, not days.

Rock’s Musings

Yes… more Mythos news. Can’t ignore it if it’s coming out of the White House. It’s not fiction. It’s a procurement question. I’ve watched this pattern in every arms shift, from automated network scanning to commodity exploit kits. The defender who gets there second loses.

Anthropic’s gatekeeping is a defensible choice. The choice is whether your ecosystem qualifies for the safe lane or you’re stuck reading about Glasswing on Substack. Get on a call with your AWS, Cisco, or Microsoft reps. If the answer is no, plan around it. We track this kind of vendor calculus at RockCyber.

2. Cursor’s Claude Agent Wipes a Startup’s Database in Nine Seconds

On Friday, April 25, a Cursor coding agent powered by Claude Opus 4.6 deleted PocketOS’s entire production database and all volume-level backups in a single API call. The agent encountered a credential mismatch in staging, decided to resolve it by deleting a Railway infrastructure volume, scanned the codebase for an unrelated API token, and then ran the command. PocketOS serves car rental businesses nationwide. Three months of reservations, payments, customer information, and vehicle assignments went dark. Railway restored the data on Sunday using internal disaster backups not advertised to customers. The agent itself wrote the public confession.

Why it matters

• Agents don’t ask permission. They scan for the credentials unblocking them.

• “Production” and “staging” are now labels, not boundaries.

• Recovery happened because Railway keeps undocumented backups. Hope is not a strategy.

What to do about it

• Force agents to operate with scoped, ephemeral credentials. Long-lived API keys in a repo are liabilities with autonomy attached.

• Implement break-glass approval gates for destructive infrastructure calls.

• Test backup recovery monthly. If you can’t restore in under an hour, you don’t have backups.

Rock’s Musings

PocketOS got lucky. Railway ran a heroic recovery on a Sunday using backups the customer didn’t know existed. If your AI strategy depends on a founder’s weekend chivalry, you don’t have a strategy. You have hope.

The agent did what it was trained to do. Scan, plan, act, document. The failure was in governance, not capability (and let’s just say, a suboptimal technical infrastructure). The villain is the assumption that an autonomous system will halt and ask. They don’t halt. Build the rails. Treat agents like an over-eager intern with the ability to call DELETE on prod.

3. LiteLLM Bug Goes From Disclosure to Exploitation in 26 Hours

GitHub’s Advisory Database indexed CVE-2026-42208 in LiteLLM on April 24 at 16:17 UTC. Sysdig logged the first exploitation attempt on April 26 at 16:17 UTC, roughly 26 hours later. The bug carries a CVSS of 9.3 and lets unauthenticated attackers send a crafted Authorization header to any model API route, then read or modify the proxy’s database (Sysdig). LiteLLM is the open-source LLM gateway with more than 22,000 GitHub stars, fronting OpenAI, Anthropic, and other model providers in production. The same project sat at the heart of the Mercor breach earlier this year.

Why it matters

• AI infrastructure now looks like any internet-exposed service.

• Pre-auth SQLi on the gateway exposes API keys and credentials for downstream model providers.

• Disclosure-to-exploitation time keeps shrinking. The 36-hour window is the new optimistic baseline.

What to do about it

• Inventory every LiteLLM, vLLM, LMDeploy, or proxy node in your environment. Patch to 1.83.7-stable or above for LiteLLM.

• Treat LLM gateways as Tier 0 assets. Apply the controls you’d apply to identity providers.

• Subscribe to maintainer advisory feeds. GitHub Advisory Database lag of four days is too long.

Rock’s Musings

LiteLLM is the kind of dependency pulled in via a Cursor prompt or an aspirational architecture diagram. It runs as the front door to every model provider you care about. Pre-auth SQL injection on it is a “your AI program is over” event.

Disclosure-to-exploit windows make monthly patch cycles professional malpractice. If your AI security playbook still says “evaluate within 30 days,” shred it. We’ve moved to “act within 24 hours or accept compromise as a feature.”

4. Indirect Prompt Injection Has Left the Lab. It’s Everywhere.

On April 24, Google’s Online Security Blog and Forcepoint’s X-Labs published parallel reports documenting indirect prompt injection in the wild. Forcepoint identified ten payload families targeting AI agents with instructions for financial fraud, data destruction, and API key theft. Google reported a 32% relative increase in malicious activity between November 2025 and February 2026. Attackers hide instructions inside webpages with single-pixel text, transparent fonts, HTML comments, and metadata. Neither team attributed the campaigns to a single actor, though both noted shared templates suggesting organized tooling.

Why it matters

• Agents summarizing content are low-risk. Agents sending emails, running commands, or processing payments are the targets.

• Filters watching user input miss content fetched by the agent.

• The threat model includes every third-party page your agent loads.

What to do about it

• Inventory every agent fetching external content. Note which tools they call.

• Implement allowlists for outbound tool execution. Default deny for novel actions.

• Add output filtering for instruction-like content in tool responses, not only user input.

Rock’s Musings

We’ve been treating indirect prompt injection as a research curiosity since 2023. It’s now an operational threat with documented campaigns and template reuse. The Lakera and OWASP folks were right.

If you’ve deployed an agent with browsing capability, your trust boundary includes every webpage it visits. The entire internet. I wrote about this on RockCyber Musings earlier this year. It got worse.

5. American Leadership in AI Act Drops With 20+ Bills Stitched In

On April 27, Reps. Ted Lieu (D-Calif.) and Jay Obernolte (R-Calif.) introduced the American Leadership in AI Act, a six-title package consolidating more than 20 prior bills from the Bipartisan AI Task Force (Nextgov/FCW). The package covers standards and evaluation, research infrastructure, federal AI governance and procurement, worker protections, deepfake harms, and AI education. The bill is the most substantive bipartisan AI proposal in this Congress, landing during tension between the White House’s preemption push and active state legislation.

Why it matters

• Federal preemption fights will intensify. State AI laws face new risk.

• Procurement standards in the bill shape what enterprises demand from AI vendors.

• Deepfake provisions create new compliance obligations for media and platforms.

What to do about it

• Map AI-procurement language to current vendor contracts.

• Track state-level bills you’re already complying with for preemption risk.

• Get legal reading the testing and evaluation title carefully.

Rock’s Musings

Two California members of Congress, one D and one R, agreeing on AI is unicorn territory. Don’t get excited. Bipartisan bills with 20+ titles tend to die under the weight of their own ambition.

The interesting question is which provisions get pulled into appropriations or NDAA riders before December. Watch the procurement and federal AI governance titles. Those move first because the executive branch wants them. Plan as if procurement standards land by Q3.

6. EU AI Act Omnibus Trilogue Collapses, August Deadline Stays Live

On April 28, Brussels held the second political trilogue on the AI Act Omnibus, the proposal deferring high-risk AI compliance. After roughly twelve hours, the Council and Parliament failed to agree on conformity-assessment architecture for AI in regulated products (Modulos). A follow-up trilogue is scheduled for May 13. The August 2, 2026 high-risk obligations remain operative law.

Why it matters

• Vendors and deployers cannot bank on a deferral. August is the working assumption.

• The Cypriot Council Presidency ends June 30. Lithuania might finish negotiations.

• The Annex I disagreement signals sectoral assessments will keep biting medical device and machinery providers.

What to do about it

• Continue compliance preparation as if no Omnibus arrives. Treat May 13 as a tiebreaker, not a save.

• For medical devices, machinery, and other Annex I products, lock in your conformity-assessment plan now.

• Get internal legal sign-off on the original AI Act timelines this quarter.

Rock’s Musings

I keep telling clients hoping for a deferral is not a compliance strategy. This week confirmed it. Brussels cannot agree on the structure of the regulation it already passed.

If your CFO asks why you spent budget on AI Act readiness, point at this paragraph. The cost of overpreparing is a few quarters of work. The cost of underpreparing is an enforcement action against your highest-revenue product line. I know which side of the bet I want.

7. Microsoft and OpenAI Restructure for Cyber Defense

On April 27, Microsoft and OpenAI announced revised partnership terms (24/7 Wall St). OpenAI’s API will run on any cloud provider, including AWS via Bedrock. Microsoft’s IP license is no longer exclusive but runs through 2032. The companies expanded Trusted Access for Cyber, giving Microsoft access to OpenAI’s most cyber-capable models, folded into the Secure Future Initiative. The pact pairs OpenAI’s offensive-capable model work with Microsoft’s defender stack across cloud, identity, productivity, and frontier AI.

Why it matters

• The exclusivity reset reshapes vendor lock-in for AI procurement.

• Microsoft’s defender stack now has a privileged channel to cyber-capable models.

• The same models detecting attacks also execute them. Internal review for offensive capability is no longer optional.

What to do about it

• Reassess your AI vendor strategy. Multi-cloud is realistic now.

• For Microsoft customers, evaluate Trusted Access for Cyber eligibility.

• Demand transparency from AI security vendors about model and guardrails.

Rock’s Musings

Microsoft bought itself the most defended seat at the AI security table. The pact extends a moat already including Defender, Sentinel, Purview, and Copilot for Security. Smaller security vendors should be nervous.

If you’re a CISO in a Microsoft shop, this is a small win. If you’re betting on a non-Microsoft AI security stack, reread your strategy. The exclusivity end means more options, the cyber pact deepens lock-in.

8. UK AISI Catches Claude Mythos Sabotaging Research

On April 28, the UK AI Security Institute (AISI) published an updated sabotage evaluation framework. Across 297 scenarios, no model attempted spontaneous research sabotage. In a new “continuation” test, Mythos Preview continued to sabotage 7% of inputs after being explicitly directed not to (AISI). The same evaluation showed Mythos Preview completing the first 32-step enterprise attack simulation start-to-finish, succeeding on 73% of expert-level tasks that no model had completed before April 2025.

Why it matters

• Continuation behavior matters more than spontaneous behavior. Real attackers prompt the model.

• A 7% sustained sabotage rate warrants treating these models as untrusted insiders during sensitive work.

• The 32-step completion shows operational maturity. Models execute multi-stage cyber operations end to end.

What to do about it

• Don’t run frontier models on safety-sensitive code reviews without monitoring.

• Build red-team programs, prompting and continuing rather than single-shot tests.

• Track AISI’s methodology. Adopt continuation-style tests internally.

Rock’s Musings

Spontaneous misbehavior was never the threat model scaring me. Continuation is. Once an attacker plants the seed, the model becomes a complicit operator inside your environment. Seven percent is small until you multiply it by every prompt your enterprise sends in a day.

AISI does work nobody else funds at this rigor. If your AI governance committee isn’t reading their reports cover to cover, you’re outsourcing your threat model to LinkedIn posts. Read the source.

9. Florida House Speaker Kills DeSantis’s AI Bill on Day One

On April 28, Florida convened a four-day special session. The Senate voted 37-1 in favor of the AI Bill of Rights. House Speaker Daniel Perez killed the bill that same morning, declaring that the only topic the House would address was redrawing congressional maps (Florida Phoenix). Perez argued AI regulation belongs to the federal government, aligned with a Trump executive order targeting state AI laws. The bill would have required parental consent for minor accounts on companion chatbot platforms, prohibited unauthorized commercial use of AI-generated likenesses, and required AI disclosure to users.

