Weekly Musings Top 10 AI Security Wrapup: Issue 33 April 3-April 9, 2026
AI’s Dual-Use Reckoning: Restricted Models, Supply Chain Fallout, and the Governance Gap Nobody Is Closing
Two of the three largest AI labs announced restricted-access cybersecurity models on the same day. A supply chain attack that started 10 days ago cost an AI startup its $10 billion contract with Meta. Nineteen new AI laws were signed across America in two weeks. Multiple independent research reports confirmed most enterprises have no idea what their AI agents are doing right now. The dual-use reckoning is no longer a future event. This week it produced products, paused contracts, and named casualties.
The week’s dominant pattern: the industry is admitting, out loud, that its most capable models are too dangerous to ship without restrictions. Meanwhile, the governance infrastructure meant to keep pace with AI deployment is running badly behind. Government employees are using GenAI tools daily at an 82% adoption rate on systems that remain vulnerable to prompt injection attacks documented in 2023. FedRAMP, the federal program enterprise CISOs treat as a security attestation, is operating as what former employees call a rubber stamp. The gap between AI capability and AI governance did not close this week. It widened, with better documentation.
1. Anthropic locks its most powerful model behind a 50-partner gate
On April 7, Anthropic announced Project Glasswing, a controlled-access program giving approximately 50 organizations early access to Claude Mythos Preview (Fortune, TechCrunch). Partner organizations include Amazon Web Services, Apple, Cisco, CrowdStrike, Google, JPMorgan Chase, Microsoft, and Nvidia, plus roughly 40 organizations responsible for critical software infrastructure. Anthropic described Mythos as “by far the most powerful AI model” it has ever created, with exceptional capabilities in autonomous coding and cybersecurity tasks. The company acknowledged the model’s capabilities “could be weaponized by attackers” and stated it has no plans for general availability until new safeguards are established.
Why it matters
This is the first time a major AI lab has built a commercial product strategy explicitly around restricting access due to offensive cyber capability. The precedent matters more than the model.
Every enterprise security team outside the 50-partner cohort is now competing against organizations with months of head start deploying the most capable defensive AI available.
The partner list reads as the critical infrastructure vendor stack. If Mythos finds vulnerabilities before general availability, defenders benefit. If the model leaks before that happens, the calculus reverses.
What to do about it
Assess now whether your organization qualifies for Glasswing access or partnership with one of the 50 current participants. Waiting for general availability puts you behind.
Build your responsible AI deployment policy before your board asks you to justify restricted model use. The framework you create for Mythos applies to every dual-use model that follows.
Read Anthropic’s stated rationale carefully. It functions as a working template for your own internal policies on AI capability gating.
Rock’s Musings
I’ve watched this industry congratulate itself on “responsible AI release” for years without actually restricting access to anything dangerous. Anthropic did something different this week. It built a product designed to stay out of the wrong hands and publicly named the hands it’s trusting. Anthropic made a liability calculation public and called it product strategy.
What I want to know is how they enforce it. Fifty organizations sharing API access, running evals, and passing findings back sounds clean in the press release. In practice, you’re dealing with 50 separate security cultures, 50 different interpretations of “defensive use,” and 50 sets of employees who walk out the door with operational knowledge. The kill switch isn’t in the contract. It’s in the monitoring. I’d love to see the audit framework Anthropic built to go with this, because without it, Project Glasswing is a hope, not a control.
2. OpenAI, Anthropic, and Google share intelligence to stop Chinese model distillation
On April 6-7, Bloomberg and The Japan Times reported that OpenAI, Anthropic, and Google are sharing attack pattern data through the Frontier Model Forum to detect and block adversarial distillation attempts by Chinese AI companies. Three firms were named: DeepSeek, Moonshot AI, and MiniMax. The coordinated effort focuses on detecting when frontier model outputs are being used to train competing models without authorization. The Forum, established in 2023 for safety coordination, now functions as an active competitive intelligence sharing network.
