Weekly Musings Top 10 AI Security Wrapup: Issue 37 May 1-May 7, 2026
The Week Governments Decided Agentic AI Needs Adult Supervision
This was the week the supervisors stopped asking permission. Five Eyes intelligence agencies, the Pentagon, the Commerce Department, and ServiceNow all converged on the same conclusion at nearly the same time. Agentic AI is shipping without brakes, the brakes need to be added now, and nobody has a clean answer for who pays. Brussels blinked. Washington floated an FDA-style gate for frontier models. Researchers kept finding holes in the plumbing under every AI agent your developers are racing to deploy.
The pattern was governance catching up to deployment. Three governments and a $200 billion software company echoed what the security crowd has been saying since GPT-4 shipped. You bought the speedboat and forgot the kill switch. Below are the ten stories that mattered between Friday, May 1, and Thursday, May 7, 2026, plus one you missed.
1. Five Eyes Drop Joint Agentic AI Guidance
CISA, the NSA, Australia’s ASD ACSC, the Canadian Centre for Cyber Security, the UK’s NCSC, and New Zealand’s NCSC released “Careful Adoption of Agentic Artificial Intelligence (AI) Services” (CISA, 2026). The document identifies five risk categories: privilege; design and configuration; behavior, including goal misalignment and deception; structural risks across interconnected components; and accountability risks rooted in opacity. The Register summarized the message bluntly. Agentic AI is too dangerous for rapid rollout (Brandon, 2026).
Why it matters
Five intelligence agencies aligning sets a baseline for procurement, audit, and insurance underwriting across the English-speaking world.
The guide pressures vendors selling fully autonomous agents by recommending incremental deployment and human oversight.
Critical infrastructure operators gain a defensible reference document when business units demand agent rollouts in days.
What to do about it
Map every deployed agent against the five risk categories and grade each honestly.
Require attestation against this guide in procurement language for agentic capabilities.
Brief your board this quarter on how the guidance changes your residual risk posture.
Rock’s Musings
Five Eyes guidance is rare enough to mean something. When agencies that attribute nation-state intrusions speak with one voice, treat it as a soft mandate. The privilege risks section reads like a list of incidents I have seen at clients in the last twelve months. Stop deploying autonomy on top of access models you built for humans.
2. EU Strikes Provisional Deal to Delay Core AI Act Obligations
On May 7, 2026, after roughly nine hours of negotiation, the Council of the EU and the European Parliament reached provisional agreement on the Digital Omnibus on AI (Lewis Silkin, 2026). High-risk obligations under Annex III now apply from December 2, 2027. Annex I obligations apply from August 2, 2028. The transparency grace period for AI-generated content shrinks from six months to three, with a deadline of December 2, 2026 (Modulos, 2026).
Why it matters
The narrative that the EU is the world’s strictest AI regulator took a real hit, with industry pressure winning a delay measured in years.
Companies that scrambled for Annex III readiness by August 2026 spent their budget on a deadline that no longer exists.
The shortened transparency window makes deepfake labeling the most urgent compliance work of the year for consumer-facing AI.
What to do about it
Reset your AI Act program plan against the new deadlines and brief your audit committee on the freed-up budget.
Accelerate transparency labeling on generative output exposed to EU users by Q3 2026.
Watch the Council and Parliament endorsement votes because the deal can still shift.
Rock’s Musings
I told three clients in 2025 that betting on the original Annex III timeline was a coin flip. The coin landed on delay. The AI Act isn’t dead, but Brussels learned the lesson California learned with CCPA. With Brussels stretching its timeline, the White House gains room to argue that federal preemption beats a state patchwork. Bet on more state attorneys general filling the gap with UDAP actions before December.
3. Pentagon Clears Eight Vendors for AI on Classified Networks
The Department of War announced agreements with AWS, Google, Microsoft, NVIDIA, OpenAI, SpaceX, and Reflection AI, with Oracle added shortly after, to deploy AI tools on Impact Level 6 and Impact Level 7 networks (Breaking Defense, 2026). Those impact levels cover secret-classified and the most highly classified Defense systems. Anthropic was conspicuously absent, despite Claude already running inside Palantir’s Maven Smart System on classified networks (TechCrunch, 2026).
