<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
    <channel>
        <title>VentureBeat</title>
        <link>https://venturebeat.com/feed/</link>
        <description>Transformative tech coverage that matters</description>
        <lastBuildDate>Sat, 18 Jul 2026 03:37:27 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>https://github.com/jpmonette/feed</generator>
        <language>en</language>
        <copyright>Copyright 2026, VentureBeat</copyright>
        <item>
            <title><![CDATA[Capital One releases VulnHunter, an open-source AI tool that finds software flaws before hackers do]]></title>
            <link>https://venturebeat.com/technology/capital-one-releases-vulnhunter-an-open-source-ai-tool-that-finds-software-flaws-before-hackers-do</link>
            <guid isPermaLink="false">7lSvlcZNy8zSumukpEdyoQ</guid>
            <pubDate>Fri, 17 Jul 2026 20:51:30 GMT</pubDate>
            <description><![CDATA[<p><a href="https://www.capitalone.com/">Capital One</a> on Thursday released <a href="https://github.com/capitalone/vulnhunter">VulnHunter</a>, an open-source, agentic AI security tool that scans source code for exploitable vulnerabilities, maps out how an attacker would reach them, and proposes targeted fixes — all before a single line ships to production. The tool, built internally and <a href="https://github.com/capitalone/vulnhunter">now available on GitHub</a> under an Apache 2.0 license, is one of the most ambitious attempts by a major financial institution to turn offensive AI capabilities into a public defensive resource.</p><p>At a time when security teams are facing a rising tide of new AI threats, Capital One&#x27;s decision to open-source the tool reflects an effort, according to CISO Chris Nims, to address &quot;an increasingly brief window before sophisticated, next-generation AI attack capabilities become affordable and accessible to virtually every adversary.&quot;</p><p>Capital One is not simply releasing another vulnerability scanner. VulnHunter introduces what the company calls an &quot;<a href="https://github.com/capitalone/vulnhunter">attacker-first forward analysis</a>&quot; — a workflow in which the tool begins at the points where a real adversary would enter a system, such as APIs, network messages, or file uploads, and reasons forward through the application&#x27;s logic to determine whether an exploit path actually survives the code&#x27;s existing defenses. Conventional scanners typically work in reverse, flagging a dangerous-looking code pattern and then searching backward for a hypothetical attacker. That approach, security practitioners widely acknowledge, buries engineering teams under avalanches of false positives.</p><p><a href="https://github.com/capitalone/vulnhunter">VulnHunter</a> attacks that problem head-on with a second innovation: a built-in &quot;falsification engine&quot; that tries to disprove its own findings before a developer ever sees them. After the tool surfaces a potential vulnerability, a structured reasoning workflow hunts for logical gaps, unsupported assumptions, and conditions that would prevent the attack from succeeding. Only findings the engine fails to rule out reach a human reviewer — and when they do, VulnHunter delivers not just an alert but a full explanation of the exploit path and a proposed code fix ready for engineering review.</p><p>The tool currently runs on Anthropic&#x27;s <a href="https://www.anthropic.com/news/claude-opus-4-8">Claude Opus 4.8 model</a> inside a Claude Code environment, though Capital One says the framework has the potential to work across other foundation models and coding harnesses.</p><h2><b>Why Capital One is giving the tool away</b></h2><p>Asked why Capital One decided to open-source a tool this consequential, Nims pointed to the communal nature of the problem. </p><p>&quot;We felt an imperative to open-source VulnHunter because modern software supply chains are very connected, and the scale of the AI threat is larger than any single organization,&quot; Nims told VentureBeat. &quot;Securing software and our digital environments is a shared foundation that benefits developers, enterprises, and the people who depend on the systems we all build. The defensive tools to address this reality need to be just as widely distributed, tested, and improved as the codebases they protect.&quot;</p><p>&quot;Rather than wait,&quot; he added, &quot;we decided that the right response was to build a product that is purpose-fit for today&#x27;s complex security landscape, and put it into the hands of defenders everywhere.&quot;</p><h2><b>Why Capital One believes open-sourcing VulnHunter strengthens everyone&#x27;s defenses</b></h2><p>The release nonetheless arrives against a backdrop the company knows well. <!-- -->On July 19, 2019, <a href="https://www.capitalone.com/digital/facts2019/">Capital One disclosed </a>that an outside individual — later identified as a former Amazon Web Services employee named Paige Thompson — had gained unauthorized access to names, addresses, self-reported income, Social Security numbers, and linked bank account numbers belonging to credit card customers and applicants. The breach, which Capital One says occurred on March 22 and 23, 2019, was discovered only after an external security researcher flagged a configuration vulnerability through the company&#x27;s <a href="https://www.capitalone.com/digital/responsible-disclosure/">Responsible Disclosure Program</a> on July 17 of that year.</p><p>The damage was sweeping. Approximately <a href="https://www.npr.org/2019/07/30/746687015/100-million-people-in-the-u-s-affected-by-capital-one-data-breach">100 million people in the United States</a> and 6 million in Canada were affected. Roughly 140,000 Social Security numbers, about 80,000 linked bank account numbers, and approximately 1 million Canadian Social Insurance Numbers were compromised. The FBI arrested Thompson, and the government stated it believed the data had been recovered with no evidence of fraud. But the reputational and regulatory toll was enormous.</p><p>In August 2020, the Office of the Comptroller of the Currency <a href="https://www.occ.gov/news-issuances/news-releases/2020/nr-occ-2020-101.html">fined Capital One $80 million</a>, finding that the bank had failed to adequately identify and manage risks as it migrated significant technology operations to the cloud. As Reuters reported at the time, the OCC&#x27;s consent order cited insufficient network security controls, inadequate data loss prevention measures, and a board that failed to hold management accountable when internal auditing surfaced problems. The OCC also ordered Capital One to overhaul its operations and submit new cybersecurity plans for regulatory review.</p><p>CyberScoop at the time called the incident &quot;<a href="https://cyberscoop.com/capital-one-hack-banking-security/">a cautionary tale for companies rushing to embrace new tech</a>.&quot; Capital One&#x27;s own CEO, Richard D. Fairbank, acknowledged the gravity of the moment. &quot;While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,&quot; Fairbank said at the time. &quot;I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.&quot;</p><h2><b>How Capital One rebuilt its security reputation through open-source investment</b></h2><p>What followed was not a retreat from technology but a doubling down — with security explicitly at the center.</p><p>Capital One began releasing open-source projects in 2014 and <!-- -->declared itself an &quot;<a href="https://capitalonesoftware.com/blog/cloud-migration-journey">open-source first</a>&quot; company in 2015 as part of a broader technology transformation that began over a decade ago. <!-- -->The company has continued to invest<!-- --> in software supply chain security, open-source governance, and AI-driven defense. In August 2022, Capital One joined the <a href="https://openssf.org/">Open Source Security Foundation</a> as a premier member, earning a seat on the organization&#x27;s Governing Board. Chris Nims, then EVP of Cloud &amp; Productivity Engineering, framed the move as a natural extension of the company&#x27;s operating philosophy. &quot;As a highly-regulated company, we are seasoned in managing compliance and governance and advocate for standardization, automation and collaboration,&quot; Nims said in the <a href="https://openssf.org/press-release/2022/08/24/capital-one-joins-open-source-security-foundation/">OpenSSF announcement</a>.</p><p>Behind that public commitment lay a substantial operational apparatus. Capital One&#x27;s <a href="https://www.capitalone.com/tech/open-source/">Open Source Program Office</a>, now in its third iteration, manages open-source usage, contributions, and community building across the enterprise. The company has released more than 40 open-source projects and has made thousands of contributions to external open-source projects it depends on, according to the company. Those efforts address not just code dependencies but the entire software development lifecycle — DevSecOps tools, infrastructure, and the collaborative environments, both internal and external, that shape how software gets built and shipped.</p><p><a href="https://github.com/capitalone/vulnhunter">VulnHunter</a> is the most consequential product of that multi-year effort — and the clearest signal yet that Capital One views open-source collaboration not as charity but as a competitive security strategy. The company argues that modern software supply chains are so deeply interconnected that a single vulnerability in a widely used open-source component can cascade across thousands of enterprises simultaneously. Proprietary defenses, no matter how sophisticated, cannot address a problem that is fundamentally communal. By releasing VulnHunter under a permissive license, Capital One invites the global security research community to stress-test, extend, and improve the tool — effectively crowdsourcing its own defense infrastructure while strengthening the broader ecosystem.</p><h2><b>Inside VulnHunter&#x27;s three-stage AI engine for finding exploitable code</b></h2><p>For engineering leaders evaluating <a href="https://github.com/capitalone/vulnhunter">VulnHunter</a>, the technical architecture is where the tool&#x27;s ambitions become concrete. The workflow unfolds in three distinct stages.</p><p>In the first stage — attacker-first forward analysis — VulnHunter begins at the points where an external adversary would interact with a system: API endpoints, network message handlers, file upload interfaces. From each entry point, the tool reasons forward through application logic, tracing data flows, transformations, and internal security checkpoints to determine whether an attacker can actually reach a dangerous code path. This approach mirrors how a skilled penetration tester would probe a system, but automates the process at a scale no human team could match.</p><p>The second stage is where VulnHunter departs most sharply from conventional scanners. After identifying a potential vulnerability, the falsification engine runs a structured reasoning workflow designed to disprove its own conclusion. It searches for assumptions that do not hold, logical gaps in the exploit path, and environmental conditions that would prevent an attack from succeeding. Findings that fail this internal challenge are discarded before any developer sees them. Capital One&#x27;s explicit goal is to shift the developer&#x27;s burden away from triaging false alarms — a perennial pain point that erodes trust in security tooling and slows development velocity.</p><p>In the third stage, vulnerabilities that survive the falsification engine trigger an evidence-backed remediation workflow. VulnHunter gathers supporting evidence across the codebase, maps the complete surviving exploit path, explains the defect and the specific capabilities an attacker would gain, and generates targeted code changes for engineering review. The output is not a generic advisory but a concrete, context-aware patch proposal.</p><p>Capital One says it validated VulnHunter internally before release, running it across thousands of repositories spanning tens of business areas. The company reports that the tool identified and remediated vulnerabilities with speed and efficiency that far exceeded what its teams previously achieved through manual triage.