Why it matters
Three competing companies sharing security intelligence without a government mandate represents a structural shift in how the industry protects IP. Watching the next DeepSeek emerge on stolen training signal was apparently less appealing than coordinating with rivals.
This sets a precedent for industry-led AI IP enforcement that regulators haven’t built yet. Policymakers will either ratify or complicate what the Forum is quietly doing.
For enterprise buyers, this coordination signals frontier model providers now treat IP integrity as shared infrastructure, which is reassuring until you realize your own model training pipelines may need similar monitoring.
What to do about it
Audit your AI vendor contracts for provisions covering how your organization’s data and API interactions are used. The Forum’s distillation concerns apply downstream to enterprise deployments.
Ask vendors directly what controls they have in place to detect adversarial use of their model outputs. Most aren’t ready for the question.
Watch the Frontier Model Forum’s governance structure. Three companies sharing threat intelligence today is a small coalition. In two years it becomes the de facto standard for AI security coordination.
Rock’s Musings
Three direct competitors sharing security intelligence tells you the distillation problem is worse than any of them want to admit publicly. DeepSeek’s emergence was the wake-up call: model training shortcuts were further along than anyone expected. The Forum is doing what the industry always resists, treating a shared problem as a shared problem.
What nobody says out loud is that adversarial distillation runs through enterprise deployments too. When your employees push 10,000 API calls through GPT-5.3 or Claude Mythos to build an internal tool, those outputs sit somewhere. The providers are focused on Chinese actors right now. The same technique scales to every bad actor with API access. Build that assumption into your threat model before someone builds a business around exploiting it.
3. Meta freezes its $10 billion Mercor contract after the LiteLLM supply chain breach
On April 4, The Next Web and Fortune confirmed Meta paused its contract with Mercor, a $10 billion AI training data company whose customers include Anthropic, OpenAI, and Meta (The Next Web, Fortune). The pause followed a March 27 attack in which threat group TeamPCP published malicious PyPI packages for LiteLLM, a widely used open-source AI gateway library, after stealing a maintainer credential through an earlier Trivy supply chain compromise. The tainted packages were live for roughly 40 minutes. Mercor confirmed it was among “thousands” of affected organizations. Lapsus$ claimed responsibility and possession of 4TB of Mercor data including source code, databases, and VPN credentials. Google Mandiant reported over 1,000 impacted SaaS environments at RSAC 2026.
Why it matters
A 40-minute PyPI window produced a paused $10 billion contract. That ratio of exposure time to business consequence should recalibrate how you think about open-source AI supply chain risk.
Meta’s pause affects AI training pipelines, not software. Training data provenance, labeling protocols, and selection criteria worth billions in R&D may now be in hostile hands.
TeamPCP’s chained attack, Trivy to LiteLLM, demonstrates adversaries are mapping AI infrastructure dependency graphs specifically to maximize downstream blast radius.
What to do about it
Inventory open-source AI libraries in your production environment immediately. LiteLLM and similar tools are in most ML and security pipelines.
Require software bills of materials for AI infrastructure. You need to know which versions of which AI libraries are running in production, with provenance attestation for critical packages.
Brief your CISO and CTO on the chained supply chain model. TeamPCP demonstrated that AI library ecosystems are attack surfaces with compounding impact.
Rock’s Musings
Forty minutes. That’s how long it takes to turn a credential theft into a paused $10 billion contract. The security community debates sophisticated nation-state tactics while basic supply chain hygiene stays on the backlog. LiteLLM is in everything. If you’re running AI in production and can’t tell me which version is deployed or whether it was compromised, you have a problem you haven’t measured yet.
The Meta piece is what keeps me up. Their AI training secrets, data selection criteria, and labeling methodology in hostile hands gives a competitor a two-year shortcut on billions in R&D. A breach in the traditional sense costs you records. This one costs you competitive advantage. Your AI supply chain carries security risk and strategic risk simultaneously. Start treating both.
