Your AI agents are about to get a lot more scrutiny. NIST dropped a Request for Information this week, asking the industry how to secure systems that can take autonomous actions affecting the real world. Meanwhile, a maximum-severity vulnerability in a popular workflow automation platform reminded everyone that AI tooling inherits all the security baggage of traditional software plus new attack surfaces nobody fully understands yet.

This week delivered a concentrated dose of reality for anyone running AI systems in production. The federal government signaled serious intent to develop security guidelines for agentic AI. Researchers demonstrated a new supply chain attack pattern against model repositories. Malicious browser extensions stole conversations from ChatGPT and DeepSeek users. And the annual crop of 2026 predictions painted a picture of deepfake-powered fraud that will test every identity verification system you have.

Share

1. NIST Requests Industry Input on Securing AI Agent Systems

The National Institute of Standards and Technology’s Center for AI Standards and Innovation published a Request for Information on January 8 seeking public comment on practices for securing AI agent systems. The RFI focuses specifically on autonomous systems capable of taking actions that impact real-world environments. NIST gave stakeholders 60 days to respond, with comments due March 9, 2026 (Federal Register).

The document identifies three primary risk categories: adversarial attacks during training or inference, including prompt injection, models with intentionally placed backdoors, and uncompromised models that pursue misaligned objectives. NIST’s own research has already demonstrated vulnerabilities to agent hijacking.

Why it matters

• Federal guidance on agentic AI security will set the baseline for enterprise adoption standards.

• The 60-day comment period creates a narrow window for vendors to shape requirements that will affect their products.

• NIST explicitly called out the gap between traditional cybersecurity best practices and the unique challenges of autonomous AI systems.

What to do about it

• Submit comments by March 9 at regulations.gov under docket NIST-2025-0035 if you have experience deploying agentic systems.

• Review your existing AI deployments against the five question categories in the RFI to identify documentation gaps.

• Begin mapping your AI agent architectures to the Zero Trust and least-privilege principles NIST references as starting points.

Rock’s Musings

NIST asking industry “how do we secure these things?” tells you exactly where we are on the maturity curve. The agency that produces standards for everything from weights and measures to cryptography is essentially saying, “We need help understanding what secure even means for systems that can act on their own.”

And I’m totally OK with that. It’s a pleasant surprise after NIST IR 8596, NIST’s preliminary Cyber AI Profile, which barely mentioned “non-human.”

What I find encouraging is the specificity of the questions. They’re not asking about AI safety in the abstract. They want to know about tool restrictions, human oversight controls, and patching strategies for agents. That signals practical guidance is coming, not philosophical frameworks. If you build or deploy agentic systems, the time to engage is now, not after the guidelines drop.

2. Critical n8n Vulnerability Allows Complete Takeover of Workflow Automation Instances

Security researchers disclosed CVE-2026-21858, a maximum-severity vulnerability in n8n, the open-source workflow automation platform. The flaw carries a CVSS score of 10.0 and allows unauthenticated remote code execution on self-hosted instances. Cyera Research Labs, which discovered the vulnerability, labeled it a “worst-case scenario” finding (The Hacker News, SOCRadar).

A related vulnerability, CVE-2026-21877, enables authenticated attackers to execute arbitrary code through file write operations. Both vulnerabilities affect n8n versions 1.65 through 1.120.4. The vendor released version 1.121.0 to address the issues.

Why it matters

• n8n serves as the connective tissue for AI workflows at thousands of organizations, connecting LLMs to databases, APIs, and business systems.

• Unauthenticated RCE in workflow automation software gives attackers a pivot point to any system the platform integrates with.

• Self-hosted instances running behind corporate firewalls may have delayed patching due to assumptions about network-level protection.

What to do about it

• Patch immediately to n8n version 1.121.0 or later. Do not wait for your normal patch cycle.

• Audit your n8n integrations to understand what systems an attacker could reach if they compromised your instance.

• Review authentication configurations on all self-hosted AI workflow tools, not just n8n.

Rock’s Musings

A CVSS 10.0 in workflow automation software hits differently than the same score in a random enterprise application. These platforms connect to everything. Your databases. Your APIs. Your AI models. Whatever permissions you gave n8n to orchestrate your automations are now potentially in an attacker’s hands.

The speed of disclosure-to-exploit is getting shorter. Horizon3.ai already has a technical analysis published. If you’re running a vulnerable version and you’re reading this before patching, close this newsletter and go update. The write-up will still be here when you get back.