</p><h2><b>Why AI-powered attacks are forcing banks to rethink traditional cyber defenses</b></h2><p><a href="https://github.com/capitalone/vulnhunter">VulnHunter</a> arrives at a moment when the cybersecurity landscape is shifting beneath the feet of every enterprise. Capital One&#x27;s announcement frames the urgency in stark terms: advanced AI models have &quot;dramatically lowered the barrier for bad actors to discover and exploit vulnerabilities in software,&quot; and the window before sophisticated AI attack capabilities become affordable and accessible to virtually every adversary is shrinking rapidly.</p><p>&quot;Safeguarding information is essential to our mission and our role as a financial institution,&quot; Nims told VentureBeat. &quot;We have invested heavily in cybersecurity and will continue to do so to stay ahead of today&#x27;s evolving threat landscape.&quot;</p><p>The company&#x27;s own AI security researchers have been tracking these trends closely. At <a href="https://www.capitalone.com/tech/software-engineering/secon-2024/">NeurIPS 2024</a> in Vancouver, Capital One&#x27;s team presented research and curated a list of nearly 100 papers spanning LLM safety, adversarial resilience, jailbreak attacks, and synthetic data generation. The papers they highlighted — including work on multi-agent defense frameworks, automated red-teaming, and guardrail classifiers — paint a picture of an arms race in which offensive and defensive AI capabilities are co-evolving at breakneck speed.</p><p>Several of those research themes map directly onto VulnHunter&#x27;s architecture. The falsification engine echoes the adversarial defense strategies explored in papers like &quot;<a href="https://pure.psu.edu/en/publications/backdooralign-mitigating-fine-tuning-based-jailbreak-attack-with-/fingerprints/?sortBy=alphabetically">BackdoorAlign</a>,&quot; which demonstrated that embedding a structured safety mechanism into a small number of training examples could recover a model&#x27;s safety alignment without degrading performance. The attacker-first forward analysis reflects the philosophy of &quot;<a href="https://arxiv.org/html/2406.18510v1">WildTeaming</a>,&quot; a framework that collects and analyzes real-world jailbreak attempts to build more resilient models. And VulnHunter&#x27;s emphasis on minimizing false positives parallels the goals of &quot;GuardFormer,&quot; a guardrail classifier that outperformed GPT-4 on safety benchmarks while running 14 times faster.</p><p>The thread connecting all of this work is a conviction that traditional, reactive security — monitoring networks, patching known vulnerabilities, responding to incidents after they occur — is no longer sufficient when adversaries can use AI to discover and exploit zero-day vulnerabilities at machine speed. The only durable defense, Capital One argues, is to find and fix the vulnerabilities in your own code before attackers find them first.</p><h2><b>What Capital One&#x27;s cloud security journey reveals about the entire banking industry</b></h2><p>Capital One&#x27;s cloud journey also illuminates a broader reckoning across financial services. When Capital One <a href="https://www.latimes.com/business/story/2019-07-30/capital-one-cloud-safety-hacker-breach">moved aggressively to Amazon Web Services</a> in the mid-2010s, it was a rarity among major banks. Most financial institutions simply did not trust third parties to store their most sensitive data. Capital One&#x27;s CIO at the time, Rob Alexander, <a href="https://www.forbes.com/sites/peterhigh/2016/12/12/how-capital-one-became-a-leading-digital-bank/">publicly championed the cloud</a> as more secure than the bank&#x27;s own data centers — a claim that the 2019 breach complicated considerably.</p><p>The <a href="https://cyberscoop.com/capital-one-hack-banking-security/">CyberScoop report</a> from that period captured the tension within the industry. W. Patrick Opet, managing director of cybersecurity at JP Morgan Chase, described a cultural shift in banking from prioritizing traders to prioritizing developers: &quot;Now, it&#x27;s &#x27;Focus on the developer, turn everything into code, and automate everything.&#x27;&quot; Mark Nicholson, Deloitte&#x27;s cyber leader for the financial industry, noted that the pressure to move quickly was exposing &quot;weaknesses in the development methodology.&quot; And the breach itself was a reminder that even as Chase spent $600 million annually on cybersecurity, relatively simple vulnerabilities — like the Apache Struts bug that enabled the Equifax breach — could undercut massive investments in data protection.</p><p>Seven years later, the industry has largely followed Capital One into the cloud, and the security challenges have only intensified. The question is no longer whether to use cloud infrastructure but how to secure the software that runs on it. VulnHunter represents Capital One&#x27;s answer: rather than relying solely on network-level controls and perimeter defenses, push security directly into the code itself, at the moment it is written. The open-source release also carries implicit competitive pressure. If VulnHunter gains traction among developers and security teams, it could set a new baseline for what enterprise security tooling is expected to do — and force rival banks, fintechs, and cloud providers to match or exceed its capabilities.</p><p>Whether <a href="https://github.com/capitalone/vulnhunter">VulnHunter</a> lives up to that ambition will depend on adoption, community engagement, and the tool&#x27;s real-world performance against the increasingly sophisticated AI-powered attacks it was designed to counter. But the release itself tells a story that extends well beyond any single tool or any single company. In 2019, a misconfigured firewall exposed 100 million records <!-- -->and made Capital One a byword for cloud misconfiguration risk. In 2026, the same institution is open-sourcing an AI-driven defense built for a new generation of threats — and betting that the best way to protect its own code is to help the entire industry protect theirs.</p>]]></description>
            <author>michael.nunez@venturebeat.com (Michael Nuñez)</author>
            <category>Technology</category>
            <category>Security</category>
            <category>Infrastructure</category>
            <enclosure url="https://images.ctfassets.net/jdtwqhzvc2n1/4WyYBE0eHzPTbv6jfjEWSx/7f036d0db42a8ad93985502ab8ece9f4/Nuneybits_Vector_art_of_a_Capital_One_credit_card_made_of_compu_fe529096-78bd-401e-b668-abeb2d5496e0.webp?w=300&amp;q=30" length="0" type="image/webp"/>
        </item>
        <item>
            <title><![CDATA[Intuit scrapped its own AI agent architecture twice in four months. At VB Transform 2026, its AI VP called that the fast path]]></title>
            <link>https://venturebeat.com/orchestration/intuit-scrapped-its-own-ai-agent-architecture-twice-in-four-months-at-vb-transform-2026-its-ai-vp-called-that-the-fast-path</link>
            <guid isPermaLink="false">4GfRYjPG1gboz5Q5SXKYqa</guid>
            <pubDate>Fri, 17 Jul 2026 20:46:55 GMT</pubDate>
            <description><![CDATA[<p>Intuit was an<a href="https://venturebeat.com/ai/how-intuit-plans-to-use-agentic-ai-to-automate-complex-business-tasks"> early pioneer</a> in the usage of agentic AI, but its path to success has hardly been a straight line.</p><p>At<a href="https://venturebeat.com/vbtransform2026"> VB Transform 2026</a>, Intuit VP of AI Nhung Ho described how the company rebuilt its agent architecture twice in the span of about four months, first moving from a fleet of specialist agents to a central orchestration layer, then abandoning that layer for a skills and tools based system once the orchestrator itself started failing under its own complexity. The full second rebuild took 60 days, with a first working version in under 20.</p><p>The failure mode that forced the second rewrite was specific. Agents in the orchestrated system passed results to each other in natural language, and each handoff lost context the next agent needed to act correctly. </p><p>&quot;If you have 10 agents and they all are passing to each other, every time that pass happens, error compounds,&quot; Ho said.</p><h2>Why the orchestration layer broke down</h2><p>Ho said the original push toward specialist agents came from a straightforward customer complaint. A fleet of capable agents is still something a customer has to manage, deciding which agent to use for which task. Intuit&#x27;s answer was a system that could take a task and route it internally, without asking the customer to pick an agent themselves.</p><p>That orchestration layer held up for about three months, which Ho described only half joking as roughly a year in the compressed timeline of agent development in 2026.</p><p>It broke for a structural reason rather than a capacity one. Passing outcomes between agents in natural language meant each downstream agent had to infer how the upstream agent reached its conclusion, and that inference degraded with each additional hop. A ten agent chain did not fail occasionally, it compounded errors by design.</p><p>That diagnosis is what sent Intuit back to a skills and tools architecture.</p><h2>The 60-day rebuild, and what it took to get engineering buy-in</h2><p>Rebuilding a production agent system in 60 days required more than an architectural decision. Ho said the harder problem was internal, convincing both leadership and the engineers who had built the original agents that scrapping recent work was the right call.</p><p>The pitch to leadership relied on evidence rather than argument. Ho&#x27;s team built a demo of the new architecture using real customer queries pulled from production, then showed it performing better than the existing system on the same tasks. </p><p>&quot;The best proof, at least my belief, is what are customers trying to do? And whatever system you build needs to address those problems,&quot; Ho said.</p><p>Winning over engineering required a different case. Hundreds of engineers outside Ho&#x27;s core team had built the specialist agents being retired, and the ask was to take their agents apart into individual skills and tools instead. </p><p>Ho said the motivating argument was scale. A standalone agent solved one narrow problem, while a shared skill or tool built into the new architecture could serve every customer who touched that part of the product. That shift also changed what partner teams were responsible for day to day, moving their focus from building agents to running evals, since evals became the only way to measure whether the new architecture was actually working.</p><h2>Bringing a human into the loop, and feedback at a different scale</h2><p>The clearest customer facing result of the rebuild is a feature that lets a live agent conversation pull in a human — though it&#x27;s currently in early testing, live to about 1% of Intuit&#x27;s customer base. &quot;We&#x27;re going to be scaling it up in the next few weeks,&quot; she said.</p><p>Ho said a customer can bring in an Intuit product support person mid conversation, or their own accountant, or one of Intuit&#x27;s own bookkeepers, and that person joins with the full context of what the agent has already done.</p><p>Ho drew a direct contrast with how most AI chat products handle the same situation. A general purpose assistant answering a tax question typically ends with a disclaimer to consult a professional. Intuit&#x27;s system is built to connect the customer to that professional directly, inside the same conversation.</p><p>That human handoff sits alongside a permissions model built for financial data specifically. Every action an agent takes on a customer&#x27;s financial data requires explicit permission first, though Ho said that requirement can ease over time as customers build trust in the system. Intuit keeps an audit log of everything an agent does that can be reversed if needed.</p><h2>Feedback in the agentic AI era</h2><p>The rebuild also changed how Intuit gathers and uses feedback, a shift Ho said is qualitatively different from what came before. </p><p>&quot;Feedback in the past used to be very, very sparse, and it was also very bimodal,&quot; Ho said. &quot;Either they loved it or they hated it, and usually it tends towards the negative.&quot;</p><p>In a chat based system, every conversation functions as feedback, which Ho said moved the company from roughly 0.3% of customers ever giving explicit feedback to something close to 100%.</p><p>Ho said she has returned to writing code herself specifically to build models that analyze that feedback volume systematically, looking for where the system is falling short at a scale no manual review process could keep up with.</p><p>That volume comes with a tone most product teams aren&#x27;t used to hearing directly. Customers tell the agent exactly where it failed, in plain terms.</p><p>&quot;They straight up tell you, &#x27;You suck. I hate this. This is not right,&#x27;&quot; Ho said. &quot;But they&#x27;re also willing to give the systems grace and correct it as well, and so the onus is on all of us to harvest this new piece of feedback and type of feedback, and actually improve the system.&quot;</p>]]></description>