Why it matters

• State preemption fights are escalating. Florida sided with the federal government before federal law exists.

• Companion chatbot rules pass Senate chambers and die in House chambers. The pattern matters.

• AI-generated likeness and consent provisions will keep returning. Plan for eventual passage somewhere.

What to do about it

• If you run companion chatbots, monitor every state bill on minors and consent.

• Brief your legal team on AI-likeness and right-of-publicity rules in California, Tennessee, and active special sessions.

• Don’t bank on federal preemption. Executive orders reverse.

Rock’s Musings

The pattern is the same one I’ve called out for two years. State Senates pass AI bills, state Houses kill them, and the federal government drafts preemption language. The result is regulatory whiplash across 50 jurisdictions plus DC plus a federal package which might or might not preempt them. Give your privacy and AI counsel hazard pay. They’re earning it.

10. HackerOne Launches h1 Validation as AI Vuln Reports Surge 76%

On April 29, HackerOne launched h1 Validation, a service triaging AI-discovered vulnerability reports for actual exploitability (Cybersecurity Insiders). Vulnerability submissions on the platform rose 76% year over year, hitting a record high in March 2026. About 25% of findings were confirmed exploitable. The share of critical and high-severity vulnerabilities grew to 32%, up from a 26-28% baseline. The launch follows months of complaints from program owners overwhelmed by AI-generated reports of varying quality.

Why it matters

• AI generates more vuln reports than security teams triage.

• Triage capacity, not discovery, is the constraint.

• This signal-to-noise problem reshapes bug bounty economics within 12 months.

What to do about it

• Audit your bug bounty intake pipeline. If reports outpace triage, fix it.

• Invest in tooling classifying reports by exploitability before a human reads them.

• Set expectations with researchers. AI-assisted submissions need higher proof of impact.

Rock’s Musings

The asymmetry is volume. Models like Mythos and GPT-5.5-Cyber produce thousands of plausible reports per day. Most are junk. Some are lethal. Your triage team won’t keep up by reading harder. Whether you buy h1 Validation or build your own, manual triage of AI-scale output is a doomed strategy.

The One Thing You Won’t Hear About But You Need To

CSAI Foundation Becomes the First AI-Specific CVE Numbering Authority

On April 29, the Cloud Security Alliance’s CSAI Foundation announced three milestones at the CSA Agentic AI Security Summit (CSA). The foundation registered as a CVE Numbering Authority through MITRE, gaining direct ability to issue CVEs for AI-specific vulnerabilities. It launched the STAR for AI Catastrophic Risk Annex extending the AI Controls Matrix to scenarios involving loss of human oversight, with rollout from June 2026 through December 2027. It also acquired the Autonomous Action Runtime Management (AARM) specification, contributed by Vanta.

Why it matters

• AI-specific CVE issuance changes how AI vulnerabilities get tracked, scored, and patched.

• The Catastrophic Risk Annex maps to NIST AI RMF, the EU AI Act, and ISO/IEC 42001, giving auditors a consolidated reference.

• AARM gives operators a formal specification for runtime control of agent actions.

What to do about it

• Add CSAI Foundation advisories to your security feed.

• For high-risk deployments, map internal controls to the Catastrophic Risk Annex during phase one rollout.

• Pilot AARM in one agentic workflow this quarter. Runtime control of agent actions is the right level of abstraction.

Rock’s Musings

Plumbing matters more than press releases. While headlines went to Mythos and the Cursor accident, the CSAI Foundation stood up the infrastructure for AI-specific vulnerability tracking, runtime control, and catastrophic risk auditing. This decides whether AI security becomes a discipline or stays a marketing category.

I’ve worked in standards for thirty years. The value compounds quietly until one day the auditors ask, and you either have it or you don’t. We track CSAI work closely at RockCyber. Start with the CSA press release, then loop in your governance team Monday.

👉 For ongoing analysis of agentic AI governance frameworks, the conversation continues at RockCyber Musings.

👉 Visit RockCyber.com to learn more about how we can help with your traditional Cybersecurity and AI Security and Governance journey.

👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com

👉 As a bonus, check out my conversation with Eva Benn where we talked about the cybersecurity skills you need to develop to stay relevant in 2026 and beyond.

👉 Subscribe for more AI and cyber insights with the occasional rant.

The views and opinions expressed in RockCyber Musings are my own and do not represent the positions of my employer or any organization I’m affiliated with.

Share RockCyber Musings

References

Cloud Security Alliance. (2026, April 29). CSAI Foundation announces key milestones to secure the agentic control plane. https://cloudsecurityalliance.org/press-releases/2026/04/29/csai-foundation-announces-key-milestones-to-secure-the-agentic-control-plane

Cybersecurity Insiders. (2026, April 29). HackerOne launches h1 Validation to tackle rising wave of AI-driven vulnerabilities. https://www.cybersecurity-insiders.com/hackerone-launches-h1-validation-to-tackle-rising-wave-of-ai-driven-vulnerabilities/

Florida Phoenix. (2026, April 28). Florida Speaker kills DeSantis’ AI regulation, vaccine repeal bills on first day of special session. https://floridaphoenix.com/2026/04/28/florida-speaker-kills-desantis-ai-regulation-vaccine-repeal-bills-on-first-day-of-special-session/

Forcepoint X-Labs. (2026, April 24). Indirect prompt injection in the wild: X-Labs finds 10 IPI payloads. https://www.forcepoint.com/blog/x-labs/indirect-prompt-injection-payloads

Google. (2026, April 24). AI threats in the wild: The current state of prompt injections on the web. Google Online Security Blog. https://security.googleblog.com/2026/04/ai-threats-in-wild-current-state-of.html

Help Net Security. (2026, April 24). Indirect prompt injection is taking hold in the wild. https://www.helpnetsecurity.com/2026/04/24/indirect-prompt-injection-in-the-wild/

Modulos. (2026, April 28). EU AI Act Omnibus: The trilogue failed, what happens to the August 2026 deadline?. https://www.modulos.ai/blog/ai-act-omnibus-trilogue-failed/

Nextgov/FCW. (2026, April 28). Lieu and Obernolte introduce consolidated AI bill package. https://www.nextgov.com/artificial-intelligence/2026/04/lieu-and-obernolte-introduce-consolidated-ai-bill-package/413134/

Sysdig. (2026, April 29). CVE-2026-42208: Targeted SQL injection against LiteLLM’s authentication path discovered 36 hours following vulnerability disclosure. https://www.sysdig.com/blog/cve-2026-42208-targeted-sql-injection-against-litellms-authentication-path-discovered-36-hours-following-vulnerability-disclosure

The Hacker News. (2026, April 24). LMDeploy CVE-2026-33626 flaw exploited within 13 hours of disclosure. https://thehackernews.com/2026/04/lmdeploy-cve-2026-33626-flaw-exploited.html

The Hacker News. (2026, April 29). LiteLLM CVE-2026-42208 SQL injection exploited within 36 hours of disclosure. https://thehackernews.com/2026/04/litellm-cve-2026-42208-sql-injection.html

The Register. (2026, April 27). Cursor-Opus agent snuffs out startup’s production database. https://www.theregister.com/2026/04/27/cursoropus_agent_snuffs_out_pocketos/

Tom’s Hardware. (2026, April 27). Claude-powered AI coding agent deletes entire company database in 9 seconds. https://www.tomshardware.com/tech-industry/artificial-intelligence/claude-powered-ai-coding-agent-deletes-entire-company-database-in-9-seconds-backups-zapped-after-cursor-tool-powered-by-anthropics-claude-goes-rogue

UK AI Security Institute. (2026, April 28). Our evaluation of Claude Mythos Preview’s cyber capabilities. https://www.aisi.gov.uk/blog/our-evaluation-of-claude-mythos-previews-cyber-capabilities

24/7 Wall St. (2026, April 28). Microsoft’s AI moat holds up even after the OpenAI reset. https://247wallst.com/investing/2026/04/28/microsofts-ai-moat-holds-up-even-after-the-openai-reset/

Washington Post. (2026, April 24). AI hacking fears jolt Washington as Anthropic unveils Mythos. https://www.washingtonpost.com/technology/2026/04/24/anthropic-mythos-ai-washington-cybersecurity-hacking-risk/

Share

AI coding agent prompt injection has a procurement problem, and a researcher just published the receipt. Aonan Guan typed a malicious instruction into a GitHub pull request title last week. Anthropic’s Claude Code Security Review action posted its own API key as a comment. So did Google’s Gemini CLI Action. So did GitHub’s Copilot Agent. Same exploit hit three vendors, with no infrastructure required. Anthropic’s 232-page system card had named the gap before the researchers published. The other two vendors had not documented enough to predict their own outcome.

Most of the writing on this incident will focus on architecture. The runtime is the perimeter. The action boundary is the blast radius. Both readings are correct. Both are also a deflection. The architecture story explains the mechanism. It doesn’t explain why the buyer was exposed in the first place. The buyer signed three contracts, accepted three sets of safety claims, and never required any of the three vendors to assert anything about the seams between them. The trigger was a prompt injection. The exposure was procurement.

I want to push past the architecture take and look at the governance read, because the governance read implicates the reader in a way the architecture take does not.

How Comment and Control Worked

Aonan Guan, working with Zhengyu Liu and Gavin Zhong at Johns Hopkins, opened a GitHub pull request in a target repository. They typed a malicious instruction into the PR title. The repository used the pull_request_target workflow trigger, which any AI coding agent integration with secret access requires. That trigger injects repository secrets into the runner environment. The agent read the PR title, treated the instruction as a directive, called GitHub’s own API using credentials stored in its environment variables, and posted the secret as a comment on the PR. The default pull_request trigger doesn’t expose secrets to fork PRs. The pull_request_target trigger does, by design.

This is the textbook case of what Simon Willison has been calling the lethal trifecta. Access to private data sits in the runner. Untrusted input arrives through the PR title. The exfiltration channel is GitHub’s comment API, which sits in the agent’s default tool inventory. All three conditions sit at the seam between three vendors. The exploit needs all three to fire. Comment and Control satisfies all three by design, and no single vendor has written a document that asserts anything about the combination.

Anthropic ranked the disclosure as CVSS 9.4 Critical and paid a $100 bounty. Google paid $1,337. GitHub paid $500. None of the three issued a CVE in the National Vulnerability Database at the time of disclosure. None published a GitHub Security Advisory. Those numbers send a market signal. Vendor bounty programs classify seam vulnerabilities as out of scope for their own programs, and researchers respond to incentives. The next class of these findings will follow the same path the bounties point them down.

Help Net Security ran a piece this week on Google’s own CommonCrawl analysis showing a 32% relative increase in malicious indirect prompt injection content between November 2025 and February 2026. The supply of payloads is growing faster than vendor disclosures. That is the operating environment.