4. Keeper Security: 76% of AI agents operate outside privileged access policies
Keeper Security released a survey of 109 cybersecurity professionals at RSAC 2026 on April 7, revealing that 46% of organizations have granted AI-powered tools access to critical systems and data, with 76% of those identities ungoverned under privileged access management policies (Keeper Security, BetaNews). Only 28% report full visibility into non-human identities across cloud, on-premises, and SaaS environments. Over 40% experienced a security incident involving machine credentials or non-human identities in the past year. Another 32% couldn’t confirm whether they’d been hit.
Why it matters
AI agents operate as de facto privileged users in most enterprise environments, without the monitoring, credential rotation, or access controls applied to humans with equivalent permissions.
The 32% who can’t confirm NHI-related incidents are running blind. An agent with write access to email, code repositories, and collaboration tools that you can’t monitor is an insider threat waiting for attribution.
Traditional PAM tools were built for human users and won’t stretch to cover autonomous agents at scale without architectural change.
What to do about it
Extend your privileged access management program explicitly to cover AI agents, service accounts, and API keys. Treat an AI agent with production database access the same way you treat a privileged database administrator.
Mandate credential rotation and access logging for every non-human identity. If you can’t name every agent with write access to email or code right now, that gap is your first priority.
Ask your PAM vendor this week whether their product covers non-human identities natively. Many don’t, and most won’t tell you that unprompted.
Rock’s Musings
Here’s the pattern showing up in research right now: organizations rush to deploy AI agents, grant them sweeping access to prove the use case, then spend the next 18 months trying to reconstruct what those agents touched. That’s the same mistake we made with cloud infrastructure in 2013. We provisioned everything with admin keys because it was faster and cleaned it up later. “Later” is still ongoing for most enterprises.
The 32% who aren’t sure about NHI incidents are the most honest number in the Keeper report. Detecting agent-related incidents requires logging you likely haven’t enabled, correlation rules you haven’t built, and a behavioral baseline you haven’t established. Before you deploy the next AI agent, ask your team to demonstrate they can detect one behaving badly. If they can’t show you in a live demo, slow down.
5. Salt Security: nearly half of enterprises are blind to their AI agents’ API traffic
Salt Security published its 1H 2026 State of AI and API Security Report on April 8, surveying over 300 security leaders (Salt Security). Key findings: 48.9% of organizations cannot monitor machine-to-machine traffic from autonomous agents, and 48.3% cannot distinguish legitimate AI agents from malicious bots in their API traffic. Only 23.5% of respondents rate their existing tools as “very effective” against AI-driven attacks. An additional 47% have delayed production releases because of security concerns about APIs exposed to autonomous systems, meaning the gap is surfacing in shipping decisions, not survey responses alone.
Why it matters
Your API gateway is your AI agent’s operational layer. No visibility into that traffic means no indication of whether your agents are working as designed, being abused, or actively exfiltrating data.
The bot detection problem is concrete. Attackers are masquerading autonomous tools as legitimate agent traffic. Without behavioral baselines for your own agents, there’s no way to tell the difference.
Legacy web application firewalls were built for human browsing patterns. AI agent traffic looks nothing like that, making existing perimeter controls largely irrelevant to this threat class.
What to do about it
Inventory every API your AI agents call in production. Map expected request patterns, volumes, and data flows to establish a behavioral baseline for detecting deviations.
Evaluate whether your API security tooling supports non-human identity traffic analysis. If the vendor demo focuses on OWASP Top 10 for human users, it’s the wrong tool for this problem.
Build rate limiting and anomaly detection specifically for agent API traffic. An agent calling APIs at 658 times normal frequency because of a malicious MCP server injection is a documented attack pattern from this week’s research.
