Weekly Musings Top 10 AI Security Wrapup: Issue 5, August 1 - August 8, 2025
The Black Hat 2025 Edition
This week, Las Vegas was the center of gravity for anyone serious about AI security. We saw research that proves zero-click agent compromises are real and practical. Tools emerged that test systems at the exact points real users—and attackers—interact with them. Vendors pushed AI into their core exposure and governance platforms. OWASP delivered resources that can act as both a blueprint and a pressure test for your current program.
Every announcement told the same story differently: agents are gaining autonomy faster than most organizations are gaining control. Security programs that treat AI as an experiment will discover it is already a production risk. Here are the top 10 from the week, followed by one significant development you probably have not heard about but should.
1) Zenity Labs’ “AgentFlayer” Demonstrates Zero-Click Enterprise AI Hijacks
Summary
Zenity Labs presented “AgentFlayer,” a series of exploit chains that can compromise enterprise AI assistants without user action. The attacks span multiple vendors, enabling persistence in agent memory, data exfiltration, and malicious tool execution. The release also introduced the GenAI Attack Matrix to guide detection and mitigation.
Why It Matters
Proves zero-click attacks are practical against major AI assistants
Moves the defensive focus from prompt filtering to runtime control
Shows how persistence and tool chaining work in real workflows
What To Do About It
Identify agent memory locations, tool scopes, and reachable systems
Enforce runtime tracing and strict allowlists for actions
Include memory and tool-chain exploits in adversarial testing
Rock’s Musings
Zero-click compromise is the moment where AI risk stops being a theoretical debate and becomes a measurable operational problem. An attacker does not need the user to do anything, which means your traditional “train the workforce” control is irrelevant here. If you do not know exactly what your agents can access, how they store and retrieve memory, and what calls they can make, you have already ceded too much control. That gap is not a technology problem; it is a governance failure. I talk to too many leaders who still assume agent compromise will be obvious when it happens. It will not.
The correct posture is not “let’s hope our filters hold,” but “let’s ensure our agents cannot act outside an approved scope and that we can see every action they take in real time.” This requires investment in runtime visibility and the ability to block or quarantine actions instantly. AgentFlayer is a proof point that this attack class is here and spreading. You can either learn that now and prepare, or learn it when an attacker uses your AI to steal from you.
2) Enkrypt AI Launches R.A.Y.D.E.R. for Browser-Level Red-Teaming
Summary
Enkrypt AI released R.A.Y.D.E.R., a Chrome extension that red-teams chatbots through their real web interfaces. It bypasses API-side restrictions, delivers contextual adversarial prompts, and generates compliance-ready reports.
Why It Matters
Tests the same interface users and attackers use
Low setup cost makes regular testing feasible
Produces structured reports for audit and governance
What To Do About It
Include UI-level tests in security review schedules
Probe guardrails with contextual adversarial prompts
Feed results into compliance and remediation workflows
Rock’s Musings
Most organizations test AI security where it is easiest: through APIs. That is not where the real exposure is. Customers interact through web UIs, and so do attackers. R.A.Y.D.E.R. puts the test harness directly where those interactions happen, which is where the guardrails often break down first. When the UI is an afterthought in testing, you end up with a false sense of security. You may think your system is hardened when it has never been probed where it actually lives.
What I like about this tool is that it removes the operational friction that security teams use as an excuse for not testing more often. You do not need engineering cycles to run it, which means you can make it part of a weekly rhythm. If you are running production-facing bots and you are not doing this level of testing, you are not measuring the right risks. Treat it as a standing requirement, not an optional exercise.
3) Tenable Expands Exposure Management to AI Assistants
Summary
Tenable added AI Exposure to Tenable One, bringing AI assistants into enterprise exposure scoring. It detects shadow AI, finds misconfigurations, and integrates governance into its risk view.
Why It Matters
Integrates AI usage into existing exposure management
Flags unauthorized AI before it becomes an unmanaged risk
Combines governance with technical detection in one platform
What To Do About It
Test the preview for coverage and fit
Map AI usage and connect detection to policy enforcement
Treat AI exposures as first-class vulnerabilities
Rock’s Musings
AI is already embedded in workflows across most enterprises, often without formal approval. Shadow AI is not a side project; it is a real risk that lives outside your governance model. Tenable’s move matters because it brings that risk into the same prioritization process as everything else in your environment. Once AI shows up in your exposure dashboard, it becomes visible. That visibility drives accountability.
This will also expose a cultural challenge. Many teams still view AI usage as “experimentation” and not something to manage alongside other vulnerabilities. That mindset will not survive contact with incidents. If you treat AI exposures with the same urgency as infrastructure flaws, you can manage them. If you do not, they will quietly accumulate until they force your attention in the worst possible way.
4) OWASP Publishes “State of Agentic AI Security and Governance v1.0”
Summary
OWASP’s Agentic Security Initiative released a comprehensive report on agentic AI threats, controls, and governance models. It maps risks to ISO/IEC 42001, NIST AI RMF, and the EU AI Act, covering development, testing, and runtime phases.
Why It Matters
Provides a shared baseline for technical and governance teams
Links controls to established regulatory frameworks
Calls out the lack of real-time governance in most current programs
What To Do About It
Embed the threat taxonomy in design reviews and red-team planning
Map controls to compliance frameworks and track evidence
Instrument runtime monitoring for inputs, outputs, and agent actions
Rock’s Musings
I’m proud to be a co-lead on this report. It is a shortcut for any leader who needs to get their AI security and governance on the same page. Too often, technical teams talk about threats while executives talk about compliance, and they end up in parallel conversations. OWASP’s work bridges that gap, giving both sides a common language and a direct mapping between risks and obligations. That alone is worth adopting.
The threat list is the part I would operationalize immediately. It is detailed enough to guide architecture decisions and focused enough to drive incident response planning. You do not need to reinvent the wheel to define AI risk in your environment. This report hands you a wheel that is already in motion. The only decision left is whether you will use it to steer.
5) OWASP Releases Q3 2025 Agentic AI Security Solutions Cheat Sheet
Summary
The cheat sheet maps agent security tasks across the lifecycle to relevant tools and shows which vendors support the OWASP threat taxonomy. It also defines responsibilities for DevOps and SecOps at each phase.
Why It Matters
Assigns concrete duties to the right teams
Encourages vendor adoption of a shared taxonomy
Emphasizes runtime and zero-trust controls
What To Do About It
Require taxonomy mapping in vendor evaluations
Apply least-privilege policies for agent identities
Implement runtime guardrails and authorization between agents
Rock’s Musings
One of the fastest ways AI security fails in practice is when no one knows who owns which control. This cheat sheet eliminates that ambiguity. It makes each phase of the lifecycle explicit about who is responsible and what tools can support them. That clarity forces accountability.
It also gives you a lever with vendors. You can ask them to show precisely how their features map to recognized threat categories rather than accepting broad claims. If your DevOps and SecOps leads cannot point to their responsibilities on this sheet, you have a gap. And gaps in AI security are not benign; they are entry points.
6) “Invitation Is All You Need” Shows Prompt Injection via Calendar Invites
Summary
Researchers showed how malicious calendar events and document titles can be used to inject prompts into Google’s Gemini, triggering unauthorized actions without user interaction.
Why It Matters
Expands the scope of prompt injection beyond chat
Uses ordinary business data as an attack vector
Exploits the trust model of integrated AI systems
What To Do About It
Gate high-risk actions with confirmation requirements
Sanitize untrusted metadata before ingestion
Monitor for unusual activity sequences
Rock’s Musings
This is a perfect example of why you cannot trust any external input, no matter how mundane it looks. A calendar invite does not look like an exploit, but once ingested by an AI system with connected tools, it can become one. That makes it a delivery mechanism that is both effective and invisible to most defenses. The fact that this works without direct user engagement makes it more dangerous.
If your AI integrations consume metadata from external systems, you need to treat that data as hostile by default. That means sanitizing inputs and applying controls before any tool or system action is triggered. Waiting for human review is not a viable safeguard in these flows. The time between ingestion and action is too short, and the surface is too broad.
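As an added example (not code from Zenity Labs, the Gemini researchers, or any vendor in this issue), here is the runtime control that items 1 and 6 both call for: a gate that decides each agent tool call from the agent's allowlisted scope and the provenance of the instruction rather than from prompt filtering, blocks high-risk actions that ingested content tries to trigger, requires human confirmation for high-risk actions the user requested, and records every verdict as a trace. The agent name, tool names and session are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy for one hypothetical agent; the agent and tool names are assumptions.
ALLOWLIST = {"calendar-assistant": {"calendar.read", "calendar.create", "mail.send"}}
# Tools whose effects change state or leave the tenant: the "high-risk actions" to gate.
HIGH_RISK = {"mail.send", "calendar.create", "file.share"}


@dataclass
class ToolCall:
    agent: str
    tool: str
    args: dict
    source: str              # "user" = typed instruction, "ingested" = invite/document metadata
    confirmed: bool = False  # True only after a human approved this exact call


@dataclass
class RuntimeGate:
    trace: list = field(default_factory=list)  # every decision is recorded, not just denials

    def decide(self, call: ToolCall) -> str:
        """Return 'allow', 'needs_confirmation' or 'block' for one proposed tool call."""
        if call.tool not in ALLOWLIST.get(call.agent, set()):
            verdict = "block"               # outside the agent's approved scope, whoever asked
        elif call.tool in HIGH_RISK and call.source == "ingested":
            verdict = "block"               # ingested text never drives a risky tool directly
        elif call.tool in HIGH_RISK and not call.confirmed:
            verdict = "needs_confirmation"  # user-requested, but a human must approve this call
        else:
            verdict = "allow"
        self.trace.append({"agent": call.agent, "tool": call.tool,
                           "source": call.source, "verdict": verdict})
        return verdict

    def injected_action_attempts(self) -> int:
        """Risky actions that ingested content tried to trigger; a spike is a detection signal."""
        return sum(1 for r in self.trace
                   if r["source"] == "ingested" and r["verdict"] == "block")


def replay_constructed_session() -> list:
    gate = RuntimeGate()
    calls = [  # constructed session: one user request, then an invite carrying injected text
        ToolCall("calendar-assistant", "calendar.read", {"range": "today"}, "user"),
        ToolCall("calendar-assistant", "mail.send", {"to": "ext@example.com"}, "ingested"),
        ToolCall("calendar-assistant", "file.share", {"path": "/q3-plan"}, "ingested"),
        ToolCall("calendar-assistant", "calendar.create", {"title": "Sync"}, "user"),
        ToolCall("calendar-assistant", "calendar.create", {"title": "Sync"}, "user", confirmed=True),
    ]
    verdicts = [gate.decide(c) for c in calls]
    return verdicts + [gate.injected_action_attempts()]
```

The trace is what gives you the runtime visibility item 1 asks for; feeding `injected_action_attempts()` into monitoring turns the "unusual activity sequences" bullet into a concrete signal.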
7) Semperis Introduces SAMLSmith and EntraGoat at Black Hat Arsenal
Summary
Semperis unveiled SAMLSmith for SAML response forgery testing and EntraGoat, a vulnerable Microsoft Entra ID environment for hands-on security practice.
Why It Matters
Brings identity attack simulation into a safe environment
Highlights persistent SAML-related risks
Supports skill development in defending identity systems
What To Do About It
Incorporate SAML forgery into tabletop and red-team drills
Use lab environments to validate detection and response capabilities
Map results to policy and configuration changes
Rock’s Musings
AI security is built on top of identity security. If the identity layer is compromised, your AI defenses are irrelevant. Tools like SAMLSmith and EntraGoat let teams practice on realistic scenarios without risking production systems. That hands-on repetition builds the muscle memory you need before an incident, not during one.
Many organizations have never actually run a full SAML forgery detection drill. They assume their controls will work when needed. That is a risky bet. Practicing in an environment designed to break will show you where your real weaknesses are, and that is the starting point for meaningful improvement.
8) SPLX Adds AI Runtime Protection to its Security Platform
Summary
SPLX introduced a runtime protection layer aimed at stopping malicious tool calls, poisoned memory, and policy violations as they happen.
Why It Matters
Enforces guardrails during live operation
Claims coverage from build to runtime
Addresses threats that bypass pre-deployment checks
What To Do About It
Demand runtime enforcement in AI platforms
Test controls with adversarial scenarios
Map runtime features to governance frameworks
Rock’s Musings
Visibility without enforcement is not security; it is observation. If your platform cannot stop a dangerous action while it is happening, it is not protecting you. Runtime control is the only effective way to govern an agent that is making decisions and taking actions in production. Without it, you are left to clean up after the fact.
The key is to verify that these protections work on your actual workloads. Many vendors can demonstrate them in a controlled demo. Fewer can handle the unpredictability of your environment. That is where the real value lies.
9) Concentric AI Focuses on Data Security for GenAI
Summary
Concentric AI showcased tools for discovering sensitive data in AI workflows and detecting shadow AI usage.
Why It Matters
Data security is foundational for AI governance
Shadow AI is a source of unmanaged risk
Blocking unapproved model use protects sensitive assets
What To Do About It
Inventory where sensitive data enters AI systems
Block unapproved AI endpoints
Apply DLP controls to AI pipelines
Rock’s Musings
AI security starts with knowing where your data is and who or what can access it. Without that, all other controls are cosmetic. Shadow AI is often the first place data governance fails, because it bypasses official channels entirely. If you are not actively looking for it, you will not find it until it causes damage.
The right move is to bring data discovery and AI usage monitoring together. You cannot protect what you cannot see, and in AI, that blind spot expands quickly. Make shadow AI detection a recurring task, not a one-time project.
10) Black Hat AI Summit Expands to Full-Day Program
Summary
The AI Summit at Black Hat ran as a full-day track on August 5th, alongside CISO and industry programs. Recordings will be available later this month.
Why It Matters
Establishes AI security as a primary conference track
Combines technical and strategic discussions
Extends learning through recorded sessions
What To Do About It
Use recordings for structured team training
Require takeaways and action items from each talk
Track trends and update policies accordingly
Rock’s Musings
The AI Summit running as a full-day program signals that AI security is no longer an experimental or side topic. It is treated as a primary discipline. That change should be mirrored inside organizations. If AI is in your products or workflows, its security should have a seat at the main table.
The recordings remove the barrier of attendance, which means there is no reason your team cannot learn from them. Assign talks, capture key takeaways, and turn them into concrete improvements. Passive consumption will not move the needle. Structured follow-up will.
The One Thing You Won’t Hear About But You Need To
Summary
Prophet Security revealed an AI SOC platform featuring an autonomous “Agentic AI SOC Analyst.” It can ingest alerts, triage threats, investigate incidents, and even initiate responses—with minimal human intervention. The announcement appeared in coverage of the AI Summit but did not receive the attention its implications warrant (blackhat.com).
Why It Matters
Marks a shift from augmenting analysts with AI to granting autonomy in decision-making.
Can reduce SOC workload while tackling fatigue and rising alert volumes.
Raises questions about trust, accountability, and governance for agentic decision-making.
What To Do About It
Test agentic containment: can you detect and override autonomous actions before they execute?
Define clear boundaries for autonomous decisions—what actions can the agent initiate on its own?
Treat agentic analysts like human ones—with audit records, escalation paths, and fail-safes.
Rock’s Musings
We have been talking about AI augmenting human analysts for years. This feels different because it grants autonomy, not assistance. An “Agentic SOC Analyst” sounds cutting edge, but without explicit oversight, it could make defensible decisions or dangerous ones. You need to treat this capability as you would a junior analyst running on autopilot: with clear guardrails, logs, and escape hatches.
If this becomes mainstream, SOC workflow and accountability change. Your program must predefine what this agent can do and who reviews its decisions. The question is not whether its alerts save time. It is whether you can catch its mistakes fast. That is where governance and control still come first.
👉 What do you think? Ping me with the story that keeps you up at night—or the one you think I overrated.
👉 The Wrap-Up drops every Friday. Stay safe, stay skeptical.
👉 For deeper dives, visit RockCyber.