Why it matters
Defense AI procurement consolidated around eight vendors, with Anthropic frozen out despite a working production deployment.
IL-7 deployments mean general-purpose models will reason over the most sensitive U.S. government data, with limited public visibility into evaluation rigor.
Defense contractors and integrators have a vendor shortlist that will shape program decisions for the next five years.
What to do about it
If you sell into DoD, align your AI roadmap with these eight vendors.
If you advise federal agencies, push for transparency on red-team results before production at IL-6 and IL-7.
Expect this vendor list in prime contractor solicitations within a quarter.
Rock’s Musings
Commercial AI is now inseparable from national security infrastructure. Eight vendors. Two impact levels. Decisions that will shape how the U.S. military thinks, plans, and fights for a decade. Where are the public test results? When the FDA approves a drug, you can read the trial data. When the Pentagon approves a model for IL-7, you cannot. That asymmetry will eventually break.
4. CAISI Locks Pre-Deployment Testing Deals With Google, Microsoft, and xAI
The Center for AI Standards and Innovation announced agreements on May 5, 2026 that allow the U.S. government to evaluate frontier AI models from Google, Microsoft, and xAI before public release (CNBC, 2026). The deals expand a program that already included OpenAI and Anthropic, with the older agreements renegotiated to align with America’s AI Action Plan (Al Jazeera, 2026). The arrangements remain voluntary.
Why it matters
Five frontier labs now run pre-deployment evaluations through one federal channel, creating a de facto standard for “tested” at the top of the AI supply chain.
Voluntary agreements give the government influence without legislation.
Smaller and open-source providers face an emerging market expectation they can’t match.
What to do about it
Add CAISI evaluation status to vendor risk questionnaires for frontier model dependencies.
Track CAISI’s published evaluation criteria, since they will shape your internal evaluation programs.
Treat models without CAISI evaluation as higher inherent risk in supply chain assessments.
Rock’s Musings
Voluntary regulation by reputational pressure is the Trump administration’s preferred AI playbook. The upside is speed. The downside is that voluntary agreements dissolve when a CEO decides the political winds have shifted. If CAISI becomes the gravitational center for AI evaluation, insurers and enterprise buyers will start citing it in contracts. That is how soft governance becomes hard governance.
5. ServiceNow Adds AI Agent Kill Switches as the 9-Second Story Goes Mainstream
ServiceNow announced on May 5, 2026 at Knowledge 2026 that it has expanded AI Control Tower with real-time pause, redirect, and stop capabilities for any AI agent across the enterprise estate (ServiceNow, 2026). The expansion adds 30 new connectors spanning AWS, Google Cloud, Microsoft Azure, SAP, Oracle, and Workday. CEO Bill McDermott told Fortune the marketing message in plain English, citing a real incident where an AI agent gained elevated permissions and deleted a production database with all backups in nine seconds (Fortune, 2026).
Why it matters
Selling kill switches as a primary feature validates the security community’s argument that agentic AI requires runtime governance.
The 30-connector expansion makes ServiceNow the de facto governance layer above other clouds and SaaS apps.
The 9-second story shifts the default purchasing posture toward “show me the brakes.”
What to do about it
Inventory every AI agent with write access to production systems and document its maximum blast radius in seconds.
Require a documented kill switch capability as a procurement gate for any agentic AI vendor.
Run a tabletop exercise this quarter where an autonomous agent acts destructively at machine speed.
Rock’s Musings
I have been waiting for a vendor to put “kill switch” on the price list. ServiceNow finally did it. The 9-second story is not hypothetical. Every CISO I know has heard a similar war story from a peer in the last year. A kill switch is only as good as its blast-radius coverage and detection latency. If your agent can do irreversible damage in seconds and your governance layer needs minutes, the kill switch is theater. Test the latency before signing.
6. White House Floats FDA-Style Gate for Frontier AI
National Economic Council Director Kevin Hassett told Bloomberg on May 6, 2026 that the White House is studying an executive order to create a vetting system for new AI models like Anthropic’s Mythos, comparing the approach to FDA drug evaluation (Bloomberg, 2026). The directive comes weeks after Anthropic disclosed that Mythos is unusually capable at finding network vulnerabilities, prompting the company to limit access through Project Glasswing (Insurance Journal, 2026).
