<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
    <channel>
        <title>Security | VentureBeat</title>
        <link>https://venturebeat.com/category/security/feed/</link>
        <description>Transformative tech coverage that matters</description>
        <lastBuildDate>Mon, 13 Jul 2026 23:36:11 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>https://github.com/jpmonette/feed</generator>
        <language>en</language>
        <copyright>Copyright 2026, VentureBeat</copyright>
        <item>
            <title><![CDATA[Forget typosquatting; slopsquatting is the software supply chain threat created by AI coding tools]]></title>
            <link>https://venturebeat.com/security/forget-typosquatting-slopsquatting-is-the-software-supply-chain-threat-created-by-ai-coding-tools</link>
            <guid isPermaLink="false">MvwfFB8G0iVQ5c96Lcb1r</guid>
            <pubDate>Mon, 13 Jul 2026 13:33:54 GMT</pubDate>
            <description><![CDATA[<p>Slopsquatting represents an emerging supply chain threat made possible by AI hallucinations. As developers increasingly rely on AI coding assistants, they unknowingly grant <a href="https://venturebeat.com/security/prompt-injection-is-exploiting-enterprise-ais-biggest-design-flaws-by-targeting-agents-rag-pipelines-and-model-routers">cybercriminals</a> access to their software from day one. </p><h2><b>Understanding what slopsquatting is</b></h2><p>Slopsquatting is a new type of supply chain attack that uses large language model (LLM) <a href="https://www.captechu.edu/blog/ai-driven-threats-in-software-supply-chains"><u>hallucinations to inject malicious code</u></a> into development workflows. The term combines &quot;AI slop&quot; and &quot;typosquatting,&quot; a deceptive practice where attackers register misspelled or lookalike versions of popular domains to prey on users who enter URLs incorrectly.</p><p>This novel attack vector exploits LLMs&#x27; tendency to generate fictitious software package names, which threat actors can then register and populate with malicious code.</p><p>During AI-assisted coding, the model may generate fake open-source packages — bundled collections of files, programs and installation tools. This alone is not necessarily harmful. However, if an attacker registers that fake package name, they can inject malware that gets incorporated directly into a developer&#x27;s codebase.</p><h2><b>How AI creates a supply chain risk</b></h2><p>Traditionally, AI <a href="https://www.pivotpointsecurity.com/ai-security-and-ai-safety-how-do-they-relate/"><u>safety risks stem from hallucinations</u></a>, which can adversely affect users who treat misinformation as valid. However, those same hallucinations have evolved into exploitable security vulnerabilities.</p><p>Typosquatting is a deceptive practice where a cybercriminal registers a mispelled version of a popular package to trick developers. It has existed for decades, so registries have built protections against it. </p><p>However, AI has changed the <a href="https://venturebeat.com/security/claude-mythos-exposed-a-hard-truth-your-enterprise-patching-process-is-way-too-slow">threat model</a>. It recommends fictitious packages that sound plausible rather than making simple misspellings. Once attackers learn which hallucinated packages models tend to invent, they can register malware-filled packages under those names.</p><p>Since the hallucinated packages are not simply typoed versions of popular libraries, there are no protections against this practice at scale. For example, the registry protects against an attacker publishing &quot;crossenv,&quot; a squat of the popular &quot;cross-env&quot; package. However, it would not identify &quot;mpn install cross-env file&quot; or &quot;cross-env-extended&quot; as threats.</p><h3><b>Hallucinations are persistent and severe</b></h3><p>Even if many LLMs recommend the same hallucinated package, widespread compromise is still possible. Malicious packages could remain undetected in production for months or even years, allowing threat actors to passively inject malware across countless environments. </p><p>One research <a href="https://arxiv.org/abs/2506.12995"><u>team analyzed 31,267 vulnerabilities</u></a> belonging to 14,675 packages across 10 programming languages. They discovered that reported vulnerabilities are increasing at an annual rate of 98%, faster growth than the 25% annual increase in the number of open-source software packages. The team also observed an 85% increase in the average lifespan of vulnerabilities, indicating a decline in security.</p><h3><b>Real-world dangers of AI hallucinations</b></h3><p><a href="https://venturebeat.com/security/ai-tool-poisoning-exposes-a-major-flaw-in-enterprise-agent-security">Malicious actors</a> can create open-access packages under the same name as commonly hallucinated libraries. Instead of standard code, they are filled with malware. The models believe they are referring to existing packages, so they often repeat the same hallucinated names. Since the hallucinations are not random, attackers could theoretically register packages that trick tens of thousands of developers.</p><p>These packages appear legitimate. String similarity to real libraries makes them recognizable. One-character typos suggest simple mistakes rather than malicious intent. Even fully fabricated names remain believable when the AI presents them in proper context. Detection is challenging, as developers trust their coding assistants to recommend valid dependencies.</p><h2><b>Why are LLMs hallucinating packages?</b></h2><p>LLMs generate the statistically most likely answer rather than prioritizing accuracy. Hallucinations are relatively common as a result. One study found hallucination rates <a href="https://www.nature.com/articles/s43856-025-01021-3"><u>range from 50% to 82%</u></a>, depending on the model and prompting method. Even GPT-4o, the best-performing model, goes no lower than 23%, even with prompt-based mitigation.</p><p>Adversarial hallucination attacks could worsen this problem. Threat actors can leverage token-level manipulation or retrieval poisoning to force models to hallucinate in ways they want, increasing the likelihood that models recommend their malicious packages.</p><h2><b>Which LLMs are prone to slopsquatting?</b></h2><p>While all LLMs are prone to slopsquatting, some are more vulnerable than others. The likelihood of producing hallucinated packages during code generation depends on the model. Proprietary models are four times less likely to generate hallucinated packages than open-source models.</p><p>One research group proved this by conducting 30 tests across 30 different systems. Out of <a href="https://arxiv.org/html/2406.10279v3"><u>the 576,000 code samples</u></a> and 2.23 million packages it produced, 19.7% were hallucinations. GPT-4.0 Turbo had a hallucination rate of 3.59%, while DeepSeek 1B, the best-performing open-source model, reached 13.63%.</p><p>This research suggests that organizations relying on open-source AI tools for code generation are roughly four times more exposed to slopsquatting attacks. That doesn’t necessarily mean proprietary tools will always remain safer, though. Once attackers realize this disparity, they may manipulate proprietary LLMs to take advantage of perceived safety.</p><h2><b>Vibe coding contributes to the problem</b></h2><p>Software developers who use AI tools estimate that <a href="https://shiftmag.dev/state-of-code-2025-7978/"><u>over 40 percent of the code</u></a> they commit includes AI assistance. They expect that percentage will increase considerably within the next few years. Already, 72% of those who have tried AI use it daily.</p><p>The uptick in vibe coding and AI-assisted coding amplifies the threat surface. As more developers integrate AI tools into their workflows without implementing proper verification processes, the attack surface for slopsquatting continues to expand.</p><p>For those using AI to assist with coding, double-checking output is essential. Verifying that recommended packages actually exist in official repositories before incorporating them into projects reduces risk.</p><h2><b>Navigating AI-assisted development</b></h2><p>Implementing automated checks that validate package names against known registries can help catch hallucinated packages before they enter production code. Security teams should also monitor for unusual package installations and maintain up-to-date threat intelligence on known slopsquatting campaigns.</p><p><i>Zac Amos is the Features Editor at </i><a href="https://rehack.com/"><i><u>ReHack</u></i></a><i>.</i></p>]]></description>
            <category>Security</category>
            <category>DataDecisionMakers</category>
            <enclosure url="https://images.ctfassets.net/jdtwqhzvc2n1/dIQcSeSRhbDxj2aciSnha/82de3e1c0e427d81134cbf5ff3516b5c/u7277289442_A_modern_interpretation_of_cybersecurity._3D._--a_48e0894a-799a-4645-9c75-f18358f3b4bf_1.png?w=300&amp;q=30" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Shared API keys expose AI agents at 69% of enterprises, new VentureBeat research finds]]></title>