3. Malicious Chrome Extensions Steal ChatGPT and DeepSeek Conversations

Security researchers at Reco AI identified a campaign of malicious browser extensions targeting users of AI chatbots. The extensions, downloaded over 900,000 times, masqueraded as AI-powered productivity tools while exfiltrating user conversations with ChatGPT and DeepSeek to command-and-control servers. The campaign demonstrates attackers adapting traditional browser extension attack vectors to target AI users specifically (The Hacker News, Dark Reading).

The extensions also captured browsing data and session information. Several prominent fake extensions mimicked legitimate tools, making visual identification difficult for users.

Why it matters

• Conversations with AI assistants routinely contain proprietary code, strategic plans, and sensitive business information.

• Browser extensions operate with permissions that users rarely audit after initial installation.

• The targeting of multiple AI platforms suggests an organized interest in AI conversation data specifically, not incidental collection.

What to do about it

• Implement browser extension allow-listing for corporate-managed browsers, restricting installations to vetted tools only.

• Audit existing extensions across your user base for AI-related tools that were not centrally approved.

• Educate users that conversations with AI assistants carry the same sensitivity classification as any other data they would put in a document.

Rock’s Musings

We’ve spent years telling users not to paste sensitive data into random websites. Now they paste it into AI chatbots, which feels somehow different to them. It’s not different. If you wouldn’t email it, you shouldn’t paste it into an AI interface running through an extension you downloaded because it promised to “enhance your ChatGPT experience.”

The 900,000 download count should give every CISO pause. That’s a lot of potential corporate conversations flowing to servers you don’t control. Your acceptable use policy for AI tools needs teeth, and enforcement needs tooling that goes beyond “please don’t do that.”

4. Identity Fraud Expected to Surge as Deepfake Detection Falters

Multiple security vendors issued 2026 predictions warning that consumer-grade identity verification systems will fail against AI-generated deepfakes. Nametag’s analysis suggests organizations must shift toward hardware-based continuous identity verification as software detection proves inadequate. DeepStrike estimates the number of online deepfakes grew from 500,000 in 2023 to approximately 8 million in 2025 (HR Dive, Digit.fyi).

The National Cybersecurity Alliance’s 2026 predictions highlighted voice cloning for payment fraud and deepfake-driven business email compromise as specific attack patterns likely to accelerate.

Why it matters

• KYC and identity verification processes built on video and voice checks face fundamental reliability questions.

• Voice cloning attacks against payment authorization create liability exposure that existing fraud policies may not address.

• The gap between deepfake creation capability and detection capability continues to widen.

What to do about it

• Audit your identity verification workflows for any step that relies solely on video or voice confirmation.

• Implement out-of-band verification for high-value transactions, using channels and methods that cannot be spoofed with synthetic media.

• Review your fraud response procedures to ensure they account for scenarios where “the CEO’s voice” authorized something the CEO never requested.

Rock’s Musings

Every vendor selling identity verification is running scared right now. Their pitch used to be “we can tell the difference.” Increasingly, they can’t. The shift toward hardware-based and continuous verification isn’t an upgrade. It’s an admission that the previous generation of controls no longer works.

For security leaders, this means re-evaluating any process where identity confirmation happens through a channel an attacker could synthesize. Phone calls. Video conferences. Even recorded video for KYC. If a machine can generate it, a machine can fake it. Plan accordingly.

5. EU AI Act Countdown Intensifies as August 2026 Deadline Approaches

Legal and compliance analyses published throughout the week emphasized the approaching August 2, 2026, deadline for compliance with the EU AI Act for high-risk AI systems. Requirements include technical documentation, human oversight mechanisms, and post-market monitoring. Forbes coverage on January 8 noted the Act’s creation of harmonized rules for trustworthy AI with specific provisions for finance sector use cases like creditworthiness assessment (Forbes, Norton Rose Fulbright).

The Institute for Law and AI published research examining the regulatory pipeline flowing from the AI Act, identifying gaps between legislative intent and technical compliance capacity.

Why it matters

• Organizations with EU market exposure have roughly seven months to achieve compliance for high-risk AI systems.

• The documentation requirements demand evidence trails that most current AI deployments cannot produce retroactively.

• Compliance costs will concentrate in 2026 as organizations discover their AI governance gaps.

What to do about it

• Classify your AI systems against the EU AI Act risk categories to identify which require compliance action by August.