            <category>Orchestration</category>
            <category>VB Transform</category>
            <enclosure url="https://images.ctfassets.net/jdtwqhzvc2n1/63cACeT7QkOu6fJw8A8JaE/6c088bbd56ab55ea8de782eeac544c73/VBXC9745-X3-intuit.jpg?w=300&amp;q=30" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Agents think in milliseconds, legacy infrastructure doesn't. LinkedIn, Walmart and Zendesk shared how they closed the gap at VB Transform 2026]]></title>
            <link>https://venturebeat.com/data/agents-think-in-milliseconds-legacy-infrastructure-doesnt-linkedin-walmart-and-zendesk-shared-how-they-closed-the-gap-at-vb-transform-2026</link>
            <guid isPermaLink="false">2j9X1jrf7U2riUE3H553p3</guid>
            <pubDate>Fri, 17 Jul 2026 18:48:18 GMT</pubDate>
            <description><![CDATA[<p>Legacy infrastructure, not the models themselves, is what&#x27;s actually slowing AI agents down. That was the shared conclusion of three infrastructure leaders —<!-- --> from LinkedIn, Walmart, and Zendesk —<!-- --> at<a href="https://venturebeat.com/vbtransform2026"> VB Transform 2026</a>.</p><p>The panel brought together Animesh Singh, senior director of AI platform and infrastructure at LinkedIn, Desiree Gosby, SVP of corporate technology services and technology strategy at Walmart, and Sami Ghoche, VP of applied AI at Zendesk, each describing what actually broke when they moved agents from pilot to production. Each arrived at the same conclusion from a different starting point: None of the bottlenecks they hit were model problems.</p><p>What tied their answers together was a shared premise: most enterprise infrastructure was built for how humans work, not for how agents work. The gap between those two speeds is where the real engineering happened.</p><p>Gosby put it plainly when asked what she&#x27;d learned scaling agents inside Walmart&#x27;s own workforce. The goal, she said, is to make sure &quot;engineering doesn&#x27;t once again become the bottleneck for what it is we&#x27;re trying to do.&quot;</p><h2><b>Where the bottleneck actually was</b></h2><p>Each company hit a different version of the same wall: infrastructure designed for how people work doesn&#x27;t hold up once agents are doing the work instead.</p><p>At LinkedIn, the first bottleneck wasn&#x27;t a model, it was Kubernetes, which assumes containers spin up on demand, a process that takes seconds. Singh said that&#x27;s too slow for agents. The fix was moving from on-demand provisioning to pre-provisioned pools of containers that swap agentic workloads in and out in real time.</p><p>A second, harder problem surfaced once LinkedIn let agents control their own orchestration. A five-point evaluation system looked clean, but hallucination kept showing up anyway. Singh said the issue was structural, an LLM evaluating another LLM&#x27;s output shares the same failure mode as the thing it&#x27;s evaluating. </p><p>&quot;We built our own harness, our own control flow, and pushed the LLMs to the leaf instead of them orchestrating the loop,&quot; Singh said. Roughly 80% of the workflow is now scripted, deterministic code, with LLMs used only where reasoning is required, and each step&#x27;s evidence is committed to disk before the system moves on.</p><p>Walmart&#x27;s bottleneck came from success. An agent harness put directly into employees&#x27; hands went viral internally, and what Gosby called &quot;citizen developers&quot; began building their own agents to solve problems that once required a formal engineering roadmap. The upside was real innovation. The downside was duplication, dozens of overlapping agents with no coordination. The fix wasn&#x27;t reining in the harness, it was building governance to spot duplication, promote the best version of an agent, and get it into production without engineering becoming a chokepoint.</p><p>Zendesk hit its bottleneck from the data side. Ghoche, who joined through <a href="https://www.zendesk.com/newsroom/press-releases/zendesk-completes-acquisition-of-forethought/">Zendesk&#x27;s acquisition of Forethought</a>, which closed in March 2026, described sitting on what he called a public figure of 20 billion customer conversations in Zendesk&#x27;s repository. The instinct is to hand that history to a large language model with a big context window and let it generate the agents a business needs. Ghoche said that doesn&#x27;t work. &quot;You can&#x27;t really do that, so instead you have to really invest in the underlying data pipelines and all the data infrastructure that comes with that,&quot; he said.</p><h2>The role of open source</h2><p>On open source, all three leaders landed on a similar instinct: own what you can, and lean on frontier labs only where they still have a clear edge.</p><p>Ghoche said his own view is that most enterprises would prefer to own their models and infrastructure wherever that&#x27;s possible, and that reasoning is what drives Zendesk&#x27;s own approach. The exception is frontier reasoning work, where the labs still lead, though he said that slice of use cases is shrinking relative to everything else enterprises now do with AI.</p><p>LinkedIn&#x27;s answer was to build two subsystems specifically for independence. The first is what the company calls an AI gateway, a single interface that every outbound call to a model runs through regardless of provider. The second component is a memory subsystem built to hold context independent of any model provider.</p><p>&quot;Every single outbound call going to an LLM, whether it&#x27;s on a public cloud or on-prem in our own data centers, follows the same semantics, the same API calls. We can quickly switch between different providers,&quot; Singh said. </p><p>Walmart built its own internal gateway to stay vendor agnostic across three workload types: fully deterministic workflows, planner-and-reasoner workflows for open-ended tasks, and a hybrid of the two. Compliance-heavy work stays deterministic by design; governance, security and evaluation run through the gateway regardless of which model is on the other end. Gosby said the choice between a frontier model and an open-weight model comes down to whichever is most effective for the specific workload, not a fixed policy.</p><h2>Advice for the modernization journey</h2><p>Three pieces of advice came up directly, each tied to the wall a leader had already hit.</p><p><b>Invest in evals before anything else.</b> Ghoche called it the thing common to every use case, internal or customer facing. </p><p>&quot;The thing that&#x27;s common to all of these is evals. It&#x27;ll force you to break the problem down, and once you have a robust set of evals, you can move a lot faster,&quot; he said, </p><p><b>Own your agent harness from day one.</b> Gosby&#x27;s advice was to put the AI harness directly in employees&#x27; hands early, paired with the infrastructure to monitor what it produces. </p><p>&quot;It will unlock a huge amount of innovation,&quot; she said.</p><p><b>Build for model and context independence.</b> Ensuring flexibility is critical for success.</p><p>&quot;Build for independence, whether it&#x27;s a frontier model of today versus an open source model of tomorrow,&quot; Singh said. &quot;Keep that context within your enterprise so that you can reuse it when you ship the model or the harness tomorrow,&quot; Singh said.</p>]]></description>
            <category>Data</category>
            <category>VB Transform</category>
            <enclosure url="https://images.ctfassets.net/jdtwqhzvc2n1/AZTPn0gbUoe8tg8qhQDL0/2ae53d1ea5c1fb9c88771cc37c716867/VBXC8968-X2-day2-opening-panel.jpg?w=300&amp;q=30" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Brex built its AI agent policy by watching what agents actually do, not by writing rules first]]></title>
            <link>https://venturebeat.com/orchestration/brex-built-its-ai-agent-policy-by-watching-what-agents-actually-do-not-by-writing-rules-first</link>
            <guid isPermaLink="false">5bTMfInDiDCOZBjNMR007E</guid>
            <pubDate>Fri, 17 Jul 2026 17:49:19 GMT</pubDate>
            <description><![CDATA[<p><a href="https://venturebeat.com/security/openclaw-500000-instances-no-enterprise-kill-switch">OpenClaw</a> has become one of the most widely adopted agentic frameworks, but it has yet to prove itself at enterprise scale. Agents need real credentials — API keys, OAuth tokens, service accounts — to work effectively, and Brex found that traditional guardrails couldn&#x27;t contain what those agents were doing with them.</p><p>Brex set out to overcome these limitations by building an internal platform it calls CrabTrap. The <a href="https://www.brex.com/journal/building-crabtrap-open-source">open-source HTTP/HTTPS proxy</a> intercepts all network traffic, examines policy rules, and uses a LLM-as-a-judge to decide whether agent requests should be approved or denied. </p><p>“What we noticed was that the network layer was an untapped enforcement point,” Brex co-founder and CEO Pedro Franceschi told VentureBeat. “Every request an agent makes is an opportunity to intercept, reason about, and make a policy decision.”</p><p>The takeaway Franceschi wants IT leaders to draw: agent governance should shift from SDK-level permissions and model guardrails toward a centralized network control plane that enforces and learns from real in-the-wild agent behavior.</p><h2>How Brex targeted the transport layer</h2><p>The “obvious fix” (at least initially) to the agent security gap was guardrails, and much of the early work has centered on scoped tools, per-action permissions, and human-in-the-loop approvals. But as agents evolve, each new capability means there’s another API to tune or surface to audit, Franceschi noted. </p><p>“Any <a href="https://venturebeat.com/orchestration/trunk-tools-stack-cut-document-review-from-60-days-to-10-by-ditching-general-purpose-models">agentic system</a> with multiple tools and access to the open internet creates an immediate tension for builders: The more capable you make an agent, the more dangerous it becomes, and the safer you make it, the less useful it is,” he said. </p><p>Existing solutions to this tradeoff were “weak”: Fine-grained API tokens help at the margins but can still be misused and constrain functionality. Semantic guardrails (such as context, skills, or prompt steering) are easily bypassed by prompt injection, especially for agents connected to the internet.</p><p>Agents can be “defanged” when given read-only access or limited toolsets, but then they can&#x27;t do meaningful work, Franceschi said. On the other hand, granting broad write access and a large tool surface can result in hallucinations and real production consequences.</p><p>Model context protocol (MCP) gateways enforce policy at the protocol layer — but only for traffic using MCP. Meanwhile, guardrails from LLM providers are tied to a single model and can be “opaque” to customize with enterprise-specific policies. And powerful tools like Nvidia OpenShell offer more of a “per-sandbox egress control.”</p><p>“When we started, we hadn’t found a solution to deploying harnesses like OpenClaw safely,” Franceschi said. “Instead of waiting for the industry to catch up, we decided to own the problem and invent the necessary tools.”</p><p>Notably, they needed a platform that sat between every agent and every network request, and could make “nuanced decisions about what to allow,” he said. </p><p>This made the transport layer a core architectural component and natural starting point, he said. </p><p>By operating at this layer, CrabTrap is framework-agnostic, language-agnostic, and API-agnostic. It doesn&#x27;t require SDK wrappers or per-tool integration. Users set <i>HTTP_PROXY</i> and <i>HTTPS_PROXY</i> in the agent&#x27;s environment, and every outbound request routes through the proxy before it reaches a destination.</p><p>However, Franceschi emphasized, Brex didn&#x27;t start at the transport layer because it thought it was the only answer; rather, they believe in “security by layers.”