Rock’s Musings
Half your enterprise has zero visibility into what their AI agents are doing on the wire. You spent years building SOC capabilities, deploying SIEMs, tuning correlation rules, integrating threat intelligence feeds. Then you deployed AI agents that operate through an entirely different channel that bypasses all of it. The old security stack can’t see the new threat surface.
The market hasn’t caught up. Most API security vendors will confidently tell you their product handles agentic traffic. Ask them to demo detection of an agent that’s been redirected by a malicious MCP server. Watch the room go quiet. Ongoing analysis of where the real gaps are lives at RockCyber Musings. The gap between “we have API security” and “we can detect compromised agent behavior” is wider than most boards realize.
6. RSAC 2026: attackers move laterally in 22 seconds while defenders plan in minutes
At RSA Conference 2026 on April 3, Google Mandiant’s Consulting CTO Charles Carmakal told reporters that the median time from initial access to secondary lateral movement has dropped from 8 hours to 22 seconds, making human-only incident response structurally impossible at those speeds (SiliconAngle, Dark Reading). IBM’s Mark Hughes called post-quantum migration an immediate operational priority, noting three finalized NIST post-quantum encryption standards are available now with adoption remaining low. The conference’s dominant theme was agentic AI’s dual role: attackers using autonomous tools to accelerate campaigns while defenders attempt to use the same tools to keep pace.
Why it matters
A 22-second lateral movement window eliminates the human-in-the-loop response model. Your SOC procedures assume minutes. Your threat actors operate in seconds. That gap is where incidents become breaches.
Post-quantum urgency moved from theoretical concern to present operational priority at RSAC. Three finalized NIST standards exist today. Any organization with long-lived encrypted data needs a migration timeline now.
The agentic AI identity theme at RSAC confirmed the industry has aligned around non-human identities as the defining security challenge of the next 24 months.
What to do about it
Test your incident response playbooks against a 22-second lateral movement scenario. If your playbook assumes human review before containment actions, it needs a machine-speed trigger layer.
Publish a post-quantum migration roadmap internally before your next board meeting. “We’re monitoring it” is no longer a defensible position when finalized standards exist.
Pull one CISO peer debrief from RSAC this month. Hallway intelligence from that conference is often more actionable than the keynote content.
Rock’s Musings
Twenty-two seconds. The number got nodding agreement in San Francisco, then people walked into vendor booths and looked at detection tools that still alert in minutes. The gap between attacker speed and defender speed is the core problem of modern security, measured in the wrong units for years. When the unit is seconds, your SIEM alert queue is not a security control. It’s a log archive with a UI.
The quantum conversation shifted at RSAC from awareness to urgency, and the shift is warranted. “Harvest now, decrypt later” is a real operation: adversaries collecting encrypted traffic today and storing it for the day quantum breaks the key. If you have long-lived secrets, your CTO’s timeline estimate is probably too generous. RockCyber has been running post-quantum migration frameworks for clients since last year. Most enterprise conversations are still stuck on the awareness slide.
7. Nineteen AI laws signed in two weeks: chatbot liability, healthcare disclosure, private right of action
On April 6, PluralPolicy reported that 19 new AI laws were signed in the preceding two weeks, bringing the 2026 total to 25 enacted laws with 27 additional bills having cleared both legislative chambers (PluralPolicy, Troutman Pepper Locke). Tennessee, Oregon, and Idaho signed chatbot regulation bills during the week of April 3-9. Oregon’s law includes a private right of action with statutory damages. Utah signed 8 bills covering AI literacy requirements, classroom restrictions, deepfake intimate image bans, and insurance transparency mandates. Massachusetts, Rhode Island, and South Carolina moved healthcare AI bills out of committee, with Rhode Island’s version requiring healthcare providers to inform patients when AI is involved in their care.
Why it matters
Chatbot liability laws with private right of action create litigation exposure your legal team needs to model before the next customer-facing AI deployment goes live. Oregon’s law is already in effect.
The geographic spread creates a patchwork compliance problem with no federal preemption in sight. Your AI product team is shipping into 50 different state frameworks that change weekly.