            <link>https://venturebeat.com/security/shared-api-keys-expose-ai-agent-fleets-venturebeat-research</link>
            <guid isPermaLink="false">2XqmuCTifcY555RSfKO4iC</guid>
            <pubDate>Thu, 09 Jul 2026 20:45:43 GMT</pubDate>
            <description><![CDATA[<p>Share one API key across five AI agents, and a single compromised agent inherits the reach of all five. The attacker immediately benefits from the accumulated permissions of every workflow that the key touches. The forensic trail goes cold at the credential level because five agents on one account leave no record of which agent did what.</p><p>Sixty-nine percent of enterprises run agents with credential sharing somewhere in their deployments, according to VentureBeat’s June 2026 <a href="https://venturebeat.com/category/resources">Pulse Research</a> wave of 107 enterprises. </p><p>That one number explains the buying spree reshaping enterprise security this year. Palo Alto Networks, CrowdStrike, and Cisco have collectively bet more than $22 billion on it in the past year, targeting exactly the layer most enterprises in this survey haven&#x27;t finished building. </p><p>Palo Alto Networks completed its acquisition of CyberArk on February 11 for <a href="link">$21.1 billion in total consideration</a> at close — a deal it <a href="link">announced last July at roughly $25 billion</a> and the largest in the company&#x27;s history.</p><p>CrowdStrike <a href="link">closed its $740 million acquisition</a> of runtime authorization platform SGNL and, by June 15, <a href="link">shipped the first product from the deal, Continuous Identity for AI Agents</a>. CrowdStrike integrated SGNL in less than a year, delivering a product that validates every agent action in real time based on who owns it, who is calling it, and the device&#x27;s risk posture.</p><p>Cisco <a href="link">announced its intent to acquire</a> non-human identity specialist Astrix Security on May 4 for a reported <a href="link">$400 million</a>.</p><p>For a security director, this survey reads as a board-level question, not a trend line. It also surfaces a finding no competitor’s data shows, one that exposes which companies are the most at risk.</p><p>The data below is the first look at VentureBeat’s Q2 Agentic Security report, drawn from 107 qualified respondents at organizations with more than 100 employees. The full report will be released to attendees at <a href="https://venturebeat.com/vbtransform2026?gad_source=1&amp;gad_campaignid=23980639323&amp;gbraid=0AAAAADnGhh6a1PPkuB60-_ayDUaXOZo3h&amp;gclid=Cj0KCQjwjb3SBhDgARIsAMKiWziNibd4i5buzaXuw91BVLngDsyqVdgLZBQxUTUBkbuWlmUGubj-fMYaAowKEALw_wcB">VB Transform</a>, the event in Menlo Park next week (July 14-15) focusing on enterprise autonomous agents. </p><p>Forty-five percent are final decision-makers for AI purchases. The sample skews mid-market, so read the numbers as the view from organizations adopting agent security right now rather than from the largest enterprises. </p><p>More than half of respondents, 54%, have already had an agent security incident or near-incident. Eighteen percent confirmed an incident, and thirty-six percent caught a near-miss before a breach. Security teams are stopping most of these events at the last control point in the chain, but the rest of the data shows how thin that margin is.</p><h2>Your agents are sharing credentials</h2><p>Only 32% of enterprises give every AI agent its own scoped, managed identity. Nearly half (48%) report that some agents have scoped identities, while many still share credentials. Another 32% say agents mostly run on shared API keys or borrowed human and service-account credentials. The survey question allowed more than one selection, and 24 of the 107 respondents chose multiple options — which is why the three categories sum to 112%. Deduplicated by respondent, 74 organizations, or 69%, flagged credential sharing in at least one answer.</p><p>One number explains why the acquisitions target this layer. A shared credential converts a single compromised agent into many, and <a href="https://www.cyberark.com/press/machine-identities-outnumber-humans-by-more-than-80-to-1-new-report-exposes-the-exponential-threats-of-fragmented-identity-security/">CyberArk&#x27;s research</a> puts machine identities at 82 for every human in organizations worldwide, with agents as the fastest-growing category of the ratio. Cisco made the same diagnosis when it bought Astrix, whose founders built the company around API keys, service accounts, and OAuth tokens. Cisco’s announcement calls those the credentials AI agents are now “using (and abusing)” to execute work at scale.</p><p>Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, described the mechanism directly in an interview with VentureBeat. Some AI systems have their own identities, he said, and in other cases “people give their identity to the AI to take action on their behalf, and that also further kind of murkies the water and makes it very complex.” The murk is the point, because when the identity is shared, attribution dies with it.</p><h2>Exposure scales with size, and containment does not</h2><p>Forty-nine percent of enterprises enforce scoped permissions at runtime, and 47% monitor and log agent activity, which can help reduce security incidents. Only 30% sandbox their highest-risk agents, the one control that limits blast radius when the first two fail. Isolation is what keeps a single compromised agent from becoming a deployment-wide event. Enterprises have funded detection and resistance, but the containment layer barely exists.</p><p>The sharpest finding in the survey, and the one no vendor report captures, shows up when you split results by company size. The incident rate is 49% for companies with 101 to 1,000 employees, but it shoots up to 63% for companies with more than 1,000. Sandbox isolation moves the other way, falling from 35% to 20% at the larger companies.</p><p>The chart above shows the same finding at finer granularity: the 49%/63% split above is a binary cut at 1,000 employees, while the bars here break incident rate and isolation rate into four size bands. The red line measures incidents and near-misses, and the navy tracks the one control that contains damage after everything else fails. At organizations with 101 to 250 employees, the two sit 7 points apart, but above 5,000, the gap blows out to 60 points. That top band pools the survey&#x27;s two largest size groups and holds only 15 respondents, so treat the number as directional. Larger enterprises run more agents across more systems, which drives incidents up while sandboxing, the engineering project that would contain them, goes unfunded. The enterprises with the most agents have the least isolation around them.</p><p>The deals target exactly those accounts. Palo Alto Networks, Cisco, and CrowdStrike sell to large enterprises first, where incident rates are highest and containment is the thinnest.</p><h2>Guarded by whoever shipped the model</h2><p>The model providers are the security layer. OpenAI&#x27;s built-in guardrails lead at 51%. Google Cloud reaches 36%, Microsoft Azure&#x27;s Purview and Copilot Studio DLP 35%, and Anthropic&#x27;s managed-agent controls 29%. Eighty-two percent of respondents name a provider-native or hyperscaler control as their single primary agent security layer.</p><p>The purpose-built specialists are in single digits, with Palo Alto Networks&#x27; Prisma AIRS at 7%, CrowdStrike at 6%, and Okta for AI Agents at 4%. Zenity and the dedicated non-human identity platforms are at 3% each. Microsoft Entra Agent ID is the highest-penetration identity-specific control in the dataset at 13%, the only one from a hyperscaler, and it still falls outside the top four. Only 5% of enterprises run no dedicated agent tooling at all, and the rest have tooling that came pre-installed.</p><p>Bundled controls lead because they ship free and are enabled by default. Most filter prompts and outputs, but they do not give an agent its own identity or sandbox it. Hyperscalers sell identity-layer products, and Entra Agent ID is in the dataset at 13%, but adoption stays low. The two controls that reward incident data the most, scoped identity and isolation, are the two that the default stack does not include.</p><p>Prompt-and-output filters evaluate whether a call looks malicious. That is an intent problem, and intent cannot be solved at the language layer. CrowdStrike CTO Elia Zaitsev drew the line in an <a href="https://venturebeat.com/security/rsac-2026-agent-identity-frameworks-three-gaps">interview at RSAC 2026</a>. &quot;Observing actual kinetic actions is a structured, solvable problem,&quot; Zaitsev said. &quot;Intent is not.