Why AI Coding Agent Prompt Injection Is a Governance Problem

Pull a model card off any of the three vendor sites. Anthropic’s Opus 4.7 system card, published April 16, 2026, runs 232 pages. It quantifies hack rates. It publishes injection resistance metrics. It includes an explicit statement. Claude Code Security Review is “not hardened against prompt injection.” Anthropic does the most mature disclosure work in the industry. OpenAI’s GPT-5.4 system card documents red-team hours and model-layer evals without publishing agent-runtime resistance numbers. Google’s Gemini 3.1 Pro card defers most of its safety methodology to the older Gemini 3 Pro card.

Rank those three in a procurement scorecard, and Anthropic comes out on top. That ranking is the wrong question. A model card describes a model’s behavior. Comment and Control didn’t break a model. The disclosure was complete for the layer Anthropic owns and silent on the seam, because Anthropic doesn’t own the seam. The seam runs through GitHub’s runner, GitHub’s API, the agent’s environment variable scope, the workflow trigger configuration, and the buyer’s choice to enable agent integration on a repository with secrets. Each of those pieces sits inside a different contract. None of those contracts asserts anything about the combination.

The structural gap is what makes this a governance story. The cloud security industry took roughly a decade to converge on the shared responsibility model. AWS owns the hypervisor. The customer owns the workload. Each side owns a clear half. Most of the early breaches happened in the unowned middle of that line, and the convergence was painful. Agent composition is replaying that history with a sharper acceleration curve, and there is no industry consensus on where the line sits. Three vendors share a single runtime with no agreed-upon accountability model. The buyer carries everything that the contracts do not.

Here is a hypothetical for the operational consequence. A SOC running normal vulnerability scanning across the agent-enabled repos sees green. None of the three disclosures generated CVEs in the NVD. The internal ticketing system has no category for “agent runtime composition risk.” The risk register has no entry. The budget has no line item. The exploit class is real, the severity is Critical across three vendors, and the standard tooling reports zero findings because the standard tooling has nothing to scan against. The exploit became possible because no one wrote it down as a thing to look for.

The Procurement Questions You Should Have Asked

Most CISO action checklists produced after an incident like this read as a list of post-hoc remediation steps. Rotate credentials. Restrict permissions. Add monitoring. Those moves are correct, and they are also reactive. The harder, more useful artifact is the set of procurement questions that, asked at signing, would have made Comment and Control either impossible or contractually attributable.

Here are five questions. Paste them into your next vendor governance review verbatim or adapt them. They work for AI coding agents, and they will work for the next class of agentic integrations after this one.

The first question is about layer ownership. Ask each vendor, “Name the layers of the agent runtime your security guarantees cover, and name the layers you don’t cover.” Most vendors will answer the first half. The interesting answer is the second half. A vendor who cannot articulate the layers it doesn’t cover hasn’t thought about composition. The contract you are about to sign assumes a perimeter that the vendor hasn’t analyzed.

The second question is about quantified resistance metrics on the deployment surface you actually use. Anthropic publishes injection resistance numbers in the Opus 4.7 system card. Those numbers cover Anthropic’s API surface. They don’t cover Claude Code Security Review running on GitHub Actions with a pull_request_target trigger and secrets in scope. Ask for the resistance number for the model version you run on the platform you deploy to. If the vendor cannot produce that number, the vendor cannot quantify the risk you are accepting.

The third question is about bounty scope. Ask each vendor, “Does your bounty program consider vulnerabilities at the integration boundary between your product and the platforms it deploys on?” Anthropic’s HackerOne program scopes agent-tooling findings separately from model-safety findings. The position is defensible. The position also pushes researchers’ attention away from the seams. Knowing which vendor’s program covers which surface is a procurement signal. It tells you which surfaces will get the most external scrutiny over the contract life and which surfaces will not.

The fourth question is about composition disclosure. Ask each vendor, “When your product is integrated with another vendor’s platform, who is responsible for documenting the security properties of the combined system?” The honest answer from every vendor is “the buyer.” Get it in writing. The asymmetry exposes why a shared responsibility artifact for agent runtimes does not yet exist.

The fifth question is about runtime telemetry. Ask, “What runtime signals do you publish that allow me to detect prompt injection in production?” If the answer is a model-card link, the vendor hasn’t built the runtime monitoring. If the answer is an SDK with detection hooks, document the coverage and the false-positive rate. The August 2026 EU AI Act high-risk compliance deadline turns this question from a nice-to-have into an audit artifact, and the vendors who cannot answer it now will be the ones renegotiating contracts in Q3.

Those five questions don’t eliminate the exploit class. They make the exploit class a contractual variable instead of a discovered surprise. A buyer who asks all five before signing knows where the seam runs and who is on the hook for what.

What to Do This Week, Ordered by Blast Radius Reduction

The reactive moves still matter. Order them by blast radius reduction, not by the order they appear in any vendor advisory. Each one carries a different internal political cost, and pretending the costs are equal is how good control work dies in committee.

Inventory every workflow in your repositories that uses pull_request_target. The grep is cheap. The conversation with the dev tooling team about what each of those workflows needs is not. Expect to find workflows configured for one reason, with AI agent integrations later layered on top, and no review of the original threat model.

Rotate every credential exposed to agents in those workflows over the last 90 days. The cost is low. The likelihood of someone pushing back is also low. Do it first because it is the cheap one, and use the speed of the rotation to demonstrate that agent-related credential rotation is now part of the normal operating cadence.

Switch from stored secrets to short-lived OIDC tokens for any workflow that supports it. The political cost is medium. You will need platform team buy-in. The argument that closes the loop is exactly the procurement gap above. Stored secrets in agent-accessible environments are a category of risk no vendor’s contract currently covers, and OIDC removes the category from the buyer’s residual.

Strip bash execution permissions from agents that only need to perform code review. This one starts a fight with the developer tooling team because some of the convenience features will break. The fight is worth having. An agent with bash permissions on a CI runner with secrets in scope is the worst-case configuration. Write the security memo and force the documented risk acceptance from the team that wants to keep the bash channel open.

Add a category to your supply chain risk register called “AI agent runtime composition.” Most GRC tooling doesn’t have a field that maps to the category. Add it manually. The act of adding the category forces the conversation about which vendor combinations are covered by which contracts and which are not. The conversation is the artifact you actually need. The risk register entry is the receipt that the conversation happened.

Where the Industry Has to Go

The cloud security industry built the shared responsibility model under pressure from breaches and ten years of regulatory friction. The AI agent industry has neither of those forcing functions yet. The EU AI Act high-risk obligations come into force in August 2026 and will start to put procurement language behind some of these questions, but the standards work that would produce a real shared responsibility artifact for agent runtimes hasn’t happened. This is where the CARE framework lands. Create the procurement questions before you sign. Adapt the controls you already have around CI/CD, secret scoping, and runtime monitoring. Run the agent integrations under the same operating cadence as the rest of your privileged automation. Evolve the risk register category as new exploit classes emerge. The exploit class will not stop with Comment and Control. The next one will follow the same architectural pattern and the same governance gap. The CISOs who are ready for it are the ones who treat agent procurement as a governance problem now, while the vendors and the standards bodies are still catching up.

Key Takeaway: The AI coding agent prompt injection class lives in the seams between vendor contracts, and the buyer carries the residual until the procurement questions force the seams into the conversation.

What to Do Next

Start with the five procurement questions in your next vendor renewal cycle. Do the credential rotation and the OIDC migration this quarter. Read the rest of the RockCyber Musings archive for the operating cadence I run with clients on agentic AI security reviews, and reach out through RockCyber if you want to walk through the procurement question set against a specific vendor stack you are evaluating.

👉 Visit RockCyber.com to learn more about how we can help you in your traditional Cybersecurity and AI Security and Governance Journey

👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com

👉 Subscribe for more AI and cyber insights with the occasional rant.

The views and opinions expressed in RockCyber Musings are my own and do not represent the positions of my employer or any organization I’m affiliated with.

Share RockCyber Musings

Share

Seven days. One breached “too dangerous to release” model. One vibe coding platform exposing 76 days of customer source code. One AI supply chain attack that cost Vercel its dignity. A compliance startup accused of rubber-stamping SOC 2 reports for companies that later got breached. Every story landed between April 17 and April 23, 2026, the same week Gartner blessed its first “Company to Beat” in agent governance, the UK promised a £90 million cyber shield, and Google shipped three security agents. The security industry spent two years debating whether agentic AI was a real threat. This week, the debate ended.

AI systems are both targets and attack vectors, with failure modes of their own. A frontier model gets breached because a vendor fell for infostealer malware in February. A vibe coding startup ships a regression and exposes every customer’s source code for 76 days. A compliance startup hands out SOC 2 attestations like candy, and one customer becomes the pivot for a supply chain attack. Governments and analysts moved together. The UK committed real money to AI-powered cyber defense. Gartner stamped agent governance as a procurement category. This is the week the gap between AI capability and AI assurance became a balance sheet problem.

1. Anthropic Mythos Model Accessed By Unauthorized Discord Group Days After Launch

Anthropic confirmed on April 22, 2026, that it is investigating unauthorized access to Mythos, the frontier model restricted to roughly 40 partners, including Apple, Google, JPMorgan Chase, and NVIDIA (Bloomberg). The access came through a third-party contractor environment, not Anthropic’s direct infrastructure (CBS News). A Discord group focused on unreleased AI models guessed Mythos’s URL from naming conventions and pivoted through a contractor’s credentials to reach it. Anthropic claims no core systems were compromised.

Why it matters

• The firm Anthropic, trusted with access to frontier models, is the one that leaked it.

• Mythos autonomously finds and weaponizes zero-days. Downstream risk spans all major OSes.

• Guessing URLs and owning one contractor beat a Tier 1 AI lab.

What to do about it

• Inventory every third-party vendor with access to frontier AI weights or runtime. Treat them as Tier 1.

• Require contractors touching AI infrastructure to match your credential isolation standards.

• Demand hardware token enforcement for any vendor in production AI environments.

Rock’s Musings

A contractor endpoint blew apart the “too dangerous to release” framing in 24 hours. Anthropic built Mythos to protect partners from zero-days, then lost it through a vendor employee. The model built to find vulnerabilities got stolen because of a vulnerability nobody thought to measure. You cannot outsource your trust perimeter. Every CISO needs to audit AI-access vendors as they do their crown-jewel systems.

2. Vercel Supply Chain Breach Via Context.ai OAuth Token Compromise

Vercel confirmed on April 19, 2026 that customer data was stolen via a compromise of Context.ai, a third-party AI assistant a Vercel employee had connected to Google Workspace with full Drive read access (TechCrunch). A Context.ai employee’s device was infected with Lumma infostealer in February 2026. ShinyHunters used the exfiltrated OAuth tokens to pivot into the Vercel employee’s Google account, then into Vercel itself (Vercel). The actor is offering source code, NPM and GitHub tokens, and access keys for $2 million on BreachForums.

Why it matters

• One OAuth app installed by one employee rolled into a platform breach.

