Claude Mythos exposed a hard truth: Your enterprise patching process is way too slow
Our take

The recent revelations about Claude Mythos and its ability to autonomously discover zero-day vulnerabilities present a stark reality for enterprise security teams. The findings from the University of Illinois showed that while earlier AI models could exploit known vulnerabilities with high rates of success, the threat was still relatively contained. The emergence of Claude Mythos has fundamentally changed the landscape: it not only exploits known vulnerabilities but also discovers new ones at an unprecedented pace. This raises critical questions about the efficacy of current patching processes and the security measures organizations have in place. As we delve into this new paradigm, it becomes clear that organizations can no longer rely on outdated assumptions about patch windows and vulnerability management.
One of the most alarming aspects of this development is the accelerated timeline of exploitations. With instances like Langflow's CVE-2026-33017 being exploited a mere 20 hours after disclosure, it is evident that traditional patching processes are woefully inadequate. Security teams that adhere to the conventional wisdom of waiting for a maintenance cycle before applying patches are now at a significant disadvantage. The recent findings underscore the need for a paradigm shift in how vulnerabilities are prioritized and managed. As highlighted in the article, relying solely on CVSS scores is no longer sufficient. Organizations must adopt a more nuanced and dynamic approach, such as the proposed three-layer prioritization filter that integrates active exploitation data with predictions and severity metrics. This change not only increases efficiency but also dramatically reduces the workload associated with urgent remediation.
Moreover, the implications of Claude Mythos extend beyond mere technical adjustments; they challenge the very framework of how security policies are constructed and enforced. The mention of the need to close the agent authorization gap is particularly relevant. As AI agents become more integrated into enterprise systems, the potential for them to exceed their intended permissions becomes a pressing concern. The security community must grapple with the reality that existing authorization models may not account for AI behaviors, creating blind spots that malicious actors can exploit. This necessitates a proactive approach to testing and refining authorization boundaries, as well as a robust mapping of credential dependencies.
As organizations strive to adapt to this rapidly changing threat landscape, they must also consider the broader implications of these developments. The evolving capabilities of AI in security contexts can be both a boon and a bane. While they offer the potential for enhanced security measures, they also introduce new risks that require vigilance and adaptation. As seen in related discussions around the future of technology in various sectors, such as the TechCrunch Mobility piece "It doesn't matter that people hate the Ferrari Luce" and the ethical considerations of AI in sports explored in "What happens in Vega$: steroids, swimmers, and a billion-dollar hustle", the discourse around AI's role in society is broadening.
Looking ahead, the question becomes: how quickly can organizations adapt their security strategies to keep pace with these advancements? The urgency is clear; as exploitation timelines shorten, so too must the speed of organizational responses. Enterprises that embrace proactive, AI-informed approaches to vulnerability management will not only safeguard their assets but also position themselves as leaders in an increasingly competitive digital landscape. The time for action is now, and the stakes have never been higher.
In 2024, researchers from the University of Illinois found that GPT-4, when provided with a common vulnerabilities and exposures (CVE) description, could autonomously exploit 87% of a curated 15-vulnerability one-day dataset. Without the description, it could only exploit 7%. This provided a “margin of safety” for the industry because while AI could exploit known vulnerabilities, it could not discover them.
However, on April 7, Anthropic announced that Claude Mythos Preview had closed that margin, with the model autonomously discovering thousands of zero-day vulnerabilities across major operating systems and browsers. Separately, Mythos scored 83.1% on the CyberGym vulnerability reproduction benchmark. In one campaign targeting OpenBSD across 1,000 scaffold runs, the total compute cost was less than $20,000.
Exploitation timelines are collapsing. Langflow’s CVE-2026-33017 (CVSS 9.8) was exploited 20 hours after disclosure with no public proof-of-concept. Marimo’s CVE-2026-39987 (CVSS 9.3) was hit in 9 hours and 41 minutes.
The defensive infrastructure most organizations rely on wasn’t designed for this. Rapid7’s 2026 threat landscape report states that the median time from CVE publication to CISA's known exploited vulnerabilities (KEV) listing is five days. Google’s M-Trends 2026 report found that exploitation is happening before a patch is even released. When the Langflow advisory was published, the first exploit arrived in 20 hours. When the Marimo advisory was published, it took under 10 hours.
The assumption that your patch window is safe because exploitation takes time is no longer true. Here are your building blocks.
Replace CVSS-only prioritization with a three-layer filter
Most vulnerability management programs still prioritize by CVSS score alone. CVSS quantifies a vulnerability’s “theoretical” severity without considering whether a vulnerability is being exploited in the wild or how quickly someone could weaponize it. A CVSS 8.8 vulnerability with a history of active exploitation (like Docker’s CVE-2026-34040) gets lower priority than a CVSS 9.8 vulnerability that may never be exploited in the wild.
A recent study validated against 28,377 real-world vulnerabilities offers a concrete replacement: a three-layer decision tree that combines CISA KEV status, Exploit Prediction Scoring System (EPSS) scores, and CVSS into a single prioritization filter.
Three-Layer Vulnerability Prioritization Filter

| Layer | Data source | Threshold | Action | SLA |
|---|---|---|---|---|
| 1. Active exploitation | CISA KEV catalog | Listed | Immediate patching | Hours |
| 2. Predicted exploitation | EPSS via FIRST.org | Score ≥ 0.088 | Escalate to Tier 0 pipeline | 24 hours |
| 3. Severity baseline | CVSS via NVD | Score ≥ 7.0 | Typical remediation | Per policy |
Validated result: 18x efficiency gain, 85.6% coverage of exploited vulnerabilities, ~95% reduction in urgent remediation workload. All three data sources are open and free.
The described integration is entirely automatable. It’s possible to build a script to query the CISA KEV API, the EPSS API from FIRST.org, and the NVD, and have that script run against your asset inventory for every published CVE. The human in this process should remain in the loop as an approver, but not as the trigger.
Close the agent authorization gap
The speed at which exploits can now be created changes not only how patches are prioritized but also how controls must be configured for all the agent-driven systems that now hold privileged credentials. Your authorization policies have not been assessed against the behavior of AI agents, and that is now a measurable risk. CVE-2026-34040 showed that Docker's authorization plugin architecture silently bypasses every plugin when the request body exceeds 1MB. Common AuthZ plugins (OPA, Casbin, Prisma Cloud) cannot see this type of bypass, because it occurs in Docker's middleware before the request ever reaches the plugin.
When Cyera demonstrated this vulnerability, they showed that an AI agent debugging infrastructure could infer the bypass path while completing a legitimate task, without any instruction to exploit anything.
The Internet Engineering Task Force (IETF) is working on authorization models for agents. The document draft-klrc-aiagent-auth-01, published in March by participants from AWS, Zscaler, Ping Identity, and OpenAI, proposes the use of the current Secure Production Identity Framework for Everyone (SPIFFE) and OAuth 2.0 for AI agents to obtain dynamically provisioned and short-lived credentials.
Separately, the IETF Agent Identity Protocol draft (draft-prakash-aip-00) reports that out of about 2,000 surveyed model context protocol (MCP) servers, none had authentication.
But these standards are months to years away from implementation. For now, security teams must proactively incorporate agent-level test scenarios for all authorization boundaries, such as oversized requests, burst frequency, and multi-step escalation of privileged requests.
Map your credential blast radius
In a survey conducted by CSA/Zenity and published on April 16, 53% of organizations said they had already seen cases where AI agents exceeded their intended permissions, and 47% experienced a security incident involving an agent.
When AI builder tools such as Flowise (CVE-2025-59528, CVSS 10.0), Langflow, or n8n become compromised, the blast radius extends far beyond the host. These tools contain API keys to frontier models, database credentials, vector store tokens, and OAuth tokens to business systems. A compromised AI builder host is not just a single-system breach. It is a credential harvest that unlocks authenticated access to every connected service.
Without credential dependency maps for each AI tool host, incident response for agent compromise is guesswork. For every instance, document each credential, the extent of its access, and the relevant credential rotation process. Also begin migrating static API keys to short-lived tokens where downstream services allow.
Five actions for this quarter
1. Deploy the three-layer KEV-EPSS-CVSS filter.
Replace CVSS-only prioritization with the three-layer filter in the table above. Automate the collection of data from all three APIs as part of a scheduled script run against your asset inventory. Desired outcome: 18 times more efficient, 85.6% coverage of exploited vulnerabilities, 95% reduction in urgent remediation workload.
2. Implement event-driven patching for Tier 0 services.
Determine which services fall under the critical exposure tier: services exposed directly to internet users, AI builder hosts, and the container orchestration control plane. For this tier, trigger event-driven patching on CVE publication instead of waiting for the next maintenance window.
Goal: deploy the patch to a canary within four hours of a CVE being declared critical. Use the CISA KEV and EPSS feeds as the trigger for event-driven patching. Where the four-hour goal cannot be met because of legacy dependencies, change-freeze windows, or rollback risk, immediately apply compensating controls: remove internet exposure from the vulnerable service, rotate its credentials, disable the affected functionality (if applicable), and assign an exception owner for the exposure until a patch can be deployed.
It is not acceptable to allow unbounded exposures for extended periods while awaiting a maintenance window.
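The three-layer filter from the table above, joined to an asset inventory so that Tier 0 hosts on layers 1 and 2 pick up the four-hour canary goal, as an added example (not the author's script). Every feed payload below is constructed sample data; its shape is assumed to mirror the public CISA KEV JSON, FIRST EPSS API and NVD API 2.0 responses, and the EPSS values are invented for illustration.

```python
"""Three-layer KEV -> EPSS -> CVSS prioritisation filter over an asset inventory.
Feeds are constructed samples (assumed to match the live feed shapes); a real
run would fetch the same three structures from CISA, FIRST.org and NVD."""
from dataclasses import dataclass
from typing import Optional

EPSS_THRESHOLD = 0.088   # layer 2 threshold from the table
CVSS_THRESHOLD = 7.0     # layer 3 threshold from the table
TIER0_SLA_HOURS = 4      # canary patch goal for Tier 0 services

# --- constructed sample feeds; EPSS values are NOT real scores -------------
KEV_FEED = {"vulnerabilities": [{"cveID": "CVE-2026-34040", "vendorProject": "Docker"}]}
EPSS_FEED = {"data": [
    {"cve": "CVE-2026-33017", "epss": "0.91"},
    {"cve": "CVE-2026-39987", "epss": "0.12"},
    {"cve": "CVE-2026-34040", "epss": "0.05"},
    {"cve": "CVE-2025-59528", "epss": "0.02"},
    {"cve": "CVE-2026-00000", "epss": "0.01"},   # placeholder id, constructed
]}

def _nvd(cve_id: str, score: float) -> dict:
    """Build one NVD 2.0-style vulnerability record with a CVSS v3.1 base score."""
    return {"cve": {"id": cve_id, "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": score}}]}}}

NVD_FEED = {"vulnerabilities": [_nvd("CVE-2026-33017", 9.8), _nvd("CVE-2026-39987", 9.3),
                                _nvd("CVE-2026-34040", 8.8), _nvd("CVE-2025-59528", 10.0),
                                _nvd("CVE-2026-00000", 5.3)]}

# Constructed inventory (host -> Tier 0?) and scanner output (host, CVE).
INVENTORY = {"langflow-prod": True, "marimo-lab": False, "docker-ctrl": True,
             "flowise-dev": False, "wiki": False}
SCAN = [("langflow-prod", "CVE-2026-33017"), ("marimo-lab", "CVE-2026-39987"),
        ("docker-ctrl", "CVE-2026-34040"), ("flowise-dev", "CVE-2025-59528"),
        ("wiki", "CVE-2026-00000")]

@dataclass(frozen=True)
class Decision:
    cve: str
    layer: int        # 1 = KEV listed, 2 = EPSS above threshold, 3 = CVSS baseline
    action: str
    sla: str

def load_kev(feed: dict) -> set:
    return {v["cveID"] for v in feed["vulnerabilities"]}

def load_epss(feed: dict) -> dict:
    return {d["cve"]: float(d["epss"]) for d in feed["data"]}

def load_cvss(feed: dict) -> dict:
    out = {}
    for v in feed["vulnerabilities"]:
        metrics = v["cve"].get("metrics", {}).get("cvssMetricV31", [])
        if metrics:
            out[v["cve"]["id"]] = float(metrics[0]["cvssData"]["baseScore"])
    return out

def classify(cve: str, kev: set, epss: dict, cvss: dict) -> Optional[Decision]:
    """Walk the three layers in order; the first layer that fires decides."""
    if cve in kev:
        return Decision(cve, 1, "immediate patching", "hours")
    if epss.get(cve, 0.0) >= EPSS_THRESHOLD:
        return Decision(cve, 2, "escalate to Tier 0 pipeline", "24 hours")
    if cvss.get(cve, 0.0) >= CVSS_THRESHOLD:
        return Decision(cve, 3, "typical remediation", "per policy")
    return None   # below every threshold: routine backlog, not urgent work

def prioritize(scan, inventory, kev, epss, cvss) -> list:
    """Join decisions to hosts; Tier 0 hosts on layers 1-2 get the canary goal."""
    items = []
    for host, cve in scan:
        d = classify(cve, kev, epss, cvss)
        if d is None:
            continue
        tier0 = inventory.get(host, False)
        sla = (f"canary patch within {TIER0_SLA_HOURS}h, else compensating controls"
               if tier0 and d.layer <= 2 else d.sla)
        items.append({"host": host, "cve": cve, "layer": d.layer,
                      "action": d.action, "sla": sla, "tier0": tier0})
    # Layer first, Tier 0 hosts ahead of others within a layer, then higher EPSS first.
    items.sort(key=lambda i: (i["layer"], not i["tier0"], -epss.get(i["cve"], 0.0)))
    return items

if __name__ == "__main__":
    work = prioritize(SCAN, INVENTORY, load_kev(KEV_FEED), load_epss(EPSS_FEED), load_cvss(NVD_FEED))
    for item in work:
        print(item)
```

With these constructed inputs the KEV-listed CVSS 8.8 Docker CVE sorts above the CVSS 10.0 Flowise CVE, which is the inversion the CVSS-only approach gets wrong.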
3. Test authorization boundaries at agent scale.
Create test cases for the AuthZ policies on every API that AI agents can reach. Specifically, include test cases for requests exceeding 1MB, 5MB, and 10MB body sizes. Also include test cases for burst rates above 100 requests per second and for unusual parameter combinations (privileged flags, host mounts, capability additions). Additionally, upgrade to Docker Engine 29.3.1 to fix CVE-2026-34040.
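A boundary test suite covering the cases listed above, as an added example (not Docker's code or the author's). The two middleware classes are a hypothetical, deliberately simplified model of an AuthZ-plugin chain in front of a container API: `FailOpenChain` reproduces the fail-open pattern the page describes (plugin skipped once the body exceeds a size limit), `FailClosedChain` rejects oversized bodies and burst traffic before any decision is made. The `HostConfig` field names are Docker API fields; the 1 MiB limit and all request payloads are constructed for the example.

```python
"""Agent-scale authorization boundary tests against a model plugin chain.
Hypothetical middleware; constructed payloads. A request that is ALLOWED by
any of these cases is a test failure."""
import json
from collections import deque
from dataclasses import dataclass

BODY_LIMIT = 1024 * 1024   # assumed 1 MiB buffer limit in the model
BURST_LIMIT = 100          # requests per second tolerated per agent identity

@dataclass
class Request:
    agent: str
    body: bytes
    ts: float = 0.0        # seconds; injected so the burst case is deterministic

def policy_plugin(req: Request) -> bool:
    """Stand-in AuthZ plugin: deny privileged containers, host-root mounts, added caps."""
    hc = json.loads(req.body).get("HostConfig", {})
    if hc.get("Privileged"):
        return False
    if any(b.split(":")[0] == "/" for b in hc.get("Binds", [])):
        return False
    if hc.get("CapAdd"):
        return False
    return True

class FailOpenChain:
    """Buggy pattern: oversized bodies never reach the plugin and are forwarded."""
    def authorize(self, req: Request) -> bool:
        if len(req.body) > BODY_LIMIT:
            return True            # plugin not consulted: silent bypass
        return policy_plugin(req)

class FailClosedChain:
    """Hardened pattern: refuse oversized bodies outright and throttle bursts
    per agent identity before the policy plugin is asked."""
    def __init__(self):
        self.window = {}           # agent -> deque of request timestamps in last 1s
    def authorize(self, req: Request) -> bool:
        if len(req.body) > BODY_LIMIT:
            return False           # 413-style refusal, logged as a policy event
        q = self.window.setdefault(req.agent, deque())
        while q and req.ts - q[0] >= 1.0:
            q.popleft()
        q.append(req.ts)
        if len(q) > BURST_LIMIT:
            return False
        return policy_plugin(req)

def _spec(host_config: dict, pad_to: int = 0) -> bytes:
    """Container-create body; optionally padded past pad_to bytes via a label."""
    spec = {"Image": "alpine", "HostConfig": host_config}
    body = json.dumps(spec).encode()
    if pad_to > len(body):
        spec["Labels"] = {"pad": "x" * (pad_to - len(body))}
        body = json.dumps(spec).encode()
    return body

def boundary_cases() -> list:
    """Cases from the action list: >1MB, 5MB, 10MB bodies, burst, unusual params.
    Each case is a list of requests; only the LAST one must be denied."""
    priv = {"Privileged": True}
    return [
        ("privileged-small", [Request("agent-a", _spec(priv))]),
        ("privileged-1mb+", [Request("agent-a", _spec(priv, BODY_LIMIT + 1))]),
        ("privileged-5mb", [Request("agent-a", _spec(priv, 5 * BODY_LIMIT))]),
        ("privileged-10mb", [Request("agent-a", _spec(priv, 10 * BODY_LIMIT))]),
        ("host-root-mount", [Request("agent-a", _spec({"Binds": ["/:/host"]}))]),
        ("cap-add", [Request("agent-a", _spec({"CapAdd": ["SYS_ADMIN"]}))]),
        ("burst-101rps", [Request("agent-b", _spec({}), ts=i / 200) for i in range(101)]),
    ]

def run_suite(chain) -> dict:
    """Return {case: allowed}; True means the boundary did not hold."""
    results = {}
    for name, reqs in boundary_cases():
        for r in reqs[:-1]:
            chain.authorize(r)                 # warm-up traffic for the burst case
        results[name] = chain.authorize(reqs[-1])
    return results

if __name__ == "__main__":
    for label, chain in (("fail-open", FailOpenChain()), ("fail-closed", FailClosedChain())):
        print(label, {k: ("FAIL" if v else "ok") for k, v in run_suite(chain).items()})
```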
4. Credential blast radius mapping for all AI builder hosts.
Document each credential for each Langflow, Flowise, n8n, and custom AI pipeline instance. Classify each credential by its lifespan (static key vs. short-lived token). Identify what each credential can access. Set up alerts for anomalous IP or identity for any credential access.
5. Shadow AI discovery scan for this week.
According to CSA data, there is a greater than 50% chance that your agents have exceeded their expected boundaries. Check your Security Information and Event Management (SIEM) and network monitoring tools for communications to the default ports of the AI builder: Langflow 7860, Flowise 3000, and n8n 5678. Any unauthorized instances are an unmonitored attack surface.
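The discovery scan described above run over connection logs, as an added example (not the author's tooling). `SAMPLE_LOG` is constructed; its tab-separated layout (timestamp, source IP, source port, destination IP, destination port, protocol) is an assumed export shape rather than a specific SIEM format, and the sanctioned inventory is likewise made up.

```python
"""Shadow AI builder discovery over network connection logs.
Constructed log lines and inventory; assumed tab-separated export layout."""
from collections import defaultdict

# Default listening ports named in the action list above.
AI_BUILDER_PORTS = {7860: "Langflow", 3000: "Flowise", 5678: "n8n"}

# Constructed sanctioned inventory: (host, port) pairs security already knows about.
APPROVED = {("10.0.5.20", 7860), ("10.0.5.21", 5678)}

# Constructed sample: ts, src_ip, src_port, dst_ip, dst_port, proto.
SAMPLE_LOG = """\
1714000001.1\t10.0.1.15\t51000\t10.0.5.20\t7860\ttcp
1714000002.4\t10.0.1.16\t51001\t10.0.5.20\t7860\ttcp
1714000003.9\t10.0.1.15\t51002\t10.0.5.21\t5678\ttcp
1714000004.2\t10.0.1.30\t51003\t10.0.7.44\t5678\ttcp
1714000005.0\t10.0.1.31\t51004\t10.0.7.44\t5678\ttcp
1714000006.3\t10.0.1.30\t51005\t10.0.7.44\t5678\ttcp
1714000007.7\t10.0.1.40\t51006\t10.0.9.3\t3000\ttcp
1714000008.8\t10.0.1.15\t51007\t10.0.5.50\t443\ttcp
"""

def parse(text: str):
    """Yield (src_ip, dst_ip, dst_port) for well-formed lines; skip the rest."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 6:
            continue
        try:
            yield parts[1], parts[3], int(parts[4])
        except ValueError:
            continue

def find_shadow_instances(text: str, approved=APPROVED) -> list:
    """Group traffic to AI builder default ports by destination and flag any
    destination absent from the sanctioned inventory."""
    seen = defaultdict(lambda: {"sources": set(), "connections": 0})
    for src, dst, port in parse(text):
        if port in AI_BUILDER_PORTS:
            seen[(dst, port)]["sources"].add(src)
            seen[(dst, port)]["connections"] += 1
    findings = []
    for (dst, port), stats in sorted(seen.items()):
        if (dst, port) in approved:
            continue
        findings.append({
            "host": dst, "port": port, "product": AI_BUILDER_PORTS[port],
            "distinct_sources": len(stats["sources"]),
            "connections": stats["connections"],
            # Port 3000 is also a common dev-server and dashboard port, so a hit
            # there is a lead to confirm by inspection, not proof of Flowise.
            "confidence": "confirm" if port == 3000 else "likely",
        })
    return findings

if __name__ == "__main__":
    for f in find_shadow_instances(SAMPLE_LOG):
        print(f)
```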
The takeaway
AI agents are emerging, and the standards bodies are responding. The IETF has multiple drafts related to agent authentication and authorization. The Coalition for Secure AI has published its MCP Security taxonomy and Secure-by-Design principles.
But these standards move at standards-body speed, and the exploit window is now measured in hours. Organizations that implement the three-layer filter and event-driven patching this quarter will have a measurable reduction in exposure. Those who wait will be running calendar-based patch cycles against an adversary that operates in less than 20 hours.
Nik Kale is a principal engineer specializing in enterprise AI platforms and security
Read on the original site
Open the publisher's page for the full experience
Related Articles
- CVSS scored these two Palo Alto CVEs as manageable. Chained, they gave attackers root access to 13,000 devices.During Operation Lunar Peek in November 2024, attackers gained unauthenticated remote admin access — and eventual root — across more than 13,000 exposed Palo Alto Networks management interfaces. Palo Alto Networks scored CVE-2024-0012 at 9.3 and CVE-2024-9474 at 6.9 under CVSS v4.0. NVD scored the same pair 9.8 and 7.2 under CVSS v3.1. Two scoring systems. Two different answers for the same vulnerabilities. The 6.9 fell below patch thresholds. Admin access appeared required. The 9.3 sat queued for maintenance. Segmentation would hold. "Adversaries circumvent [severity ratings] by chaining vulnerabilities together," Adam Meyers, SVP of Counter Adversary Operations at CrowdStrike, told VentureBeat in an exclusive interview on April 22, 2026. On the triage logic that missed the chain: "They just had amnesia from 30 seconds before." Both CVEs sit on the CISA Known Exploited Vulnerabilities catalog. Neither score flagged the kill chain. The triage logic that consumed those scores treated each CVE as an isolated event, and so did the SLA dashboards and the board reports those dashboards feed. CVSS did exactly what it was designed to do. Score one vulnerability at a time. The problem is that adversaries do not attack one vulnerability at a time. "CVSS base scores are theoretical measures of severity that ignore real-world context," wrote Peter Chronis, former CISO of Paramount and a security leader with Fortune 100 experience. By moving beyond CVSS-first prioritization at Paramount, Chronis reported reducing actionable critical and high-risk vulnerabilities by 90%. Chris Gibson, executive director of FIRST, the organization that maintains CVSS, has been equally direct: using CVSS base scores alone for prioritization is "the least apt and accurate" method, Gibson told The Register. 
FIRST's own EPSS and CISA's SSVC decision model address part of this gap by adding exploitation probability and decision-tree logic. Five triage failure classes CVSS was never designed to catch In 2025, 48,185 CVEs were disclosed, a 20.6% year-over-year increase. Jerry Gamblin, principal engineer at Cisco Threat Detection and Response, projects 70,135 for 2026. The infrastructure behind the scores is buckling under that weight. NIST announced on April 15 that CVE submissions have grown 263% since 2020, and the NVD will now prioritize enrichment for KEV and federal critical software only. 1. Chained CVEs that look safe until they aren't The Palo Alto pair from Operation Lunar Peek is the textbook. CVE-2024-0012 bypassed authentication. CVE-2024-9474 escalated privileges. Scored separately under both CVSS v4.0 and v3.1, the escalation flaw filtered below most enterprise patch thresholds because admin access appeared required. The authentication bypass upstream eliminated that prerequisite entirely. Neither score communicated the compound effect. Meyers described the operational psychology: teams assessed each CVE independently, deprioritized the lower score, and queued the higher one for maintenance. 2. Nation-state adversaries who weaponize patches within days The CrowdStrike 2026 Global Threat Report documented a 42% year-over-year increase in vulnerabilities exploited as zero-days before public disclosure. Average breakout time across observed intrusions: 29 minutes. Fastest observed breakout: 27 seconds. China-nexus adversaries weaponized newly patched vulnerabilities within two to six days of disclosure. "Before it was Patch Tuesday once a month. Now it's patch every day, all the time. That's what this new world looks like," said Daniel Bernard, Chief Business Officer at CrowdStrike. A KEV addition treated as a routine queue item on Tuesday becomes an active exploitation window by Thursday. 3. 
Stockpiled CVEs that nation-state actors hold for years Salt Typhoon accessed senior U.S. political figures' communications during the presidential transition by chaining CVE-2023-20198 with CVE-2023-20273 on internet-facing Cisco devices, a privilege escalation pair patched in October 2023 and still unapplied more than a year later. Compromised credentials provided a parallel entry vector. The patches existed. Neither was applied. Sixty-seven percent of vulnerabilities exploited by China-nexus adversaries in 2025 were remote code execution flaws providing immediate system access, according to the CrowdStrike 2026 Global Threat Report. CVSS does not degrade priority based on how long a CVE has gone unpatched. No board metric tracks aging KEV exposure. That silence is the vulnerability. 4. Identity gaps that never enter the scoring system A 2023 help desk social engineering call against a major enterprise produced more than $100 million in losses. No CVE was assigned. No CVSS score existed. No patch pipeline entry was created. The vulnerability was a human process gap in identity verification, sitting entirely outside the scoring system's aperture. "A pro needs a zero day if all you have to do is call the help desk and say I forgot my password," Meyers said. Agentic AI systems now carry their own identity credentials, API tokens, and permission scopes, operating outside traditional vulnerability management governance. Merritt Baer, CSO at Enkrypt AI, has argued on record that identity-surface controls are vulnerability equivalents belonging in the same reporting pipeline as software CVEs. In most organizations, help desk authentication gaps and agentic AI credential inventories live in a separate governance silo. In practice, nobody's governance. 5. 
AI-accelerated discovery that breaks pipeline capacity Anthropic's Claude Mythos Preview demonstrated autonomous vulnerability discovery, finding a 27-year-old signed integer overflow in OpenBSD's TCP SACK implementation across roughly 1,000 scaffold runs at a total compute cost under $20,000. Meyers offered a thought-experiment projection in the exclusive interview with VentureBeat: if frontier AI drives a 10x volume increase, the result is approximately 480,000 CVEs annually. Pipelines built for 48,000 break at 70,000 and collapse at 480,000. NVD enrichment is already gone for non-KEV submissions. "If the adversary is now able to find vulnerabilities faster than the defenders or the business, that's a huge problem, because those vulnerabilities become exploits," said Daniel Bernard, Chief Business Officer at CrowdStrike. CrowdStrike on Thursday launched Project QuiltWorks, a remediation coalition with Accenture, EY, IBM Cybersecurity Services, Kroll, and OpenAI formed to address the vulnerability volume that frontier AI models are now generating in production code. When five major firms build a coalition around a pipeline problem, no single organization's patch workflow can keep pace. Security director action plan The five failure classes above map to five specific actions. Run a chain-dependency audit on every KEV CVE in the environment this month. Flag any co-resident CVE scored 5.0 or above, the threshold where privilege escalation and lateral movement capabilities typically appear in CVSS vectors. Any pair chaining authentication bypass to privilege escalation gets triaged as critical regardless of individual scores. Compress KEV-to-patch SLAs to 72 hours for internet-facing systems. The CrowdStrike 2026 Global Threat Report breakout data, 29-minute average and 27-second fastest, makes weekly patch windows indefensible in a board presentation. Build a monthly KEV aging report for the board. 
Every unpatched KEV CVE, days since disclosure, days since patch availability, and owner. Salt Typhoon exploited a Cisco CVE patched 14 months earlier because no escalation path existed for aging exposure. Add identity-surface controls to the vulnerability reporting pipeline. Help desk authentication gaps and agentic AI credential inventories belong in the same SLA framework as software CVEs. If they sit in a separate governance silo, they sit in nobody's governance. Stress-test pipeline capacity at 1.5x and 10x current CVE volume. Gamblin projects 70,135 for 2026. Meyers's thought-experiment projection: frontier AI could push annual volume past 480,000. Present the capacity gap to the CFO before the next budget cycle, not after the breach that proves the gap existed.
- Most enterprises can't stop stage-three AI agent threats, VentureBeat survey findsA rogue AI agent at Meta passed every identity check and still exposed sensitive data to unauthorized employees in March. Two weeks later, Mercor, a $10 billion AI startup, confirmed a supply-chain breach through LiteLLM. Both are traced to the same structural gap. Monitoring without enforcement, enforcement without isolation. A VentureBeat three-wave survey of 108 qualified enterprises found that the gap is not an edge case. It is the most common security architecture in production today. Gravitee’s State of AI Agent Security 2026 survey of 919 executives and practitioners quantifies the disconnect. 82% of executives say their policies protect them from unauthorized agent actions. Eighty-eight percent reported AI agent security incidents in the last twelve months. Only 21% have runtime visibility into what their agents are doing. Arkose Labs’ 2026 Agentic AI Security Report found 97% of enterprise security leaders expect a material AI-agent-driven incident within 12 months. Only 6% of security budgets address the risk. VentureBeat's survey results show that monitoring investment snapped back to 45% of security budgets in March after dropping to 24% in February, when early movers shifted dollars into runtime enforcement and sandboxing. The March wave (n=20) is directional, but the pattern is consistent with February’s larger sample (n=50): enterprises are stuck at observation while their agents already need isolation. CrowdStrike’s Falcon sensors detect more than 1,800 distinct AI applications across enterprise endpoints. The fastest recorded adversary breakout time has dropped to 27 seconds. Monitoring dashboards built for human-speed workflows cannot keep pace with machine-speed threats. The audit that follows maps three stages. Stage one is observe. Stage two is enforce, where IAM integration and cross-provider controls turn observation into action. 
Stage three is isolate, sandboxed execution that bounds blast radius when guardrails fail. VentureBeat Pulse data from 108 qualified enterprises ties each stage to an investment signal, an OWASP ASI threat vector, a regulatory surface, and immediate steps security leaders can take. The threat surface stage-one security cannot see The OWASP Top 10 for Agentic Applications 2026 formalized the attack surface last December. The ten risks are: goal hijack (ASI01), tool misuse (ASI02), identity and privilege abuse (ASI03), agentic supply chain vulnerabilities (ASI04), unexpected code execution (ASI05), memory poisoning (ASI06), insecure inter-agent communication (ASI07), cascading failures (ASI08), human-agent trust exploitation (ASI09), and rogue agents (ASI10). Most have no analog in traditional LLM applications. The audit below maps six of these to the stages where they are most likely to surface and the controls that address them. Invariant Labs disclosed the MCP Tool Poisoning Attack in April 2025: malicious instructions in an MCP server’s tool description cause an agent to exfiltrate files or hijack a trusted server. CyberArk extended it to Full-Schema Poisoning. The mcp-remote OAuth proxy patched CVE-2025-6514 after a command-injection flaw put 437,000 downloads at risk. Merritt Baer, CSO at Enkrypt AI and former AWS Deputy CISO, framed the gap in an exclusive VentureBeat interview: “Enterprises believe they’ve ‘approved’ AI vendors, but what they’ve actually approved is an interface, not the underlying system. 
The real dependencies are one or two layers deeper, and those are the ones that fail under stress.” CrowdStrike CTO Elia Zaitsev put the visibility problem in operational terms in an exclusive VentureBeat interview at RSAC 2026: “It looks indistinguishable if an agent runs your web browser versus if you run your browser.” Distinguishing the two requires walking the process tree, tracing whether Chrome was launched by a human from the desktop or spawned by an agent in the background. Most enterprise logging configurations cannot make that distinction. The regulatory clock and the identity architecture Auditability priority tells the same story in miniature. In January, 50% of respondents ranked it a top concern. By February, that dropped to 28% as teams sprinted to deploy. In March, it surged to 65% when those same teams realized they had no forensic trail for what their agents did. HIPAA’s 2026 Tier 4 willful-neglect maximum is $2.19M per violation category per year. In healthcare, Gravitee’s survey found 92.7% of organizations reported AI agent security incidents versus the 88% all-industry average. For a health system running agents that touch PHI, that ratio is the difference between a reportable breach and an uncontested finding of willful neglect. FINRA’s 2026 Oversight Report recommends explicit human checkpoints before agents that can act or transact execute, along with narrow scope, granular permissions, and complete audit trails of agent actions. Mike Riemer, Field CISO at Ivanti, quantified the speed problem in a recent VentureBeat interview: “Threat actors are reverse engineering patches within 72 hours. If a customer doesn’t patch within 72 hours of release, they’re open to exploit.” Most enterprises take weeks. Agents operating at machine speed widen that window into a permanent exposure. The identity problem is architectural. 
Gravitee's survey of 919 practitioners found only 21.9% of teams treat agents as identity-bearing entities, 45.6% still use shared API keys, and 25.5% of deployed agents can create and task other agents. A quarter of enterprises can spawn agents that their security team never provisioned. That is ASI08 as architecture. Guardrails alone are not a strategy A 2025 paper by Kazdan and colleagues (Stanford, ServiceNow Research, Toronto, FAR AI) showed a fine-tuning attack that bypasses model-level guardrails in 72% of attempts against Claude 3 Haiku and 57% against GPT-4o. The attack received a $2,000 bug bounty from OpenAI and was acknowledged as a vulnerability by Anthropic. Guardrails constrain what an agent is told to do, not what a compromised agent can reach. CISOs already know this. In VentureBeat's three-wave survey, prevention of unauthorized actions ranked as the top capability priority in every wave at 68% to 72%, the most stable high-conviction signal in the dataset. The demand is for permissioning, not prompting. Guardrails address the wrong control surface. Zaitsev framed the identity shift at RSAC 2026: “AI agents and non-human identities will explode across the enterprise, expanding exponentially and dwarfing human identities. Each agent will operate as a privileged super-human with OAuth tokens, API keys, and continuous access to previously siloed data sets.” Identity security built for humans will not survive this shift. Cisco President Jeetu Patel offered the operational analogy in an exclusive VentureBeat interview: agents behave “more like teenagers, supremely intelligent, but with no fear of consequence.” VentureBeat Prescriptive Matrix: AI Agent Security Maturity Audit Stage Attack Scenario What Breaks Detection Test Blast Radius Recommended Control 1: Observe Attacker embeds goal-hijack payload in forwarded email (ASI01). Agent summarizes email and silently exfiltrates credentials to an external endpoint. See: Meta March 2026 incident. 
No runtime log captures the exfiltration. SIEM never sees the API call. The security team learns from the victim. Zaitsev: agent activity is “indistinguishable” from human activity in default logging. Inject a canary token into a test document. Route it through your agent. If the token leaves your network, stage one failed. Single agent, single session. With shared API keys (45.6% of enterprises): unlimited lateral movement. Deploy agent API call logging to SIEM. Baseline normal tool-call patterns per agent role. Alert on the first outbound call to an unrecognized endpoint. 2: Enforce Compromised MCP server poisons tool description (ASI04). Agent invokes poisoned tool, writes attacker payload to production DB using inherited service-account credentials. See: Mercor/LiteLLM April 2026 supply-chain breach. IAM allows write because agent uses shared service account. No approval gate on write ops. Poisoned tool indistinguishable from clean tool in logs. Riemer: “72-hour patch window” collapses to zero when agents auto-invoke. Register a test MCP server with a benign-looking poisoned description. Confirm your policy engine blocks the tool call before execution reaches the database. Run mcp-scan on all registered servers. Production database integrity. If agent holds DBA-level credentials: full schema compromise. Lateral movement via trust relationships to downstream agents. Assign scoped identity per agent. Require approval workflow for all write ops. Revoke every shared API key. Run mcp-scan on all MCP servers weekly. 3: Isolate Agent A spawns Agent B to handle subtask (ASI08). Agent B inherits Agent A’s permissions, escalates to admin, rewrites org security policy. Every identity check passes. Source: CrowdStrike CEO George Kurtz, RSAC 2026 keynote. No sandbox boundary between agents. No human gate on agent-to-agent delegation. Security policy modification is a valid action for admin-credentialed process. 
CrowdStrike CEO George Kurtz disclosed at RSAC 2026 that the agent “wanted to fix a problem, lacked permissions, and removed the restriction itself.” Spawn a child agent from a sandboxed parent. Child should inherit zero permissions by default and require explicit human approval for each capability grant. Organizational security posture. A rogue policy rewrite disables controls for every subsequent agent. 97% of enterprise leaders expect a material incident within 12 months (Arkose Labs 2026). Sandbox all agent execution. Zero-trust for agent-to-agent delegation: spawned agents inherit nothing. Human sign-off before any agent modifies security controls. Kill switch per OWASP ASI10. Sources: OWASP Top 10 for Agentic Applications 2026; Invariant Labs MCP Tool Poisoning (April 2025); CrowdStrike RSAC 2026 Fortune 50 disclosure; Meta March 2026 incident (The Information/Engadget); Mercor/LiteLLM breach (Fortune, April 2, 2026); Arkose Labs 2026 Agentic AI Security Report; VentureBeat Pulse Q1 2026. The stage-one attack scenario in this matrix is not hypothetical. Unauthorized tool or data access ranked as the most feared failure mode in every wave of VentureBeat’s survey, growing from 42% in January to 50% in March. That trajectory and the 70%-plus priority rating for prevention of unauthorized actions are the two most mutually reinforcing signals in the entire dataset. CISOs fear the exact attack this matrix describes, and most have not deployed the controls to stop it. Hyperscaler stage readiness: observe, enforce, isolate The maturity audit tells you where your security program stands. The next question is whether your cloud platform can get you to stage two and stage three, or whether you are building those capabilities yourself. Patel put it bluntly: “It’s not just about authenticating once and then letting the agent run wild.” A stage-three platform running a stage-one deployment pattern gives you stage-one risk. 
VentureBeat Pulse data surfaces a structural tension in this grid. OpenAI leads enterprise AI security deployments at 21% to 26% across the three survey waves, making the same provider that creates the AI risk also the primary security layer. The provider-as-security-vendor pattern holds across Azure, Google, and AWS. Zero-incremental-procurement convenience is winning by default. Whether that concentration is a feature or a single point of failure depends on how far the enterprise has progressed past stage one.

| Provider | Identity Primitive (Stage 2) | Enforcement Control (Stage 2) | Isolation Primitive (Stage 3) | Gap as of April 2026 |
|---|---|---|---|---|
| Microsoft Azure | Entra ID agent scoping. Agent 365 maps agents to owners. GA. | Copilot Studio DLP policies. Purview for agent output classification. GA. | Azure Confidential Containers for agent workloads. Preview. No per-agent sandbox at GA. | No agent-to-agent identity verification. No MCP governance layer. Agent 365 monitors but cannot block in-flight tool calls. |
| Anthropic | Managed Agents: per-agent scoped permissions, credential mgmt. Beta (April 8, 2026). $0.08/session-hour. | Tool-use permissions, system prompt enforcement, and built-in guardrails. GA. | Managed Agents sandbox: isolated containers per session, execution-chain auditability. Beta. Allianz, Asana, Rakuten, and Sentry are in production. | Beta pricing/SLA not public. Session data in Anthropic-managed DB (lock-in risk per VentureBeat research). GA timing TBD. |
| Google Cloud | Vertex AI service accounts for model endpoints. IAM Conditions for agent traffic. GA. | VPC Service Controls for agent network boundaries. Model Armor for prompt/response filtering. GA. | Confidential VMs for agent workloads. GA. Agent-specific sandbox in preview. | Agent identity ships as a service account, not an agent-native principal. No agent-to-agent delegation audit. Model Armor does not inspect tool-call payloads. |
| OpenAI | Assistants API: function-call permissions, structured outputs. Agents SDK. GA. | Agents SDK guardrails, input/output validation. GA. | Agents SDK Python sandbox. Beta (API and defaults subject to change before GA per OpenAI docs). TypeScript sandbox confirmed, not shipped. | No cross-provider identity federation. Agent memory forensics limited to session scope. No kill switch API. No MCP tool-description inspection. |
| AWS | Bedrock model invocation logging. IAM policies for model access. CloudTrail for agent API calls. GA. | Bedrock Guardrails for content filtering. Lambda resource policies for agent functions. GA. | Lambda isolation per agent function. GA. Bedrock agent-level sandboxing on roadmap, not shipped. | No unified agent control plane across Bedrock + SageMaker + Lambda. No agent identity standard. Guardrails do not inspect MCP tool descriptions. |

Status as of April 15, 2026. GA = generally available. Preview/Beta = not production-hardened. “What’s Missing” column reflects VentureBeat’s analysis of publicly documented capabilities; gaps may narrow as vendors ship updates.

No provider in this grid ships a complete stage-three stack today. Most enterprises assemble isolation from existing cloud building blocks. That is a defensible choice if it is a deliberate one. Waiting for a vendor to close the gap without acknowledging the gap is not a strategy.

The grid above covers hyperscaler-native SDKs. A large segment of AI builders deploys through open-source orchestration frameworks like LangChain, CrewAI, and LlamaIndex that bypass hyperscaler IAM entirely. These frameworks lack native stage-two primitives. There is no scoped agent identity, no tool-call approval workflow, and no built-in audit trails. Enterprises running agents through open-source orchestration need to layer enforcement and isolation on top, not assume the framework provides it.

VentureBeat’s survey quantifies the pressure. Policy enforcement consistency grew from 39.5% to 46% between January and February, the largest consistent gain of any capability criterion.
Enterprises running agents across OpenAI, Anthropic, and Azure need enforcement that works the same way regardless of which model executes the task. Provider-native controls enforce policy within that provider’s runtime only. Open-source orchestration frameworks enforce it nowhere.

One counterargument deserves acknowledgment: not every agent deployment needs stage three. A read-only summarization agent with no tool access and no write permissions may rationally stop at stage one. The sequencing failure this audit addresses is not that monitoring exists. It is that enterprises running agents with write access, shared credentials, and agent-to-agent delegation are treating monitoring as sufficient. For those deployments, stage one is not a strategy. It is a gap.

Allianz shows stage three in production

Allianz, one of the world’s largest insurance and asset management companies, is running Claude Managed Agents across insurance workflows, with Claude Code deployed to technical teams and a dedicated AI logging system for regulatory transparency, per Anthropic’s April 8 announcement. Asana, Rakuten, Sentry, and Notion are in production on the same beta. Stage-three isolation, per-agent permissioning, and execution-chain auditability are deployable now, not roadmap. The gating question is whether the enterprise has sequenced the work to use them.

The 90-day remediation sequence

Days 1–30: Inventory and baseline. Map every agent to a named owner. Log all tool calls. Revoke shared API keys. Deploy read-only monitoring across all agent API traffic. Run mcp-scan against every registered MCP server. CrowdStrike detects 1,800 AI applications across enterprise endpoints; your inventory should be equally comprehensive. Output: agent registry with permission matrix, MCP scan report.

Days 31–60: Enforce and scope. Assign scoped identities to every agent. Deploy tool-call approval workflows for write operations. Integrate agent activity logs into existing SIEM. Run a tabletop exercise: What happens when an agent spawns an agent? Conduct a canary-token test from the prescriptive matrix. Output: IAM policy set, approval workflow, SIEM integration, canary-token test results.

Days 61–90: Isolate and test. Sandbox high-risk agent workloads (PHI, PII, financial transactions). Enforce per-session least privilege. Require human sign-off for agent-to-agent delegation. Red-team the isolation boundary using the stage-three detection test from the matrix. Output: sandboxed execution environment, red-team report, board-ready risk summary with regulatory exposure mapped to HIPAA tier and FINRA guidance.

What changes in the next 30 days

EU AI Act Article 14 human-oversight obligations take effect August 2, 2026. Programs without named owners and execution trace capability face enforcement, not operational risk. Anthropic’s Claude Managed Agents is in public beta at $0.08 per session-hour. GA timing, production SLAs, and final pricing have not been announced. OpenAI Agents SDK ships TypeScript support for sandbox and harness capabilities in a future release, per the company’s April 15 announcement. Stage-three sandbox becomes available to JavaScript agent stacks when it ships.

What the sequence requires

McKinsey’s 2026 AI Trust Maturity Survey pegs the average enterprise at 2.3 out of 4.0 on its RAI maturity model, up from 2.0 in 2025 but still an enforcement-stage number; only one-third of the ~500 organizations surveyed report maturity levels of three or higher in governance. Seventy percent have not finished the transition to stage three. ARMO’s progressive enforcement methodology gives you the path: behavioral profiles in observation, permission baselines in selective enforcement, and full least privilege once baselines stabilize. Monitoring investment was not wasted. It was stage one of three. The organizations stuck in the data treated it as the destination. The budget data makes the constraint explicit.
The share of enterprises reporting flat AI security budgets doubled from 7.9% in January to 16% in February in VentureBeat's survey, with the March directional reading at 20%. Organizations expanding agent deployments without increasing security investment are accumulating security debt at machine speed. Meanwhile, the share reporting no agent security tooling at all fell from 13% in January to 5% in March. Progress, but one in twenty enterprises running agents in production still has zero dedicated security infrastructure around them.

About this research

Total qualified respondents: 108. VentureBeat Pulse AI Security and Trust is a three-wave VentureBeat survey run January 6 through March 15, 2026. Qualified sample (organizations 100+ employees): January n=38, February n=50, March n=20. Primary analysis runs from January to February; March is directional. Industry mix: Tech/Software 52.8%, Financial Services 10.2%, Healthcare 8.3%, Education 6.5%, Telecom/Media 4.6%, Manufacturing 4.6%, Retail 3.7%, other 9.3%. Seniority: VP/Director 34.3%, Manager 29.6%, IC 22.2%, C-Suite 9.3%.
- Agent authorization is broken — and authentication passing makes it worse

Anthony Grieco, Cisco’s SVP and chief security and trust officer, did not hesitate when VentureBeat asked whether rogue agent incidents are reaching Cisco’s customer base. "A hundred percent. We see them regularly," Grieco told VentureBeat in an exclusive interview at RSAC 2026. "I've heard some that I can't repeat, but they do get to the places of, you know, agents are doing things that they think are the right things to do."

The incidents Grieco described follow a consistent pattern: authentication passes, identity checks clear. The agent is exactly who it claims to be. Then it accesses data it was never scoped to touch or takes an action nobody authorized at that level of granularity. The failure is not identity; it's authorization.

"The business is saying things like, we're gonna have 500 agents per employee," Grieco told VentureBeat. "The security leaders are really focused on how to make sure that we do that securely." Cisco’s State of AI Security 2026 report found that 83% of organizations planned to deploy agentic capabilities, but only 29% felt prepared to secure them.

Five vendors shipped agent identity frameworks at RSAC 2026. None closed every gap. That includes Cisco. VentureBeat mapped four authorization gaps across Grieco’s exclusive interview and five independent sources. The prescriptive matrix at the end of this story is what to do about them.

The authorization gap nobody has closed yet

Grieco came up through Cisco's engineering and threat research organizations before taking a role that straddles both sides of the company's security operation: building the products Cisco sells and running the program that defends Cisco itself. The authorization gap he described is specific and operational. "This agent here is a finance agent, but even if it's a finance agent, it shouldn't access all finance data," Grieco told VentureBeat. "It should access the expense reports, and not just expense reports, but the individual expense reports at a particular time. Getting that sort of granular control is really one of the biggest things that are gonna help us say yes to a lot of the agentic developments."

Independent practitioners confirmed the pattern across RSAC 2026. Kayne McGladrey, an IEEE senior member, told VentureBeat that organizations default to cloning human user profiles for agents, and permission sprawl starts on day one. Carter Rees, VP of AI at Reputation, identified the structural reason. The flat authorization plane of an LLM fails to respect user permissions, Rees told VentureBeat. An agent on that flat plane does not need to escalate privileges. It already has them.

"The biggest challenge that we see is knowing what's going on," Grieco said. "Being able to have identity and access control maps to those, that's really crucial."

Elia Zaitsev, CTO of CrowdStrike, described the visibility dimension in an exclusive VentureBeat interview at RSAC 2026. In most default logging configurations, an agent’s activity is indistinguishable from a human’s. Distinguishing the two requires walking the process tree. Most enterprise logging cannot make that distinction.

Five vendors shipped agent identity frameworks at RSAC, including Cisco's Duo IAM and MCP gateway controls. None closed every gap VentureBeat identified. The four gaps below are what remains open.

Standards bodies are converging on the same diagnosis

The authorization and identity gaps Grieco described are not just vendor observations. Three independent standards bodies reached parallel conclusions in early 2026. NIST’s NCCoE published a concept paper in February 2026, "Accelerating the Adoption of Software and AI Agent Identity and Authorization," explicitly calling for demonstration projects on how existing identity standards apply to autonomous agents. The OWASP Top 10 for Agentic Applications, released in December 2025, identified tool misuse from over-privileged access and unsafe delegation as top-tier risks. And the Cloud Security Alliance launched the CSAI Foundation at RSAC 2026 with a mission of "Securing the Agentic Control Plane," including a dedicated Agentic AI IAM framework built around decentralized identifiers and zero trust principles. When NIST, OWASP, and CSA all independently flag the same gap class in the same market cycle, the signal is structural, not vendor-specific.

MCP security requires discovery before control

VentureBeat asked Grieco about the paradox of MCP, the Model Context Protocol that every vendor at RSAC 2026 embraced while acknowledging its security gaps. Grieco did not argue that the protocol is safe. He argued that blocking it is no longer realistic. "There is no saying no to that in today's day and age as a security leader," Grieco told VentureBeat. "And so it's how do we manage that."

Inside Cisco’s own environment, Grieco’s team added MCP discovery, proxying, and inspection capabilities to AI Defense and Cisco Secure Access. The approach treats MCP servers the way enterprises treat shadow IT: find them before you govern them.

Etay Maor, VP of threat intelligence at Cato Networks, validated that approach from the adversarial side. At RSAC 2026, Maor demonstrated a Living Off the AI attack chaining Atlassian's MCP and Jira Service Management. Attackers do not separate trusted tools, services, and models. They chain all three. "We need an HR view of agents," Maor told VentureBeat. "Onboarding, monitoring, offboarding."

Nearly half of the critical infrastructure is obsolete and unpatched

Agent authorization failures are harder to detect and contain when the infrastructure underneath has not received a security patch in years — and that gap compounds every other vulnerability in this story. Cisco commissioned UK-based advisory firm WPI Strategy to examine end-of-life technology risk across the US, UK, France, Germany, and Japan. The report found that nearly half of the critical network infrastructure across those geographies is aging or already obsolete. Vendors no longer patch it.

"Almost 50% of the critical infrastructure across these geographies was aging, it was end of life or almost end of life," Grieco told VentureBeat. "It means vendors are not providing security patches for them anymore."

Cisco’s Resilient Infrastructure initiative disables unused features by default and phases out legacy protocols on a three-release deprecation schedule. Grieco pushed back on the assumption that secure by default is a static achievement. "One of the things that most people don't think about is that those are not static points in time," Grieco told VentureBeat. "It's not like you do it once and you're done."

Agentic enterprise security gap matrix

The four gaps below are what security directors can act on Monday morning. Each row maps from what breaks to why it breaks to what to do about it, cross-validated by five independent sources.

Sources: VentureBeat analysis of Grieco's exclusive interview at RSAC 2026, cross-validated against independent reporting from McGladrey (IEEE), Rees (Reputation), Maor (Cato Networks), and Zaitsev (CrowdStrike). May 2026.
| Security Gap | What fails and what it costs | Why your current stack doesn't catch it | Where vendor controls stand now | First action for your team |
|---|---|---|---|---|
| Infrastructure aging | Nearly half of critical network assets are end of life or approaching it (WPI Strategy); agents operating on unpatched systems inherit vulnerabilities no vendor will fix | Annual patching cadence cannot keep pace with threat velocity; EoL systems receive zero security updates and zero vendor support | Resilient Infrastructure disables insecure defaults, warns on risky configurations, deprecates legacy protocols on a three-release schedule | Infra team: audit every network asset against vendor EoL dates this quarter. Reclassify EoL replacement from IT upgrade to security investment in next budget cycle |
| MCP discovery | MCP servers proliferate across environments without security visibility; developers spin up agent tool connections that bypass existing governance | Shadow MCP deployments bypass existing discovery tools; no standard inventory mechanism exists; Maor demonstrated attackers chaining MCP + Jira in a Living Off the AI attack | AI Defense adds MCP discovery, proxying, and inspection; treats MCP servers like shadow IT | Security ops: run an MCP server inventory across all environments before deploying any agent governance controls. If you cannot enumerate your MCP surface, you cannot secure it |
| Agent over-permissioning | Agents inherit broad human-level access on a flat authorization plane; the agent does not need to escalate privileges because it already has them (Rees) | IAM teams clone human profiles for agents by default (McGladrey); no scoped, time-bound permissions exist for non-human identities | Duo IAM registers agents as distinct identity objects with granular, time-bound permissions per tool call | IAM team: stop cloning human accounts for agents immediately. Scope every agent permission to a specific data set, specific action, and specific time window. Grieco's test: can this finance agent access only the individual expense report it needs at this moment? |
| Agent behavioral visibility | Agent actions are indistinguishable from human actions in security logs (Zaitsev); an over-permissioned agent that looks like a human in logs is invisible to the SOC | Default logging does not capture process tree lineage; no vendor has shipped a complete cross-platform behavioral baseline for agent activity | SOC telemetry integration with Splunk for agent-specific detection and response | SOC lead: update logging to capture process tree lineage so agent-initiated actions are distinguishable from human-initiated actions. If your SIEM cannot answer "was this a human or an agent?" for every session, the gap is open |

"Frankly, we must move this quickly and evolve this quickly to keep up with where the adversaries are gonna go," Grieco told VentureBeat. The gaps mapped above are not theoretical. Grieco confirmed the incidents are already happening. The controls exist in pieces across multiple vendors. No single vendor has assembled the complete stack.
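One way to answer the SOC lead's question, "was this a human or an agent?", from process-tree lineage, as an added example that is not code from the article, Cisco, CrowdStrike or Splunk. The process snapshot, user names and the set of agent-runtime process names are constructed assumptions; adapt the sets to your own estate.

```python
"""Answer "was this a human or an agent?" for a logged action by walking
process-tree lineage, the distinction Zaitsev says default logging lacks.

Added example, not code from the article, Cisco, CrowdStrike or Splunk.
The process snapshot, users and agent-runtime process names are constructed."""

# Process names your agent platform runs under (assumption; adapt to your estate).
AGENT_RUNTIMES = {"agent-runner", "mcp-server"}
# Ancestors that mark an interactive human session (assumption).
INTERACTIVE_ROOTS = {"sshd", "login", "gdm-session-worker"}

# Constructed process snapshot. pids 1300 and 2200 are identical by name and
# command line and hit the same database; only lineage tells them apart.
PROCESSES = [
    {"pid": 1, "ppid": 0, "name": "systemd", "user": "root"},
    {"pid": 900, "ppid": 1, "name": "sshd", "user": "root"},
    {"pid": 1200, "ppid": 900, "name": "bash", "user": "alice"},
    {"pid": 1300, "ppid": 1200, "name": "psql", "user": "alice", "cmd": "psql -h erp-db expenses"},
    {"pid": 2000, "ppid": 1, "name": "agent-runner", "user": "svc-agent"},
    {"pid": 2100, "ppid": 2000, "name": "bash", "user": "svc-agent"},
    {"pid": 2200, "ppid": 2100, "name": "psql", "user": "svc-agent", "cmd": "psql -h erp-db expenses"},
    # Alice started an agent runtime from her own shell: its children are still agent-initiated.
    {"pid": 3000, "ppid": 1200, "name": "agent-runner", "user": "alice"},
    {"pid": 3100, "ppid": 3000, "name": "curl", "user": "alice", "cmd": "curl https://erp.corp.example/api"},
]

# Constructed SIEM action events that carry only a pid and a description.
ACTIONS = [
    {"ts": "2026-05-02T10:00:00Z", "pid": 1300, "action": "db.read expenses"},
    {"ts": "2026-05-02T10:00:07Z", "pid": 2200, "action": "db.read expenses"},
    {"ts": "2026-05-02T10:00:12Z", "pid": 3100, "action": "http.get erp-api"},
    {"ts": "2026-05-02T10:00:15Z", "pid": 4242, "action": "db.read expenses"},  # pid absent from snapshot
]


def build_index(processes):
    return {p["pid"]: p for p in processes}


def lineage(pid, index):
    """Ancestors from the process itself up to the root; stops on a missing parent or a cycle."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(index[pid])
        pid = index[pid]["ppid"]
    return chain


def classify(pid, index):
    """Return (initiator, responsible_pid). An agent runtime anywhere in the chain wins,
    because anything spawned beneath an agent is agent-initiated even if a human launched it."""
    chain = lineage(pid, index)
    for proc in chain:
        if proc["name"] in AGENT_RUNTIMES:
            return "agent", proc["pid"]
    for proc in chain:
        if proc["name"] in INTERACTIVE_ROOTS:
            return "human", proc["pid"]
    return "unknown", None  # no lineage available: the logging gap the article describes


def enrich(actions, index):
    """Tag each action event with its initiator so the SIEM can split agent from human activity."""
    out = []
    for ev in actions:
        initiator, root_pid = classify(ev["pid"], index)
        proc = index.get(ev["pid"], {})
        out.append({**ev, "user": proc.get("user"), "initiator": initiator, "initiator_pid": root_pid})
    return out


if __name__ == "__main__":
    for row in enrich(ACTIONS, build_index(PROCESSES)):
        print(row)
```

Every "unknown" row is a measurement of the gap itself: an action whose lineage the telemetry did not capture.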
- Four AI supply-chain attacks in 50 days exposed the release pipeline red teams aren't covering

Four supply-chain incidents hit OpenAI, Anthropic and Meta in 50 days: three adversary-driven attacks and one self-inflicted packaging failure. None targeted the model, and all four exposed the same gap: release pipelines, dependency hooks, CI runners, and packaging gates that no system card, AISI evaluation, or Gray Swan red-team exercise has ever scoped.

On May 11, 2026, a self-propagating worm called Mini Shai-Hulud published 84 malicious package versions across 42 @tanstack/* npm packages in six minutes flat. The worm rode in on release.yml, chaining a pull_request_target misconfiguration, GitHub Actions cache poisoning, and OIDC token extraction from runner memory to hijack TanStack’s own trusted release pipeline. The packages carried valid SLSA Build Level 3 provenance because they were published from the correct repository, by the correct workflow, using a legitimately minted OIDC token. No maintainer password was phished. No 2FA prompt was intercepted. The trust model worked exactly as designed and still produced 84 malicious artifacts.

Two days later, OpenAI confirmed that two employee devices were compromised and credential material was exfiltrated from internal code repositories. OpenAI is now revoking its macOS security certificates and forcing all desktop users to update by June 12, 2026. OpenAI noted that it had already been hardening its CI/CD pipeline after an earlier supply-chain incident, but the two affected devices had not yet received the updated configurations. That is the response profile of a build-pipeline breach, not a model-safety incident.

Four incidents, one finding

Model red teams do not cover release pipelines. The four incidents below are evidence for a single architectural finding that belongs in every AI vendor questionnaire.

OpenAI Codex command injection (disclosed March 30, 2026). BeyondTrust Phantom Labs researcher Tyler Jespersen found that OpenAI Codex passed GitHub branch names directly into shell commands with zero sanitization. An attacker could inject a semicolon and a backtick subshell into a branch name, and the Codex container would execute it, returning the victim’s GitHub OAuth token in cleartext. The flaw affected the ChatGPT website, Codex CLI, Codex SDK, and the IDE Extension. OpenAI classified it Critical Priority 1 and completed remediation by February 2026. The Phantom Labs team used Unicode characters to make a malicious branch name visually identical to "main" in the Codex UI. One branch name. That is where the attack started.

LiteLLM supply-chain poisoning and Mercor breach (March 24–27, 2026). The threat group TeamPCP used credentials stolen in a prior compromise of Aqua Security’s Trivy vulnerability scanner to publish two poisoned versions of the LiteLLM Python package to PyPI. LiteLLM is a widely adopted open-source LLM proxy gateway used across major AI infrastructure teams. The malicious versions were live for roughly 40 minutes and received nearly 47,000 downloads before PyPI quarantined them. That was enough. The attack cascaded downstream into Mercor, the $10 billion AI data startup that supplies training data to Meta, OpenAI, and Anthropic. Four terabytes exfiltrated, including proprietary training methodology references from Meta. Meta froze the partnership indefinitely. A class action followed within five days. One compromised open-source dependency sitting 40 minutes on PyPI created a cross-industry blast radius that no single vendor’s model red team would have caught.

Anthropic Claude Code source map leak (March 31, 2026). This incident was not adversary-driven. Anthropic shipped Claude Code version 2.1.88 to the npm registry with a 59.8 MB source map file that should never have been included. The map file pointed to a zip archive on Anthropic’s own Cloudflare R2 bucket containing 513,000 lines of unobfuscated TypeScript across 1,906 files. Agent orchestration logic. 44 feature flags. System prompts. Multi-agent coordination architecture. All public. All downloadable. No authentication required. Security researcher Chaofan Shou flagged the exposure within hours, and Anthropic pulled the package. Anthropic confirmed it was a “release packaging issue caused by human error.” This was the second such leak in 13 months. The root cause was a missing line in .npmignore. No attacker was involved, but the release-surface gap is identical. No human review gate existed between the build artifact and the registry publish step.

TanStack worm and downstream propagation (May 11–14, 2026). Wiz Research attributed the Mini Shai-Hulud attack to TeamPCP with high confidence. StepSecurity detected the compromise within 20 minutes. The worm spread beyond TanStack to Mistral AI, UiPath, and 160-plus packages within hours. Mini Shai-Hulud even impersonated the Anthropic Claude GitHub App identity by authoring commits under the fabricated identity “claude <claude@users.noreply.github.com>” to bypass code review.

Four incidents. Three frontier labs. One finding. The red-team scope stops at the model boundary, and the build pipeline sits on the other side of it.

The timing no system card can explain

On May 10, 2026, OpenAI launched Daybreak, a cybersecurity initiative built on GPT-5.5 and a new permissive model called GPT-5.5-Cyber designed for authorized red teaming, penetration testing, and vulnerability discovery. Daybreak pairs Codex Security with partners, including Cisco, CrowdStrike, Akamai, Cloudflare, and Zscaler. OpenAI positioned the launch as proof that frontier AI can tilt the balance toward defenders. The next day, the TanStack worm compromised two OpenAI employee devices. OpenAI’s own incident disclosure acknowledged the gap directly. The company had already been hardening its CI/CD pipeline after the earlier Axios supply-chain attack, but the two affected devices “did not have the updated configurations that would have prevented the download.” The controls existed. The deployment was in progress. The worm arrived first.

The security community saw the same gap. Security researcher @EnTr0pY_88 noted on X that the real signal was the certificate rotation, not the exfiltrated code. "The cert rotation…is what you do when the blast radius reached signing trust, not just source access." @OpenMatter_ put the SLSA provenance failure in one sentence. "If an attacker controls your CI runner, they control your attestations. Policy-based security is failing at scale." And @The_Calda compressed the disclosure's internal contradiction into seven words. "'Limited impact' but the next sentence is 'we're rotating signing certs.'"

A company that launched a cyber defense platform on Sunday and disclosed a build-pipeline breach on Tuesday is not failing at model safety. OpenAI is demonstrating the exact gap this audit grid exists to close. The model red team and the release-pipeline red team are two different disciplines; four incidents in 50 days suggest only one of them is being funded consistently.

The VentureBeat Prescriptive Matrix

The matrix below maps the seven release-surface classes missing from AI vendor questionnaires, with vendor hit, failure mechanism, detection gap, technical mitigation, and priority tier a security team can execute before Q2 renewals close. For teams that need to map these rows into existing GRC tooling, rows 2, 3, and 5 align with NIST SSDF PS.1.1 (protect all forms of code from unauthorized access and tampering). Row 4 maps to SSDF PS.2.1 (provide mechanisms for verifying software release integrity).
Row 6 maps partially to SLSA Source Track requirements for verified contributor identity, though no published framework directly addresses upstream dependency maintainer credential provenance. Row 7 is not yet addressed by any published framework, which is itself the finding.

| Release-surface class | Vendor hit | Failure mechanism | Detection gap | Technical mitigation | Priority |
|---|---|---|---|---|---|
| Model capability evals (jailbreak, misuse, exfiltration) | All three (ongoing) | Covered. System cards, AISI Expert suite, Gray Swan scope this today. | None. This row is the baseline. | Continue requiring the system card at every renewal. | Baseline |
| CI runner trust boundary (pull_request_target) | TanStack; OpenAI downstream (May 11–14, 2026) | TanStack pwn-request ran fork code in base-repo context. Poisoned pnpm cache. Extracted OIDC token from runner memory. Two OpenAI employee devices compromised. | No system card covers CI runner isolation. No AISI eval tests fork-to-base trust boundaries. | Audit every repo for pull_request_target + fork SHA checkout. Block fork code from base-repo context. Pin cache keys to commit SHA. | Do this week |
| OIDC trusted-publisher + SLSA provenance | TanStack; OpenAI downstream (May 11, 2026) | TanStack minted valid SLSA Build Level 3 provenance for all 84 malicious packages. First known npm worm with valid cryptographic attestation. | SLSA attestation confirms build origin, not build intent. No vendor questionnaire distinguishes the two. | Pin trusted publisher to branch + workflow, not just repository. Add behavioral analysis at install time. | Do this week |
| Release packaging review (human gate before publish) | Anthropic (Mar 31, 2026) | Missing .npmignore shipped 59.8 MB source map in Claude Code npm package. 513K lines exposed including agent logic, 44 feature flags, system prompts. Second leak in 13 months. Self-inflicted, not adversary-driven. | No red-team exercise checks artifact contents before registry publish. | Human review between build artifact and registry publish. Enforce .npmignore in CI. Fail build on unexpected artifact size. | Before renewal |
| Dependency lifecycle hooks (prepare, postinstall) | TanStack; OpenAI + downstream (May 11, 2026) | router_init.js executes on import. tanstack_runner.js self-propagates via optionalDependencies prepare hook. Spread to Mistral AI, UiPath, 160+ packages in hours. | Lifecycle hooks execute before any scanner runs. Model evals never test package install behavior. | Disable lifecycle scripts in CI by default. Explicit allowlist for production. Flag new optionalDependencies in PR review. Set minimumReleaseAge. | Do this week |
| Vendor maintainer credential hygiene | Meta via Mercor (Mar 24–27, 2026) | TeamPCP stole LiteLLM maintainer credential via prior Trivy compromise. Two poisoned PyPI versions live 40 min. Mercor cache held Meta training methodology references. 4 TB exfiltrated. Meta froze the partnership. | Vendor questionnaires ask about encryption and access control, not maintainer credential provenance for upstream dependencies. | Require hardware-key auth from every maintainer before onboarding. Add package-manager cooldown. Audit transitive dependency tree quarterly. | Add to vendor contract |
| Agent container input sanitization | OpenAI Codex (disclosed Mar 30, 2026) | BeyondTrust Phantom Labs injected shell commands through GitHub branch-name parameter. Stole OAuth tokens from Codex container. Scalable across shared repos. Rated Critical P1, patched Feb 2026. | Agent red teams test prompt injection, not input-parameter injection at the container level. | Sanitize all external input before shell execution. Audit OAuth token scope and lifetime per agent session. Enforce least-privilege on every container. | Do this week |

Security director action plan

The matrix tells your team what to fix. Three actions tell security directors how to move it forward.

Add one question to every AI vendor questionnaire. "Does your organization red-team its release pipeline, including CI runner trust boundaries, OIDC token scoping, dependency lifecycle hooks, and registry publish gates? Provide the last assessment date and scope." No date and no scope document is the finding.

Run rows 2 through 7 against your own CI pipelines this week. StepSecurity and Snyk both published detection and remediation steps for the TanStack worm patterns. Dev teams pull OpenAI SDKs, Anthropic packages, and Llama weights through npm, PyPI, and HuggingFace every week. The same patterns that got exploited are in your CI right now.

Brief the board on the provenance gap. The TanStack worm proved that valid cryptographic provenance can sit on top of a malicious package. Attestation tells the board where a package was built. Behavioral analysis tells the board what it does after install. Q2 renewal requires both. Snyk's analysis recommends pinning trusted publisher configurations to specific branches and workflows, not just repositories. That is the language the board presentation needs.

The worm already knows where your AI credentials live

Mini Shai-Hulud does not stop at CI secrets. Datadog Security Labs documented that the payload reads ~/.claude.json and exfiltrates it. It scans for 1Password and Bitwarden vaults, Kubernetes service accounts, cloud provider tokens, and shell history files where developers paste API keys. StepSecurity's deobfuscation confirmed that Mini Shai-Hulud harvests Claude and Kiro MCP server configurations, which store API keys and auth tokens for external services. For developers using AI coding agents, the worm already knows where their credentials live.

OpenAI, Anthropic, and Meta will keep publishing system cards. They will keep funding red-team competitions. They will keep passing model evaluations. None of that stops the next worm from riding in on release.yml. The TanStack postmortem team said it directly. Modern supply-chain defenses are important but not sufficient on their own. Teams must proactively identify and close workflow gaps rather than relying solely on the security features of their tools.
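A heuristic audit for rows 2 and 5 of the matrix (fork-head checkout under pull_request_target, cache keys not pinned to the commit SHA, and dependency installs that run lifecycle scripts), as an added example that is not code from the article, TanStack, StepSecurity or Snyk. Both workflow files are constructed, and the checks are text matching rather than a YAML parser, so the output is a worklist for review, not a verdict.

```python
"""Heuristic audit of GitHub Actions workflows for the pull_request_target
patterns in rows 2 and 5 of the matrix: fork-head checkout in a privileged
job, cache keys not pinned to the commit SHA, and dependency installs that
run lifecycle scripts.

Added example, not the article's, TanStack's, StepSecurity's or Snyk's code.
The two workflows are constructed; this is text matching, not YAML parsing."""
import re

# Expressions that resolve to the fork's head inside a pull_request_target job.
FORK_HEAD_EXPRS = {
    "github.event.pull_request.head.sha",
    "github.event.pull_request.head.ref",
    "github.head_ref",
}

# Constructed: the shape of the risky pattern (fork code, base-repo secrets, poisonable cache).
RISKY_WORKFLOW = """\
name: release
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  id-token: write   # OIDC token minted for this job
  contents: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # fork code in base-repo context
      - uses: actions/cache@v4
        with:
          path: ~/.local/share/pnpm/store
          key: ${{ runner.os }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
      - run: pnpm install
      - run: pnpm publish
"""

# Constructed: the same job with the matrix's mitigations applied.
HARDENED_WORKFLOW = """\
name: release
on:
  pull_request_target:
    types: [labeled]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # default ref: the base branch, not the fork
      - uses: actions/cache@v4
        with:
          path: ~/.local/share/pnpm/store
          key: ${{ runner.os }}-pnpm-${{ github.sha }}
      - run: pnpm install --ignore-scripts
"""


def strip_comments(text):
    """Drop YAML comments so a commented-out 'ref:' cannot trigger or hide a finding."""
    return "\n".join(line.split("#", 1)[0].rstrip() for line in text.splitlines())


def audit_workflow(name, text):
    """Return a list of finding strings for one workflow file."""
    text = strip_comments(text)
    findings = []
    if not re.search(r"\bpull_request_target\b", text):
        return findings  # plain pull_request jobs do not receive base-repo secrets
    # Row 2: checking out the fork head hands attacker-controlled code the job's secrets.
    for m in re.finditer(r"ref:\s*\$\{\{\s*([\w.]+)\s*\}\}", text):
        if m.group(1) in FORK_HEAD_EXPRS:
            findings.append(f"{name}: checks out fork head '{m.group(1)}' under pull_request_target")
    # Row 2: a cache key shared across commits can be poisoned from one PR and restored in the next.
    for key in re.findall(r"^\s*key:\s*(.+)$", text, re.M):
        if "github.sha" not in key:
            findings.append(f"{name}: cache key not pinned to commit SHA: {key.strip()}")
    # Row 5: lifecycle scripts run at install time, before any scanner sees the package.
    for cmd in re.findall(r"run:\s*((?:npm|pnpm|yarn)\s+(?:ci|install|i)\b[^\n]*)", text):
        if "--ignore-scripts" not in cmd:
            findings.append(f"{name}: dependency install runs lifecycle scripts: {cmd.strip()}")
    return findings


if __name__ == "__main__":
    for wf_name, wf in (("risky.yml", RISKY_WORKFLOW), ("hardened.yml", HARDENED_WORKFLOW)):
        for finding in audit_workflow(wf_name, wf) or [f"{wf_name}: no findings"]:
            print(finding)
```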
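For row 7 (agent container input sanitization), an added example that contrasts the pattern the Codex finding describes, a branch name interpolated into a shell command, with a hardened form. This is not OpenAI's or BeyondTrust's code; the refname allowlist is an assumption about what your repositories need, and the vulnerable form is returned as a string and never executed.

```python
"""Branch-name input handling at the agent container boundary (matrix row 7).

Added example, not OpenAI's or BeyondTrust's code. The hardened path uses a
strict refname allowlist, rejects non-ASCII names (which also catches the
homoglyph-"main" trick), and calls git with an argv and no shell, passing the
ref as a full refs/heads/ path so it can never parse as an option."""
import re
import subprocess

# Strict subset of git refname rules (assumption: your repositories need nothing wider).
BRANCH_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]{0,254}$")


def vulnerable_checkout_command(branch):
    """The shape of the bug: untrusted text becomes part of a shell command line.
    Returned as a string for comparison only; never executed here."""
    return f"git fetch origin {branch} && git checkout {branch}"


def validate_branch(branch):
    """Return the branch name if it is safe to hand to git, else raise ValueError."""
    if not branch.isascii():
        # Rejects Unicode homoglyphs such as a Cyrillic letter that renders like "main".
        raise ValueError("branch name contains non-ASCII characters")
    if not BRANCH_RE.fullmatch(branch):
        # Excludes shell metacharacters (; ` $ | & space ...) and a leading '-' or '/'.
        raise ValueError("branch name contains disallowed characters")
    if ".." in branch or "//" in branch or branch.endswith((".lock", "/", ".")):
        raise ValueError("branch name violates git refname rules")
    return branch


def safe_checkout_argv(branch):
    """Argument vectors for subprocess.run(..., shell=False). No shell means no
    metacharacter interpretation; the refs/heads/ prefix means no option parsing."""
    ref = "refs/heads/" + validate_branch(branch)
    return [
        ["git", "fetch", "origin", ref],
        ["git", "checkout", "--detach", "FETCH_HEAD"],
    ]


def checkout(branch, repo_dir):
    """Run the hardened sequence inside repo_dir (not exercised by the tests)."""
    for argv in safe_checkout_argv(branch):
        subprocess.run(argv, cwd=repo_dir, check=True, shell=False)


if __name__ == "__main__":
    for candidate in ("feature/expense-report-v2", "main; id", "-oops", "ma\u0456n"):
        try:
            print(candidate, "->", safe_checkout_argv(candidate)[0])
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
```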