&quot; CrowdStrike&#x27;s Falcon sensor walks the process tree on an endpoint and tracks what agents did, not what agents appeared to intend. A scoped identity and an isolation boundary give that sensor something to track, while a shared credential on a bundled guardrail does not.</p><p>Cloud security went through the same cycle a decade ago, and Palo Alto Networks, CrowdStrike, and Wiz built multi-billion-dollar businesses on the gaps native cloud controls left open. Agent security is tracking the same path faster. A misconfigured storage bucket sat open until a human noticed. A misconfigured agent exploits its own over-permissioning on every run, and no human is watching when it does. Merritt Baer, chief security officer at <a href="https://www.enkryptai.com/">Enkrypt AI</a> and a former deputy CISO at AWS, <a href="https://venturebeat.com/security/most-enterprises-cant-stop-stage-three-ai-agent-threats-venturebeat-survey-finds">told VentureBeat</a> that the default layer is thinner than enterprises assume. &quot;Enterprises believe they&#x27;ve &#x27;approved&#x27; AI vendors, but what they&#x27;ve actually approved is an interface, not the underlying system,&quot; Baer said. &quot;The real dependencies are one or two layers deeper, and those are the ones that fail under stress.&quot;</p><h2>Comfortable, unconvinced, and already shopping</h2><p>Here is the contradiction worth a keynote slide. Enterprises rate their agent security tooling 4.2 out of 5, with value for money at 4.1 and ease of implementation at 3.9. Those scores would make most SaaS vendors envious.</p><p>Only 35% believe their AI-enabled defenses are ahead of AI-enabled attackers, while thirty-two percent call it roughly even. Twenty-one percent say attackers lead, and another 21% say it is too early to tell, showing how enterprises trust their tooling more than they trust its outcomes.</p><p>Budgets confirm it. Forty-six percent allocate 6 to 10% of the security budget to agent security, and a full third spend 5% or less. Half the sample has already had an incident or near-miss, but the funding does not match the exposure.</p><p>Fifty-nine percent plan to adopt, add, or replace agent security tooling within 12 months, and twenty-nine percent plan to move this quarter. OpenAI leads forward interest at 34%, followed by Google at 30%, Anthropic at 29%, and Azure at 25%. The dedicated vendors draw more interest looking forward than their current single-digit footprint suggests. Satisfied customers do not reshuffle this fast unless they know the stack they&#x27;re currently using is provisional.</p><h2><b>Three moves for security directors </b></h2><p><b>1. Inventory every agent’s credentials this quarter.</b> Map which agents share credentials with other agents and which run on borrowed human or service-account identities. The goal is not one credential per agent. Agents that touch multiple systems need multiple scoped identities. The goal is zero shared credentials between agents and zero borrowed human identities. Thirteen percent of surveyed enterprises already run Microsoft Entra Agent ID. Okta for AI Agents and the non-human identity specialists sell equivalents. Shared and borrowed credentials are the first thing to eliminate.</p><p><b>2. Sandbox the riskiest agents first.</b> Isolation is the least-adopted control at 30% and the only one that contains blast radius after prevention fails. Rank agents by the sensitivity of what they touch and isolate the top of the list. Above 1,000 employees, where isolation falls to 20%, this is the single highest-return move in the dataset. Sandboxing does not require replacing the agent or the platform. It requires a policy decision and an isolation layer.</p><p><b>3. Match the budget to the incident rate. </b>A third of enterprises fund agent security at 5% or less of the security budget, even though more than half have already had an incident or near-miss. Nine percent allocate more than 25% today. The full report breaks out exposure and containment by company size, showing which bands carry the most risk and the least protection.</p><p>The board&#x27;s question is simpler. If one of our AI agents was compromised this afternoon, which systems did it touch, and whose credentials was it holding? For the 69% of enterprises running agents on shared credentials, the answer is a shrug. The trail goes cold at the key.</p><p>The full Q2 Agentic Security report, with the complete vendor matrix, industry cuts, and the full dataset behind these charts, debuts July 14 and 15 at <a href="https://venturebeat.com/vbtransform2026">VB Transform</a>, held at Hotel Nia in Menlo Park. The open question it leaves is whether enterprises close the agent security gap on their own terms, or whether a confirmed breach closes it for them.</p>]]></description>
            <author>louiswcolumbus@gmail.com (Louis Columbus)</author>
            <category>Security</category>
            <enclosure url="https://images.ctfassets.net/jdtwqhzvc2n1/66fVTkq6EXowtfjlEBMGjB/d642a9b78a4976d2a4767a552a229708/Shared_API_keys_expose_AI_agent_fleets_at_69-_of_enterprises__new_VentureBeat_research_finds.png?w=300&amp;q=30" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[AI has collapsed the cyber response window — resilience now starts before the attack]]></title>
            <link>https://venturebeat.com/security/ai-has-collapsed-the-cyber-response-window-resilience-now-starts-before-the-attack</link>
            <guid isPermaLink="false">5kdZIeR7EQlDNFoWyvMel7</guid>
            <pubDate>Wed, 08 Jul 2026 07:00:00 GMT</pubDate>
            <description><![CDATA[<p><i>Presented by Rubrik</i></p><hr/><p>Enterprise cybersecurity is facing a fundamental speed problem. Frontier AI models are now enabling autonomous attacks that can move from initial access to full system breakout <a href="https://www.crowdstrike.com/en-us/press-releases/2026-crowdstrike-global-threat-report/">in as little as 27 seconds</a>. That’s faster than any human-operated security workflow can detect, escalate, and respond.</p><p>As a result, security operations can no longer assume there is time for humans to respond between breach and damage.</p><p>The security posture that enterprises need for the AI era centers on cyber resilience: continuously identifying clean recovery states, mapping critical data and identity dependencies, and automating restoration so that operations can recover in hours not days.</p><p>&quot;Everything that relied on process or human-in-the-loop intervention is no longer going to be able to execute at the speed of the attacks,&quot; says Dev Rishi, GM of AI at Rubrik. &quot;If the attacks are happening in 27 seconds, it means I need my recovery to happen just as quickly.&quot;</p><h2>Traditional detection and prevention are failing against AI-driven attacks</h2><p>The rules-based logic that has defined enterprise security for decades, such as static access controls, known signature detection and deterministic behavioral policies, was engineered for deterministic software. AI agents behave differently. They&#x27;re non-deterministic, capable of pursuing the same objective through many different paths, and increasingly capable of circumventing static guardrails by finding alternative routes when one is blocked.</p><p>The deeper problem is that conventional security logic checks identity, permissions, and access, and asks whether each individual access is permitted. But it can’t evaluate whether a sequence of permitted actions, taken across multiple applications, constitutes either a data leak, a destructive operation, or an attack. </p><p>&quot;You need a system that can understand context,&quot; Rishi says. &quot;You need to use AI to look at what an agent is doing and say, ‘it looks like what you&#x27;re doing might be a risk of leaking sensitive data externally.’&quot;</p><h2>How AI agents are blurring the line between internal and external cyber threats</h2><p>Enterprise security has historically maintained a meaningful distinction between external and internal threat vectors. External threats can be multidimensional, lightning fast, and come from a variety of vectors. On the other hand, internal threats were traditionally bounded by what a single human actor could accomplish before detection, constrained in speed, scope, and scale, but that distinction is falling apart as AI agents operate inside enterprise environments.</p><p>These agents have access to multiple systems simultaneously and move at speeds no human employee can match. When an agent makes a mistake, such as a hallucination, misread instruction, or an unintended data transfer, the resulting damage can look operationally identical to a malicious insider attack. And when an external attacker compromises an internal agent, they inherit its full access profile across every connected application.