</p><p>“The transport layer was simply an underinvested one, and we saw an opportunity to add meaningful enforcement there alongside everything else,” he said. </p><h2>The LLM-as-a-judge training loop</h2><p>CrabTrap combines deterministic static rules with an <a href="https://venturebeat.com/infrastructure/monitoring-llm-behavior-drift-retries-and-refusal-patterns">LLM-as-a-judge</a> for requests that fall outside known patterns, Franceschi explained. The judge only “fires on the long tail of unfamiliar endpoints or unusual request shapes,” which for a mature agent is typically fewer than 3% of requests.</p><p>The more pressing problem was how to know that a policy is the right one? With static rules, it&#x27;s “relatively straightforward” to reason about accuracy. But with an LLM judge, the system is nondeterministic, and users need confidence that the policy approves the right requests and blocks the rest.</p><p>“Our key insight was to bootstrap policy from observed behavior rather than write it from scratch,” Franceschi said. Beginning with real behavior and editing down based on real-world learnings turned out to be “dramatically more effective than starting from a blank page.”</p><p>Brex’s team built a policy builder (itself an agentic loop) that runs underlying agents in shadow mode, analyzes historic network traffic, samples representative calls, and drafts a natural-language policy that matches what the agent actually does. </p><p>From there, they built an eval system that tests policy changes before they go live. CrabTrap compares historical audit entries against a draft policy and reports the exact changes to be made. Users can slice results by method, URL, original decision, and agreement status. </p><p>All of this runs with concurrent judge calls, so replaying thousands of requests “takes minutes, not hours,” Franceschi said. Brex also developed a live feedback loop: Full audit trails are stored in PostgreSQL and queryable through the admin API and dashboard. In cases where a resource is continuously denied, the system can notify a human or an agent to propose a policy update for review. </p><p>“That closes the loop between observed denials and policy refinement,” Franceschi said. </p><h2>Core challenges and roadblocks </h2><p>Of course, the build wasn’t without its challenges. A big one was latency: “Putting an LLM between an agent and every outbound API request sounds like it would grind things to a halt,” he said. </p><p>However, it didn’t turn out to be as big a problem as expected. This was for two reasons: The LLM judge only activates on a small fraction of requests (the aforementioned 3%). Agents quickly settle into predictable traffic patterns; once observed, high-volume patterns become static rules. Second, by using small, fast models like Claude Haiku meant that, even when the judge did fire, added latency was “negligible.” This can be further reduced with local models and prompt caching, Franceschi said. </p><p>The harder and less obvious challenge was prompt injection, he said. The judge receives the full HTTP request and all content is user-controlled, so potentially, a crafted URL, header, or request body could manipulate the judge&#x27;s decision. </p><p>Brex addressed this by structuring the request as a JSON object before sending it to the model, so all user-controlled content is “escaped rather than interpolated as raw text,” Franceschi said. </p><h2>Results, and where CrabTrap might evolve</h2><p>Brex tracks a few factors to measure CrabTrap’s internal impact: Engagement with agents, network traffic patterns, and net promoter scores (NPS). The most meaningful result of CrabTrap has been “organizational confidence,” Franceschi said. </p><p>Previously, the team had “real hesitation” when it came to deploying autonomous agents broadly across business operations, because the existing guardrail options didn&#x27;t provide enough assurance. </p><p>“CrabTrap changed that calculus,” Franceschi said. They now have an enforcement layer they trust, increasing confidence around expanding agent deployment into more parts of the business and delegating more agent configuration and management to users. </p><p>Franceschi described the policies derived from traffic as “surprisingly strong.” The team expected the policy builder to produce a “rough starting point” requiring heavy manual editing. In practice, though, pointing the platform at a few days of real traffic produced policies that matched human judgment on the “vast majority of held-out requests.”</p><p>Additionally, CrabTrap revealed how much noise agents generate. “The audit trail made this visible for the first time,” Franceschi said. They used denial logs and traffic analysis not only to tune policies, but to tighten agents themselves, remove tools, and cut out entire categories of requests that were wasting both time and tokens.</p><p>“The proxy became a discovery tool, not just an enforcement one,” he said. </p><h2>Areas for growth (and input from the open-source community)</h2><p>Brex anticipates CrabTrap to continue to evolve, particularly as they have released it as open-source. “We hope the community helps shape it,” Franceschi said. </p><p>Areas of improvement include deeper authentication functionality such as single-sign on (SSO), fine-grained role-based access control (RBAC); escalation workflows that allow agents to request additional permissions; and policy recommendations based on denial patterns.</p><p>Programmatic configuration, or developing API endpoints for “creating, forking, and applying” policies to agents, could allow the whole policy lifecycle to be automated rather than managed manually, Franceschi said. </p><p>As for escalation, if an agent is continuously denied a given resource or endpoint, it should be able to route requests to humans or other AI agents for review and back that up with a rationale for why it needs access. </p><p>“That turns CrabTrap from a hard enforcement boundary into something more like a managed permission system,” Franceschi said. </p><p>Additionally, the policy was built to bootstrap from network traffic, but there is opportunity to incorporate additional signals around agent traces and resource-calling, as well as broader context on what agents are ultimately trying to accomplish. This can help produce more accurate and nuanced policies. </p><p>Finally, there&#x27;s an “open philosophical question” about the right posture for CrabTrap: Should it be a fully transparent layer that the agent itself is unaware of, or should it operate more like a “well-intentioned manager”? (that is, the agent knows about the layer and can interact with it). </p><p>The open-source community can help shape these developments, and CrabTrap will only get better with more users, Franceschi said. Brex’s agents speak to a specific set of APIs; teams using CrabTrap with different agents, services, and policy requirements will surface “edge cases and patterns we can&#x27;t hit alone.”</p><p>“We have ambitious plans for where it could go, and we’d rather build in the open,” Franceschi said. </p><h2>What other builders can learn from CrabTrap</h2><p>The response has been stronger than expected. <a href="https://github.com/brexhq/CrabTrap">CrabTrap has more than 700 stars on GitHub</a>. Franceschi said Brex has also heard from OpenAI, Y Combinator CEO Garry Tan, and programmer Pete Steinberger, all expressing interest in deploying similar internal infrastructure.</p><p>The broader lesson: “Don&#x27;t let infrastructure gaps become excuses to wait,&quot; Franceschi advised. There are “real blockers” for every enterprise looking to seriously deploy AI agents, including security concerns, lack of tooling, or unclear guardrails. </p><p>“It&#x27;s tempting to sit on your hands until the industry catches up,” he said. “The lesson from CrabTrap is that you can own those problems directly.”</p>]]></description>
            <author>taryn.plumb@venturebeat.com (Taryn Plumb)</author>
            <category>Orchestration</category>
            <enclosure url="https://images.ctfassets.net/jdtwqhzvc2n1/2E6Z58IGkCWdoYTTSfOnXg/9f28eb7c0fa9d80bdd54b95242a2f091/VBXC2192.jpg?w=300&amp;q=30" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[China’s Moonshot AI releases Kimi K3, the largest open-source model ever, rivaling top U.S. systems]]></title>
            <link>https://venturebeat.com/technology/chinas-moonshot-ai-releases-kimi-k3-the-largest-open-source-model-ever-rivaling-top-u-s-systems</link>
            <guid isPermaLink="false">50JruwNn4xF5uotHR8hnK0</guid>
            <pubDate>Thu, 16 Jul 2026 19:42:09 GMT</pubDate>
            <description><![CDATA[<p><a href="https://www.moonshot.ai/">Moonshot AI,</a> the Beijing-based artificial intelligence startup backed by Alibaba, on Thursday released <a href="https://platform.kimi.ai/docs/guide/kimi-k3-quickstart">Kimi K3</a> — a 2.8-trillion-parameter model that the company says is now the largest open-source AI model in the world, and one that benchmarks show performs neck-and-neck with the most powerful proprietary systems from <a href="https://www.anthropic.com/">Anthropic</a> and <a href="https://openai.com/">OpenAI</a>.</p><p>The release, timed to land just ahead of the <a href="https://aiii.global/waic-2026/">2026 World Artificial Intelligence Conference</a> in Shanghai, is a dramatic escalation in the global AI arms race and a watershed moment for the open-source AI movement. It also marks a remarkable comeback for a company whose market position had eroded significantly over the past 18 months following DeepSeek&#x27;s meteoric rise.</p><p>Full model weights are scheduled to be released on July 27, according to details shared by researchers who reviewed the company&#x27;s technical documentation. If you want to take <a href="https://platform.kimi.ai/docs/guide/kimi-k3-quickstart">Kimi K3</a> for a spin right now, you can — just head to<a href="https://www.kimi.com/"> kimi.com</a>, sign up with a Google account or phone number (no credit card required), and start chatting with what may be the most powerful open-source model ever built.</p><div></div><h2><b>Inside the architecture that powers the world&#x27;s largest open-source AI model</b></h2><p><a href="https://platform.kimi.ai/docs/guide/kimi-k3-quickstart">Kimi K3</a> is a frontier-class large language model with 2.8 trillion total parameters — roughly 75 percent larger than <a href="https://huggingface.co/deepseek-ai/DeepSeek-V4-Pro">DeepSeek&#x27;s V4 Pro</a>, which the company&#x27;s own timeline chart shows at approximately 1.6 trillion parameters. The model features a 1-million-token context window, native visual understanding capabilities, and an always-on reasoning mode that the company calls &quot;thinking mode.&quot;</p><p>The model is built on two key architectural innovations developed internally at Moonshot AI: <a href="https://arxiv.org/abs/2510.26692">Kimi Delta Attention</a>, a hybrid linear attention mechanism, and <a href="https://arxiv.org/abs/2603.15031">Attention Residuals</a>, which the company describes as a drop-in replacement for residual connections that delivers consistent scaling gains. Both techniques were previously published as open research by the Moonshot team on <a href="https://github.com/moonshotai">GitHub</a>.</p><p>On the <a href="https://platform.kimi.ai/docs/guide/kimi-k3-quickstart">API side</a>, Kimi K3 is compatible with the <a href="https://developers.openai.com/api/docs/guides/agents">OpenAI SDK</a>, lowering the integration barrier for developers already building on OpenAI or Anthropic toolchains. The model is priced at $3 per million input tokens and $15 per million output tokens, with cached input tokens dropping to just $0.30 per million — pricing that positions it roughly in line with mid-tier offerings from Western labs, but at a performance level the company claims approaches the top of the market. A promotional top-up rebate running through August 12 offers up to 30 percent back in vouchers for API credits of $1,000 or more.</p><p>As <a href="https://finance.sina.com.cn/stock/t/2026-07-17/doc-inihzrtu1375218.shtml?cref=cj">Xinhua reported</a>, a Moonshot AI executive explained the significance of the parameter count in simple terms: parameters are like neural connections in the human brain, and nearly 3 trillion of them means the model can &quot;store more knowledge and patterns in its brain, understand more, think deeper, and answer more accurately.