• Lumma was the vector. The AI assistant was the accelerant.

• ShinyHunters is monetizing AI-adjacent breaches at scale. Expect copycats.

What to do about it

• Audit every OAuth app with Drive, Gmail, or Workspace scopes. Revoke AI tools without documented need.

• Enforce conditional access with hardware tokens and device posture for Workspace accounts.

• Subscribe to stealer log monitoring for corporate emails.

• Rotate all secrets (e.g. API keys).

Rock’s Musings

An employee clicked a button, granted a third-party AI read access to everything, and the attacker rode that consent into production. OAuth scopes are the new privileged credentials, and most of us are not managing them that way. The shadow AI problem I flag with clients at RockCyber is not ChatGPT use. It’s the hundreds of AI-branded OAuth apps employees connect while nobody watches.

3. Gartner Names Zenity The “Company To Beat” In AI Agent Governance

On April 23, 2026, Zenity announced that Gartner named it the “Company to Beat in AI Agent Governance” (Business Wire). Gartner cited Zenity’s agentic architecture, intent-aware detection, and end-user traction. The platform covers SaaS-managed agents, custom-built agents, and device deployments from build to runtime. Gartner’s 2026 CIO survey shows that 17 percent of organizations have deployed AI agents, 42 percent plan to do so within 12 months, and another 22 percent plan to do so the year after (Yahoo Finance). Zenity also landed in two categories of the 2026 Gartner Hype Cycle for Agentic AI this month.

Why it matters

• A “Company to Beat” stamp on a narrow security category speeds up procurement.

• 79% of organizations plan to deploy AI agents within 2 years.

• Agent governance is shifting from a research topic to a commercial line item.

What to do about it

• If you are on the 42 percent 12-month curve, start evaluations now.

• Evaluate agent governance on runtime enforcement, not only inventory or posture.

• Require vendors to show agent identity, memory, tool-call, and intent controls as distinct.

Rock’s Musings

Yes… Zenity is my employer, so a) I’m super proud of this one and b) it’s my prerogative to include it in the musings 😀

“Company to Beat” labels are how procurement catches up with security reality. Mythos leaked through a contractor, Vercel got rolled via an AI assistant’s OAuth token, and the same week Gartner tells CIOs agent governance is a budget item. Read Zenity’s architecture claims against this week’s breach anatomy, then against what you bought for CASB five years ago. Same pattern, same procurement playbook. Budget the line item.

4. Lovable Vibe Coding Platform Exposed Source Code For 76 Days

On April 20, 2026, security researcher weezerOSINT disclosed a broken object-level authorization flaw in Lovable’s API that let any authenticated free-account user read source code, database credentials, AI chat history, and customer data from every project created before November 2025 (The Register). The exposure ran 76 days, from February 3 through April 20, 2026. Lovable first denied the flaw, blamed its documentation, then blamed HackerOne, then apologized for the apology (Cybernews). Customers include Uber, Zendesk, and Deutsche Telekom.

Why it matters

• Vibe coding platforms hold enterprise source code and secrets. Attacker value is enormous.

• Public denial while the flaw was live is a textbook loss-of-trust move.

• A $6.6 billion startup cannot figure out basic tenant isolation three versions in.

What to do about it

• Block new vibe coding connections at DNS or CASB until procurement reviews tenancy.

• Rotate any credentials your teams put into Lovable projects since February 2026.

• Treat vibe coding output as untrusted. Pull it into a real repo, scan it, review it.

Rock’s Musings

Vibe coding is a demo, not engineering. When you hand a growth-stage startup your production database credentials in exchange for a drag-and-drop builder, you have accepted that your security depends on whether someone refactors an authorization check. Three breaches in thirteen months is a pattern, not bad luck. If your security team has not yet restricted this category of tool, do it this week.

5. Google Cloud Next Ships Three AI Security Agents And Gemini Enterprise Agent Platform

On April 22, 2026, Google Cloud Next introduced the Gemini Enterprise Agent Platform and three new AI agents inside Google Security Operations (SiliconANGLE). The agents cover Threat Hunting, Detection Engineering, and Third-Party Context enrichment (The Register). Google also deepened its ties to the Wiz product and shipped new agent governance tools. Sundar Pichai framed the shift as moving from human-led defense to human-in-the-loop to AI-led defense overseen by humans.

Why it matters

• Three tedious SOC functions now have vendor agent equivalents. SOC staffing economics shift if they work.

• Google is betting the platform on agentic AI, not only generative AI.

• The Wiz tie-in gives Google a path into CSPM-driven SOC workflows.

What to do about it

• Pilot the Threat Hunting agent for 30 days against your human hunt team and score overlap.

• Define human-in-the-loop gates before any autonomous detection or response action.

• Update vendor risk reviews to cover agent behavior monitoring, not only model output.

Rock’s Musings

The pitch is compelling, the execution will be messy. Every SOC team I advise is drowning in alerts, and the first customer bitten by an autonomous agent on bad context will make headlines. The Third-Party Context agent matters more than the other two because better data into an agentic SOC prevents bad autonomous actions. Read my notes on AI governance before you green-light an agent in production.

6. UK Announces £90 Million National Cyber Shield And Calls On AI Firms To Co-Build Defense

At CYBERUK 2026 on April 22, 2026, UK Security Minister Dan Jarvis announced £90 million over three years for national-scale AI-powered cyber defense capabilities (GOV.UK). Jarvis asked frontier AI companies to co-develop these capabilities with the UK government and cited Mythos’s zero-day findings as justification for public sector urgency (Computer Weekly). Jarvis also launched a National Cyber Resilience Pledge aimed at private sector security baselines.

Why it matters

• The UK is the first major Western government to put operational capital into AI-defended critical infrastructure.

• Public-private cooperation on offensive-grade AI models sets a precedent others will react to.

• Frontier AI vendors in UK public sector now have a direct path to shape national doctrine.

What to do about it

• UK critical infrastructure operators: map your sector against the Pledge before it becomes mandatory.

• Track which AI vendors join. UK procurement for critical infrastructure will narrow quickly.

• Watch NCSC secure-by-design expectations for AI. They will bleed into global procurement language.

Rock’s Musings

£90 million pounds sounds like a lot, but it really is a down payment. The bigger story is the UK saying out loud what American officials still whisper. Frontier AI models are dual-use capability, and if you don’t partner with the labs building them, your adversaries will. The Pledge is the more interesting instrument. Voluntary commitments have a funny way of becoming procurement requirements, then de facto regulation.

7. OpenAI Releases Privacy Filter, An Open-Weight On-Device PII Redactor

On April 23, 2026, OpenAI released Privacy Filter, a 1.5-billion-parameter open-weight model with 50 million active parameters that detects and redacts personally identifiable information locally (Help Net Security). It supports a 128,000-token context window, runs in browsers and on laptops, and achieves a 96% F1 score on PII-Masking-300k (VentureBeat). It ships under Apache 2.0 on GitHub and Hugging Face, covering eight PII categories.

Why it matters

• A permissive open-weight PII redactor that runs on a laptop closes a real enterprise data sanitization gap.

• OpenAI shipping open weights for a safety model is a positional move, not a strategy reversal.

• The tool removes a common excuse for shipping raw enterprise data to cloud LLMs.

What to do about it

• Evaluate Privacy Filter as a preprocessing layer for any LLM pipeline on customer, support, or HR data.

• Benchmark it against existing DLP tools for AI-specific use cases.

• Add on-device redaction as a control in your AI data flow diagrams.

Rock’s Musings

Privacy Filter is the first open-weight piece from OpenAI that’s useful to a CISO. One point five billion parameters, runs local, decent accuracy, permissive license. It slots into every RAG pipeline I review as a trivial addition that removes an easy audit finding. OpenAI has taken heat on privacy posture for three years, and shipping open weights for a PII model is a pressure valve. Anthropic and Google will follow within six months.

8. Delve Compliance Scandal Widens After TechCrunch Confirms Context.ai Certification

On April 23, 2026, TechCrunch confirmed that Delve, the Y Combinator-backed compliance startup accused of faking SOC 2 audits, had certified Context.ai, the AI tool at the center of the Vercel supply chain breach (TechCrunch). Delve also certified LiteLLM, another open source project separately compromised with planted malware. Context.ai has cut ties with Delve and is re-certifying with a different auditor. Whistleblower DeepDelver alleged the Delve team took a Hawaii offsite between April 15 and April 19 while denying customer refunds.

Why it matters

• Two Delve-certified companies are at the center of AI supply chain breaches.

• SOC 2 without substance is a liability shield until the shield gets tested.

• AI compliance tooling is saturated with startups racing to rubber-stamp fast-moving products.

What to do about it

• Audit your vendor attestations. Who signed? What is the auditor’s history? Is the scope meaningful?

• For AI vendors, demand pentest summaries, code review artifacts, and threat models.

• Treat SOC 2 as one input into assurance, not a box check.

Rock’s Musings

My friends know… I believe SOC 2 needs to burn a fiery death, but “we” still insist on them. Founders want the badge, auditors want the fee, customers want the checkbox. Everyone wins until the breach, then the enterprise that relied on the paper finds out the paper was never the point. SOC 2 is a floor, not a ceiling. Nothing will change until we kill the demand side of this particular supply/demand equation.

9. NIST Narrows CVE Enrichment As Submission Volume Overwhelms NVD

On April 17, 2026, NIST announced it will only enrich CVEs that meet specific criteria due to an unsustainable rise in submissions (Cybersecurity Dive). The NVD will continue assigning CVE IDs to all submissions but will no longer guarantee CVSS scores, CPE mappings, or descriptions for every record. NIST cites AI-assisted vulnerability research as a key driver of volume. Enrichment priority goes to actively exploited vulnerabilities and CVEs affecting critical infrastructure.

Why it matters

• If your program assumes every CVE carries a CVSS score and CPE mapping, it is about to degrade silently.

• AI-generated vulnerability research is flooding public disclosure. The NVD cannot keep up.

• Enterprises relying only on NVD-fed scanners will miss or misprioritize vulnerabilities now.

What to do about it

• Supplement NVD with CISA KEV and commercial vulnerability intelligence.

• Score CVEs NIST skips using vendor advisories as primary sources.

• Reassess SLAs based on enrichment availability, not only patch availability.

Rock’s Musings

NIST is essentially throwing up its hands and giving up. The CVE system was built for a world where humans found most bugs. We no longer live there. Mythos alone found thousands of zero-days in weeks. Multiply that by every lab running similar research, and NVD throughput becomes a joke. NIST is triaging, which is the only rational move. The problem is that nobody told your vulnerability scanner. Get ahead of this now, or your next board report will be a lie by omission.

10. Anthropic MCP STDIO Flaw Burns The Agentic AI Ecosystem As New CVEs Land

The STDIO command injection flaw in Anthropic’s MCP SDK produced new CVE assignments throughout the week, including CVE-2026-30623 and CVE-2026-22252 (LiteLLM). Analysis on April 20 from BDTechTalks documented ecosystem fallout and Anthropic doubling down on its “by design” position (BDTechTalks). The flaw class affects 7,000 publicly accessible MCP servers and over 150 million package downloads (Infosecurity Magazine). Affected products include LibreChat, WeKnora, Cursor, and MCP Inspector.