</p><p>&quot;Whether or not the agent is an internal threat because of an inadvertent mistake or because it&#x27;s been maliciously compromised, you need runtime guardrails that enforce your organizations policies consistently across agents,&quot; Rishi says. &quot;The practical answer is an AI-native guardian layer that monitors agent behavior semantically, understands intent across actions, and can block or terminate a misbehaving agent at machine speed, then trigger recovery immediately.&quot; </p><h2>Preparing for a world of inevitable compromise</h2><p>Frontier AI models, including those capable of discovering and operationalizing zero-day vulnerabilities autonomously, are changing the economics of attacks. </p><p>As a result, interest in Mythos readiness is growing. Enterprises are increasingly operating under two assumptions: that attacks are inevitable, not exceptional, and that investment in resilience and rapid recovery must be treated as strategically as investment in prevention has been. The shift reframes recovery from a post-incident activity into a capability that is deliberately designed, tested, and continuously validated.</p><p>&quot;The idea that you can recover quickly from an attack is going to become one of the most important facets of security,&quot; Rishi says. &quot;It&#x27;s the insurance policy that organizations now have to treat as a first-class citizen.&quot;</p><h2>Why AI-powered cyber resilience depends on small models</h2><p>True cyber resilience is a two-sided coin: it demands both real-time intelligent enforcement to intercept threats in motion, and automated recovery to restore operations immediately. While having backups is a baseline, organizations need workflows that can continuously monitor systems at machine speed, and instantly determine the most recent clean state under attack conditions.</p><p>Applying AI to the first half of that equation—real-time enforcement—creates a fundamental technical and economic challenge. Relying on massive frontier models to monitor every agent action introduces crippling latency overhead and exorbitant computing costs. A guardian AI system that slows down operations or costs as much as the systems it monitors is simply not viable for widespread adoption.</p><p>“It has to be a fast, small, and cheap AI model,” Rishi says. “No one wants to sign up for a secure solution that doubles their cost or latency.”</p><p>This is why small language models (SLMs) are critical for real-time enforcement. Rubrik’s approach, anchored by its acquisition of Predibase, is to build this frontline defense layer on small models optimized specifically for speed and efficiency. Unlike heavy frontier models, SLMs can semantically evaluate agent behavior at machine speed and at a fraction of the cost, acting as a real-time checkpoint.</p><p>That hyper-efficient enforcement layer is what enables a tighter, seamless connection to recovery. When the system observes an agent taking a destructive action—such as deleting a database, corrupting a critical file, or exfiltrating sensitive data—the small model detects it immediately, halts the damage, identifies the most recent clean snapshot from before the incident, and initiates recovery in a single, automated workflow.</p><h2>The shift from incident response to architectural resilience</h2><p>The broader implication of Mythos and similar frontier AI systems is a shift in how organizations think about security. As AI compresses the gap between attack and impact, resilience and recovery become architectural requirements rather than operational considerations.</p><p>Rubrik’s view is that security systems can no longer stop at detection. As AI agents gain greater autonomy, observability, identity context, and recovery must operate as a coordinated resilience layer. The goal is not simply to identify when something has gone wrong, but to shorten the gap between detection and restoration.</p><p>&quot;The same thing that&#x27;s introducing the threats, the frontier capabilities of models like Mythos, can also be used to help us combat the threat,&quot; Rishi says. &quot;Positioning yourself for the AI era means closing the gap between detecting that something has gone wrong and restoring the systems that were affected, before the cost of that gap compounds.&quot;</p><hr/><p><i>Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. For more information, contact </i><a href="mailto:sales@venturebeat.com"><i><u>sales@venturebeat.com</u></i></a><i>.</i></p>]]></description>
            <category>Security</category>
            <enclosure url="https://images.ctfassets.net/jdtwqhzvc2n1/4T2htIP8mhYat38Af7hJvJ/75a794552f257afbd5081672db92b0d0/AdobeStock_1880287912.jpeg?w=300&amp;q=30" length="0" type="image/jpeg"/>
        </item>
        <item>
            <title><![CDATA[The real cost, security, and culture problems behind enterprise AI agents]]></title>
            <link>https://venturebeat.com/security/the-real-cost-security-and-culture-problems-behind-enterprise-ai-agents</link>
            <guid isPermaLink="false">BAwq525ONz96mOsewfHp2</guid>
            <pubDate>Tue, 07 Jul 2026 20:24:31 GMT</pubDate>
            <description><![CDATA[<p><i>Presented by Red Hat </i></p><hr/><p>At VentureBeat&#x27;s recent AI Impact event, where the discussion centered on what separates enterprises that scale agentic AI from those that stall in pilot mode, Brian Gracely, senior director of portfolio strategy at Red Hat, detailed what companies actually run into once agents reach production. </p><p>He dove into cost discipline, the security blind spots unique to autonomous systems, and the organizational friction that determines whether agent adoption spreads beyond early champions.</p><h2>Enterprises are overestimating how far behind they are on AI agents</h2><p>Many enterprise leaders, especially those following industry keynotes and AI announcements, worry that they’re already falling dangerously behind competitors deploying agents at scale. But according to Gracely, much of that anxiety reflects a misconception about how quickly organizations learn once they begin building. Teams often move up the learning curve far faster than they expect.</p><p>That rapid progress creates a different challenge, however. As agent usage expands, AI costs rise just as quickly, turning cost management from an engineering concern into a recurring boardroom discussion.</p><p>Agentic AI usage is orders of magnitude higher than during the chatbot era, making AI costs a growing concern for enterprises. At the same time, organizations are becoming increasingly aware of their dependence on a small number of model providers. According to Gracely, that combination is driving many enterprises to explore alternatives that give them greater control over costs and infrastructure.</p><p>&quot;The two or three top providers are already telling the market that they&#x27;re losing money, and they&#x27;re trying to go public to make up those gaps,&quot; he explained. &quot;At some point, the dependency on that means you&#x27;re either going to buy at a very high-cost level, or you&#x27;re going to figure out alternatives to control what you&#x27;re doing.&quot;</p><h2>Right-sizing AI models is the fastest lever for cutting agent costs</h2><p>The biggest cost issue is that enterprises overspend by defaulting to the most capable model available regardless of task complexity.</p><p>&quot;If I&#x27;m simply trying to resolve an insurance claim, I don&#x27;t need to know about the history of Western civilization in my model, I don&#x27;t need to know World Cup soccer scores,&quot; Gracely said.</p><p>Semantic routing is the mechanism many companies use to make that judgment automatically, classifying requests and sending each to a model sized for the task without requiring users to choose, while infrastructure techniques like caching repetitive queries cut how often a request needs to reach GPU compute at all. Together, he said, these tools remove the assumption that efficiency and innovation pull in opposite directions.</p><p>&quot;There&#x27;s a lot you can do at a GPU infrastructure level, and quite a bit you can do in terms of flexibility of models,&quot; he explained. &quot;Those give excellent choices in terms of the levers you&#x27;re trying to pull, whether you need efficiency or you need innovation. That shouldn&#x27;t be a binary choice.&quot;</p><p>The financial discipline needed for token spend is similar to the FinOps practices that took years to mature in order to take control of cloud compute spending. Those underlying frameworks will transfer even as the vocabulary changes, Gracely said, especially as organizations push for internal education on model selection so teams stop defaulting to the most prominent option for tasks that don&#x27;t need it.</p><p>&quot;The same way we first had to teach the financial people what an EC2 instance is and what an S3 bucket is, you&#x27;re going to have to start explaining tokens to them,&quot; he said. &quot;We don&#x27;t always need a Rolls-Royce. We don&#x27;t always need caviar, because we&#x27;re trying to do basic types of things.