&quot;</p><div></div><h2><b>Benchmark results show Kimi K3 trading blows with Claude and GPT at the top of the leaderboard</b></h2><p>The benchmark results, drawn from public leaderboard data and a private evaluation by analytics firm Artificial Analysis, tell a striking story.</p><p>On <a href="https://artificialanalysis.ai/evaluations/gdpval-aa">GDPval-AA v2</a>, a benchmark measuring real-world tasks across 44 occupations and 9 major industries, Kimi K3 scored 1,687 — placing it third overall, behind only Claude Fable 5 Max (1,815) and GPT-5.6 Sol Max (1,747.8), and ahead of Claude Opus 4.8 (1,600).</p><p>On <a href="https://artificialanalysis.ai/evaluations/aa-briefcase">AA-Briefcase</a>, a private agentic benchmark from Artificial Analysis designed to test long-horizon knowledge work, K3 climbed to second place with a score of 1,527 — beating GPT-5.6 Sol Max (1,495) and trailing only Fable 5 Max (1,587).</p><p>Perhaps most impressively, K3 achieved a state-of-the-art score of 91.2 out of 100 on <a href="https://openai.com/index/browsecomp/">BrowseComp</a>, a benchmark for long-horizon, high-difficulty information seeking. </p><p>The company says it accomplished this in a single-agent setup using its 1-million-token context window, without any context compression or additional context management techniques — a feat that suggests raw context length, when paired with strong retrieval capabilities, may be more powerful than elaborate multi-agent workarounds.</p><p>As <a href="https://x.com/kimmonismus/status/2077818040578695175">one widely followed AI commentator</a> put it on social media: &quot;Open source is no longer lagging six months behind Western closed-source models. Read that again, and think about what it all means.&quot;</p><p>That observation captures the significance of the moment. For much of the past three years, open-source models have typically trailed their proprietary counterparts by a meaningful margin. Kimi K3 appears to have closed that gap almost entirely.</p><h2><b>How a 48-hour autonomous chip design demo reveals Moonshot&#x27;s real ambitions</b></h2><p>Beyond raw benchmarks, <a href="https://www.moonshot.ai/">Moonshot AI</a> showcased a proof-of-concept that may be even more revealing of K3&#x27;s capabilities and the company&#x27;s strategic direction.</p><p>In a demonstration documented in the company&#x27;s technical materials, <a href="https://platform.kimi.ai/docs/guide/kimi-k3-quickstart">Kimi K3</a> was tasked with designing a physical chip to run a nano-scale version of itself. Over 48 hours of continuous autonomous agent operation, K3 independently completed the chip&#x27;s full construction pipeline — from architectural design through optimization and verification — using open-source electronic design automation tools. The result was a tiny but functional chip design, just 4 square millimeters, that achieved timing convergence at 100 MHz and could decode more than 8,700 tokens per second in simulation.</p><p>This is not a production chip. It is a demonstration of what <a href="https://www.moonshot.ai/">Moonshot AI</a> clearly views as the next competitive frontier: long-range autonomous agent capabilities. The ability to sustain coherent, multi-step technical work over a 48-hour window — reading documentation, making design decisions, running verification loops, and iterating on failures — represents a qualitative leap beyond the kind of single-turn question-answering that defined the first generation of large language models.</p><p>The company also highlighted a case in computational astrophysics, where K3 reportedly reproduced the universal <a href="https://inspirehep.net/literature/1220233">I-Love-Q relation</a> — a complex calculation that typically takes a senior researcher one to two weeks — in approximately two hours, reading and cross-validating more than 20 papers and implementing a complete numerical pipeline along the way.</p><h2><b>Moonshot AI&#x27;s fall and rise tells the story of China&#x27;s brutal AI market</b></h2><p>To understand why <a href="https://platform.kimi.ai/docs/guide/kimi-k3-quickstart">Kimi K3</a> matters, you need to understand where Moonshot AI was 18 months ago — and how far it fell.</p><p>Founded in 2023 by <a href="https://kimiyoung.github.io/">Yang Zhilin</a>, a Tsinghua University graduate who previously conducted research at Google and Meta, Moonshot AI quickly became one of China&#x27;s most prominent AI startups. The company gained early traction in 2024 when users flocked to its <a href="http://kimi.ai">Kimi platform</a> for its long-text analysis capabilities and AI search functions. By early 2026, it had raised roughly <a href="https://www.forbes.com/sites/the-prompt/2026/07/15/ai-startup-reflection-compute-deal-to-challenge-chinas-open-source-dominance/">$1.5 billion</a> across multiple rounds, with its valuation climbing from $2.5 billion to $4.3 billion and the company reportedly <a href="https://tech.yahoo.com/ai/gemini/articles/china-moonshot-releases-open-source-141110760.html">seeking a new round at $5 billion</a>.</p><p>Then DeepSeek happened. The release of DeepSeek&#x27;s low-cost R1 model in January 2025 disrupted the entire Chinese AI landscape, and Moonshot AI was among the hardest hit. Kimi, which had ranked third in monthly active users in China, slid to seventh. The company&#x27;s strategic pivot to open-source models — beginning with Kimi K2 in July 2025 and accelerating with K2.5 in January 2026 — was in large part an effort to reclaim relevance.</p><p><a href="https://platform.kimi.ai/docs/guide/kimi-k3-quickstart">Kimi K3</a> is the culmination of that effort — and the sheer scale of the model suggests that Moonshot AI has been planning this move for some time. Training a 2.8-trillion-parameter model requires enormous computational resources and months of preparation, which means the architectural and infrastructure decisions behind K3 were likely locked in well before the model reached the public.</p><h2><b>Why open-sourcing the world&#x27;s biggest model is a geopolitical chess move</b></h2><p>The decision to release K3&#x27;s full weights on July 27 is strategically significant and worth parsing carefully.</p><p>The company&#x27;s own timeline chart of open-source frontier model scale positions K3 as a dramatic outlier, towering above competitors like <a href="https://github.com/deepseek-ai">DeepSeek</a> (1.6T), <a href="https://github.com/xiaomi">Xiaomi</a> (1.02T), and <a href="https://github.com/ALIBABA">Alibaba</a> (397B). By releasing the world&#x27;s largest open-source model, Moonshot AI is making a bid to become the center of gravity for the global open-source AI developer community.</p><p>This follows a broader trend among Chinese AI companies. As <a href="https://www.reuters.com/technology/artificial-intelligence/china-weighs-silicon-curtain-around-sought-after-ai-models-2026-07-08/">Reuters noted</a>, open-sourcing allows companies to &quot;showcase their technological capabilities and expand developer communities as well as their global influence, a strategy likely to help China counter U.S. efforts to limit Beijing&#x27;s tech progress.&quot; DeepSeek, Alibaba, Tencent, and Baidu have all released open-source models. But none have released anything at this parameter count.</p><p>For enterprise technology leaders, the implications are concrete. A 2.8-trillion-parameter open-source model that performs at near-frontier levels creates new options for companies that want to fine-tune, self-host, or build proprietary systems on top of a capable base model — without being locked into API contracts with OpenAI or Anthropic. The trade-off, of course, is that running a model of this size requires substantial GPU infrastructure. Inference at 2.8 trillion parameters is not something that runs on a single server rack.</p><p>That said, <a href="https://www.moonshot.ai/">Moonshot AI</a> has signaled awareness of this challenge. Its Mooncake project, which won the Best Paper award at FAST 2025, pioneered KV-cache-centric disaggregated serving for large language models — an architecture designed specifically to make inference at extreme scale more practical and cost-efficient.</p><h2><b>Kimi Code and a three-tier model lineup form the foundation of Moonshot&#x27;s enterprise play</b></h2><p>Alongside K3, Moonshot AI continues to invest heavily in its coding agent ecosystem. <a href="https://github.com/MoonshotAI/kimi-code/releases">Kimi Code</a>, the company&#x27;s open-source coding tool that competes with Anthropic&#x27;s Claude Code and Google&#x27;s Gemini CLI, received two major updates on the same day as K3&#x27;s launch — versions 0.25.0 and 0.26.0 — adding features like expanded subagent tooling, background task management, and security fixes.</p><p>The <a href="https://github.com/MoonshotAI/kimi-cli">Kimi Code CLI</a> has accumulated over 3,100 stars on GitHub and features integration with VSCode, Cursor, and Zed. The latest release expanded the &quot;coder subagent&quot; tool set to include background tasks, todo lists, plan mode, skill invocation, and nested agents — effectively turning the coding agent into a multi-layered autonomous system capable of managing complex software engineering projects with minimal human intervention.</p><p>This is not incidental. Coding tools have become a critical revenue driver for AI labs. As Anthropic disclosed in January, <a href="https://www.anthropic.com/news/anthropic-acquires-bun-as-claude-code-reaches-usd1b-milestone">Claude Code reached $1 billion in annualized recurring revenue</a>. By building Kimi Code as an open-source alternative that defaults to Kimi&#x27;s own models — but supports other providers — Moonshot AI is positioning itself to capture developer workflows and, eventually, enterprise contracts.</p><p>The company&#x27;s model lineup now includes three tiers: <a href="https://platform.kimi.ai/docs/guide/kimi-k3-quickstart">K3</a> as the flagship ($3/$15 per million tokens for input/output), <a href="https://platform.kimi.ai/docs/guide/kimi-k2-7-code-quickstart">K2.7 Code</a> as a specialized coding model ($0.95/$4), and <a href="https://platform.kimi.ai/docs/guide/kimi-k2-6-quickstart">K2.6</a> as a general-purpose option ($0.95/$4). All three support context windows of 256,000 tokens or above, with K3 offering the full 1-million-token window. Context caching is automatic — no cache ID, TTL, or extra parameter is required — a small but meaningful developer-experience advantage over competitors that require explicit cache management.</p><h2><b>What Kimi K3 means for the future of enterprise AI and the global model landscape</b></h2><p>Kimi K3&#x27;s release forces a recalibration of several assumptions that have guided enterprise AI strategy.</p><p>The performance gap between open-source and proprietary models has functionally closed at the frontier. If K3&#x27;s benchmark numbers hold up under independent evaluation — and particularly once the open weights are available for community testing on July 27 — it will be difficult for closed-source providers to justify premium pricing purely on the basis of capability.</p><p>The locus of AI innovation, meanwhile, continues to shift. China&#x27;s AI ecosystem, which many Western observers questioned after early struggles with chip export restrictions, has now produced a model that competes with the best systems from companies with direct access to Nvidia&#x27;s most advanced hardware. The architectural innovations behind K3 — particularly the hybrid linear attention mechanism — suggest that algorithmic efficiency may matter as much as raw compute.</p><p>And the agentic capabilities demonstrated by K3 — chip design, multi-week research compression, long-horizon information seeking — point toward a future where AI models are not just answering questions but autonomously executing complex, multi-day projects. For enterprises evaluating AI investments, this shifts the value proposition from &quot;productivity copilot&quot; to &quot;autonomous technical workforce.&quot;</p><p><a href="https://finance.sina.com.cn/stock/t/2026-07-17/doc-inihzrtu1375218.shtml?cref=cj">Xinhua</a>, China&#x27;s state news agency, framed the release as a national milestone, reporting that K3 &quot;marks a new step forward in the development of China&#x27;s artificial intelligence models.&quot; Liu Tieyan, dean of the Zhongguancun Academy in Beijing, was quoted as saying that a wave of Chinese open-source models has moved from isolated breakthroughs to collective advancement, providing &quot;new solutions and new paths&quot; for global AI development.</p><p>Just two years ago, <a href="https://www.moonshot.ai/">Moonshot AI</a> was a scrappy startup named for the audacious problems it hoped to solve. Eighteen months ago, it was a cautionary tale about how quickly a market darling can lose its footing. Today, it is the maker of the world&#x27;s largest open-source AI model — one that can, given 48 hours and an internet connection, design a chip to run itself. The frontier, it turns out, is not a place. It is a race. And the field just got a lot more crowded.</p><p>