• Begin building documentation pipelines now. The technical documentation requirements cannot be assembled at the deadline.

• Engage legal counsel familiar with EU AI Act specifics to map your systems to regulatory obligations.

Rock’s Musings

Seven months sounds like a lot of time until you try to reverse-engineer documentation for AI systems that were deployed under “move fast” mandates. The EU AI Act requires you to show your work. Most organizations don’t have work to show.

Don’t treat August 2026 as a distant planning horizon. The organizations that will meet compliance without major disruption started their programs in 2024. Everyone else is in catch-up mode, and the consultants who actually understand this stuff are getting expensive.

6. Trend Micro Forecasts AI-Powered Scam Evolution for 2026

Trend Micro published its 2026 scam predictions on January 8, identifying AI-powered attacks as the dominant threat vector for the year. The analysis predicts scams will increasingly move across multiple platforms, with relationship and investment fraud driving the largest financial losses. Instant-payment fraud is expected to surge as attackers exploit the speed and irreversibility of modern payment systems (Trend Micro).

The report emphasizes that AI enables faster iteration on social engineering campaigns, allowing attackers to customize approaches at scale.

Why it matters

• Multi-platform attack chains complicate detection because no single security tool has visibility across all channels.

• AI-generated content allows attackers to maintain convincing personas across longer engagement periods.

• Instant payment infrastructure removes the delay that historically allowed fraud detection and reversal.

What to do about it

• Implement cross-channel monitoring for high-value account activity, particularly where multiple communication methods touch the same transaction.

• Add friction to instant payment processes for amounts above your risk threshold, even when customers prefer speed.

• Train employees and customers on the pattern of multi-platform scams, where initial contact happens separately from the financial ask.

Rock’s Musings

Trend Micro calling AI the enabler of “most scams” in 2026 is more of an observation, rather than a prediction, of what’s already happening. The scam playbooks that used to require human operators scaling slowly now run with AI assistance, customizing the pitch for each target.

The instant-payment angle worries me most. We built payment infrastructure for convenience, then forgot to build in the fraud-safety valves that legacy systems provided through delay. When the money moves in seconds, and the attacker disappears in minutes, your detection window is essentially zero.

7. Expert Panel Identifies AI Policy Stakes for 2026

Tech Policy Press published expert predictions on January 6 examining the political and legal battles that will define AI governance in 2026. Contributors identified key decision points around who controls AI development, who bears liability for AI harms, and whether regulatory efforts can keep pace with capability advancement. The analysis highlighted tension between innovation acceleration and harm prevention frameworks (Tech Policy Press).

The piece also addressed international dynamics, noting that different regulatory approaches across jurisdictions create compliance complexity for global organizations.

Why it matters

• Policy outcomes in 2026 will shape enterprise AI strategy for the next decade.

• Liability frameworks remain unsettled, creating risk exposure that security and legal teams cannot fully quantify.

• Regulatory divergence across jurisdictions increases the cost and complexity of global AI deployments.

What to do about it

• Track pending AI legislation in your primary operating jurisdictions to anticipate compliance requirements before they finalize.

• Document your AI decision-making processes now, regardless of current requirements, to create defensible records if liability standards tighten.

• Engage with industry associations providing input on AI policy to ensure practitioner perspectives reach policymakers.

Rock’s Musings

The question of who bears the cost of AI harms is one nobody wants to answer definitively because the answer has massive financial implications. Vendors want to disclaim liability. Deployers want to point at vendors. And regulators want someone accountable when things go wrong.

For security leaders, the uncertainty means building conservative records. Document everything. Capture your risk assessments. Log your decisions. When the liability framework finally crystallizes, the organizations with paper trails will be in defensible positions. The ones who moved fast and didn’t document will be writing large checks.

8. Researchers Map European AI Governance Implementation Gaps

An arXiv paper published on January 8 analyzed the regulatory pipeline from the EU AI Act to technical implementation, identifying bottlenecks between legislative requirements and the practical capacity for compliance. The “Bathtub of European AI Governance” research examines how regulatory pressure flows through guidance documents, standards bodies, and ultimately to deployed systems (arXiv).

The analysis identifies capacity constraints in standards development and gap areas where guidance does not yet provide actionable implementation pathways.

Why it matters

• Compliance depends on guidance that may not exist yet at the level of specificity implementers need.

• Standards body capacity limitations create single points of failure in the regulatory ecosystem.