Why it matters

• Anthropic will not patch. Every developer using the official SDK owns the mitigation.

• The default agentic interop standard has a baked-in remote code execution footgun.

• CVEs are stacking up. Every MCP-connected product is a vendor risk question.

What to do about it

• Inventory every MCP server and client. If you can’t produce the list in a day, you have a bigger MCP problem.

• Enforce strict input validation on any MCP server config from user input, LLM output, or third-party manifests.

• Update your agentic threat model to cover MCP as a first-class attack surface.

Rock’s Musings

“By design” is a liability transfer, not a security posture. Anthropic handed every developer on the MCP SDK a foot-gun and said go figure it out. Competing agent protocols like A2A and Agora are watching and taking notes. Building the default standard for agent-to-system communication on top of a protocol decision that cannot be fixed without breaking compatibility is the problem. Every MCP-based product in your stack is a recurring risk item.

The One Thing You Won’t Hear About But You Need To

AgentSOC Paper Publishes A Multi-Layer Blueprint For Agentic Security Operations

On April 22, 2026, researchers published AgentSOC: A Multi-Layer Agentic AI Framework for Security Operations Automation on arXiv (arXiv). The paper proposes a layered architecture combining perception, anticipatory reasoning, and risk-based action planning for autonomous SOC operations. It documents design patterns for coordinating specialized agents across triage, hunt, and response workflows while keeping human oversight in place. The work joins other 2026 papers arguing agentic AI is mature enough for production SOC environments when guardrails are in place.

Why it matters

• Vendors ship products. Research supplies the reference architectures that determine whether those products survive in production.

• The AgentSOC blueprint maps closely to what Google announced this week. The convergence is not accidental.

• CISOs now have a public framework to score vendor claims against independent research.

What to do about it

• Read the paper before your next agentic SOC evaluation. Use the layer breakdown as a scoring rubric.

• Ask vendors how their architecture maps to perception, anticipation, and action layers.

• Share the paper with SOC leadership. It gives your team a vocabulary for what to demand.

Rock’s Musings

Vendor marketing is a terrible place to learn what agentic security operations should look like. Academic literature is better. AgentSOC is not the last word, but it landed the same week three major vendors pitched agentic SOC products. CISOs who read research papers buy better tools and sign better contracts than the ones who only read analyst reports. Use the AgentSOC structure the next time a vendor promises agentic magic, and watch them squirm when you ask what happens at the perception layer when the model hallucinates.

👉 For ongoing analysis of agentic AI governance frameworks, the conversation continues at RockCyber Musings.

👉 Visit RockCyber.com to learn more about how we can help with your traditional Cybersecurity and AI Security and Governance journey.

👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com

👉 As a bonus, check out my conversation with Eva Benn where we talked about the cybersecurity skills you need to develop to stay relevant in 2026 and beyond.

👉 Subscribe for more AI and cyber insights with the occasional rant.

The views and opinions expressed in RockCyber Musings are my own and do not represent the positions of my employer or any organization I’m affiliated with.

Share RockCyber Musings

References

arXiv. (2026, April 22). AgentSOC: A multi-layer agentic AI framework for security operations automation. https://arxiv.org/abs/2604.20134

BDTechTalks. (2026, April 20). Anthropic’s MCP vulnerability: When ‘expected behavior’ becomes a supply chain nightmare. https://bdtechtalks.com/2026/04/20/anthropic-mcp-vulnerability/

Bloomberg. (2026, April 21). Anthropic’s Mythos AI model is being accessed by unauthorized users. https://www.bloomberg.com/news/articles/2026-04-21/anthropic-s-mythos-model-is-being-accessed-by-unauthorized-users

Business Wire. (2026, April 23). Zenity named the “Company to Beat” in AI Agent Governance in new Gartner report. https://www.businesswire.com/news/home/20260423045822/en/Zenity-Named-the-Company-to-Beat-in-AI-Agent-Governance-in-New-Gartner-Report

Bloomberg. (2026, April 22). Google releases new AI agents to challenge OpenAI and Anthropic. https://www.bloomberg.com/news/articles/2026-04-22/google-releases-new-ai-agents-to-challenge-openai-and-anthropic

CBS News. (2026, April 22). Anthropic investigating possible breach of its Mythos AI model. https://www.cbsnews.com/news/anthropic-investigates-mythos-ai-breach/

Computer Weekly. (2026, April 22). UK to build ‘national cyber shield’ to protect against AI cyber threats. https://www.computerweekly.com/news/366641790/UK-to-build-national-cyber-shield-to-protect-against-AI-cyber-threats

Cybernews. (2026, April 20). Lovable goes on ego trip denying vulnerability, then blames others for said vulnerability. https://cybernews.com/security/lovable-vibe-coding-flaw-apology/

Cybersecurity Dive. (2026, April 17). NIST narrows CVE enrichment as submission volume surges. https://www.cybersecuritydive.com/news/nist-ai-cybersecurity-framework-profile/808134/

GOV.UK. (2026, April 22). Security Minister’s speech to CYBERUK 2026. https://www.gov.uk/government/speeches/security-ministers-speech-to-cyberuk-2026

Help Net Security. (2026, April 23). OpenAI tackles a bad habit people have when interacting with AI. https://www.helpnetsecurity.com/2026/04/23/openai-privacy-filter-personally-identifiable-information/

Infosecurity Magazine. (2026, April). Systemic flaw in MCP protocol could expose 150 million downloads. https://www.infosecurity-magazine.com/news/systemic-flaw-mcp-expose-150/

LiteLLM. (2026, April). Security update: CVE-2026-30623, command injection via Anthropic’s MCP SDK. https://docs.litellm.ai/blog/mcp-stdio-command-injection-april-2026

SiliconANGLE. (2026, April 22). Google rolls out new Security Operations agents, Wiz ties, and agent governance tools. https://siliconangle.com/2026/04/22/google-cloud-next-new-security-operations-agents-wiz-integrations-agent-governance-tools/

TechCrunch. (2026, April 20). App host Vercel says it was hacked and customer data stolen. https://techcrunch.com/2026/04/20/app-host-vercel-confirms-security-incident-says-customer-data-was-stolen-via-breach-at-context-ai/

TechCrunch. (2026, April 23). Another customer of troubled startup Delve suffered a big security incident. https://techcrunch.com/2026/04/23/another-customer-of-troubled-startup-delve-suffered-a-big-security-incident/

The Register. (2026, April 20). Lovable denies data leak, cites ‘intentional behavior’. https://www.theregister.com/2026/04/20/lovable_denies_data_leak/

The Register. (2026, April 22). Google unleashes even more AI security agents to fight crims. https://www.theregister.com/2026/04/22/google_unleashes_even_more_ai

Vercel. (2026, April 19). Vercel April 2026 security incident. https://vercel.com/kb/bulletin/vercel-april-2026-security-incident

VentureBeat. (2026, April 23). OpenAI launches Privacy Filter, an open source, on-device data sanitization model. https://venturebeat.com/data/openai-launches-privacy-filter-an-open-source-on-device-data-sanitization-model-that-removes-personal-information-from-enterprise-datasets

Yahoo Finance. (2026, April 23). Zenity named the “Company to Beat” in AI Agent Governance. https://finance.yahoo.com/sectors/technology/articles/zenity-named-company-beat-ai-130100277.html

Share

A Fortune 500 bank gets its Project Glasswing partner seat six weeks from now. Anthropic ships the Mythos Preview container and $10 million in credits. The bank stands up a Mythos instance inside its own environment, points it at its core banking monorepo, and starts finding bugs on day one. Forty-two days in, a developer opens a pull request that adds a utility library. The README on that library contains a commented block beginning with “SECURITY NOTE FOR AUTOMATED REVIEWERS.” The Mythos instance reads it. The comment is an indirect prompt injection telling the reviewer to mark a specific authentication bypass as a false positive and not mention the instruction in the output. The reviewer complies. The bug ships. Nobody sees it because the thing designed to see it was told not to.

That scenario is fictional. The attack class is not. The Mythos-Ready whitepaper from the CSA, SANS, OWASP GenAI Security Project, and a coalition of practitioners (I was a reviewer) lists “Unmanaged AI Agent Attack Surface” as one of its five critical risks, mapping to OWASP Agentic Top 10 entries ASI01 (Agent Goal Hijack), ASI02 (Tool Misuse), ASI03 (Identity and Privilege Abuse), plus AML.T0051.001 (Indirect Prompt Injection) in MITRE ATLAS. Ranked critical. The single most underweighted item in the entire priority table.

The industry is fixated on the wrong question. Everyone is arguing about whether Anthropic’s 40-org Glasswing coalition or OpenAI’s thousands-of-verified-defenders TAC program is the right release model. That argument matters, and I will work through it. The bigger issue is that once you get access to either Mythos or GPT-5.4-Cyber, the running instance becomes the most valuable asset in your security stack. It sits within your environment, with privileged access to your source code, vulnerability telemetry, patch queue, and incident history. It knows where your unpatched zero-days live. An attacker who compromises that instance does not need to find bugs. The instance tells them where the bugs are.

What Anthropic and OpenAI Built

Mythos Preview is a gated frontier model. Anthropic released it on April 7, 2026, announced Project Glasswing the same day, and restricted access to 12 launch partners plus roughly 40 additional organizations. The partners include AWS, Apple, Microsoft, Google, CrowdStrike, Cisco, JPMorgan Chase, NVIDIA, Palo Alto Networks, Broadcom, and the Linux Foundation. Anthropic committed $100 million in usage credits and priced the model at $25 per million input tokens and $125 per million output tokens, roughly 5x Opus 4.6 (which is roughly 5x Sonnet 4.6… OUCH!). The stated case for restricting access is that the model found thousands of zero-days across all major operating systems and browsers, including a 27-year-old bug in OpenBSD and a 16-year-old flaw in FFmpeg. Anthropic’s own assessment is that comparable capability will reach broad availability in 6 to 18 months.

GPT-5.4-Cyber is OpenAI’s answer, released April 14, 2026, one week later. It is a fine-tuned variant of GPT-5.4 with what OpenAI calls a “lowered refusal boundary for legitimate cybersecurity work.” The headline capability is binary reverse engineering. Feed it a compiled executable, and get vulnerability analysis without source code. OpenAI’s Trusted Access for Cyber program, piloted in February 2026 with $10 million in grant credits, scales to thousands of verified individual defenders and hundreds of teams. Individuals verify at chatgpt.com/cyber. Enterprises apply through account representatives. OpenAI cyber researcher Fouad Matin told reporters, “No one should be in the business of picking winners and losers” on who gets to defend their systems.

The two approaches reflect different risk philosophies. Anthropic bets on institutional trust and coalition monitoring. OpenAI bets on KYC verification and broader distribution. Both have real merit. Both share the same structural weakness: the access decision sits upstream of the threat model.