</p>]]></description>
            <author>michael.nunez@venturebeat.com (Michael Nuñez)</author>
            <category>Technology</category>
            <category>Business</category>
            <category>Infrastructure</category>
            <enclosure url="https://images.ctfassets.net/jdtwqhzvc2n1/lrqUsUJocTIEaPB4SrQse/e8773a218e398efc6759ca6044672f81/Nuneybits_Vector_art_of_red_code_tsunami_over_servers_fear_of_C_1894f89b-b074-4e21-a0de-2f9a46cfdd32.webp?w=300&amp;q=30" length="0" type="image/webp"/>
        </item>
        <item>
            <title><![CDATA[The AI compute gap: Enterprises are buying infrastructure faster than they can measure what it costs]]></title>
            <link>https://venturebeat.com/ai/the-ai-compute-gap-enterprises-are-buying-infrastructure-faster-than-they-can-measure-what-it-costs</link>
            <guid isPermaLink="false">3RCeHS5ENXpygHO6HPhX6f</guid>
            <pubDate>Thu, 16 Jul 2026 19:16:48 GMT</pubDate>
            <description><![CDATA[<p>Across 107 enterprises, AI infrastructure spending is accelerating well ahead of the ability to see or steer its economics. Most organizations run their AI on a familiar base of hyperscalers and model-provider APIs, yet the next dollar is aimed at specialized compute almost none of them use today; a majority intend to switch or add providers within the year, many within a quarter. Buying decisions turn on integration and total cost of ownership rather than headline token price — which is fortunate, because most enterprises cannot yet see their unit economics clearly: GPUs sit at half utilization or less, and fewer than half rigorously track what their compute actually costs. The result is a compute gap — heavy, fast-moving investment running ahead of the visibility needed to control it.</p><p>This wave of VentureBeat Pulse Research examines enterprise AI infrastructure and compute: where organizations are in their deployment journey, what they run AI on today, how satisfied they are, what would make them switch, where they plan to evaluate their investments, and — most revealingly — how well they can measure and control the economics of the compute underneath it all.</p><p>The central finding is a compute gap — the distance between how aggressively enterprises are investing in AI infrastructure and how little of its economics they can see. Only about one in five (21%) run AI in production at scale, yet spending intentions are outrunning that maturity: the single largest planned area enterprises plan to evaluate over the next year is AI-specialized clouds (45%), a layer almost none of these enterprises use today. Meanwhile the compute already in place runs cold — 83% report GPU utilization of 50% or less — and fewer than half (44%) can rigorously track what their AI compute costs. Enterprises are buying more infrastructure faster than they can account for what they already own.</p><p>Enterprises are not settled on their infrastructure vendors, either: A clear majority (64%) plan to switch or add an infrastructure provider within twelve months, and 38% within the next quarter — unusually high churn intent for a category this foundational. When they choose, they choose on integration with the existing stack (41%) and total cost of ownership (35%), not on headline price: cost per million tokens is the deciding factor for just 8%. And the frontier constraint that will shape the next round of decisions — the shift from GPU compute to memory bandwidth as inference scales — is barely on the radar, with roughly one in five enterprises either unaware of it or yet to address it.</p><h2>Methodology</h2><p>VentureBeat fielded this survey as part of its ongoing Pulse Research series, this survey focused on enterprise AI infrastructure, compute, and inference economics. Responses are filtered to organizations with more than 100 employees (n=107; the survey’s smallest size band, 1–100 employees, is excluded), drawn from a single Q2 2026 (June) wave. Because this is one wave rather than a pooled multi-month sample, the report reads cross-sectionally and does not infer month-over-month trends. Several questions were multiple-select, so those shares can sum to more than 100%.</p><p>By organization size the sample concentrates in the mid-market: 101–250 employees (36%) and 251–1,000 (27%) lead, with 1,001–5,000 (22%), 5,001–10,000 (8%), and 10,001+ (7%) above them. By role it spans managers (38%), individual contributors (28%), VPs and directors (19%), and the C-suite (13%); on purchasing authority it is buyer-credible, with 45% final decision-makers and another 30% recommenders or influencers for AI solutions. Technology/Software is the largest industry at 26%, followed by Healthcare/Life Sciences (15%), Financial Services (13%), and Retail/E-commerce (12%).</p><p>At 107 respondents the sample is large enough to read directionally but should be treated as a directional signal rather than a precise measurement; it is self-selected and is not a probability sample. It also skews toward the mid-market and toward earlier-stage adopters, so it is best read as the view from organizations actively building out AI infrastructure rather than from the largest hyperscale operators.</p><h2>Finding 1: Ambition outpaces production</h2><p><b>Only one in five run AI in production at scale</b></p><p>We asked where organizations sit in their AI deployment journey. Most are still building toward production rather than operating at scale.</p><div></div><p>The maturity curve is front-loaded. Three-quarters of enterprises (76%) are either experimenting or running only some workloads in production, and just 21% describe AI in production at scale. This matters for everything that follows: the infrastructure decisions in this report are being made largely by organizations still early in deployment, whose compute footprint — and whose costs — are about to grow. The evaluation and switching intentions in Findings 3 and 4 are the leading edge of that build-out, not the settled preferences of operators who have already found what works.</p><h2>Finding 2: Enterprises run on hyperscalers and model APIs</h2><p><b>The specialized GPU clouds barely register — today</b></p><p>We asked which providers and platforms enterprises currently use to run their AI. The answer is a familiar one: the incumbents.</p><div></div><p>The current stack is hyperscaler-and-API. Google Cloud leads at 48%, and the general-purpose clouds (Google, Microsoft, AWS, Oracle) together with the major model APIs (Gemini, OpenAI, Anthropic) account for essentially all current deployment. The specialized “neocloud” GPU providers that dominate AI-infrastructure headlines — CoreWeave, Lambda, Crusoe, Nebius and peers — register at or near zero among these enterprises today. Only 6% run their own on-prem GPU clusters and 4% a custom open-source stack. Enterprises are, for now, running AI on the providers they already buy from — which makes the evaluation intentions in Finding 3 all the more striking.</p><p><i>(A note on reading these shares. As described in the methodology section, this sample is self-selected and skews mid-market, and this question counted every provider a respondent uses — an average of 2.1 selections each — so the figures measure presence in the stack rather than spending or primary status. A sample built this way will show a different provider mix than a spend-weighted census of the broader market; Google&#x27;s strength here, for example, is consistent with its long-standing position among smaller enterprises building on AI. Read these shares as a portrait of what this AI-active cohort runs today, and treat gaps between these figures and industry-wide market share estimates as a property of the sample rather than a contradiction of either.)</i></p><h2>Finding 3: The next dollar goes to infrastructure they don’t yet run</h2><p><b>AI-specialized clouds top the evaluations list</b></p><p>We asked where enterprises planned to evaluate AI infrastructure over the next 12 months. Their answers point away from the stack they run today.</p><div></div><p>Here is the report’s sharpest tension. The single most-cited planned evaluation area — AI-specialized clouds, at 45% — is the very category almost none of these enterprises use today (Finding 2). Nearly a third (32%) intend to evaluate non-Nvidia accelerators, and 28% in next-generation Nvidia silicon; even decentralized compute networks (16%) and sovereign compute (11%) draw meaningful interest. Read against current usage, this is not incremental — it is the leading edge of a re-platforming. The direction-of-travel question tells the same story: every infrastructure approach is net-expanding, but specialized AI clouds carry the highest net momentum (+24), edging out even the hyperscalers (+22). Enterprises are preparing to move a meaningful share of AI compute off the general-purpose cloud.</p><p>This continues a trend we saw in our April-May survey wave. Back then, usage of the AI-specialized clouds was equally marginal — CoreWeave at 3%, Lambda at 4%, Crusoe at 2% of enterprises. When we asked enterprises what change they planned in their AI infrastructure strategy over the next twelve months, the most-cited answer was moving workloads to specialized AI clouds, at 33%. Asked in April-May which emerging compute option they were most likely to evaluate AI-specialized clouds again drew the most responses. Two waves, two differently worded questions, one consistent picture: the type of cloud enterprises are most eager to assess is the type they have barely begun to use.</p><h2>Finding 4: A switching wave is building</h2><p><b>Six in 10 plan to change providers within a year — many within a quarter</b></p><p>We asked whether and when enterprises plan to switch or add an infrastructure provider. Very few intend to stand still.</p><div></div><p>For a category as foundational as compute, this is a remarkable amount of intended movement. Only 36% have no plans to change, meaning a clear majority (64%) intend to switch or add a provider within twelve months — and 38% within the next quarter alone. Where that interest points is telling: the providers drawing the most switching consideration are again the incumbents — Microsoft Azure and Google Cloud (33% each), OpenAI (30%), and Gemini (22%) — which suggests much of the near-term movement is reshuffling among the majors and consolidating spend rather than defecting to new entrants. The neocloud interest in Finding 3 is a 12-month evaluation thesis; the switching in the next quarter is mostly incumbents trading share.</p><p>(<i>Method note: Respondents who selected both &quot;no plans to change&quot; and a specific switching window are counted as switchers, on the logic that naming a timeframe is the more specific answer; three respondents were reclassified under this rule.</i>)</p><h2>Finding 5: Nobody buys on token price</h2><p><b>Integration and total cost of ownership decide — not sticker price</b></p><p>We asked what matters most when enterprises select an AI infrastructure provider. Headline price finished last.</p><div></div><p>Enterprises do not buy AI infrastructure on pricing, which is the place vendors compete on hardest. Integration with the existing stack (41%) and total cost of ownership (35%) dominate, while the headline metric — cost per million tokens — is the deciding factor for just 8%, dead last. The pattern is coherent: buyers are optimizing for how a provider fits and what it truly costs to operate, not for the advertised unit rate. It also foreshadows Finding 7 — enterprises say TCO matters most, yet most cannot yet measure it rigorously. The stated priority and the measured capability are out of step.</p><h2>Finding 6: Expensive GPUs, idle most of the time</h2><p><b>83% report GPU utilization of 50% or less</b></p><p>We asked what share of their GPU capacity enterprises actually utilize. The answer is a well-known but rarely quantified inefficiency.