Weekly Musings Top 10 AI Security Wrapup: Issue 40 May 22-May 28, 2026
When the White House Blinks, the Threat Actors Don’t
Trump pulled the executive order. Anthropic shipped a model that finds vulnerabilities by the thousand. Threat actors poisoned developer AI assistants with invisible characters. The week of May 22 through 28, 2026, didn’t give CISOs a quiet moment. The federal government cannot decide if AI is a threat or a savior. Attackers keep outpacing the policies meant to slow them.
The week’s signal lived in the contrast. Anthropic’s Mythos model surfaced 10,000 critical vulnerabilities in a month. The White House could not get a single executive order across the line. CISA sat at the table without a vote. Attackers poisoned AI coding assistant config files with invisible Unicode. A malicious npm package exfiltrated files from Claude AI’s working directory. AI capability keeps accelerating. AI governance keeps collapsing. Security teams who treat the next 90 days as business as usual will be explaining decisions to regulators they cannot defend.
1. Agent Control Standard Launches Open Runtime Governance Framework for AI Agents
The Agent Control Standard launched on May 27, 2026 at the AI Agent Security Summit in San Francisco, releasing a vendor-agnostic, open framework for runtime governance of AI agents (BusinessWire, VMblog). Existing protocols govern how agents communicate with each other. None cover what they actually do once they start acting inside enterprise environments. ACS targets that gap with a common framework for runtime enforcement, intervention, and policy governance across agent ecosystems. The specification is released as open source under the MIT license, with no single company controlling the spec. Michael Bargury, co-founder and CTO of Zenity, is a co-creator. Full disclosure: I serve as director of AI standards and governance at Zenity and contribute to ACS.
Why it matters
The industry has a control-layer gap. MCP and other protocols cover communication, not what agents do once they act.
Runtime governance has been a per-vendor build problem, which blocks enterprise procurement and audit.
An open, vendor-neutral spec gives regulators and auditors a reference point that does not depend on a single platform’s roadmap.
What to do about it
Read the spec at agentcontrolstandard.ai and map it against your current agent runtime controls.
Ask your AI agent platform vendors which parts of ACS they will support and on what timeline.
Add ACS-style runtime controls including policy enforcement, intervention, and kill switches to your 2027 agent governance roadmap.
Rock’s Musings
Full disclosure up top. I am leading ACS, so putting this up top is my prerogative 😀. Read this knowing that. The reason we built it is the same reason I keep writing about agent governance every week. Everyone I talk to is putting agents into production with no runtime enforcement layer, no intervention model, and no audit trail that survives a regulator’s question. The vendor-by-vendor approach was never going to scale. We needed a common spec that any platform could implement and any auditor could point to. That is what ACS is. Go read it at https://agentcontrolstandard.ai, push your vendors to support it, and tell us where it falls short.
2. Axios Publishes the Killed AI Executive Order Text
Axios published the full text of the canceled AI executive order on May 22, 2026, the day after President Trump pulled the signing ceremony (Axios, NPR). The draft included a voluntary Treasury clearinghouse for AI security vulnerabilities and a pre-launch review process where major AI companies would share frontier models with the government for up to 90 days. CEOs from OpenAI, Anthropic, and other major labs had been invited.
Why it matters
The federal government walked away from the only proposed coordination mechanism for AI vulnerability sharing.
Any serious U.S. AI security baseline now has to come from industry, state regulators, or international peers.
AI vendors with CAISI evaluation agreements face uncertainty about whether voluntary testing remains the expectation.
What to do about it
Set your own baseline using the NIST AI RMF and the joint CISA-Five Eyes agentic AI guidance from May 1.
Map which AI vendors have signed CAISI evaluation agreements and treat that as third-party risk data.
Engage with state AI laws including California SB 942 and Texas HB 149 rather than waiting on Washington.
Rock’s Musings
The administration spent months convening industry CEOs and threading a needle on voluntary frontier model review. Then it walked away because the work sounded like regulation. Plan as if no federal framework is coming for the rest of this administration. State attorneys general will probe your AI governance posture soon enough. More at https://www.rockcybermusings.com.
3. Anthropic’s Project Glasswing Finds 10,000 Critical Vulnerabilities in One Month
Anthropic published an update to Project Glasswing on May 22, 2026, reporting that Claude Mythos Preview, working with roughly 50 partner organizations, identified more than 10,000 high or critical-severity vulnerabilities in about four weeks (Anthropic, CSO Online). Cloudflare alone surfaced about 2,000 bugs, 400 rated high or critical. Mozilla patched 271 vulnerabilities in Firefox 150, ten times the count from an earlier Claude Opus 4.6 run. Six independent firms validated 1,752 findings, with 90.6% confirmed as true positives.
Why it matters
The model is doing in days what well-staffed AppSec teams take quarters to complete.
Software vendors are now expected to keep pace with AI-found bugs at speeds no human team can match.
Vulnerability management economics change when triage volume jumps an order of magnitude in a month.
What to do about it
Pressure software vendors for AI-assisted vulnerability discovery details and patch SLA commitments.
Update patch and risk acceptance policies for a world where critical bugs surface at machine speed.
Pilot AI-assisted code review inside your own engineering organization before your competitors do.
Rock’s Musings
Project Glasswing is the first credible public demonstration of large-scale AI vulnerability discovery. Mozilla’s 271 Firefox patches in one release is a confession that we have all been underspending on AppSec for a decade. The harder question is what happens when threat actors get this capability. If your patch SLA is 30 days, you are living on borrowed time.
4. CISA Sidelined in White House AI Cyber Response
Axios reported on May 26, 2026 that CISA has been pushed to the margins of the administration’s AI cyber response, with one industry source describing the agency as “at the table, not in the game” (Axios, Newsmax). CISA leadership joins early White House calls led by the Office of the National Cyber Director, but has little influence. The agency has lost roughly one-third of its workforce since the start of 2025. The FY2027 budget proposal calls for another quarter of the staff to be cut and for $707 million in funding reductions.
Why it matters
The federal civilian operational cyber agency is being structurally weakened as AI reshapes the threat picture.
Private sector relationships built on CISA’s information sharing face uncertainty about continuity.
State and local governments that depend on CISA for technical support face longer response times.
What to do about it
Diversify your federal cyber relationships. Build direct ties to FBI cyber, Secret Service, and your sector ISAC.
Review incident response plans for assumptions about CISA support and revise where federal assistance is uncertain.
Engage with state cyber programs in your operating jurisdictions, since state authorities will inherit the burden.
Rock’s Musings
CISA was supposed to be the federal cyber civilian backstop. Watching it get hollowed out while the threat surface explodes is one of the most demoralizing things I have seen in this field. Build your federal incident response playbook around the assumption that CISA will be slow, understaffed, and unable to provide the level of technical assistance you got in 2024. The federal cavalry is not coming this year.
5. Check Point Report Finds 51-Point Gap Between AI Security Intent and Capability
Check Point released its 2026 Cloud Security Report on May 26, 2026, finding that 77% of organizations have updated their cloud security strategy for AI, while only 26% have the architecture to enforce those policies (Check Point, PR Newswire). The 51-point gap pairs with 78% of organizations reporting confirmed or suspected AI-related security incidents in the past year. Seventy percent now run generative AI in production. Only 5% have full visibility into AI usage. Only 14% actively enforce and audit AI security policies.
Why it matters
AI adoption has structurally outpaced security architecture at a board-level scale.
Shadow AI is no longer a future risk. It is the current operating reality.
Vendors building generative AI security controls now have a credible commercial story for board-level investment cases.
What to do about it
Run an AI usage discovery exercise this quarter. You cannot govern what you cannot see.
Tie generative AI policy enforcement to identity controls and DLP systems rather than standalone AI proxies.
Make AI visibility metrics a recurring agenda item for your risk committee with a 12-month target.
Rock’s Musings
Almost 80% of organizations have already had an AI security incident, and only 1 in 20 know what AI is running across their environment. We are in the consequences phase, and most security teams are still arguing about which AI proxy vendor to evaluate. The fix is not buying another tool. The fix is treating AI like data, applying the same identity, access, and monitoring discipline you apply to every critical workload. More at https://www.rockcyber.com.
6. TrapDoor Supply Chain Attack Poisons AI Coding Assistants
Researchers at Socket and partner firms disclosed TrapDoor, a coordinated supply chain campaign that pushed more than 34 malicious packages across npm, PyPI, and Crates.io (The Hacker News, Socket, Phoenix Security). The earliest package appeared on May 22, 2026. TrapDoor’s novel component injects hidden instructions into .cursorrules and CLAUDE.md files using zero-width Unicode characters. The payload looks invisible in a code editor. AI coding assistants process the hidden text as live prompts. The campaign also opened pull requests against open-source AI projects including LangChain, MetaGPT, LangFlow, and OpenHands.
Why it matters
The attack weaponizes the AI coding assistant itself as the execution layer, a new class of supply chain compromise.
Existing software composition analysis tooling does not detect zero-width Unicode payloads in editor configuration files.
Open-source AI orchestration projects are now an active target for adversary-supplied configuration via pull request.
What to do about it
Scan repositories for non-printable Unicode characters in AI assistant config files including .cursorrules and CLAUDE.md.
Treat AI assistant configuration files as security-sensitive artifacts subject to code review and CI controls.
Restrict outbound traffic from developer machines and CI/CD systems to known good destinations.
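One way to run the scan recommended above, as an added example that is not code from the original post or from Socket’s research: it walks a repository for assistant config files and flags zero-width, bidirectional-override, and Unicode tag characters, decoding any tag-encoded text so a reviewer can see what the assistant would read. The file-name set, the character ranges, and the constructed sample are assumptions for this example.

```python
"""Scan AI assistant config files (.cursorrules, CLAUDE.md) for invisible Unicode.

Added example, not from the original post. It flags code points that render as
nothing in most editors but are read as text by an AI coding assistant.
"""
import sys
import unicodedata
from pathlib import Path
from typing import Optional

# Assumed set of assistant configuration file names worth scanning.
CONFIG_FILENAMES = {".cursorrules", "CLAUDE.md", "AGENTS.md"}

# Individual code points that are invisible in most editors.
ZERO_WIDTH = {
    0x200B: "ZERO WIDTH SPACE",
    0x200C: "ZERO WIDTH NON-JOINER",
    0x200D: "ZERO WIDTH JOINER",
    0x2060: "WORD JOINER",
    0xFEFF: "ZERO WIDTH NO-BREAK SPACE (BOM)",  # a leading BOM is a common false positive
    0x00AD: "SOFT HYPHEN",
}


def classify(cp: int) -> Optional[str]:
    """Return a reason string if code point `cp` is suspicious, else None."""
    if cp in ZERO_WIDTH:
        return ZERO_WIDTH[cp]
    if 0x202A <= cp <= 0x202E or 0x2066 <= cp <= 0x2069:
        return "BIDI CONTROL"  # reorders displayed text (Trojan Source style)
    if 0xE0000 <= cp <= 0xE007F:
        return "UNICODE TAG"  # invisible mirror of the ASCII range
    if unicodedata.category(chr(cp)) == "Cf":
        return "OTHER FORMAT CHARACTER"
    return None


def scan_text(text: str) -> list:
    """One finding per suspicious code point, with 1-based line and column."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            reason = classify(ord(ch))
            if reason:
                findings.append({"line": lineno, "col": col,
                                 "codepoint": f"U+{ord(ch):04X}", "reason": reason})
    return findings


def decode_tags(text: str) -> str:
    """Recover the ASCII text that Unicode tag characters (U+E0020..U+E007E) encode."""
    return "".join(chr(ord(ch) - 0xE0000) for ch in text if 0xE0020 <= ord(ch) <= 0xE007E)


def scan_repo(root: Path) -> dict:
    """Map each config file under `root` that has findings to its list of findings."""
    results = {}
    for path in root.rglob("*"):
        if path.name in CONFIG_FILENAMES and path.is_file():
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample: visible rules followed by zero-width, bidi and tag characters.
SAMPLE = (
    "Always write tests.\u200b\u200d\n"
    "Use 4 spaces.\u202e\n"
    + "".join(chr(0xE0000 + ord(c)) for c in "ignore")  # tags spelling "ignore"
)

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for fname, hits in scan_repo(root).items():
        print(fname)
        for h in hits:
            print(f"  line {h['line']} col {h['col']}: {h['codepoint']} {h['reason']}")
```

Run it as a pre-commit or CI step on the repository root; a non-empty result on a pull request that touches .cursorrules or CLAUDE.md is a review blocker, not a warning.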
Rock’s Musings
The AI coding assistant is a trusted, privileged execution context with access to credentials, source code, and tokens. Compromise its configuration and you compromise everything the assistant can touch. Pin versions, review changes, restrict what assistants can read and write, and treat any pull request touching .cursorrules or CLAUDE.md as malicious until proven otherwise.
7. Malicious npm Package Targets Claude AI User Directory
Researchers disclosed on May 27, 2026 a malicious npm package called “mouse5212-super-formatter” designed to exfiltrate files from /mnt/user-data, the directory Claude AI uses for user uploads and outputs (The Hacker News, The Register). The campaign, named Malware-Slop, walks the directory and uploads every file through the GitHub Contents API. The attacker leaked their own GitHub private token, which let OX Security trace the stolen data. The package reached 676 downloads before npm removed it.
Why it matters
Threat actors are now writing supply chain malware that specifically targets AI assistant user data directories.
AI-generated malware is creating new operational security mistakes that defenders can sometimes exploit.
Claude users who installed the package have working sessions, uploads, and outputs exposed to the attacker.
What to do about it
Inventory which developers use Claude or similar AI tools with a user-data directory and audit recent package installs.
Add file integrity monitoring and outbound network controls on AI assistant working directories.
Require token scoping reviews for any developer credential an AI agent might use.
Rock’s Musings
The operator burned themselves with a leaked GitHub token. The next operator will not make that mistake. AI assistant working directories are now a named target. If your developers run Claude, Cursor, Copilot, or any equivalent, those tools have privileged access to source code and uploaded files. Treat the AI assistant runtime like a privileged build server.
8. Microsoft Warns of AI Chatbot Cryptojacking Campaign
Microsoft published a threat advisory on May 26, 2026 detailing an active cryptojacking campaign that uses AI chatbot interactions to deliver malicious download links (Microsoft, Help Net Security). Users searching for system utility software were directed to attacker-controlled lookalike sites through poisoned search results and AI chatbot responses. The downloaded archive contains a legitimate utility plus a malicious DLL; the DLL sideloads a fake Visual C++ Redistributable and installs ScreenConnect for persistent remote access.
Why it matters
AI chatbot recommendations now sit alongside search results as an attack surface for SEO poisoning-style campaigns.
Legitimate software brands plus credible AI responses bypass user skepticism that traditional malvertising would trigger.
Persistent ScreenConnect access means cryptomining is the visible threat, with data theft available on demand.
What to do about it
Block known cryptojacking command and control infrastructure and watch for unauthorized ScreenConnect installations.
Educate users on verifying download URLs even when they come from AI chatbot suggestions.
Prevent employees from installing system utilities outside an approved software catalog.
Rock’s Musings
People have been trained for two decades to distrust the top three Google search ads. They have not been trained to distrust an AI chatbot suggesting a download link inside a friendly conversation. The cryptojacking is the low-stakes test. The ScreenConnect persistence is the actual play. Outbound traffic to AI services needs the same scrutiny you give to any shadow IT category.
9. Anthropic Signals Plans for Public Mythos-Class Release
The Register reported on May 25, 2026, that Anthropic plans to release Mythos-class models to the public once stronger safeguards are in place, tied to the May 22 Project Glasswing announcement (The Register, Help Net Security). The Mythos preview was limited to a small group of trusted organizations due to its cybersecurity capabilities. Anthropic’s stated rationale is that defenders need access to the same tools attackers can build. Project Glasswing partners now exceed 50 organizations including Cloudflare and Mozilla.
Why it matters
A widely available frontier model with proven offensive cyber capability changes the threat model for every software vendor.
Vendors without AI-assisted vulnerability discovery in their SDLC will fall behind attackers using the same tooling for free.
EU and UK regulators are likely to revisit gatekeeping rules for high-capability cyber models if the defender-attacker gap closes.
What to do about it
Assume Mythos-class capability reaches motivated attackers within 18 months. Plan patch cadence around that timeline.
Engage your AppSec vendor on AI-assisted vulnerability discovery roadmaps tied to broader model availability.
Track Anthropic’s Responsible Scaling Policy updates as a leading indicator of public release timing.
Rock’s Musings
Anthropic has a model that finds vulnerabilities faster than human researchers, they want defenders to have access, and they cannot release it without arming any nation state with the same capability. Holding it inside a curated partner program is the right short-term move. Start building the operational muscle now to consume an order of magnitude more findings.
10. Help Net Security Adds Detail on Enterprise AI Governance Failure
Help Net Security published a follow-up on May 28, 2026 on the Check Point 2026 Cloud Security Report, noting that more than half of companies have experienced at least one AI-related security incident (Help Net Security). The most common categories were unauthorized or shadow AI use, AI-generated phishing and deepfake content, and sensitive data leaks tied to AI services. Some companies permit source code in generative AI tools. Many cannot trace sensitive data flow through AI processing environments.
Why it matters
AI policy and AI control are two different things in most organizations.
The categories of AI-related incidents match the threat model security teams have been describing for a year, meaning the predicted incidents are now happening.
Source code exposure through generative AI tools is a top-line legal and IP issue, not a future risk.
What to do about it
Set a quarterly AI incident review cadence in your risk committee, broken out by incident category.
Implement DLP controls on outbound traffic to consumer generative AI services and require enterprise tenant routing.
Require legal review of generative AI tool acceptable use policies focused on IP, training data rights, and breach notification.
Rock’s Musings
The added detail is the part you take to your board. AI-related incidents are happening now, the categories are predictable, and most organizations are not running controls that would catch them. Read your generative AI vendor contracts again. The second time around you should walk in with a list of demands.
The One Thing You Won’t Hear About But You Need To: Cisco Quietly Rewrites Its Vulnerability Disclosure for the AI Era
Cisco’s security blog published a post on May 22, 2026, with Help Net Security follow-up on May 25, announcing changes to vulnerability disclosure in the AI era (Cisco Blogs, Help Net Security). For internally found vulnerabilities assessed as lower likelihood and lower impact, Cisco said it “may change the level of detail shared,” with some bugs that would have warranted a standalone advisory no longer getting one. Cisco will post high-level data on its website pointing customers toward security-hardened releases.
Why it matters
A major networking vendor is moving toward suppressing standalone disclosure of lower-rated vulnerabilities.
Enterprise vulnerability management programs that rely on vendor advisories will see a coverage drop on Cisco issues.
The shift is likely to be followed by other vendors as AI-assisted discovery generates more findings than traditional disclosure can support.
What to do about it
Update vendor patching policy to prioritize installation of all security-hardened releases, not just releases addressing named advisories.
Track which other major vendors are making similar disclosure changes. Adjust your asset inventory to match.
Push vendor management to ask hard questions during renewals about disclosure practices and AI-discovered vulnerability handling.
Rock’s Musings
This is the story everyone slept on, and it will bite enterprise vulnerability management teams in the next two quarters. Cisco found a polite way to say that AI is generating too many internal findings to disclose every one in the old format. Patch by release, not by advisory. Cisco will not be the last vendor to do this. The vendors will not give you transparency unless you make them.
👉 For ongoing analysis of agentic AI governance frameworks, the conversation continues at RockCyber Musings.
👉 Visit RockCyber.com to learn more about how we can help with your traditional Cybersecurity and AI Security and Governance journey.
👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com
👉 As a bonus, check out my conversation with AI Cyber Magazine, where we talked about everything from Context Rot to Least Agency.
📣📣📣 The Weekly Musings will take a week off next week as I am taking a very much needed vacation 📣📣📣
The views and opinions expressed in RockCyber Musings are my own and do not represent the positions of my employer or any organization I’m affiliated with.
References
Agent Control Standard. (2026). Agent Control Standard specification and community resources. https://agentcontrolstandard.ai/
Anthropic. (2026, May 22). Project Glasswing: An initial update. https://www.anthropic.com/research/glasswing-initial-update
Axios. (2026, May 22). Read the AI executive order thwarted by Trump tech allies. https://www.axios.com/2026/05/22/ai-executive-order-cancelled-white-house
Axios. (2026, May 26). CISA takes backseat in White House AI cyber response. https://www.axios.com/2026/05/26/cisa-white-house-cybersecurity-ai
BusinessWire. (2026, May 27). Agent Control Standard launches open framework for runtime governance of AI agents. https://www.businesswire.com/news/home/20260527326259/en/Agent-Control-Standard-Launches-Open-Framework-for-Runtime-Governance-of-AI-Agents
Check Point Software. (2026, May 26). AI adoption creates critical cloud security gaps for enterprises, new Check Point report shows. https://www.checkpoint.com/press-releases/ai-adoption-creates-critical-cloud-security-gaps-for-enterprises-new-check-point-report-shows/
Cisco. (2026, May 22). Cisco’s risk-based vulnerability disclosure in the age of AI. Cisco Blogs. https://blogs.cisco.com/security/ciscos-risk-based-vulnerability-disclosure-in-the-age-of-ai
CNBC. (2026, May 21). Trump postpones AI executive order signing: ‘I didn’t like certain aspects’. https://www.cnbc.com/2026/05/21/trump-ai-executive-order-postponed.html
CSO Online. (2026, May 26). Project Glasswing has uncovered 10,000 vulnerabilities: Anthropic. https://www.csoonline.com/article/4176865/project-glasswing-has-uncovered-10000-vulnerabilities-anthropic.html
Help Net Security. (2026, May 25). Cisco refines its risk-based vulnerability disclosure for the AI era. https://www.helpnetsecurity.com/2026/05/25/cisco-risk-based-vulnerability-disclosure-ai/
Help Net Security. (2026, May 26). Anthropic: Claude Mythos identified 10,000+ software flaws. https://www.helpnetsecurity.com/2026/05/26/anthropic-project-glasswing-update/
Help Net Security. (2026, May 27). AI chatbot recommendations lure users to cryptojacking malware sites. https://www.helpnetsecurity.com/2026/05/27/ai-chatbot-cryptojacking-campaign/
Help Net Security. (2026, May 28). Companies built AI into core systems before figuring out how to govern it. https://www.helpnetsecurity.com/2026/05/28/check-point-genai-security-controls-report/
Microsoft Security Blog. (2026, May 26). From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities. https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/
Newsmax. (2026, May 26). CISA faces AI threat wave amid deep staffing cuts. https://www.newsmax.com/politics/cisa-sean-plankey-ai/2026/05/26/id/1257509/
NPR. (2026, May 22). Trump cancels AI executive order signing. https://www.npr.org/2026/05/22/nx-s1-5829908/trump-cancels-ai-executive-order-signing
Phoenix Security. (2026, May). TrapDoor supply chain attack: AI poisoning via npm, PyPI, Crates. https://phoenix.security/trapdoor-supply-chain-ai-poisoning-npm-pypi-crates/
PR Newswire. (2026, May 26). AI adoption creates critical cloud security gaps for enterprises, new Check Point report shows. https://www.prnewswire.com/news-releases/ai-adoption-creates-critical-cloud-security-gaps-for-enterprises-new-check-point-report-shows-302780612.html
Socket. (2026, May). TrapDoor crypto stealer supply chain attack hits 34 packages across npm, PyPI, Crates.io. https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates
The Hacker News. (2026, May). TrapDoor supply chain attack spreads credential-stealing malware via npm, PyPI, CratesIO. https://thehackernews.com/2026/05/trapdoor-supply-chain-attack-spreads.html
The Hacker News. (2026, May 27). Malicious npm package stole files from Claude AI user directory via GitHub. https://thehackernews.com/2026/05/malicious-npm-package-stole-files-from.html
The Hacker News. (2026, May 27). AI chatbot recommendations redirect users to cryptojacking malware sites. https://thehackernews.com/2026/05/ai-chatbot-recommendations-redirect.html
The Register. (2026, May 25). Anthropic to release Mythos-class models to the public. https://www.theregister.com/security/2026/05/25/anthropic-to-release-mythos-class-models-to-the-public/5245596
The Register. (2026, May 27). Malware dev tries to steal Claude users’ secrets, writes npm slop, leaks own GitHub private token. https://www.theregister.com/cyber-crime/2026/05/27/supply-chain-brain-drain-npm-attacker-foolishly-leaks-own-github-private-token/5247424
VMblog. (2026, May 27). Agent Control Standard launches open framework for runtime governance of AI agents. https://vmblog.com/news/agent-control-standard-launches-open-framework-for-runtime-governance-of-ai-agents/