&quot;</p><h2>Patch speed is now critical as AI tools find vulnerabilities faster</h2><p>AI-powered vulnerability discovery is forcing enterprises to rethink how quickly they can identify, validate and deploy patches. Long-established patch management cycles may no longer be fast enough in an environment where AI can uncover — and attackers can exploit — new vulnerabilities much more quickly.</p><p>&quot;Most companies are probably going to have a window of somewhere between seven and 14 days to stay ahead,&quot; he said. &quot;There are groups, Red Hat included, that are going to build patches for these, but the embargo window is going to be short.&quot;</p><p>AI is also changing what defenders need to look for. Rather than simply uncovering isolated critical flaws, AI security tools can identify combinations of seemingly minor vulnerabilities that become dangerous only when chained together. As both software complexity and vulnerability discovery accelerate, Gracely argued that the ability to rapidly manage and update software is becoming a strategic capability rather than simply an operational one.</p><h2>Subject matter experts and compliance teams decide whether agents scale</h2><p>In the end, organizational adoption comes down to the need for deep, sustained involvement from the subject matter experts whose knowledge the agent is meant to encode, which makes earning their buy-in a prerequisite rather than an afterthought.</p><p>&quot;You have to think about the incentives, what you do for people who participate in this work so they don&#x27;t feel threatened that it&#x27;s going to take away their job, and how you incentivize people in the long run to cooperate with that innovation,&quot; he said.</p><hr/><p><i>Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. For more information, contact </i><a href="mailto:sales@venturebeat.com"><i><u>sales@venturebeat.com</u></i></a><i>.</i></p>]]></description>
            <category>Security</category>
            <enclosure url="https://images.ctfassets.net/jdtwqhzvc2n1/4uZ9yfcgAUzj96p0I8gmUo/b6171e100300bc13cedb1325cc8040f2/IMG_4290.jpg?w=300&amp;q=30" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Digital resilience compounds when AI and human expertise scale together]]></title>
            <link>https://venturebeat.com/security/digital-resilience-compounds-when-ai-and-human-expertise-scale-together</link>
            <guid isPermaLink="false">3YXJ2bKyLX1F5wfzZ4ZPCS</guid>
            <pubDate>Wed, 01 Jul 2026 12:00:00 GMT</pubDate>
            <description><![CDATA[<p><i>Presented by Splunk </i></p><hr/><p>Agentic AI is making IT and security teams dramatically more efficient. But it’s also removing the apprenticeship that has long produced experienced operators. </p><p>As organizations automate more of the work once performed by junior analysts and engineers, they’re confronting a challenge that’s as much about workforce design as architecture design: how to build the next generation of experts when AI handles the work that once trained them.</p><h2>What the junior workforce has been doing</h2><p>For two decades, the path to becoming a world-class SecOps analyst, SRE, or NetOps engineer ran through repetition.</p><p>Triaging false positives. Hunting through dashboards for context. Reading logs at 2 a.m. that turned out to be benign. The industry treated this work as drudgery, and in many ways it was.</p><p>But it also served as the apprenticeship.</p><p>The thousands of hours an analyst spent staring at traffic patterns built the intuition that made them invaluable when a real attack arrived. That intuition was not taught in a single course or captured in a runbook. It was accumulated through exposure, pattern recognition, failure, and escalation. Over time, this is how people earn deep analytical experience.</p><p>However, agentic AI is now beginning to automate the very tasks that once served as the training ground for that expertise. That is not a reason to slow down. The drudgery was costly. The burnout was real. Organizations should use agents to reduce toil wherever they can.</p><p>At the same time, as we remove that apprenticeship loop, we need to provide operators something better in its place. How organizations approach this issue today will determine the winners for the future.</p><p>Organizations that approach this deliberately will produce the operators skilled to succeed in the next decade. Organizations that punt on this may find themselves with faster systems today, but with fewer people who understand them deeply enough to govern them tomorrow.</p><h2>When automation hollows out accountability</h2><p>There is also a second dimension to this conversation that gets less attention than it should.</p><p>In regulated environments, the drudgery of apprenticeship is part of the accountability layer. Frameworks from SOX to PCI DSS to HIPAA to NIS2 assume there is a chain of human judgments behind a control decision.</p><p>Auditors do not interview models. They interview people who can explain why a system did what it did, why the decision was sound, and whether the right controls were in place.</p><p>When the population of professionals who can explain that chain begins to thin, the risk may not appear immediately. The control may still pass. The workflow may still be executed. The dashboard may still look green.</p><p>But the underlying organizational memory begins to hollow out.</p><p>This is not simply a tooling problem. It is also a workforce skill and design problem. And for organizations moving quickly on agentic adoption, the risk is closer than many think.</p><h2>Building human expertise to govern AI</h2><p>When we lose part of the accountability layer to agents, humans will step into a different type of governance role. Governing an agentic system means implementing automated guardrails that adapt to non-deterministic agent behavior and ensure<s>s</s> agents behave appropriately under conditions no one fully anticipated. It means designing escalation criteria that catch the right anomalies without overwhelming humans with the wrong ones. It means implementing dynamic tools, alerts, and processes to review machine decisions to detect drift, bias, and reasoning failures that no individual case would reveal.</p><p>The ability to evaluate and respond to these exceptions requires judgment built over years of experience, learning pattern recognition that the old apprenticeship model used to produce.</p><p>That is why the workforce question and the architecture question are now the same question. If we expect humans to govern increasingly autonomous systems, we need intentional pathways that help people manage the scale and speed of AI systems while building the intuition and judgment in human operators required to do that work.</p><p>In the AI era, the most valuable platforms will not simply automate the most tasks. They will help people become more capable, more credible, and more essential as the systems around them become faster and more intelligent.</p><p>That means organizations need to invest in the full ecosystem of expertise for operators: communities that spread shared practices, certifications or other proofs that make expertise visible, and human-oriented explanations and verifications in the AI along with learning paths that build capability. Empowerment is an architecture design choice</p><p>Human empowerment is a critical part of the conversation around the practical use of AI. However, without an intentional strategy to back this up, it risks becoming the kind of phrase that means nothing because it can mean anything.</p><p>Empowerment for agentic systems cannot just be a conceptual requirement. It has to be a set of design choices baked into how systems behave. An agentic system that empowers its human operators and grows their professional skillset does four things:</p><h5>1. Exposes reasoning, with the data lineage behind it</h5><p>Every recommendation an agent makes should be traceable to the data it considered, the logic it applied, and the provenance of the inputs it used. Operators who can see reasoning develop judgment about when to trust it. Operators handed only conclusions do not.</p><h5>2. Tiers authority by confidence and impact</h5><p>Familiar, low-risk patterns can be handled autonomously. Novel situations or actions with meaningful blast radius should escalate by default. The boundary should be explicit and configurable by the teams that own the consequences.</p><h5>3. Treats disagreements as a correction signal</h5><p>When an experienced engineer overrides an agent, they are doing more than disagreeing. They are correcting the system with judgment the model did not have: a fragile dependency, a quirk in the environment, a constraint the data never saw. A system that registers the override but ignores the reasoning behind it learns nothing from the one moment a human knew better.