Why it matters
An FDA-style gate would mark the first concrete pre-market regulatory framework for frontier AI in the U.S., even by executive order.
The Mythos disclosure shifts the political center of gravity, with a frontier lab effectively asking for more regulation.
Framing AI as public safety reshapes which agencies and committees own the issue.
What to do about it
Track which federal agency the order designates as the gating body, since that agency’s authorities will determine how real the regime becomes.
Prepare your own internal “model approval” process now, modeled on how you approve cryptographic libraries.
Engage with industry comment processes early, before draft text leaks and positions harden.
Rock’s Musings
The FDA analogy is compelling and imperfect. Drugs have measurable endpoints. AI capability evaluations are partly subjective and dependent on who designed the test. The reason I take this seriously is the political logic. An administration that has emphasized deregulation is signaling it might gate frontier AI at the federal level. If the national security argument has won inside the West Wing, the rest of the Western world will follow within twelve months.
7. One in Four MCP Servers Carries Code Execution Risk
Help Net Security reported on May 5, 2026, that one in four Model Context Protocol servers exposes AI agents to code execution risk through skill-handling and configuration blind spots (Help Net Security, 2026b). The research builds on an OX Security disclosure from April 2026 that covered an architectural choice in Anthropic’s official MCP SDKs for Python, TypeScript, Java, and Rust, in which STDIO transport executes OS commands without sanitization (VentureBeat, 2026). Vulnerable MCP integrations affect Cursor, VS Code, Windsurf, Claude Code, and Gemini-CLI.
Why it matters
MCP is the connective tissue between AI agents and enterprise systems, with 150 million downloads and 7,000-plus public servers.
A 25% vulnerability rate across the supply chain means most enterprises running MCP-based agents are running known-vulnerable infrastructure now.
Anthropic’s stance that the behavior is “expected” leaves customers holding the remediation burden alone.
What to do about it
Inventory MCP servers, including developer workstations, and segment them from sensitive data and production credentials.
Force allowlisting on MCP tool calls, with explicit human approval for anything outside the allowlist.
Add MCP server compromise to your incident response runbooks.
Rock’s Musings
MCP is the USB-C of AI agents, and it is shipping with the equivalent of a hot socket. The architectural pattern is fine. The default behavior is dangerous. Treat MCP like browser extensions in a regulated environment. Default deny. Document exceptions. Audit quarterly.
8. Lenovo Survey Confirms One in Three Employees Use AI Without IT Oversight
Lenovo’s Work Reborn Research Series 2026, surveying 6,000 enterprise workers globally, was reported on May 1, 2026. Between one-fifth and one-third of employees use AI outside IT governance (Help Net Security, 2026a). Almost half of large enterprises in Protiviti’s AI Pulse Survey 2026 lack full visibility into which AI tools employees use. ISACA’s 2026 AI Pulse Poll found 38% of organizations report a formal AI policy, up from 28% the prior year.
Why it matters
Shadow AI is the dominant AI risk category for most enterprises.
The gap between employee AI adoption and IT governance is widening faster than policy alone can close it.
Generative AI accounts for roughly a third of unauthorized data movement in measured environments.
What to do about it
Deploy DLP controls that recognize generative AI as a defined egress channel, not an undifferentiated browser session.
Offer a sanctioned AI tool path that is genuinely useful, because banning AI without alternatives has not worked anywhere.
Track AI policy adoption as a KPI alongside traditional security awareness metrics.
Rock’s Musings
I have watched this story play out several times. Personal email in the 2000s. SaaS in the 2010s. Now AI. Ban the tool. Watch usage go underground. Find the breach. Reverse the ban two years too late. Short-circuit the cycle now. Your highest performers are the ones doing shadow AI work because the sanctioned tools are slower or dumber.
9. Researchers Scan One Million Exposed AI Services, Find Default Authentication Off
The Hacker News reported a large-scale scan of one million publicly exposed AI services. AI infrastructure is more vulnerable, exposed, and misconfigured than any other software category investigators have recently studied (The Hacker News, 2026). Many hosts run without authentication because it is not the default in many AI projects. Over 90 exposed instances were identified across government, marketing, and finance, with chatbots, prompts, workflows, and outward access all open to the public internet.