</p><div></div><p><i>Disclosure: Band percentages count every selection against all 107 qualified respondents; 14 respondents selected more than one band, so bands overlap. At the respondent level, 83 of the 100 GPU-operating enterprises reported utilization at or below 50%</i></p><p>The compute already in place runs cold. Adding the bands at or below half capacity, 83% of enterprises that operate GPUs report utilization of 50% or less, and nearly half (49%) run at 25% or below. Only 12% clear the 50% mark, and a further 8% do not measure utilization at all. Idle accelerators are expensive accelerators, and this is the clearest single measure of the compute gap: enterprises are planning to buy more GPUs and specialized compute (Finding 3) while the capacity they already own sits substantially unused. The efficiency headroom in the current fleet is large — and largely unmeasured.</p><h2>Finding 7: Spending fast, measuring slowly</h2><p><b>Fewer than half rigorously track what their compute costs</b></p><p>We asked whether enterprises can quantify the cost and return of their AI infrastructure spend, and how satisfied they are with what they run. Confidence in the ledger lags the spending.</p><div></div><p>Measurement trails money. Fewer than half of enterprises (44%) rigorously track the cost and return of their AI compute; the majority track only partially (39%), cannot quantify it yet (20%), or have not prioritized it (6%). That gap is consequential given Finding 5, where total cost of ownership was the second-ranked buying criterion — enterprises are choosing providers on an economic basis they mostly cannot yet measure. Satisfaction with current infrastructure is moderately positive but not enthusiastic: on a five-point scale, overall satisfaction averages 4.0, with ease of implementation (3.8) and value for money (3.9) trailing slightly — the softness landing, tellingly, on cost. Enterprises are spending quickly and accounting slowly.</p><h2>Finding 8: The next bottleneck few are watching</h2><p><b>As inference shifts from compute to memory, the field scatters</b></p><p>Finally, we asked how enterprises would address the emerging constraint in large-scale inference — the shift from GPU compute to memory, specifically KV-cache capacity. The responses reveal a frontier that is not yet a priority.</p><div></div><p>The memory frontier is real but barely governed. Asked which approach they would rely on as the binding constraint in inference shifts from compute to memory bandwidth, enterprises scatter: Dell leads at 31%, Nvidia follows at 16%, and the rest fragments across storage vendors, open-source tooling, and model-level efficiency techniques. Most telling is that roughly one in five (18%) either do not recognize the constraint or have not begun to address it. For a shift that will reshape inference cost and architecture, this is an early and unsettled market — and, consistent with the measurement gap in Finding 7, one where many enterprises simply do not yet have a view. It is the next chapter of the compute gap, arriving before most have closed the current one.</p><h2>The bottom line: A compute gap that faster spending will widen, not close</h2><p>Organizations with more than 100 employees are investing in AI infrastructure faster than they can measure it. Most are still early in deployment, yet their spending intentions point past their current stack — toward specialized clouds and alternative accelerators almost none of them run today — and a clear majority intend to change providers within the year. They buy on integration and total cost of ownership rather than headline price, which is rational; the difficulty is that most cannot yet see those economics clearly.</p><p>The visibility gap is concrete. The GPUs enterprises already own run at half utilization or less for the overwhelming majority, and fewer than half can rigorously track what their compute costs or returns. Satisfaction is decent but unenthusiastic, softest on value for money — the dimension hardest to judge without measurement. And the next constraint, the shift from compute to memory in large-scale inference, is arriving while most enterprises are still unaware of it. At 107 respondents in a single Q2 wave this is a directional read, skewed toward the mid-market and earlier-stage adopters — but the direction is consistent: the appetite to spend is running well ahead of the instrumentation to spend well. The compute gap is not a capacity problem that more hardware will solve on its own; it is, first, a problem of seeing what the hardware already costs. The open question for later waves is whether enterprises build that visibility before the re-platforming arrives — or buy the next layer of infrastructure as blind to its economics as the last.</p><hr/><p><i>Based on survey responses from 107 qualified enterprise respondents (100+ employees), drawn from a single Q2 2026 (June) wave. Because this is one wave rather than a pooled multi-month sample, the results read cross-sectionally rather than as a month-over-month trend, and at 107 respondents this is a directional signal rather than a precise measurement — the sample is self-selected, skews mid-market, and leans toward earlier-stage adopters rather than the largest hyperscale operators. Respondents include managers, individual contributors, VPs/directors, and the C-suite, with buyer-credible purchasing authority, across Technology/Software, Healthcare/Life Sciences, Financial Services, Retail/E-commerce, and other industries.</i></p>]]></description>
            <category>AI</category>
            <enclosure url="https://images.ctfassets.net/jdtwqhzvc2n1/65A33lcUi9p0nBSloUI1Wo/5e5d26295bc879f0ea8845cecac65504/VentureBeat-Research.png?w=300&amp;q=30" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[The agent security gap: 54% of enterprises have already had an AI agent incident, and most still let agents share credentials]]></title>
            <link>https://venturebeat.com/ai/the-agent-security-gap-54-of-enterprises-have-already-had-an-ai-agent-incident-and-most-still-let-agents-share-credentials</link>
            <guid isPermaLink="false">guLr7ih5ILpsMnOOTAHLN</guid>
            <pubDate>Thu, 16 Jul 2026 19:02:38 GMT</pubDate>
            <description><![CDATA[<p>Across 107 enterprises, AI agents are being given real access to systems and data while the controls meant to contain them lag behind. More than half have already had a confirmed agent security incident or a near-miss; only about a third give every agent its own scoped identity, and most agents still share credentials; and only three in ten isolate their highest-risk agents. The security stack is overwhelmingly borrowed from the model providers and hyperscalers rather than purpose-built for agents, spending remains a thin slice of the security budget, and enterprises are evenly split on whether their defenses are keeping pace with AI-enabled attackers. The result is an agent security gap — autonomous agents proliferating faster than the identity, isolation, and enforcement controls needed to hold them.</p><p>This wave of VentureBeat Pulse Research examines how enterprises secure their AI agents: what tooling they run, how they manage agent identity and isolation, what has already gone wrong, how much they spend, and whether they believe their defenses are keeping pace with AI-enabled attackers.</p><p>The central finding is an agent security gap — the distance between the autonomy enterprises are granting their agents and the controls in place to contain them. More than half of organizations (54%) have already experienced a confirmed agent security incident (18%) or a near-miss caught before harm (36%). The structural weakness beneath those numbers is identity: only about a third (32%) give every agent its own scoped, managed identity, while the rest report that some agents share credentials or that agents mostly run on shared API keys and human or service-account credentials. When agents share credentials, a single compromised or over-permissioned agent carries a wide blast radius — and only three in ten enterprises (30%) isolate their highest-risk agents in sandboxes to bound that radius.</p><p>What makes the gap notable is how comfortable enterprises are inside it. The security stack is overwhelmingly provider-native — OpenAI’s guardrails (51%), Google’s and Microsoft’s cloud controls, and Anthropic’s managed-agent controls dominate, while the dedicated agent-security specialists barely register — and satisfaction with that borrowed stack is high, averaging 4.2 out of 5. Yet spending remains a thin slice of the security budget, only a third of enterprises believe their AI defenses are ahead of AI-enabled attackers, and a clear majority plan to change tooling within the year. Enterprises are satisfied with controls they are simultaneously preparing to replace.</p><h2>Methodology</h2><p>VentureBeat fielded this survey as part of its ongoing Pulse Research series, this instrument focused on enterprise agent security — the tooling, identity, isolation, and enforcement controls organizations use to secure autonomous AI agents. Responses are filtered to organizations with more than 100 employees (n=107; the survey’s smallest size band, 1–100 employees, is excluded), drawn from a single June 2026 wave. Because this is one wave rather than a pooled multi-month sample, the report reads cross-sectionally and does not infer month-over-month trends. Several questions were multiple-select, so those shares can sum to more than 100%.</p><p>By role the sample is senior and buyer-credible: 45% are final decision-makers for AI purchases and another 30% recommenders or influencers. Managers (43%), individual contributors (24%), VPs and directors (15%), and the C-suite (11%) make up the seniority mix. By organization size the sample is mid-market-weighted: 251–1,000 (42%) and 101–250 (25%) employees lead, with 1,001–5,000 (19%), 5,001–10,000 (8%), and 10,001+ (7%) above them. Technology/Software is the largest industry at 23%, followed by Manufacturing (15%), Retail/E-commerce (14%), and Healthcare/Life Sciences (13%).</p><p>At 107 respondents the sample is large enough to read directionally but should be treated as a directional signal rather than a precise measurement; it is self-selected and is not a probability sample. It skews toward the mid-market, so it is best read as the view from organizations actively standing up agent security rather than from the largest operators.</p><p>Satisfaction ratings are computed on the respondents who answered each rating question; the overall satisfaction score reflects 82 of the 107 qualified respondents.</p><h2>Finding 1: The incidents are already here</h2><p><b>More than half have had an agent security incident or near-miss</b></p><p>We asked whether organizations had experienced an agent security incident — a confirmed breach, or a near-miss caught before harm. Most that run agents in production had.</p><div></div><p>This is the report’s defining number. More than half of organizations (54%) have already had an agent security event — 18% a confirmed incident and 36% a near-miss caught before it caused harm. Only 42% report nothing, and a small remainder either run no agents in production or don’t track such events. That so many report near-misses rather than only confirmed incidents is telling: enterprises are catching problems, but they are catching them close to the edge. The controls examined in the rest of this report — identity, isolation, enforcement — are what determine whether the next near-miss stays a near-miss.</p><p>Exposure scales with company size, but containment does not. The incident-or-near-miss rate rises from 49% in the mid-market (companies with 101-1,000 employees) to 63% at larger enterprises (above 1,000 employees), while sandbox isolation of high-risk agents falls from 35% to 20%, and satisfaction with security tooling drops from 4.36 to 3.97. The organizations running the most agents across the most systems carry the most incidents and the least of the one control that bounds an incident&#x27;s blast radius.</p><h2>Finding 2: The identity gap</h2><p><b>Only a third give every agent its own scoped identity</b></p><p>We asked how enterprises manage the identity of their AI agents — whether each agent has its own credentials, or agents share them. Full per-agent identity is the exception.