Healthcare AI disclosure requirements set a transparency floor that buyers, patients, and regulators will increasingly apply across other sectors.
What to do about it
Map your current AI deployments against emerging state chatbot disclosure and liability requirements immediately. Oregon’s private right of action is live and applies now.
Brief your GC and CMO together. AI product launches carry legal exposure marketing teams don’t typically model, and chatbot liability surfaces in headlines, not just settlement columns.
Build a state AI law tracking function into your compliance program. Static annual reviews don’t work when the law count moves by double digits in two weeks.
Rock’s Musings
When I tell clients that AI regulation is coming, I usually get a polite nod and a “we’ll handle it when we have to.” Twenty-five enacted laws in 2026 with the year barely three months old. Oregon telling enterprises their customers can sue with statutory damages when a chatbot fails to identify itself. Regulation isn’t coming. It’s been here for two weeks.
The private right of action piece is what executives aren’t tracking closely enough. FTC enforcement requires agency resources and case selection. Private litigants require only a lawyer and a grievance. If your customer-facing AI system fails to disclose its nature and a user in Oregon has a bad experience, you have a plaintiff class with no regulatory gatekeeping standing between that plaintiff and your legal team. Build that into your AI deployment approval checklist before the next product launch.
8. OpenAI readies its own restricted cybersecurity model the same day as Anthropic
On April 9, Axios broke the news that OpenAI is finalizing a cybersecurity product for restricted release through its Trusted Access for Cyber pilot program (Axios, Security Boulevard). The model, built on GPT-5.3-Codex, is described by OpenAI as “our most cyber-capable frontier reasoning model to date.” OpenAI committed $10 million in API credits to pilot participants at the February program launch. The Axios scoop published the same day as broad coverage of Anthropic’s Project Glasswing, with multiple security reporters noting two competing labs had each moved to restrict their most capable cyber models on the same day.
Why it matters
Two frontier labs restricted their most capable cybersecurity models on the same day. Whether coordinated or coincidental, the signal is identical: the industry has reached a shared threshold assessment of offensive AI capability.
The OpenAI pilot started in February. Participants are already months ahead on advanced defensive AI adoption. Enterprise buyers outside the program are behind.
GPT-5.3-Codex positioned as an autonomous vulnerability researcher represents a qualitative shift in what AI security tools can do. Your red team needs exposure to this capability level before attackers deploy it against you.
What to do about it
Apply to OpenAI’s Trusted Access for Cyber program today. Not applying guarantees exclusion.
Treat the simultaneous OpenAI and Anthropic announcements as an inflection point in your AI security roadmap. Model access strategy is now a CISO decision, not a procurement question.
Start a conversation with your red team about what AI-assisted penetration testing looks like inside your environment. The offensive tools are being built. Defensive capabilities need to keep pace.
Rock’s Musings
Two companies, same day, both announcing restricted access to their most capable cyber models. In thirty years I’ve never seen two direct competitors make functionally identical risk disclosures simultaneously without prior coordination. Either the Frontier Model Forum conversation from earlier in the week triggered parallel announcements, or both teams hit the same risk threshold independently. Neither explanation is entirely comforting, because it means the models in question worry the people who built them.
Here’s what this week’s announcements tell me: the dual-use problem is no longer an abstract ethics debate. It’s a product management constraint. The labs are building features that concern them enough to restrict access. That’s progress, because it means honest risk assessment is making it into the room where launch decisions happen. Build that same instinct into your own AI deployment process.
9. Government GenAI hits 82% daily adoption with prompt injection attacks still unaddressed
On April 9, Help Net Security published Center for Internet Security analysis showing 82% of state and territorial government employees now use GenAI tools daily, up from 53% the year prior (Help Net Security, Center for Internet Security). CIS cited prompt injection as the primary unaddressed vulnerability in that deployment base, distinguishing two attack categories: direct injection where users attempt to bypass safety guidelines, and indirect injection where attackers embed malicious instructions in external content such as documents, webpages, or emails the agent processes. Incidents cited include a code assistant that transmitted AWS API keys to an external server after processing hidden instructions, and the GeminiJack attack that exploited enterprise data sources to trigger data exfiltration.