• Early adopters face uncertainty about whether current implementations will satisfy requirements as guidance evolves.

What to do about it

• Monitor European standards body publications, particularly harmonized standards referenced in AI Act compliance documentation.

• Build flexibility into your compliance architecture to accommodate guidance changes without complete reimplementation.

• Participate in standards development processes where your organization has relevant expertise to contribute.

Rock’s Musings

Academics calling it the “bathtub model” is apt. Everything is supposed to flow from high-level requirements down through standards and into implementation. The problem is the pipes are clogged. Standards bodies don’t have the capacity to produce guidance fast enough, and practitioners are left implementing against requirements that don’t yet have actionable specifications.

For those of us building compliance programs, this means accepting some uncertainty. You’re implementing against moving targets. Build modular. Document your interpretations. And stay close to the standards development process so you see changes coming before they arrive.

9. AI Supply Chain Visibility Challenges Demand New Approaches

VentureBeat published an analysis on January 2 examining the seven steps organizations need to achieve AI supply chain visibility. The article highlighted limitations of traditional Software Bills of Materials for AI systems and emphasized Hugging Face’s response protocols as a case study in model repository security. The JFrog 2025 Software Supply Chain Report noted over 1 million new models added to Hugging Face in 2024, with a 6.5x increase in malicious model detections (VentureBeat).

The analysis also addressed sovereign AI deployment considerations where regulatory requirements restrict model provenance.

Why it matters

• Traditional software composition analysis tools do not capture AI model dependencies and provenance.

• The volume of models on public repositories overwhelms manual security review processes.

• Malicious model growth outpaces improvements in detection capability.

What to do about it

• Implement model provenance tracking that captures origin, training data sources, and modification history for all models entering your environment.

• Evaluate models from public repositories against the same third-party risk criteria you apply to software vendors.

• Build or acquire capability to scan models for known malicious patterns before deployment.

Rock’s Musings

A 6.5x increase in malicious model detections tells you exactly what’s happening. Attackers figured out that Hugging Face is the npm of the AI world, and they’re applying the same supply chain poisoning techniques that worked against package managers.

The SBOM problem for AI is real. We don’t have standardized ways to describe what’s inside a model, where it came from, or what it’s capable of. Until we solve that, every model download is a trust decision you’re making with incomplete information. Treat it accordingly.

10. Criminals Adopt “Vibe-Coding” Approach to AI-Assisted Malware Development

The Register reported on January 8 that threat actors are increasingly using AI tools to develop malware through an iterative “vibe-coding” approach. The technique involves using AI assistants to generate code fragments, test them, and refine based on results without requiring deep programming expertise. Security researchers note this lowers the barrier to malware creation while also introducing unique vulnerabilities into AI-assisted code (The Register).

The same AI security weaknesses that affect legitimate development, including prompt injection and model manipulation, also affect criminal use cases.

Why it matters

• AI tools democratize malware creation, expanding the pool of potential threat actors.

• AI-generated malware may exhibit novel patterns that signature-based detection misses.

• Ironically, AI-assisted criminal development introduces the same security flaws as legitimate AI-assisted development.

What to do about it

• Update threat models to account for increased attacker capability across skill levels.

• Evaluate whether your detection tools can identify AI-generated code patterns.

• Consider how AI-assisted attack development changes the speed at which new variants emerge.

Rock’s Musings

The “vibe-coding” term is perfect because it captures exactly what’s happening. Attackers don’t need to understand buffer overflows or memory management. They describe what they want, iterate until it works, and deploy. The competence barrier that used to filter out less-skilled attackers has disappeared.

The silver lining, if you can call it that, is that AI-generated malware often carries the same bugs as AI-generated legitimate code. Sloppy logic. Security anti-patterns. Sometimes the malware is detectable specifically because it looks AI-generated. Cold comfort, but a useful signal if your detection teams know what to look for.

The One Thing You Won’t Hear About But You Need To

AI Model Confusion: A Supply Chain Attack Pattern Targeting Model Repositories

Checkmarx Zero published research on January 6 demonstrating “AI Model Confusion,” a supply chain attack pattern targeting model registries like Hugging Face. The technique applies concepts from traditional package manager attacks on dependency confusion to AI model downloads. When organizations configure model paths that check private repositories before falling back to public sources, attackers can register malicious models with matching names on public repositories to achieve code execution (Checkmarx).

