<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
    <channel>
        <title>Security | VentureBeat</title>
        <link>https://venturebeat.com/category/security/feed/</link>
        <description>Transformative tech coverage that matters</description>
        <lastBuildDate>Wed, 03 Jun 2026 06:00:13 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>https://github.com/jpmonette/feed</generator>
        <language>en</language>
        <copyright>Copyright 2026, VentureBeat</copyright>
        <item>
            <title><![CDATA[Microsoft launches MXC, an OS-level sandbox for AI agents, with OpenAI and Nvidia already on board]]></title>
            <link>https://venturebeat.com/security/microsoft-launches-mxc-an-os-level-sandbox-for-ai-agents-with-openai-and-nvidia-already-on-board</link>
            <guid isPermaLink="false">5lEA8BoEKR9x9BP7gxCkZO</guid>
            <pubDate>Tue, 02 Jun 2026 16:30:00 GMT</pubDate>
            <description><![CDATA[<p>For the past two years, the technology industry has raced to make AI agents more capable — teaching them to write code, navigate software interfaces, manage files, and orchestrate multi-step workflows with increasing autonomy. What the industry has not done, at least not with any consistency, is answer the question that keeps chief information security officers awake at night: what happens when an agent goes wrong?</p><p>On Tuesday at its annual <a href="https://news.microsoft.com/build-2026/">Build</a> developer conference, Microsoft offered what may become the definitive answer. The company introduced <a href="https://aka.ms/Windows-Build2026">Microsoft Execution Containers</a>, or MXC — a policy-driven execution layer, built into the Windows operating system itself, that lets developers and IT administrators declare exactly what an AI agent can and cannot access, with those boundaries enforced at runtime by the OS kernel.</p><p>The announcement, <a href="https://aka.ms/Windows-Build2026">buried within a sweeping set of developer-focused updates</a>, is arguably the most consequential platform move Microsoft made at Build this year, and it has the potential to reshape how every enterprise on Earth thinks about deploying autonomous AI software.</p><p>MXC is not a product you buy. It is an SDK and a policy model — a foundational primitive embedded in Windows and the Windows Subsystem for Linux — that provides what Microsoft calls a &quot;<a href="https://aka.ms/Windows-Build2026">composable sandbox spectrum</a>.&quot; That spectrum ranges from lightweight process isolation, already adopted by GitHub Copilot&#x27;s command-line interface, all the way up to micro-virtual machines, Linux containers, and full cloud instances running on Windows 365.</p><p>The system separates an agent&#x27;s execution from the user&#x27;s desktop, clipboard, user interface, and input devices. 
Critically, it binds every agent to a strong identity — either a local ID or a cloud-provisioned identity backed by Microsoft Entra — so that every action the agent takes can be attributed, audited, and governed.</p><p>The implications are enormous. Until now, the enterprise deployment of AI agents has been stuck in a paradox: the more autonomous and useful an agent becomes, the more dangerous it is to let it operate on a corporate network without guardrails. MXC is Microsoft&#x27;s attempt to break that paradox — not by making agents less capable, but by making the environment they operate in fundamentally more controlled.</p><h2>Why every autonomous AI agent is a security incident waiting to happen</h2><p>To understand why MXC matters, consider what an AI agent actually does when it runs on your computer. Unlike a traditional application, which operates within well-understood boundaries — a word processor reads and writes documents, a browser fetches web pages — an AI agent is, by design, unpredictable. It receives a goal in natural language, reasons about how to achieve it, and then takes actions: opening files, executing code, calling APIs, browsing the web, interacting with other software. Each of those interactions creates what security professionals call &quot;attack surface.&quot;</p><p>Microsoft&#x27;s own blog post framed the challenge in stark terms. The company wrote that &quot;as agents become more capable and autonomous, they&#x27;re delivering material productivity gains. But they&#x27;re also introducing new risk, and the issue isn&#x27;t just the agent. It&#x27;s the entire system the agent operates across.&quot; Every interaction between agents and humans, tools, applications, models, and other agents &quot;exposes new attack surface and introduces different failure modes.&quot; Microsoft characterized this as &quot;a multi-layer systems problem.&quot;</p><p>This is not a theoretical concern. 
In the months leading up to <a href="https://news.microsoft.com/build-2026/">Build</a>, security researchers demonstrated numerous ways that AI agents could be manipulated — through prompt injection, through malicious tool calls, through data exfiltration disguised as normal workflow. For enterprises that handle sensitive data, proprietary models, and regulated information, the absence of a trusted execution environment has been the single biggest barrier to moving agents from demo to deployment.</p><h2>Microsoft&#x27;s answer is a sandbox that scales from a single process to a full virtual machine</h2><p>MXC operates on a deceptively simple principle: declare what the agent can do before it runs, and let the operating system enforce those declarations at runtime. A developer or an IT administrator writes a policy that specifies which files, directories, and network resources an agent is allowed to access. MXC then creates a contained execution environment — a sandbox — that enforces those boundaries regardless of what the agent attempts to do.</p><p>What makes MXC unusual, and potentially very powerful, is the breadth of its isolation options. Microsoft designed the system so that a single SDK and policy model can map to the appropriate isolation construct for any given workload. For a lightweight coding assistant that just needs to read the current project directory, fast process isolation may be sufficient. For an autonomous agent that executes arbitrary code downloaded from the internet, a full micro-VM may be required. The system is designed to be &quot;dynamically composable based on intent and risk,&quot; meaning that the level of isolation can be adjusted based on what the agent is actually doing, not just what category it falls into.</p><p>Session isolation is a particularly important feature. MXC separates the agent&#x27;s execution from the user&#x27;s desktop, clipboard, UI, and input devices. 