Why it matters
Default-open AI infrastructure puts attackers ahead of defenders on basic asset discovery.
Government, marketing, and finance exposure shows the problem is not confined to the unregulated long tail of startups.
LLM conversation history exposure leaks strategy, contracts, and personal data in ways traditional data leakage models miss.
What to do about it
Treat AI infrastructure like internet-facing crown jewels and harden it accordingly.
Run attack surface management scans tuned for AI service fingerprints, including n8n, Flowise, Langflow, and LiteLLM.
Make default-deny authentication non-negotiable for any AI workflow touching enterprise data.
Rock’s Musings
This is the cybersecurity equivalent of finding every front door wide open. The mistake is older than AI. Project maintainers and platform vendors should answer for shipping with authentication disabled by default. Default secure beats secure-by-checklist every time. Until AI projects ship safely, assume the defaults are wrong and configure your way out of them.
10. Trellix Discloses Source Code Repository Breach
Cybersecurity company Trellix disclosed on May 4, 2026 that it suffered unauthorized access to a portion of its source code repository (BleepingComputer, 2026). Trellix protects more than 50,000 customers and over 200 million endpoints. The company says it has found no evidence the source code release process was affected or that the code has been exploited (SecurityWeek, 2026). Trellix has not named the actor or disclosed dwell time.
Why it matters
A defensive software vendor losing source code ripples through every customer.
The breach feeds AI-augmented vulnerability discovery against Trellix products, given how attackers now use LLMs to mine source for exploits.
Federal customers will require new attestations on code provenance and pipeline integrity within weeks.
What to do about it
Trellix customers should demand a full incident report covering IOCs, scope of stolen code, and pipeline changes.
Audit detection coverage for TTPs that exploit knowledge of the affected products.
Treat defensive software vendors as potential single points of failure in your supply chain risk register.
Rock’s Musings
Defensive vendors getting popped is a now-quarterly story. The interesting wrinkle is what an attacker does with stolen source code in the AI era. Two years ago, source theft was slow-burn. Today, an attacker can feed thousands of files into an LLM and ask for likely vulnerability classes in hours. Trellix saying the code has not been exploited is a snapshot, not a guarantee.
The One Thing You Won’t Hear About But You Need To: ARGUS and the Quiet Admission That Today’s Agent Defenses Don’t Hold
Researchers published the ARGUS paper to arXiv on May 5, 2026. It introduces a benchmark, AgentLure, that captures context-aware prompt-injection attacks across four agentic domains and eight attack vectors, along with a defense mechanism that enforces provenance-aware decision auditing for LLM agents (ARGUS, 2026). ARGUS reduces attack success rate to 3.8% while preserving 87.5% task utility. Without provenance-aware controls, undefended agents fail at much higher rates.
Why it matters
Provenance tracking inside agent reasoning is a real shift from perimeter-style defenses most vendors sell today.
Context-aware prompt injection is the dominant unaddressed risk in production agentic deployments.
Benchmarks like AgentLure will become reference points enterprise red teams use, much as MITRE ATT&CK reshaped traditional red teaming.
What to do about it
Read the ARGUS paper and use its threat model to evaluate your current agent deployments.
Push vendors to publish performance against context-aware benchmarks, not only static jailbreak datasets.
Build provenance tracking into your internal agent platforms, even if commercial vendors do not yet support it.
Rock’s Musings
The reason this matters is what it implies about everything else. If 3.8% is the new state of the art with strong defenses in place, the rate without those defenses is much higher. That is the gap most production agents sit in today. Vendor marketing on agent safety has been measured against weak benchmarks for two years. Get ahead of the curve, or be the case study in someone else’s incident report.
For more on agentic AI risk and CISO governance, see the library at RockCyber and analysis at RockCyber Musings.
👉 For ongoing analysis of agentic AI governance frameworks, the conversation continues at RockCyber Musings.
👉 Visit RockCyber.com to learn more about how we can help with your traditional Cybersecurity and AI Security and Governance journey.
👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com
👉 As a bonus, check out my conversation with CISO Tradecraft® where we talked about the OWASP GenAI Security Project Agentic Top 10
👉 Subscribe for more AI and cyber insights with the occasional rant.