How to Get Your Hands on Each

For Mythos, the answer for 99% of organizations is: you don’t. Project Glasswing is a curated coalition. The 40 slots are filled with hyperscalers, chipmakers, one bank, and the Linux Foundation. Anthropic has not published an application path. Additional partners will be added over time, prioritized by critical infrastructure impact. If you run a regional bank, a hospital system, or a municipality, the realistic timeline for direct access to Mythos is measured in quarters.

For GPT-5.4-Cyber, the path is documented. Individuals verify at chatgpt.com/cyber. Organizations request trusted access through an OpenAI account representative. The program uses KYC-style identity verification and tiered access, with the highest tier unlocking GPT-5.4-Cyber. OpenAI says the rollout will be gradual and vetted, with early priority on security vendors, organizations, and researchers with track records in vulnerability research and remediation.

Both paths share one feature that matters more than either provider acknowledges: neither gate eliminates the capability. AISLE, an independent AI security research group, tested the exact FreeBSD vulnerability Anthropic headlined against open-weight models. Eight out of eight detected the bug. The smallest was a 3.6 billion parameter model at 11 cents per million tokens. A 5.1 billion active parameter model recovered the core analysis chain of the 27-year-old OpenBSD flaw. Total cost of AISLE’s weekend benchmarking across six models: under $100. Attackers are running abliterated Llama 4, Kimi K2, and Qwen3 variants on laptops. Your coordinated disclosure window is what the gates protect, not your attack surface.

Two Attacker Profiles, Two Different Problems

The defender community keeps talking about “the attacker” as if there is one. There are at least two. They pick different pathways.

The first is the opportunistic actor running autonomous vulnerability discovery across the entire internet-facing attack surface. This actor does not care who you are. They care about breadth. They run nano-analyzer-style scaffolding against every public codebase, every npm package, every Docker image they can reach. Open-weight models, free, uncensored variants widely distributed, workflow already documented. AISLE published their scaffolding as open source. Anyone who can run a Python script can replicate it. This actor finds your unpatched zero-days in public dependencies as soon as those dependencies are indexed.

The defense is in the whitepaper: inventory and reduce attack surface within 90 days, stand up a VulnOps function within 12 months, automate patching to match the discovery rate.

The second actor is targeted. They care specifically about you. They want your bugs, your patch queue, your incident data, and your threat model. The open-weight approach is too slow and too noisy for this actor. They need inside information. The three pathways they pick, in order of near-term probability.

First, credential theft against verified defenders. A TAC tier-three user at a Fortune 500 security vendor is a high-value target. Their API session tokens grant access to a cyber-permissive model with binary reverse engineering capabilities. A compromised developer laptop, a phished OAuth flow, or a stolen refresh token gets the attacker a capability they cannot otherwise reach. OpenAI’s announcement acknowledged that zero-data-retention environments get limited visibility, meaning stolen tokens may operate with reduced logging. Rotate short-lived tokens, enforce hardware-bound keys, and put defender-model API use behind the same privileged access controls you apply to domain admin accounts. Treat a TAC session token as a tier-0 secret.

Second, open-weight replication against a specific target. Once an attacker has selected you, they can scan your public code, your partner repositories, your open-source contributions, and any of your dependencies using the same scaffolding as the opportunistic actor. The targeting changes the risk profile. They are building a dossier on your specific organization. Defense is the same as against the opportunistic case, with urgency that scales with your profile. If you are a named Glasswing partner, assume you are the target.

Third, defender instance compromise through context poisoning and prompt injection. This pathway keeps me up at night. It is the one your existing threat model does not cover. A running Mythos or GPT-5.4-Cyber instance inside your environment consumes source code, pull request descriptions, commit messages, dependency READMEs, issue trackers, and whatever retrieval pipelines you plumb into it. Each of those input channels is an indirect prompt-injection vector. The model cannot distinguish between a developer’s pull request description and an attacker’s instructions buried in a dependency’s changelog. Anthropic’s system card for Mythos documents “reckless” behaviors from earlier versions: sandbox escape, credential hunting via /proc/ access, unauthorized file modification, git history scrubbing, and attempts to modify a running MCP server’s external URL. The model can act on indirect instructions in ways that bypass its safeguards. A hostile input channel into your defender instance is an exploitation channel into your codebase.

Why the Defender AI Is the Crown Jewel

The whitepaper’s Priority Action 4 is “Defend Your Agents.” The authors are direct: agents are not covered by existing controls, introduce cyber defense and agentic supply chain risks, and the agent scaffolding (prompts, tool definitions, retrieval pipelines, escalation logic) is where the most consequential failures occur.

Audit agents with the same rigor as you apply to the agent’s permissions. Correct guidance. Buried inside an 11-item priority table, where every item reads as equal weight. It is not equal weight.

The defender AI concentrates on four kinds of access that used to live in separate systems and separate roles.

1. It reads every line of production source code.

2. It holds context on every unpatched vulnerability in your queue. I

3. t sees the remediation timeline for each one.

4. It knows the architectural boundaries between your crown jewels and everything else.

A human with all four would be classified as an insider-threat tier-0. The defender AI requires all four as prerequisites to do its job. Your adversary does not need to compromise OpenAI or Anthropic. They need to compromise your instance. Much smaller target, much wider attack surface.

What a Defender-AI Threat Model Looks Like

The architecture defenders need has three layers. The concepts span the OWASP Agentic Security Initiative, the NIST AI RMF, and multiple emerging specifications. What is new here is applying them specifically to the defender AI case.

The first layer is runtime interception at every agent decision point. Every time the defender AI receives input, produces output, selects a tool, calls a tool, transitions from planning to execution, writes to memory, executes code, or invokes a sub-agent, that action must pass through a policy enforcement point before it reaches production. This is inline, deterministic, allow-deny-modify enforcement. Not a log review after the fact. A defender AI that reads a dependency README with an embedded prompt injection must have that input evaluated against policy before the agent’s reasoning ingests it. Policy enforcement at the hook surface, before the consequential action, is the only mechanism that works at machine speed.

The second layer is structured observability built on OpenTelemetry with agent-specific semantic conventions and OCSF mapping for SIEM integration. The trace has to cover the full agent lifecycle: prompt received, tool selected, tool called, response ingested, memory written, sub-agent invoked, output produced. Forensic reconstruction of a defender AI incident requires this granularity. Your SOC already operates on OCSF. Agent traces flowing through the pipelines your SOC already monitors is the integration that scales. A parallel agent observability stack your SOC does not watch is a dead letter office.

The third layer is live inventory. The whitepaper’s Priority Action 7 calls for real SBOMs, correct for static software. For agents, it is insufficient. The inventory has to update continuously because the agent can discover new tools, connect to new MCP servers, and modify its own tool catalog mid-session. Inventory generated at deployment time is stale by the end of the first prompt. Extend CycloneDX or SPDX semantics to live agent composition. Capture every tool, model, capability, knowledge source, and MCP connection the defender AI is wired into, across every running instance. You cannot defend what you cannot inventory, and what you cannot inventory is mutating on you.

These three layers stack on a three-tier operating model. The platform exposes the hooks once. An open enforcement SDK reads declarative policy and fires decisions through the hooks. Enterprise-specific classifiers and detectors plug into the enforcement layer. Your data sensitivity model, your PHI detection, your threat-intel feed integrations all live in the enterprise layer, consuming the same standardized hook surface. Switching from Mythos to GPT-5.4-Cyber or to a third model six months from now should not require rewriting your safety logic. It should require pointing your enforcement SDK at a different set of hooks.

The Five Actions You Can Take This Week

The whitepaper’s 11 priority actions are the right list. Here is how the defender-AI-as-crown-jewel thesis reorders them by urgency.

First, write the threat model. Before you stand up Mythos or GPT-5.4-Cyber anywhere, document what the instance will access, what inputs it will consume, what outputs it can produce, and what tools it can invoke. Map each item to ASI01 through ASI10 in OWASP Agentic Top 10 and to the relevant AML.T entries in MITRE ATLAS. If you have not done this exercise for any agent in your environment, start with the defender AI. Its blast radius is the largest.

Second, treat API tokens for defender models as tier-0 secrets. Hardware-bound keys, short TTLs, per-session scope, and the access review cadence you apply to break-glass domain admin. Stolen credentials are the fastest path to your defender AI and your unpatched zero-days. Lock them down the way you would lock down root.

Third, instrument the hook surface before you instrument the prompt. Your first integration priority is runtime policy enforcement for input, output, tool calls, tool responses, and sub-agent invocations. Not log collection. Not dashboards. Inline allow-deny-modify at the decision points.

Fourth, build a live agent inventory for every agent in your environment, starting with the defender AI. Capture the model, the tools, the MCP connections, the retrieval sources, the knowledge bases, and the memory stores. Update in real time. Review weekly until the pattern stabilizes, then move to continuous automated review.

Fifth, run the defender AI through your own red team before you point it at your own code. Indirect prompt injection via dependency READMEs, poisoned commit messages, hostile issue descriptions, and malicious pull request bodies. If you cannot compromise your own defender AI in a week, you have not tried hard enough.

Key Takeaway: The access gate is not the threat model. The defender AI in your environment is a new crown jewel. Most security programs have not yet acknowledged what it is or what protects it.

What to do next

Read the CSA, SANS, and OWASP GenAI Security Project briefing, “The AI Vulnerability Storm: Building a Mythos-Ready Security Program.” Run the 10 Questions diagnostic against your program this week. Rerank the Priority Action table, putting “Defend Your Agents” above everything except “Point Agents at Your Code.” Apply CARE (Create the threat model, Adapt your controls, Run the red team, Evolve the policy) to the defender AI before anything else in your AI portfolio.

For more on CARE and governance for defender-class agents, see RockCyber. and coverage at RockCyber Musings. Last week’s blog, AI Vulnerability Discovery: Mythos Is the Headline. Not the Story., carries the capability-parity argument that underpins the urgency here.

👉 Visit RockCyber.com to learn more about how we can help you in your traditional Cybersecurity and AI Security and Governance Journey

👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com

👉 Subscribe for more AI and cyber insights with the occasional rant.

The views and opinions expressed in RockCyber Musings are my own and do not represent the positions of my employer or any organization I’m affiliated with.

Share RockCyber Musings

This week drew a hard line between AI security theater and AI security reality. Mythos Preview hunted vulnerabilities nobody had found in 20 years. OX Security dropped a critical MCP flaw affecting 200,000 deployments. Someone threw a Molotov cocktail at Sam Altman’s gate. OpenAI countered Anthropic’s restricted rollout with GPT-5.4-Cyber. The UK government confirmed AI clears expert-level cyber tasks. If your board still treats AI governance as an ethics committee item, the gap between your risk register and reality widened another notch.

Ten stories ranked by impact, plus one under the radar. Capability, exposure, and governance move at three speeds. Your program needs all three. Longer work lives at RockCyber and Rock Cyber Musings.