</p><div></div><p>Rolled together, the overlapping answers show 69% of enterprises (74 of 107) with credential sharing somewhere in the agent fleet. Identity is the structural weakness beneath the incidents. Only about a third of enterprises (32%) give every agent its own scoped, managed identity — the precondition for least-privilege access and clean attribution. Nearly half (48%) say some agents have scoped identities but many still share credentials, and another 32% say agents mostly run on shared API keys or borrowed human and service-account credentials. (Respondents could describe more than one pattern across their agent fleet, so these overlap.) </p><p>The consequence is direct: when agents share credentials, an over-permissioned or compromised agent can act with far more reach than intended, and forensics after an incident cannot cleanly tell which agent did what. The non-human identity problem — giving every agent its own governed identity — is the single largest unfinished piece of enterprise agent security.</p><p>Moreover, a company’s agent credential posture is correlated with incidents. Organizations with credential sharing anywhere in the fleet were hit — with an incident or a near-miss in the past twelve months — at 63.5% (47 of 74). Organizations where every agent carries its own scoped identity were hit at 40.9% (9 of 22). The fully-scoped group is small, so for now the relationship is an association rather than proven causation, and the gap is concentrated in the mid-market — but within a single survey, a twenty-three point difference in incident rate suggests significance.</p><h2>Finding 3: Observe and enforce, but rarely isolate</h2><p><b>Only three in 10 sandbox their highest-risk agents</b></p><p>We asked what an organization’s agent security posture looks like in practice — whether they observe, enforce, isolate, or some combination. The control that bounds damage is the least common.</p><div></div><p>Monitoring and enforcement are reasonably common; containment is not. Roughly half of enterprises observe agent activity (47%) or enforce scoped permissions at runtime (49%), but only 30% isolate their highest-risk agents in sandboxes that bound the blast radius when the other controls fail. That ordering is backwards from a defense-in-depth standpoint: observation tells you what happened, enforcement tries to prevent it, but isolation is what limits the damage when prevention fails — and it is the control enterprises have adopted least. Combined with the identity gap in Finding 2, the picture is of agents that are watched and permissioned but rarely boxed in, which is precisely the configuration in which a single failure propagates.</p><h2>Finding 4: Security runs on borrowed, provider-native controls</h2><p><b>Guardrails from OpenAI, Google and Microsoft dominate; specialists barely register</b></p><p>We asked which agent security tooling enterprises use, and which is their primary layer. The answer favors the model providers and hyperscalers over the dedicated security vendors.</p><div></div><p>Enterprises are securing agents with tools that came bundled with their models and clouds. OpenAI’s guardrails lead at 51%, followed by Google’s and Microsoft’s cloud-native controls and Anthropic’s managed-agent controls — and when asked to name their single primary security layer, 82% name one of these provider-native offerings. The purpose-built agent-security category — Palo Alto’s Prisma AIRS, CrowdStrike, Cisco AI Defense, Zenity, HiddenLayer, Check Point’s Lakera, Okta for AI Agents, non-human identity platforms — barely registers, each in the low single digits, and only 5% run no dedicated tooling at all. As with retrieval and evaluation elsewhere in this series, the provider bundle is winning the default: enterprises reach first for the guardrails their platform ships, and the independent security layer that would address the identity and isolation gaps has not yet been adopted at scale.</p><p>The provider-default pattern is consistent across both Q2 survey waves. In April–May (n=110), usage was led by the same names — OpenAI&#x27;s controls at 26%, Azure at 15%, AWS at 14%, Google at 12% — with every dedicated agent-security specialist at 3% or below and one in ten using no dedicated tooling at all. The common finding from the two surveys: Enterprises are defaulting to the solutions provided by the platform they’re using, and the specialist category vendors have yet to become big players here.</p><p>(<i>A note on reading these shares. As described in the methodology section, the respondent sample is self-selected and skews mid-market, and the usage question counted every vendor or approach a respondent has in place — so the figures measure presence in the security stack rather than spending or exclusivity. Individual vendor percentages therefore carry all the usual sample caveats. The structural pattern, however, held across both Q2 waves on two differently worded questions: provider-native and hyperscaler controls lead, and dedicated agent-security specialists remain in low single digits. Read the individual shares loosely and the pattern with confidence.)</i></p><h2>Finding 5: And enterprises are comfortable with it</h2><p><b>Satisfaction is high, even as incidents mount and identity lags</b></p><p>We asked how satisfied enterprises are with their current agent security tooling. The comfort is notably out of step with the exposure documented above.</p><div></div><p>Satisfaction with agent security tooling is high — 4.2 out of 5 overall, and 4.1 for value for money — among the most positive readings in this series. That is the striking part: enterprises are highly satisfied with a stack that is mostly borrowed provider guardrails, even though more than half have already had an incident or near-miss and only a third give their agents scoped identities. The comfort appears to rest on the convenience and low friction of provider-native controls rather than on demonstrated containment. It is a false comfort in the making — the same enterprises expressing satisfaction are, as Finding 8 shows, a clear majority planning to change tooling within the year, which suggests the confidence is thinner than the score implies.</p><h2>Finding 6: Budgets haven’t caught up</h2><p><b>Most spend under a tenth of the security budget on agents</b></p><p>We asked what share of the security budget enterprises allocate to securing AI agents. For a fast-emerging risk, the allocation is modest.</p><div></div><p>Spending on agent security is still a thin slice. The most common allocation is 6–10% of the security budget (46%), and a third of enterprises (34%) spend 5% or less; only a quarter (24%) devote more than a tenth. Given the incident rate in Finding 1 and the identity and isolation gaps in Findings 2 and 3, the budget looks like a lagging indicator — the risk has arrived faster than the funding to address it. The enterprises spending more than a tenth of their security budget on agents are a distinct minority, and they are likely the ones building the scoped-identity and isolation controls the rest have not.</p><h1>Finding 7: The arms race is even, at best</h1><p><b>Only a third think their AI defenses are ahead of AI-enabled attackers</b></p><p>We asked how enterprises assess the balance between their AI-enabled defenses and AI-enabled attackers. Confidence is far from settled.</p><div></div><p>Enterprises are split on whether they are winning. Only about a third (35%) believe their AI-enabled defenses are ahead of AI-enabled attackers; the rest are less sure — 32% call it roughly even, 21% think attackers are ahead, and another 21% say it is too early to tell. Taken together, a clear majority (53%) rate the balance as even or tilted toward the attacker. That uncertainty sits uneasily beside the high satisfaction of Finding 5: enterprises are content with their tooling yet unconvinced it is winning the contest it exists to win. In a domain where the offense is also compounding with AI, an even race is not a comfortable place to be.</p><h2>Finding 8: A security reshuffle is coming</h2><p><b>Nearly six in 10 plan to adopt or switch tooling within a year</b></p><p>We asked whether enterprises plan to adopt a new, additional, or replacement agent security solution, and which they are considering. Few intend to stand pat.</p><div></div><p>The security stack is not settled. While 41% have no plans to change, a clear majority (59%) intend to adopt a new, additional, or replacement agent security solution within twelve months, and 29% within the next quarter — a strong signal that, high satisfaction notwithstanding, enterprises know the current stack is provisional. Incidents are what start the buying cycle. </p><p>Among organizations that have been hit, 42.1% plan to adopt, add, or replace agent security tooling within the next ninety days, against 14.0% of organizations with no incident — and after a confirmed incident it becomes majority behavior, at 52.6%. Getting hit also changes the threat assessment: 33.3% of hit organizations say AI-armed attackers are ahead of their defenses, against 8.0% of the unhit. Experience, in this data, is the strongest predictor of both urgency and pessimism.</p><p>The consideration set still leans provider-native (OpenAI 34%, Google 30%, Anthropic 29%, Azure 25%), but the dedicated security vendors — Cloudflare, Cisco, Palo Alto, Okta, Check Point’s Lakera — draw early interest in the mid-to-high single digits, more than their current footprint. </p><p>What the shopping does not yet include is the identity layer specifically. Twelve percent of the respondents include an agent-identity product — Okta for AI Agents, Microsoft Entra Agent ID, or a non-human identity platform — anywhere in their consideration set, and among the credential-sharing organizations that have already had an incident, identity consideration is essentially unchanged, at roughly one in ten. The control most directly implicated by the incident data is the one largely missing from the purchase plans. Whether this wave hardens the provider-native default or finally opens the door to purpose-built agent security — the identity and isolation controls the incidents call for — is the question this series will keep tracking.</p><h2>The bottom line: A security gap that autonomy will test first</h2><p>Organizations with more than 100 employees are giving AI agents real reach into systems and data while securing them with controls built for something else. More than half have already had an incident or near-miss; only a third give every agent its own scoped identity, and most still share credentials; only three in ten isolate their highest-risk agents; and the stack doing this work is overwhelmingly borrowed from the model providers and hyperscalers rather than purpose-built for agents.</p><p>The uncomfortable pairing is confidence with exposure: satisfaction with the current tooling is among the highest in this series, yet spending is a thin slice of the security budget, only a third believe their defenses are ahead of AI-enabled attackers, and a clear majority are already planning to replace what they have. At 107 respondents in a single wave this is a directional read, skewed toward the mid-market — but the direction is clear: agent adoption is running ahead of agent security, and the controls that matter most when something fails — scoped identity and isolation — are the ones enterprises have built least. The agent security gap is not a coverage problem that a provider guardrail will close on its own; it is a problem of identity, isolation, and enforcement built for autonomous software. The open question for later waves is whether enterprises close it deliberately — or whether a confirmed incident closes it for them.</p><hr/><p><i>Based on survey responses from 107 qualified enterprise respondents (100+ employees), drawn from a single June 2026 wave. This is a directional read, not a precise measurement — the sample is self-selected and skews mid-market, so it&#x27;s best read as the view from organizations actively standing up agent security rather than from the largest operators. Respondents are senior and buyer-credible (45% final decision-makers, 30% recommenders/influencers), spanning managers through the C-suite, and drawn primarily from Technology/Software, Manufacturing, Retail/E-commerce, and Healthcare/Life Sciences.</i></p>]]></description>
            <category>AI</category>
            <enclosure url="https://images.ctfassets.net/jdtwqhzvc2n1/3YcL8Sbx04RQsgnRvbYfs5/0567154029abc3d37ccfad9b6cc5f370/VentureBeat-Research-1.png?w=300&amp;q=30" length="0" type="image/png"/>
        </item>
    </channel>
</rss>