</p><h5>4. Captures resolutions as cross-domain knowledge</h5><p>How an incident gets resolved is a lesson that rarely stays in one lane. A SecOps incident may expose an ITOps weakness. A network issue may trace back to business impact. When that connection lives only inside a closed ticket, the next team to hit it starts from zero. Resolutions should travel across domains, not die where they were filed.</p><p>These are not aspirational qualities. They are testable product capabilities. Leaders evaluating agentic systems should be able to identify where these capabilities live, what happens when they fail, and whether operator skill improves after deployment.</p><h2>The next advantage is when human and AI scale together</h2><p>For AI systems to be practical, trusted, and work at scale, the critical design point is for the AI to work deeply alongside and empower human operators. </p><p>As such, the agentic era is not a story about replacing humans. It is a story about redesigning the systems humans operate so that these operations can happen at machine speed and scale, while human expertise grows at the same time. Together, rather than at each other&#x27;s expense.</p><p>That outcome is not a given. It will happen only where leaders treat operator development as a priority, not an afterthought. To achieve this, agentic systems have to be intentionally designed to expose reasoning, capture learning, and route work back to humans in ways that build skill and career rather than erode both.</p><p>The agents will keep getting smarter and faster. The ability of operators who work alongside them to learn and grow in lockstep, will determine whether the next decade of digital resilience is something organizations truly own, or something they rent from a shrinking pool of expertise. </p><p><b><i>Learn more about how </i></b><a href="https://www.splunk.com/ciscodatafabric"><b><i>Cisco Data Fabric powered by the Splunk Platform</i></b></a><b><i> is helping teams accelerate agentic operations.</i></b></p><p><i>Kamal Hathi is SVP and GM of Splunk, a Cisco Company.</i></p><hr/><p><i>Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. For more information, contact </i><a href="mailto:sales@venturebeat.com"><i><u>sales@venturebeat.com</u></i></a><i>.</i></p>]]></description>
            <category>Security</category>
            <enclosure url="https://images.ctfassets.net/jdtwqhzvc2n1/5AXAMt7BDGYRlrMibkLrl0/4582002d39ac476ec2523200d43ea681/Splunk.jpeg?w=300&amp;q=30" length="0" type="image/jpeg"/>
        </item>
        <item>
            <title><![CDATA[The attack that hijacked Claude Code came through Sentry. Datadog, PagerDuty, and Jira have the same exposure.]]></title>
            <link>https://venturebeat.com/security/the-attack-that-hijacked-claude-code-came-through-sentry-datadog-pagerduty-and-jira-have-the-same-exposure</link>
            <guid isPermaLink="false">jf4CXHE5Ir8sqbDpnN4yJ</guid>
            <pubDate>Mon, 29 Jun 2026 16:53:14 GMT</pubDate>
            <description><![CDATA[<p>A single fake error report hijacked Claude Code in controlled testing — the agent ran the attacker&#x27;s code with the developer&#x27;s full privileges, and not one alert fired. EDR, WAF, IAM, and the firewall all missed it completely.</p><p>Tenet Security&#x27;s <a href="https://tenetsecurity.ai/blog/agentjacking-coding-agents-with-fake-sentry-errors/">June agentjacking disclosure</a> describes a single crafted Sentry error event — sent through a public credential that requires no breach and no authentication — that injected attacker instructions into error data that Claude Code, Cursor, and Codex then executed as trusted diagnostic output. Tenet tested 100-plus targets in controlled conditions and achieved an 85% success rate. Sentry called the flaw &quot;technically not defensible.&quot;</p><p>he Cloud Security Alliance classified agentjacking as a <a href="https://labs.cloudsecurityalliance.org/research/csa-research-note-agentjacking-mcp-sentry-injection-20260612/">systemic MCP vulnerability class</a> within days of the disclosure. No credentials were stolen, no policy was violated, no perimeter was breached: every step in the chain was authorized. That is the problem.</p><p>Tenet identified <a href="https://thehackernews.com/2026/06/agentjacking-attack-tricks-ai-coding.html">2,388 organizations with publicly exposed Sentry credentials</a> that could be used to inject malicious events at scale. The research is proof-of-concept, not confirmed exploitation across all 2,388. But one captured Claude Code environment held a live AWS secret access key and private repository URLs.</p><p>Here is the scope test: If your AI coding agents are connected to Sentry, Datadog, PagerDuty, Jira, or any MCP-connected data source your developers trust — and those agents can execute shell commands — then your stack has the same blind spot.</p><p>Organizations running Sentry should audit all publicly exposed DSNs immediately. Sentry&#x27;s architecture intentionally makes DSN credentials public for frontend error reporting, so the mitigation isn&#x27;t revoking the DSN — it&#x27;s restricting what agents can do with the data those DSNs return.</p><h2>Why your stack can&#x27;t see it</h2><p>Agentjacking works because every step is authorized: The attacker sends a valid Sentry API call using a public DSN, the MCP server returns the injected event as authentic output, and the agent executes the instruction using the developer&#x27;s privileges. No signature fired. The victim saw only benign diagnostics while the agent silently <a href="https://www.infosecurity-magazine.com/news/agentjacking-attacks-hijack-ai/">exposed cloud credentials and source-control tokens</a>.</p><p>SOC teams have never needed to distinguish between a developer running an npm install and an agent running that command in response to a malicious error event. That distinction <a href="https://thenewstack.io/agentjacking-sentry-mcp-attack/">did not exist until AI coding agents became production tools</a>. The stack that cannot make it is the stack agentjacking bypasses.</p><h2>Five surveys, one pattern</h2><p>Five independent surveys from the first half of 2026 found that enterprises trust their AI agents far more than their enforcement justifies.</p><p>Only <a href="https://www.okta.com/newsroom/articles/ai-agents-at-work-2026-agentic-enterprise-security/">34% of organizations apply the same security controls</a> to AI agents as to humans, according to an Okta/Apprize360 survey of 292 executives and 492 knowledge workers. Fifty-two percent of employees use unapproved AI tools, and 58% of executives reported an AI-related incident or close call in the prior year.</p><p>HiddenLayer’s 2026 AI Threat Landscape Report surveyed 250 IT and security leaders: 33% reported <a href="https://www.hiddenlayer.com/report-and-guide/threatreport2026">agents had already exceeded intended scope</a>, and 31% could not confirm whether they had experienced an AI breach. One in eight AI breaches was linked to agentic systems.</p><p><a href="https://www.gravitee.io/blog/state-of-ai-agent-security-2026-report-when-adoption-outpaces-control">Gravitee’s survey of over 900 executives and practitioners</a> found only 14.4% of agents <a href="https://www.gravitee.io/blog/state-of-ai-agent-security-2026-report-when-adoption-outpaces-control">went live with full security approval</a>, and 88% reported confirmed or suspected incidents. A follow-up of 750 leaders in April found agent estates had doubled while monitoring barely moved.</p><h2>The runtime gap nobody closed</h2><p>“Securing agents looks very similar to securing highly privileged users,” said Elia Zaitsev, CTO of CrowdStrike, in an <a href="https://venturebeat.com/security/rsac-2026-agent-identity-frameworks-three-gaps">interview with VentureBeat</a>. “They have identities, access to underlying systems, they reason, they take action.”</p><p>Zaitsev pointed to the gap the industry left open. “No one has been talking about securing agents at runtime. We are doing that now. What is your safety net? If all these controls fail, how do you prevent them from failing silently?”</p><p>CrowdStrike&#x27;s fleet data quantifies the exposure: more than 1,800 agentic applications on enterprise endpoints, approximately 160 million instances under monitoring. On June 15, <a href="https://www.crowdstrike.com/en-us/press-releases/crowdstrike-unveils-continuous-identity-for-ai-agents/">CrowdStrike shipped Continuous Identity for AI Agents at Identiverse</a>, replacing static policies with continuous enforcement that authorizes every agent action in real time. The control class that announcement reflects — continuous action-level authorization with verifiable agent identity — is now a baseline procurement criterion regardless of vendor.</p><p>“People have kind of forgotten about runtime security,” Zaitsev said. “We did this with endpoint, virtualization, and cloud. People focused on patching vulnerabilities, locking down permissions. Somehow, they always seem to miss something. The safety net is runtime.”