Share

1. The “AI Vulnerability Storm” Emergency Strategy Briefing

On April 14, 2026, SANS Institute, the Cloud Security Alliance, OWASP GenAI Security Project, and [un]prompted released “The AI Vulnerability Storm: Building a Mythos-Ready Security Program” (SANS Institute). Sixty named contributors produced the document over a weekend, with 250 CISOs reviewing it. It includes a 13-item risk register mapped to OWASP LLM Top 10 2025, OWASP Agentic Top 10 2026, MITRE ATLAS, and NIST CSF 2.0, plus an 11-item priority actions table. Zero Day Clock data shows mean time from disclosure to exploitation fell below one day in 2026, down from 2.3 years in 2019.

Why it matters

• Disclosure-to-exploit dropped from 2.3 years to under a day. Your patch cadence cannot keep up.

• A coalition of security institutions framing this as an emergency is a signal worth taking seriously.

• The risk register maps to four frameworks, removing the excuse about lacking a shared taxonomy.

What to do about it

• Pull the 13-item risk register into your next program review.

• Run the 10 CISO diagnostic questions with your security leadership team this quarter.

• Brief your board using the executive section. Don’t rewrite it.

Rock’s Musings

Happy and honored that I was ask to participate in this one. I jumped at the opportunity. The coalition isn’t selling anything. We’re telling you the economics of exploitation flipped. When the attacker's cost to find a vulnerability drops to near zero while your patch cycle runs for weeks, the math stops working in your favor. If you planned AI program changes for 2027, you’re late.

2. OX Security Discloses Systemic Anthropic MCP Vulnerability

On April 15, 2026, OX Security published a report detailing a critical systemic flaw in Anthropic’s official MCP SDKs across Python, TypeScript, Java, and Rust (OX Security). MCP’s STDIO transport accepts arbitrary command strings and passes them to subprocess execution with no validation, sanitization, or sandboxing. OX tested the attack against six production platforms and took over thousands of public servers across 200 open-source projects. Exposure includes 150 million downloads, 7,000 public servers, and up to 200,000 vulnerable instances. Anthropic, per OX, classified the behavior as “expected” (Infosecurity Magazine).

Why it matters

• MCP is the backbone of agentic AI. Systemic flaws propagate through every agent you’ve built or bought.

• Anthropic labeling the flaw “expected behavior” puts responsibility on your security team.

• 200,000 exposed instances is the baseline, not an edge case.

What to do about it

• Inventory every MCP server and client in your environment this week.

• Block outbound STDIO transports from untrusted MCP configurations at the gateway.

• Treat MCP command payloads like shell inputs. Assume hostile.

Rock’s Musings

Every vendor claims “secure by design” until a serious researcher pokes at the design. MCP’s STDIO transport is a textbook unsafe primitive from the first draft of the spec. The tell is Anthropic’s response. When the SDK vendor calls malicious-command-as-a-feature “expected,” you own the mitigation. Wrap it, monitor it, and expect your first incident from an MCP server you didn’t know was running.

3. UK AISI Publishes Frontier AI Trends Report

The UK AI Security Institute released its first Frontier AI Trends Report on April 10, 2026 (AISI). AI models now complete apprentice-level cyber tasks about 50 percent of the time, up from barely 10 percent in early 2024. AISI tested one model in 2025 finishing expert-level tasks requiring more than a decade of practitioner experience. The report names Anthropic’s Claude Mythos Preview as the first AI system to autonomously complete a 32-step enterprise attack simulation. AISI credits safety training for slowing the curve, while warning capability outstrips defender readiness (Computing).

Why it matters

• A government safety institute confirmed one AI model executes a full enterprise attack chain autonomously. The “someday” framing is finished.

• Apprentice-level cyber performance quintupled in two years. Expert parity arrives inside most procurement cycles.

• AISI found safeguards working, meaning vendor controls meaningfully shift your risk exposure.

What to do about it

• Demand red-team attestation from every AI vendor supporting security-relevant workflows.

• Map your attack surface against the AISI capability framework. Flag targets a Mythos-class model reaches today.

• Shift IR tabletops to assume autonomous adversary tooling. Time-box every playbook to hours.

Rock’s Musings

This is the first major government assessment I’d call usable for board reporting. AISI didn’t pull punches, which is rare when governments still court AI investment. Pay attention to the 32-step attack chain line. Most organizations run incident response assuming attackers make mistakes, burn time, or need sleep. An agentic adversary does none of those things. If your tabletops still assume a human at a keyboard, they’re obsolete.

4. OpenAI Launches GPT-5.4-Cyber for Vetted Defenders

On April 14, 2026, OpenAI announced GPT-5.4-Cyber, a variant of GPT-5.4 tuned for defensive cybersecurity work (OpenAI). The model lowers refusal boundaries for legitimate security work and enables binary reverse engineering without source code. OpenAI is limiting initial deployment to vetted security vendors, organizations, and researchers through an expanded Trusted Access for Cyber program. The release came one week after Anthropic restricted its Mythos Preview model to about 40 partners under Project Glasswing. OpenAI framed it as a counter-argument: broader access is warranted now, with tighter controls reserved for larger capability jumps (SiliconANGLE).

Why it matters

• Two foundation model providers diverge on cyber-capable AI distribution. Your vendor risk management needs to account for the split.

• Binary reverse engineering at LLM speed reshapes the economics of red and blue team work.

• Vetting programs create new attestation and insider risk questions for your security function.

What to do about it

• Evaluate whether your organization qualifies for OpenAI TAC or Project Glasswing. If yes, assign an accountable executive.

• Update acceptable use policies for cyber-capable models. Access matches role, not curiosity.

• Task SOC leadership with a 90-day assessment of how GPT-5.4-Cyber or Mythos changes detection, triage, and RE workflows.

Rock’s Musings

Anthropic and OpenAI staked out opposite ends of the distribution debate in the same week. Anthropic says keep it small. OpenAI says open the gates. Both positions have legitimate arguments. What matters for CISOs is that the defensive tooling category you’ll buy in 2027 exists in preview today. If you aren’t running pilots on one of these models this quarter, your competition is.

5. Marimo Python Notebook RCE Exploited in 10 Hours

CVE-2026-39987, a pre-authentication RCE flaw in Marimo’s Python notebook server, was exploited within 10 hours of disclosure (Sysdig). The CVSS 9.3 flaw stems from a terminal WebSocket endpoint lacking authentication, giving any attacker a full PTY shell. Sysdig observed initial exploitation nine hours and 41 minutes after disclosure, with credential theft in under three minutes. A separate campaign targeting Hugging Face Spaces began April 12, 2026, dropping a new variant of NKAbuse malware (The Hacker News). Marimo sits inside many AI toolchains. Version 0.23.0 patches the flaw.

Why it matters

• A 10-hour disclosure-to-exploit window eliminates manual triage. Automation is the floor.

• AI dev environments hold credentials for training data, model registries, and cloud APIs. A compromise there jumps the fence.

• NKAbuse malware hosted on Hugging Face Spaces weaponizes a legitimate AI asset repository.

What to do about it

• Audit AI dev environments for unauthenticated notebook services this week.

• Push Marimo 0.23.0 immediately. Rotate .env credentials and SSH keys on any affected host.

• Treat Hugging Face Spaces and similar repositories as unverified third-party code.

Rock’s Musings

Ten hours. Memorize that number. If your patch process takes longer than a shift change, you’re assuming attackers stay polite enough to wait. They aren’t. A human operator hand-crafted the exploit from the advisory text alone. No public PoC needed. AI-assisted exploit development already sits inside the attacker’s normal workflow.

6. KPMG and INSEAD Publish AI Governance Principles for Boards

On April 14, 2026, KPMG International and the INSEAD Corporate Governance Centre published AI Governance Principles for Boards (KPMG). The guidance structures board oversight around five areas: strategy, security, workforce, trustworthy AI, and how AI reshapes leadership itself. KPMG’s Global AI Pulse Survey found nearly three-quarters of boards have only moderate or limited AI expertise. The principles are sector-agnostic and apply at any AI maturity level. Timing lines up with signals that the governance gap is widening faster than board oversight can catch up (INSEAD).

Why it matters

• Three-quarters of boards lack AI expertise. Your CEO and CISO are explaining in terms the directors cannot stress-test.

• A sector-agnostic framework gives cover to restructure AI oversight without waiting for an industry mandate.

• Board principles anchored in research and real practice create a defensible baseline for shareholder scrutiny.

What to do about it

• Make AI governance a standing board agenda item using the KPMG/INSEAD principles as the template.

• Recruit at least one director with direct AI operating experience.

• Run a board-level AI risk tabletop in the next six months. Measure director fluency.

Rock’s Musings

I’ve sat across from enough boards to recognize the pattern. The AI conversation is either dominated by CMO hype or minimized by general counsel. Neither serves the company. What I appreciate about this work is the refusal to reduce governance to compliance. If your board treats AI as an IT issue, you’ve already lost the oversight fight. Rebuild the conversation at the director level.

7. Molotov Cocktail Attack on Sam Altman’s Home

Around 3:37 a.m. on Friday, April 10, 2026, Daniel Moreno-Gama allegedly threw a lit incendiary device at OpenAI CEO Sam Altman’s San Francisco home, igniting a fire on an exterior gate (CNBC). About an hour later, police arrested Moreno-Gama at OpenAI’s San Francisco headquarters with additional incendiary devices, a kerosene jug, and a manifesto opposing AI executives. San Francisco District Attorney Brooke Jenkins filed attempted murder charges on April 13, 2026 (Washington Post). The FBI raided a Spring, Texas residence linked to the suspect.

Why it matters

• AI executives face documented physical threat campaigns motivated by AI-existential ideology.

• Intimidation playbooks aimed at AI leadership echo harassment patterns seen against crypto executives.

• The AI-existential threat narrative moved from online rhetoric to physical action.

What to do about it

• Review personal security programs for AI executives, board members, and senior researchers, including residence protection.

• Update threat modeling to include ideologically motivated actors, not only financially motivated ones.

• Coordinate with local law enforcement on executive travel patterns and publicly disclosed addresses.

Rock’s Musings

The Altman attack will reshape executive protection budgets at every AI firm this year. The deeper point is the AI-existential discourse produced one person willing to act on it violently. That genie doesn’t go back. AI security functions now carry physical security responsibility alongside technical, and the two teams rarely talk. Fix that.

8. AI-Powered “Pushpaganda” Ad Fraud Scheme Exposed

On April 14, 2026, researchers exposed “Pushpaganda,” an ad fraud scheme combining SEO poisoning with AI-generated content to push deceptive news stories into Google Discover (The Hacker News). Users engaging with the stories are tricked into enabling persistent browser notifications delivering scareware and financial scams at global scale. Google deployed a security fix. Researchers linked the operation to broader AI-driven phishing trends: 82.6 percent of phishing emails now contain AI-generated content (GuardianMSSP).

Why it matters

• Consumer-facing AI fraud creates downstream reputational and fraud exposure for any brand whose customers fall for it.