The views and opinions expressed in RockCyber Musings are my own and do not represent the positions of my employer or any organization I’m affiliated with.
References
ARGUS. (2026, May 5). ARGUS: Defending LLM agents against context-aware prompt injection. arXiv. https://arxiv.org/abs/2605.03378
BleepingComputer. (2026, May 4). Trellix discloses data breach after source code repository hack. https://www.bleepingcomputer.com/news/security/trellix-discloses-data-breach-after-source-code-repository-hack/
Bloomberg. (2026, May 6). AI security order under review as White House responds to Anthropic’s Mythos. https://www.bloomberg.com/news/articles/2026-05-06/white-house-preps-order-to-boost-ai-security-hassett-says
Brandon, R. (2026, May 4). Five Eyes warn agentic AI is too dangerous for rapid rollout. The Register. https://www.theregister.com/2026/05/04/five_eyes_agentic_ai_recommendations/
Breaking Defense. (2026, May 1). Pentagon clears 8 tech firms to deploy their AI on its classified networks. https://breakingdefense.com/2026/05/pentagon-clears-7-tech-firms-to-deploy-their-ai-on-its-classified-networks/
CISA. (2026, May 1). Careful adoption of agentic AI services. Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/resources-tools/resources/careful-adoption-agentic-ai-services
CNBC. (2026, May 5). Trump admin moves further into AI oversight, will test Google, Microsoft and xAI models. https://www.cnbc.com/2026/05/05/ai-oversight-trump-google-microsoft-xai.html
Al Jazeera. (2026, May 5). Microsoft, Google, xAI give US access to AI models for security testing. https://www.aljazeera.com/economy/2026/5/5/microsoft-google-xai-give-us-access-to-ai-models-for-security-testing
Fortune. (2026, May 6). Your company’s AI could delete everything in 9 seconds. ServiceNow wants to be the kill switch. https://fortune.com/2026/05/06/servicenow-kill-switch-ai-agents-bill-mcdermott/
Help Net Security. (2026a, May 1). Shadow AI risks deepen as 31% of users get no employer training. https://www.helpnetsecurity.com/2026/05/01/shadow-ai-risks-it-oversight/
Help Net Security. (2026b, May 5). One in four MCP servers opens AI agent security to code execution risk. https://www.helpnetsecurity.com/2026/05/05/ai-agent-security-skills-blind-spots/
Insurance Journal. (2026, May 7). White House prepares order to boost AI security, says economic advisor. https://www.insurancejournal.com/news/national/2026/05/07/868812.htm
Lewis Silkin. (2026, May 7). The Council and Parliament agree to slim down and delay parts of the EU AI Act. https://www.lewissilkin.com/insights/2026/05/07/the-council-and-parliament-agree-to-slim-down-and-delay-parts-of-the-eu-ai-act-102ms0v
Modulos. (2026, May 7). EU AI Act delayed: The Omnibus deal closed on 7 May 2026. https://www.modulos.ai/blog/eu-ai-act-omnibus-deal/
SecurityWeek. (2026, May 4). Trellix source code repository breached. https://www.securityweek.com/trellix-source-code-repository-breached/
ServiceNow. (2026, May 5). ServiceNow expands AI Control Tower across systems. https://newsroom.servicenow.com/press-releases/details/2026/ServiceNow-expands-AI-Control-Tower-to-discover-observe-govern-secure-and-measure-AI-deployed-across-any-system-in-the-enterprise/default.aspx
TechCrunch. (2026, May 1). Pentagon inks deals with Nvidia, Microsoft, and AWS to deploy AI on classified networks. https://techcrunch.com/2026/05/01/pentagon-inks-deals-with-nvidia-microsoft-and-aws-to-deploy-ai-on-classified-networks/
The Hacker News. (2026, May). We scanned 1 million exposed AI services. Here’s how bad the security is. https://thehackernews.com/2026/05/we-scanned-1-million-exposed-ai.html
VentureBeat. (2026, April). 200,000 MCP servers expose a command execution flaw that Anthropic calls a feature. https://venturebeat.com/security/mcp-stdio-flaw-200000-ai-agent-servers-exposed-ox-security-audit