</p><p>Zaitsev was equally direct about sandbox approaches. “If you start with an agent in a sandbox that has no ability to touch anything, it is worthless. Very quickly, you are in this race of giving it more capabilities. And then what is the point of your sandbox?” Agents derive their value from access. Every access grant is an attack surface.</p><div></div><h2>The governance gap is a budget problem</h2><p>Kayne McGladrey, an IEEE Senior Member, described the structural challenge in an exclusive interview with VentureBeat. “The CISO doesn’t have the budget. The CISO doesn’t have the staff. We can observe risks, we can advise on business risks, but we don’t own the business systems affected by those risks,” McGladrey said. When agent governance spans six departmental budgets, no single executive can confirm whether agents get the same access reviews as humans.</p><p>The Okta survey quantifies the disconnect. Only <a href="https://www.okta.com/newsroom/press-releases/showcase-2026/">43% of workers say agent policies are clear</a>, compared to 65% of executives, and nearly two-thirds apply weaker controls to agents than to humans. The people deploying agents daily do not recognize the governance posture their leadership claims to have built.</p><p>Assaf Keren, chief security officer at Qualtrics and former CISO at PayPal, put it plainly. “The real risk starts not by the implementation of AI systems. It is the fact that baseline architecture is not well established. When we put an AI system on top of something not architected well, we are accelerating the fractures.” Keren called runtime behavior analytics “an unsolved problem right now.”</p><h2>The 5-question gap test</h2><p>The five-question gap test draws on five surveys from the first half of 2026. Each question maps to a gap that agentjacking exploits. Run this before any Q3 vendor evaluation.</p><table><tbody><tr><td><p><b>Gap to test</b></p></td><td><p><b>The proof</b></p></td><td><p><b>What breaks</b></p></td><td><p><b>Monday action</b></p></td><td><p><b>Source / sample</b></p></td></tr><tr><td><p>1. Agent inventory. What percentage of agents, MCP connections, and LLM automations completed security review before deployment?</p></td><td><p>14.4% get full security/IT approval before going live. 52% of employees use unapproved AI tools. Average enterprise now manages 37+ deployed agents, roughly doubled from Q4 2025.</p></td><td><p>Unapproved agents are invisible to your identity platform and unaccountable in a breach disclosure. Agentjacking targets exactly these unmanaged MCP connections. No census means no audit trail for regulatory response.</p></td><td><p>Commission a full agent, MCP server, and LLM automation census. Make census completion a procurement gate for all Q3 vendor evaluations. Flag any agent discovered post-census as a shadow AI incident.</p></td><td><p>Gravitee State of AI Agent Security 2026, 900+ respondents (Feb 2026); Gravitee April 2026 update, 750 senior tech leaders; Okta/Apprize360, 292 execs + 492 workers (June 2026)</p></td></tr><tr><td><p>2. Controls parity. Do agents receive the same access reviews, privilege scoping, and revocation timelines as human employees?</p></td><td><p>34% always apply the same controls to agents as humans. 61% of privileged access fulfilled without proper review. Only 22% treat agents as independent identity-bearing entities.</p></td><td><p>An agent with a static OAuth token and no review cycle is a permanent privileged account with no termination date. Agentjacking inherits whatever privileges the developer holds. 45.6% of orgs rely on shared API keys for agent-to-agent auth.</p></td><td><p>Add every production agent to the next access review cycle. Mandate human-in-the-loop for any agent action touching PII, financial data, or production infrastructure. Replace shared API keys with scoped, short-lived tokens.</p></td><td><p>Okta/Apprize360 (784 respondents, June 2026); Palo Alto Networks (2,930 respondents); Gravitee (900+, shared API keys data)</p></td></tr><tr><td><p>3. Scope drift. Have any agents accessed data or systems beyond their defined scope in the last 12 months?</p></td><td><p>33% report agents already exceeded scope. 53% say agents exceed permissions occasionally or sometimes. Meta Sev 1, March 2026: agent posted sensitive data to unauthorized channel. Only 8% say agents never exceed intended permissions.</p></td><td><p>Scope drift triggers reportable events under GDPR, CCPA, HIPAA, and SEC cybersecurity rules. If detection cannot distinguish agent-initiated from human-initiated access, disclosure timelines are unachievable. Agent-spawned sub-agents (25.5% of deployed agents can create other agents) make audit trails algebraically intractable.</p></td><td><p>Run a 90-day scope-drift audit on every production agent. Compare actual resources touched against approved scope documentation. Block agent-to-agent delegation without explicit human approval for any action exceeding the parent agent’s scope.</p></td><td><p>HiddenLayer AI Threat Landscape 2026 (250 IT/security leaders); CSA AI Agent Security Survey (scope violations data); Gravitee (agent spawning data)</p></td></tr><tr><td><p>4. Governance perception gap. Would 50 knowledge workers say your AI agent policies are clear?</p></td><td><p>22-point gap: 65% of executives say policies are clear, 43% of workers agree. 77% of security teams see shadow AI risk but lack visibility to act. 76% cite shadow AI as a definite or probable problem.</p></td><td><p>You are evaluating vendors against a governance posture your workforce does not recognize. Every shadow agent undermines the vendor comparison. Knowledge workers sharing internal messages (54%), HR data (45%), and confidential docs (39%) with unapproved AI tools.</p></td><td><p>One-question survey before your next vendor demo. Gap exceeds 15 points, pause procurement. Publish an internal AI agent acceptable-use policy with specific examples of approved and prohibited agent behaviors.</p></td><td><p>Okta/Apprize360 (784 respondents, June 2026); Ivanti 2026 AI Maturity Report (1,200 respondents); HiddenLayer (shadow AI data)</p></td></tr><tr><td><p>5. Breach detection certainty. Can your security team confirm whether you experienced an AI-related breach in the last 12 months?</p></td><td><p>31% cannot answer. 88% reported confirmed or suspected AI agent security incidents. One in eight reported AI breaches now linked to agentic systems. Agentjacking proved EDR, WAF, IAM, and firewall pass an agent-mediated attack without a single alert.</p></td><td><p>No basis for disclosure timelines. No evidence chain for incident response. No defensible position in a regulatory investigation. EU AI Act high-risk compliance obligations take effect August 2, 2026.</p></td><td><p>Require agent-specific runtime detection as a procurement prerequisite. Confirm your org can distinguish agent-initiated actions from human-initiated actions in production telemetry. Test your SOC’s ability to attribute a specific action to a specific agent within 60 minutes.</p></td><td><p>HiddenLayer (250 IT/security leaders); Gravitee (900+, incident rate); Tenet Security (2,388 orgs exposed); CSA (systemic MCP vulnerability classification)</p></td></tr></tbody></table><h2>Security director action plan</h2><p>EU AI Act high-risk compliance obligations take effect August 2, 2026. Worth factoring into Q3 planning timelines.</p><ol><li><p>Run the five-question gap test above before any Q3 vendor evaluation — it costs nothing to administer, and the procurement clarity it creates is worth far more than the 30 minutes it takes.</p></li><li><p>Consider mandating agent-specific runtime detection. If your stack cannot tell what an agent did from what a developer did, agentjacking will bypass it the same way it bypassed every layer in Tenet’s testing. That distinction is the one that matters now.</p></li><li><p>Treat every agent as a privileged insider. According to the Okta/Apprize360 survey, only 34% of organizations apply the same controls to agents as to humans; closing that gap is the single most impactful thing most security teams can do this quarter.</p></li><li><p>Test the perception gap before investing in new tooling. One question to 50 knowledge workers. Do you know your company’s AI agent policies? If the gap between their answer and leadership’s answer exceeds 15 points, that is the problem to solve first. No vendor product fixes a governance posture your own workforce does not recognize.</p></li><li><p>Make agent census completion a procurement gate — every agent, every MCP connection. The security teams getting this right are the ones that started with a complete inventory and worked forward from there.</p></li></ol><p>Agentjacking stripped away an assumption that has survived every security architecture since the first firewall went live. Authorized does not mean safe. When every step in the chain is legitimate, the only defense that matters is the one watching what agents do. Not what policies say. What agents do.</p>]]></description>