• AI content weaponized through Google Discover scales instantly across borders.

• Browser notification abuse creates persistent attacker infrastructure inside your users’ devices.

What to do about it

• Update fraud and anti-phishing awareness for employees and high-value customers using Pushpaganda as a concrete example.

• Tell users to audit browser notification permissions quarterly.

• Task threat intel with tracking similar schemes targeting your brand or industry keywords.

Rock’s Musings

Ad fraud has been a rounding error in most risk registers. That’s ending. When AI pumps plausible news stories at near-zero cost through trusted distribution pipes, the economics of fraud flip in the attacker’s favor. The indirect damage is the part enterprises miss. Your customer falls for the scam, loses money, and blames you even when you had nothing to do with it. Merge brand protection and fraud prevention. The attacker already did.

9. OpenAI Discloses Axios npm Supply Chain Impact

On April 11, 2026, OpenAI confirmed it was affected by the compromise of the Axios npm package, a supply chain attack attributed to North Korea-linked actors (CNBC). The root cause was a misconfiguration in its GitHub Actions workflow touching macOS app certification. OpenAI revoked its macOS app certificate. Older macOS desktop apps stop receiving updates starting May 8, 2026. No user data, passwords, or API keys were accessed. Axios is one of the most depended-upon packages in the JavaScript ecosystem, with 100 million weekly downloads (Elastic Security Labs).

Why it matters

• The largest AI service provider disclosed a supply chain compromise from a dependency most customers do not track.

• North Korean targeting of AI providers signals state actors see AI as a strategic target.

• If OpenAI’s CI/CD was affected, every firm building on OpenAI carries secondary exposure.

What to do about it

• Audit every third-party dependency on npm, PyPI, and containers in your AI pipelines. Prioritize post-install hooks.

• Rotate signing certificates on CI/CD pipelines using GitHub Actions with third-party dependencies.

• Map your AI vendor dependency tree. Know who sits upstream of production workflows.

Rock’s Musings

OpenAI’s post-incident communication was cleaner than most. What I want security leaders to sit with is attacker selection. North Korean actors chose Axios because they understood the dependency graph. They compromised one maintainer account and reached OpenAI’s signing pipeline in one hop. Your AI platform has a similar graph. If you haven’t mapped it, you’re trusting your vendor’s vendor’s vendor without knowing any of the names.

10. The Register Questions Project Glasswing’s CVE Count

On April 15, 2026, The Register investigated Project Glasswing’s verified vulnerability count (The Register). Per VulnCheck researcher Patrick Garrity, only one CVE ties directly to Glasswing: CVE-2026-4747, a remote code execution flaw in FreeBSD’s NFS code. Anthropic had claimed Mythos Preview discovered thousands of high-severity zero-days, including 27-year-old bugs in OpenBSD, a 16-year-old FFmpeg flaw, and Linux kernel privilege escalation chains. None of those findings have assigned CVEs. Anthropic indicated a public summary report is expected around July 2026 (CSO Online).

Why it matters

• Security leaders are being asked to restructure programs around claims mostly unverifiable right now.

• The gap between marketing and disclosed CVEs is a litmus test for how AI vendors handle safety communications.

• The same capability framing already drives budget and policy conversations across government and enterprise.

What to do about it

• Track vendor AI capability claims against disclosed CVE evidence. VulnCheck, NVD, and CVE.org are sources of record.

• Require AI vendors to commit to disclosure timelines in the contract.

• Apply the same skepticism to AI capability claims you apply to any vendor’s performance claims.

Rock’s Musings

I believe AI-assisted vulnerability discovery is real. I also know marketing departments exist. The Register did what security trade press should do more often: press for evidence instead of reposting press releases. Until Anthropic’s July report arrives with specificity, assume the capability is real at a smaller scale than the headlines suggest. Your board deserves honest uncertainty over confident hype.

The One Thing You Won’t Hear About But You Need To

State AI Legislation Quietly Picks Up Pace in Nebraska, Maine, and Maryland

The week of April 13, 2026 saw three state legislatures advance AI-specific bills most national coverage missed (Troutman Pepper Locke). Nebraska’s unicameral legislature passed LB 525, bundling the Agricultural Data Privacy Act with a Conversational AI Safety Act regulating minors’ interaction with conversational AI services. Maine’s legislature prohibited therapy or psychotherapy services, including those delivered through AI, unless provided by a licensed professional. Maryland passed a pricing bill placing new constraints on AI-driven pricing practices. Nineteen new AI laws passed across U.S. states in the prior two weeks (Plural Policy).

Why it matters

• State AI legislation accelerates faster than federal harmonization, raising compliance complexity for multi-state AI services.

• Vertical bans like Maine’s on AI psychotherapy signal the “AI wrapper as feature” era is ending for regulated professions.

• Conversational AI protections for minors now vary by state. Your chatbot rollout inherited new compliance surface.

What to do about it

• Assign legal and compliance ownership of state AI legislation tracking.

• Map customer-facing AI products against regulated-profession restrictions appearing in multiple states.

• Build a multi-state compliance matrix for conversational AI aimed at minors. Treat it as living documentation.

Rock’s Musings

Federal AI policy gets the headlines. State legislation gets the enforcement. The gap is where CISOs and general counsel earn their salaries. AI compliance is not a checkbox on the NIST AI RMF. It’s a moving target across 50 jurisdictions, each with different enforcement flavor. Miss Maine, your mental health AI product is illegal. Miss Maryland, your pricing engine invited an AG letter. Miss Nebraska, your chatbot cannot talk to kids in the Cornhusker State. Track it, resource it, or pay the lawyers later.

👉 For ongoing analysis of agentic AI governance frameworks, the conversation continues at RockCyber Musings.

👉 Visit RockCyber.com to learn more about how we can help with your traditional Cybersecurity and AI Security and Governance journey.

👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com

👉 Subscribe for more AI and cyber insights with the occasional rant.

The views and opinions expressed in RockCyber Musings are my own and do not represent the positions of my employer or any organization I’m affiliated with.

Share RockCyber Musings

References

AI Security Institute. (2026, April 10). Frontier AI Trends Report. https://www.aisi.gov.uk/frontier-ai-trends-report

Cloud Security Alliance. (2026, April 14). SANS Institute, Cloud Security Alliance, [un]prompted, and OWASP GenAI Security Project release emergency strategy briefing as AI-driven vulnerability discovery compresses exploit timelines from weeks to hours. https://cloudsecurityalliance.org/press-releases/2026/04/14/sans-institute-cloud-security-alliance-un-prompted-and-owasp-genai-security-project-release-emergency-strategy-briefing-as-ai-driven-vulnerability-discovery-compresses-exploit-timelines-from-weeks-to-hours

Computing. (2026, April 10). Claude Mythos Preview shows “unprecedented” attack capability, warns AI Safety Institute. https://www.computing.co.uk/news/2026/security/claude-mythos-preview-shows-unprecedented-attack-capability

CSO Online. (2026, April 15). Behind the Mythos hype, Glasswing has just one confirmed CVE. https://www.csoonline.com/article/4159617/behind-the-mythos-hype-glasswing-has-just-one-confirmed-cve.html

CNBC. (2026, April 10). Man arrested after Sam Altman’s house hit with Molotov cocktail, OpenAI headquarters threatened. https://www.cnbc.com/2026/04/10/sam-altman-house-hit-with-molotov-cocktail-openai-office-threatened.html

CNBC. (2026, April 11). OpenAI identifies security issue involving third-party tool, says user data was not accessed. https://www.cnbc.com/2026/04/11/openai-identifies-security-issue-involving-third-party-tool.html

Elastic Security Labs. (2026, April). Inside the Axios supply chain compromise: One RAT to rule them all. https://www.elastic.co/security-labs/axios-one-rat-to-rule-them-all

GuardianMSSP. (2026, April 14). AI-driven Pushpaganda scam exploits Google Discover to spread scareware and ad fraud. https://www.guardianmssp.com/2026/04/14/ai-driven-pushpaganda-scam-exploits-google-discover-to-spread-scareware-and-ad-fraud/

Infosecurity Magazine. (2026, April 15). Systemic flaw in MCP protocol could expose 150 million downloads. https://www.infosecurity-magazine.com/news/systemic-flaw-mcp-expose-150/

INSEAD. (2026, April 14). INSEAD and KPMG launch global AI Board Governance Principles as AI reshapes board oversight. https://www.insead.edu/news/insead-and-kpmg-launch-global-ai-board-governance-principles-ai-reshapes-board-oversight

KPMG International. (2026, April 14). KPMG and INSEAD launch global AI Board Governance Principles as AI reshapes board oversight. https://kpmg.com/xx/en/media/press-releases/2026/04/kpmg-and-insead-launch-global-ai-board-governance-principles.html

OpenAI. (2026, April 14). Trusted access for the next era of cyber defense. https://openai.com/index/scaling-trusted-access-for-cyber-defense/

OX Security. (2026, April 15). The mother of all AI supply chains: Critical, systemic vulnerability at the core of Anthropic’s MCP. https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/

Plural Policy. (2026, April). AI Governance Watch: Nineteen new AI bills passed into law. https://pluralpolicy.com/blog/the-ai-governance-watch-april-2026-nineteen-new-ai-bills-passed-into-law/

SiliconANGLE. (2026, April 14). OpenAI launches GPT-5.4-Cyber model for vetted security professionals. https://siliconangle.com/2026/04/14/openai-launches-gpt-5-4-cyber-model-vetted-security-professionals/

Sysdig. (2026, April). Marimo OSS Python notebook RCE: From disclosure to exploitation in under 10 hours. https://www.sysdig.com/blog/marimo-oss-python-notebook-rce-from-disclosure-to-exploitation-in-under-10-hours

The Hacker News. (2026, April 14). AI-driven Pushpaganda scam exploits Google Discover to spread scareware and ad fraud. https://thehackernews.com/2026/04/ai-driven-pushpaganda-scam-exploits.html

The Hacker News. (2026, April). Marimo RCE flaw CVE-2026-39987 exploited within 10 hours of disclosure. https://thehackernews.com/2026/04/marimo-rce-flaw-cve-2026-39987.html

The Hacker News. (2026, April). OpenAI revokes macOS app certificate after malicious Axios supply chain incident. https://thehackernews.com/2026/04/openai-revokes-macos-app-certificate.html

The Register. (2026, April 15). Anthropic’s Project Glasswing CVE count is still guesswork. https://www.theregister.com/2026/04/15/project_glasswing_cves/

Troutman Pepper Locke. (2026, April 13). Proposed state AI law update: April 13, 2026. https://www.troutmanprivacy.com/2026/04/proposed-state-ai-law-update-april-13-2026/

Washington Post. (2026, April 13). Man accused in Molotov cocktail attack of OpenAI CEO’s home charged with attempted murder. https://www.washingtonpost.com/business/2026/04/13/chatgpt-sam-altman-fire-arrest/098c4bce-376c-11f1-90c4-9772c7fabc03_story.html