The attack exploits the trust_remote_code=True parameter commonly enabled for model loading. When this parameter is set, the Python code bundled with a model is executed automatically during loading. A malicious actor who successfully confuses the model resolution path gains code execution on any system that loads their poisoned model.

Why it matters

• Most organizations have not applied the lessons from npm and PyPI supply chain attacks to their AI model acquisition processes.

• The attack requires no vulnerability exploitation. It leverages intended functionality in how model loaders resolve dependencies.

• Detection is difficult because the malicious model passes all the functional checks a legitimate model would pass.

What to do about it

• Audit your model loading configurations for any use of trust_remote_code=True and implement explicit allow-listing for trusted sources.

• Configure model resolution to use fully qualified paths that cannot be confused with public repository names.

• Implement model hash verification against known-good values rather than relying solely on repository trust.

Rock’s Musings

This is the attack I’ve been waiting for someone to name. We knew it was coming because we’ve seen this movie before with package managers. The security community learned painful lessons about typosquatting and dependency confusion in npm, PyPI, and Maven. Now those same lessons need to be re-learned for model repositories.

The scary part isn’t that this attack exists. It’s that most organizations haven’t even started thinking about their AI supply chain with the same rigor they apply to software dependencies. When your model loading code sets trust_remote_code=True and your path resolution checks public repos, you’ve created exactly the attack surface this research describes. Assume someone will exploit it.

If you found this analysis useful, subscribe at rockcybermusings.com for weekly intelligence on AI security developments.

👉 Visit RockCyber.com to learn more about how we can help you in your traditional Cybersecurity and AI Security and Governance Journey

👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com

👉 Subscribe for more AI and cyber insights with the occasional rant.

Share

References

Checkmarx. (2026, January 6). AI model confusion: An LLM/AI model supply chain attack. https://checkmarx.com/zero-post/hugs-from-strangers-ai-model-confusion-supply-chain-attack/

Digit.fyi. (2026, January 8). Identity fraud set to explode in 2026, warn security pros. https://www.digit.fyi/identity-fraud-set-to-explode-in-2026-warn-security-pros/

Forbes. (2026, January 8). The expanding role of AI in global markets. https://www.forbes.com/councils/forbestechcouncil/2026/01/08/the-expanding-role-of-ai-in-global-markets/

HR Dive. (2026, January 6). Fraud attacks expected to ramp up in AI ‘perfect storm’. https://www.hrdive.com/news/fraud-attacks-expected-ramp-up-amid-ai-perfect-storm/808895/

National Institute of Standards and Technology. (2026, January 8). Request for information regarding security considerations for artificial intelligence agents (Document No. 2026-00206). Federal Register. https://www.federalregister.gov/documents/2026/01/08/2026-00206/request-for-information-regarding-security-considerations-for-artificial-intelligence-agents

Norton Rose Fulbright. (2026, January 6). How businesses can thrive under the EU’s AI Act. https://www.nortonrosefulbright.com/en/knowledge/publications/228538a2/preparing-for-change-how-businesses-can-thrive-under-the-eus-ai-act

Reco AI. (2026, January 6). Fake AI browser extensions target ChatGPT and DeepSeek users. Dark Reading.

https://www.darkreading.com/

SOCRadar. (2026, January 7). CVE-2026-21877: Max-severity n8n flaw allows authenticated RCE. https://socradar.io/blog/cve-2026-21877-n8n-authenticated-rce/

Tech Policy Press. (2026, January 6). Expert predictions on what’s at stake in AI policy in 2026. https://www.techpolicy.press/expert-predictions-on-whats-at-stake-in-ai-policy-in-2026

The Hacker News. (2026, January 8). Critical n8n vulnerability (CVSS 10.0) allows unauthenticated RCE. https://thehackernews.com/2026/01/critical-n8n-vulnerability-cvss-100.html

The Register. (2026, January 8). Criminals use AI for ‘vibe-coding’ malware development.

https://www.theregister.com/

Trend Micro. (2026, January 8). Scams in 2026: Trend Micro’s predictions for what’s coming next. https://news.trendmicro.com/en-au/2026/01/08/scams-in-2026-trend-micros-predictions-for-whats-coming-next/

VentureBeat. (2026, January 2). Seven steps to AI supply chain visibility.

https://venturebeat.com/

arXiv. (2026, January 8). The bathtub of European AI governance: Identifying implementation gaps. https://arxiv.org/html/2601.04094v1