            <author>louiswcolumbus@gmail.com (Louis Columbus)</author>
            <category>Security</category>
            <enclosure url="https://images.ctfassets.net/jdtwqhzvc2n1/6di1wa5fhWEfFyVhOuFc0/d26a92a3d31716e3c020864f400459f0/hero.png?w=300&amp;q=30" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Prompt injection is exploiting enterprise AI's biggest design flaws by targeting agents, RAG pipelines and model routers]]></title>
            <link>https://venturebeat.com/security/prompt-injection-is-exploiting-enterprise-ais-biggest-design-flaws-by-targeting-agents-rag-pipelines-and-model-routers</link>
            <guid isPermaLink="false">6YBx1nl4SEkwdcsRLIrvNG</guid>
            <pubDate>Sun, 28 Jun 2026 18:00:16 GMT</pubDate>
            <description><![CDATA[<p>In the past two years, businesses have been trying to fit large language models (LLMs) into support, analytics, development, and internal automation like never before. </p><p>Along with the increasing adoption of <a href="https://venturebeat.com/technology/agentic-ai-solved-coding-and-exposed-every-other-problem-in-software-engineering">AI technology</a>, another trend is gaining momentum — cybercriminals are taking advantage of the disconnect between assumptions about LLMs and their actual characteristics.</p><p>In 2025 and 2026, several independent sources have highlighted the same trend: Prompt injection remains one of the most impactful and widely demonstrated attack vectors against LLM systems. The <a href="https://genai.owasp.org/llm-top-10/">OWASP LLM Top 10</a> (2025) lists prompt injection as LLM01, identifying it as the most critical category of LLM‑specific vulnerabilities, for the <a href="https://owasp.org/www-project-top-10-for-large-language-model-applications/assets/PDF/OWASP-Top-10-for-LLMs-v2025.pdf">second consecutive edition</a>. OWASP&#x27;s ranking reflects the fact that LLMs still struggle to reliably separate instructions from data, making them susceptible to manipulation through crafted inputs.</p><p>CrowdStrike&#x27;s 2026 <a href="https://www.crowdstrike.com/en-us/press-releases/2026-crowdstrike-global-threat-report/">Global Threat Report</a> — built on frontline intelligence across more than 280 tracked adversaries — documented that threat actors injected malicious prompts into legitimate generative AI tools at more than 90 organizations in 2025. They then used those injections to generate commands that stole credentials and cryptocurrency. The report stated it plainly: <i>&quot;Prompts are the new malware.&quot;</i> AI-enabled adversaries increased their overall attack volume by 89% year-over-year, with prompt injection working as both an entry point and a force multiplier.</p><p>Real‑world incidents illustrate the operational impact. In August 2024, <a href="https://promptarmor.substack.com/p/data-exfiltration-from-slack-ai-via">researchers at PromptArmor</a> disclosed a prompt injection vulnerability in Slack AI that allowed an attacker to exfiltrate data from private Slack channels they had no access to — including API keys shared in private developer channels — by placing a malicious instruction in a public channel or embedding it in an uploaded document. </p><p>In June 2025, <a href="https://www.aim.security/lp/aim-labs-echoleak-blogpost">researchers at Aim Security</a> disclosed EchoLeak (CVE-2025-32711, CVSS 9.3), the first documented zero-click prompt injection exploit against a production AI system, targeting Microsoft 365 Copilot. By sending a single crafted email, no user interaction required, an attacker could cause Copilot to access internal files and transmit their contents to an attacker-controlled server. </p><p>Both vulnerabilities <a href="https://arxiv.org/abs/2509.10540">were patched</a>. These incidents underscore the fact that prompt injection is not a theoretical weakness but a practical, repeatable threat organizations must address as they deploy AI systems at scale.</p><p>Prompt injection techniques have undergone major evolutions over recent years, now targeting multi-agent architecture, retrieval-augmented generation (RAG) pipelines, model routers, and long-term memory capabilities.</p><div></div><h2>The e<b>nterprise challenge: Too much trust </b></h2><p>Businesses <a href="https://venturebeat.com/orchestration/mcp-solved-tool-calling-a2a-solved-coordination-what-solves-transport">deploy LLMs</a> to process instructions, summarize information, and trigger automated workflows, but it is difficult for LLMs to tell:</p><ul><li><p>Instructions from data</p></li><li><p>Information from context</p></li><li><p>Context from metadata</p></li><li><p>User intent from metadata</p></li></ul><p>This creates an opportunity for attackers to manipulate and influence the model&#x27;s behavior, either directly or indirectly.</p><h2><b>Modern prompt injection</b></h2><p><b>Cross-model prompt injection</b></p><p>LLM use is a common practice among enterprises. Attackers corrupt the output of a particular model, knowing well that other models would be processing the content. Hence, the corruption propagates through all AI systems.</p><p><b>RAG supply chain poisoning</b></p><p>Attackers create malicious information — documentation, blog articles, GitHub READMEs. Then they wait until this malicious information is ingested in enterprises&#x27; RAG pipelines, then use it as an attack vector.</p><p><b>Agent hijacking</b></p><p><a href="https://venturebeat.com/security/claude-mythos-exposed-a-hard-truth-your-enterprise-patching-process-is-way-too-slow">AI agents</a> have evolved to the point where they can send emails, modify cloud infrastructure, execute code snippets, and interact with internal corporate systems. It takes just a single instruction to make agents act differently in a harmful manner.</p><p><b>Context overflow attacks</b></p><p>With the help of million-token context windows, attackers place malicious code within the document and hope that an LLM will stumble upon it and execute it, thus overriding all previous instructions.</p><p><b>Memory poisoning</b></p><p>Due to the implementation of long-term memory in LLMs, attackers can inject instructions that permanently reconfigure their state.</p><p><b>Model‑router manipulation</b></p><p>Enterprises increasingly use model routers to select between multiple LLMs. Attackers craft prompts that force routing to the weakest or least‑guarded model.</p><h2><b>Why this matters for business leaders</b></h2><p>Prompt injection is not a theoretical problem. It directly affects:</p><ul><li><p>Customer‑facing systems (chatbots, support agents)</p></li><li><p>Internal copilots (developer tools, security assistants)</p></li><li><p>Automation workflows (ticketing, cloud operations, HR processes)</p></li><li><p>Data governance (RAG pipelines, knowledge bases)</p></li></ul><p>The risk is no longer limited to &quot;the model said something it shouldn&#x27;t.&quot;</p><p>In 2026, prompt injection can:</p><ul><li><p>Trigger unauthorized actions</p></li><li><p>Leak sensitive data</p></li><li><p>Corrupt internal workflows</p></li><li><p>Manipulate analytics</p></li><li><p>Alter business logic</p></li><li><p>Compromise multi‑agent systems</p></li></ul><p>The attack surface has expanded dramatically.</p><h2><b>What enterprises should do now</b></h2><p><b>1. Constrain model permissions</b></p><p>Limit what the model can do, not just what it should do.</p><p><b>2. Segment untrusted content</b></p><p>Treat all external data — including RAG sources — as potentially hostile.</p><p><b>3. Monitor tool invocation</b></p><p>Require human approval for high‑impact actions.</p><p><b>4. Validate content provenance</b></p><p>Ensure RAG pipelines don&#x27;t ingest poisoned external content.</p><p><b>5. Harden model routers</b></p><p>Prevent attackers from forcing routing to weaker models.</p><p><b>6. Treat LLMs as untrusted components</b></p><p>This mindset shift is the foundation of modern AI security.</p><h2><b>The bottom line</b></h2><p>Prompt injection remains the most effective way to compromise enterprise AI systems because it exploits the fundamental way LLMs interpret text. Until organizations treat LLMs as untrusted interpreters — not autonomous decision‑makers — prompt injection will continue to dominate the AI threat landscape.</p><p><i>Julie Brunias is an AI Security Architect.</i></p>]]></description>
            <category>Security</category>
            <category>DataDecisionMakers</category>
            <enclosure url="https://images.ctfassets.net/jdtwqhzvc2n1/761C8qLyC2XS0ZV0CCiPFE/d92b04f5a5c0cec56a5612a13d3f7e35/u7277289442_A_modern_interpretation_of_cybersecurity._3D_--ar_f806db26-b93b-427c-b0c9-42caa83dfe92_0.png?w=300&amp;q=30" length="0" type="image/png"/>
        </item>
    </channel>
</rss>