Why it matters
Government employees are generating official outputs using AI that remains manipulable through documents those systems process. A single malicious PDF submitted through a government portal can redirect an agent’s behavior.
Deployment outpaced security controls by a wide margin. State and local government security teams were not staffed or funded to keep pace with that adoption curve.
Prompt injection in government contexts is a policy integrity issue, not a privacy issue. An AI assistant that processes manipulated input and produces a compromised output informing a real government decision is a governance failure with material real-world consequences.
What to do about it
Require any GenAI deployment processing external documents, emails, or web content to implement input sanitization and instruction-boundary enforcement. Your AI shouldn’t follow commands embedded in documents it summarizes.
Test your enterprise AI deployments against indirect prompt injection scenarios before the next rollout. The attack is not sophisticated. The absence of testing is the problem.
Report AI usage rates alongside security control maturity to your board. An 82% adoption rate combined with 7% real-time governance effectiveness, the number from Cybersecurity Insiders research, belongs on a risk register.
Rock’s Musings
A government employee pastes a document into an AI assistant, and that document silently redirects the assistant to send AWS credentials to an external server. An attack category from 2023 that government AI deployments in 2026 still haven’t addressed, running at 82% daily adoption. The attack surface grew to near-universal usage while the defense posture stayed at “we have an acceptable use policy.”
Government IT security teams are underfunded, understaffed, and now responsible for securing AI deployments at a scale they didn’t request and weren’t resourced for. Before the next state AI bill gets signed requiring healthcare providers to disclose AI use to patients, lawmakers should ask how they’re funding the security infrastructure to keep those same deployments from being turned against the citizens they’re meant to serve.
10. OpenAI’s national security lead says humans must stay in the loop for defense decisions
At a Special Competitive Studies Project conference on April 9, Sasha Baker, OpenAI’s head of national security policy, stated that defense personnel need a “workforce transformation” to apply “appropriate human judgment” when AI informs national security operations (Nextgov). Baker noted no current large language model is foolproof, and incorrect AI-driven decisions in defense contexts carry “much greater” consequences. She tied the statement to OpenAI’s pre-deployment safety reviews and the controlled rollout of models including GPT-5.3-Codex, the same model featured in the restricted cybersecurity announcement reported the same day.
Why it matters
OpenAI’s national security lead publicly endorsed human-in-the-loop for defense decisions in the same week the company announced its most capable autonomous cyber model. That tension deserves examination in your own governance policies.
“Workforce transformation” is a budget line, not a strategy. Organizations deploying AI in sensitive contexts need explicit training, decision authority maps, and accountability structures for human oversight.
Baker’s statement creates a public record regulators and litigants can reference when evaluating whether organizations maintained adequate human oversight in AI-assisted decisions.
What to do about it
Map every AI-assisted decision in your organization where error consequences are asymmetric. Finance, safety, hiring, and security operations are the obvious categories. Build human override requirements into the workflow before the system goes live.
Assess your “workforce transformation” budget. Deploying AI in high-stakes contexts without investing in training humans to supervise it transfers the liability Baker is explicitly naming.
Document your human oversight model for AI decisions affecting personnel, customers, or critical systems. When the inevitable incident arrives, regulators will ask whether oversight was designed in from the start or retrofitted after the fact.
Rock’s Musings
OpenAI hired a national security lead. That person is publicly calling for human judgment to override AI in defense decisions. In the same week OpenAI announced a restricted-access autonomous hacking model. If that pairing doesn’t communicate the gap between capability development speed and governance readiness, nothing will.
I’ve run security operations for thirty years, and the hardest thing to get organizations to do is slow down, especially when a competitor is moving fast. Baker’s statement is a reminder that speed without oversight produces accountability gaps that become congressional hearings. The enterprises that build human oversight structures now are the ones that avoid spending 2027 explaining to a federal committee why their AI made a decision that hurt someone.
The One Thing You Won’t Hear About But You Need To
FedRAMP is a rubber stamp and the AI vendors deploying through it know it
On April 6, ProPublica published a detailed investigation examining three cautionary tales from the federal government’s rush to AI adoption (ProPublica). The most damaging finding: FedRAMP, the federal security authorization program enterprise CISOs treat as a validation signal for cloud products, is now described by former employees as “little more than a rubber stamp.” The program operates with minimal staff, overwhelmed by vendor volume. Third-party assessors who evaluate cloud providers for FedRAMP authorization are paid by the companies they assess. FedRAMP established a confidential back channel for assessors to raise concerns they wouldn’t document in official reports. Microsoft used timeline pressure and volume to effectively compress the GCC High approval process.
Why it matters
FedRAMP authorization signals to enterprise buyers that a product meets federal security standards. A degraded signal means every procurement decision relying on it as a security input draws from a compromised source.
The paid-by-vendor assessor model creates structural incentives to under-report findings. The unofficial back channel means the official report is not the complete picture.
Federal AI deployment at 82% daily government usage rates, built on FedRAMP authorizations produced under these conditions, is a systemic governance failure, not an isolated product risk.
What to do about it
Stop treating FedRAMP authorization as a complete security evaluation for AI products. Use it as a starting point, then conduct your own targeted assessment focused on AI-specific risks the framework wasn’t designed to evaluate.
Ask AI vendors directly whether their FedRAMP assessment surfaced any findings submitted through the confidential back channel. A vendor that can’t answer hasn’t done adequate diligence on their own authorization.
Engage your government affairs function to advocate for FedRAMP reform as AI deployment scales. The current model was built for traditional SaaS and is not equipped to evaluate the risk surface of autonomous AI systems.
Rock’s Musings
Here’s the story nobody put on a slide at RSAC. The federal government is deploying AI at record speed through a security authorization program that former insiders describe as a rubber stamp. The assessors evaluating these vendors get paid by those vendors. The uncomfortable findings go into a back channel that never reaches the official record. Those authorizations then get used by enterprise security teams as proxies for security validation.
I’ve said for years that governance certifications are often theater. FedRAMP was supposed to be one of the more rigorous ones. The ProPublica investigation suggests the volume and complexity of AI products broke the model. If you’re a CISO using FedRAMP status as a risk reduction input in AI procurement decisions, you’re relying on a control that may not be working as designed. That’s the kind of hidden assumption that converts an undetected vulnerability into a breach narrative. Read the ProPublica piece. Then recalibrate what “government certified” means for your program.
👉 For ongoing analysis of agentic AI governance frameworks, the conversation continues at RockCyber Musings.
👉 Visit RockCyber.com to learn more about how we can help with your traditional Cybersecurity and AI Security and Governance journey.
👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com
👉 Subscribe for more AI and cyber insights with the occasional rant.
The views and opinions expressed in RockCyber Musings are my own and do not represent the positions of my employer or any organization I’m affiliated with.
References
Axios. (2026, April 9). Scoop: OpenAI plans new product for cybersecurity use. https://www.axios.com/2026/04/09/openai-new-model-cyber-mythos-anthopic
BetaNews. (2026, April 7). New report highlights critical gaps in securing AI agents and non-human IDs. https://betanews.com/article/new-report-highlights-critical-gaps-in-securing-ai-agents-and-non-human-ids/
Bloomberg. (2026, April 6). OpenAI, Anthropic, Google unite to combat model copying in China. https://www.bloomberg.com/news/articles/2026-04-06/openai-anthropic-google-unite-to-combat-model-copying-in-china
Center for Internet Security. (2026). Prompt injection tags along as GenAI enters daily government use. Referenced via Help Net Security, April 9, 2026. https://www.helpnetsecurity.com/2026/04/09/genai-prompt-injection-enterprise-data-risk/
Dark Reading. (2026, April 3). RSAC 2026: How AI is reshaping cybersecurity faster than ever. https://www.darkreading.com/cybersecurity-operations/rsac-2026-how-ai-is-reshaping-cybersecurity-faster-than-ever
Fortune. (2026, April 2). Mercor, a $10 billion AI startup, confirms it was caught up in a major security incident. https://fortune.com/2026/04/02/mercor-ai-startup-security-incident-10-billion/
Fortune. (2026, April 7). Anthropic is giving some firms early access to Claude Mythos to bolster cybersecurity defenses. https://fortune.com/2026/04/07/anthropic-claude-mythos-model-project-glasswing-cybersecurity/
Hackread. (2026, April 7). AI agents and non-human identities creating critical security gaps, report. https://hackread.com/ai-agents-non-human-identities-security-gaps/
Help Net Security. (2026, April 9). Prompt injection tags along as GenAI enters daily government use. https://www.helpnetsecurity.com/2026/04/09/genai-prompt-injection-enterprise-data-risk/
Japan Times. (2026, April 7). OpenAI, Anthropic and Google cooperate to fend off Chinese bids to clone models. https://www.japantimes.co.jp/business/2026/04/07/tech/openai-anthropic-google-china-copy/
Keeper Security. (2026, April 7). Keeper Security research exposes critical gaps in securing AI agents, machines and non-human identities [Press release]. https://www.prnewswire.com/news-releases/keeper-security-research-exposes-critical-gaps-in-securing-ai-agents-machines-and-non-human-identities-302735305.html
Nextgov/FCW. (2026, April 9). OpenAI national security lead endorses ‘appropriate human judgment’ in AI. https://www.nextgov.com/artificial-intelligence/2026/04/openai-national-security-lead-endorses-appropriate-human-judgment-ai/412738/
PluralPolicy. (2026, April 6). AI governance watch: Nineteen new AI bills passed into law. https://pluralpolicy.com/blog/the-ai-governance-watch-april-2026-nineteen-new-ai-bills-passed-into-law/
ProPublica. (2026, April 6). As the federal government rushes toward AI, here are three cautionary tales. https://www.propublica.org/article/federal-government-ai-cautionary-tales
Salt Security. (2026, April 8). The era of agentic security is here: Key findings from the 1H 2026 State of AI and API Security Report. https://salt.security/blog/the-era-of-agentic-security-is-here-key-findings-from-the-1h-2026-state-of-ai-and-api-security-report
Security Boulevard. (2026, April 9). OpenAI readies rollout of new cyber model as industry shifts to defense. https://securityboulevard.com/2026/04/openai-readies-rollout-of-new-cyber-model-as-industry-shifts-to-defense/
SiliconAngle. (2026, April 3). Three insights on AI attack from theCUBE at RSAC 2026. https://siliconangle.com/2026/04/03/three-insights-ai-attack-thecube-rsac-2026-rsac26/
TechCrunch. (2026, April 7). Anthropic debuts preview of powerful new AI model Mythos in new cybersecurity initiative. https://techcrunch.com/2026/04/07/anthropic-mythos-ai-model-preview-security/
The Next Web. (2026, April 4). Meta freezes AI data work after breach puts training secrets at risk. https://thenextweb.com/news/meta-mercor-breach-ai-training-secrets-risk
The Register. (2026, April 2). Mercor says it was ‘one of thousands’ hit in LiteLLM attack. https://www.theregister.com/2026/04/02/mercor_supply_chain_attack/
Troutman Pepper Locke. (2026, April 6). Proposed state AI law update: April 6, 2026. https://www.troutmanprivacy.com/2026/04/proposed-state-ai-law-update-april-6-2026/