This directly mitigates several classes of attacks that security researchers have identified as particularly dangerous for AI agents: UI spoofing, where an agent manipulates what the user sees to trick them into approving a malicious action; input injection, where an agent sends keystrokes or mouse clicks to other applications; and cross-session data leakage, where information from one user&#x27;s session bleeds into another.</p><h2>A live demo showed an AI agent trying to delete files — and failing, because the OS wouldn&#x27;t let it</h2><p>During a pre-briefing with VentureBeat the night before the announcement, a Microsoft developer offered a vivid demonstration of the technology in action. He had set up the open-source agent framework <a href="https://openclaw.ai/">OpenClaw</a> running inside MXC&#x27;s sandbox on his personal development machine. He then instructed the agent to delete all the files on his desktop. The agent attempted to comply — but the sandbox prevented it. &quot;If you look at my desktop here, you see how clean my desktop is,&quot; the developer said during the demo. &quot;That&#x27;s a lie.&quot; The files, he explained, were completely safe because &quot;the container won&#x27;t allow it.&quot;</p><p>The demonstration went further, showcasing the granularity of MXC&#x27;s controls. Users can mark specific files as read-only for the agent, restrict access to the browser and screen capture, control whether the agent can see location data, and have all of those permissions managed centrally by an enterprise IT department through Intune policies. 
The agent operates inside what is effectively a one-way mirror: it can do the work it has been asked to do, but it cannot see or touch anything outside the boundaries that its policy defines.</p><p>Pavan Davuluri, Microsoft&#x27;s Executive Vice President for Windows and Devices, underscored during the pre-briefing that the primitives MXC introduces — security, containment, isolation, and user control — are essential to making AI agents commercially viable.</p><p>He emphasized that these capabilities are &quot;not unique to OpenClaw&quot; and that &quot;this pattern repeats itself over and over&quot; for any agent running on a Windows device. The primitives that exist in the operating system now &quot;for the file around security, containment, isolating them, having users in control,&quot; he said, are what will make agents safe enough for ordinary consumers and corporate deployments alike.</p><h2>Defender, Entra, Intune, and Purview integration arriving in July turns MXC into an enterprise control plane</h2><p>For corporate IT departments, the most significant element of the <a href="https://openclaw.ai/">MXC announcement</a> is not the SDK itself but its integration with Microsoft&#x27;s existing enterprise security stack through what the company calls Agent 365. 
Arriving in preview in July, <a href="https://www.microsoft.com/en-us/microsoft-agent-365">Agent 365</a> layers Microsoft&#x27;s Entra identity service and Intune device management platform on top of MXC, so that IT administrators can govern agent containment centrally while developers choose the level of isolation their workload demands.</p><p>The integration goes further: <a href="https://www.microsoft.com/en-us/microsoft-365/microsoft-defender-for-individuals">Microsoft Defender</a> will provide runtime threat protection, <a href="https://www.microsoft.com/en-us/security/business/microsoft-entra">Entra</a> will handle identity and access management, Intune will enforce device-level policies, and <a href="https://www.microsoft.com/en-us/security/business/microsoft-purview">Microsoft Purview</a> will extend its data governance and compliance capabilities to agent activity. This means that an enterprise could, in theory, allow employees to run AI agents on their corporate machines — even powerful, autonomous agents that execute code and manage files — while maintaining the same kind of centralized visibility and control that IT departments currently have over traditional applications.</p><p>Microsoft described the identity layer in its <a href="https://aka.ms/Windows-Build2026">official blog</a>: &quot;Windows assigns agents a local ID or a cloud provisioned identity backed by Entra and attributes all activity from the container to that identity, so you can clearly differentiate human from agent.&quot; For regulated industries — financial services, healthcare, government — the ability to produce an audit trail that distinguishes between human actions and agent actions on the same machine could prove to be a regulatory requirement, not merely a nice-to-have feature. 
Every agent action attributable to a specific identity, every containment boundary enforceable through the same policy infrastructure that already governs hundreds of millions of Windows devices — this is the architecture that could finally move AI agents from pilot programs to production.</p><h2>OpenAI, Nvidia, Manus, and Nous Research are already building on MXC — and that changes the calculus</h2><p>Platform announcements at developer conferences are often aspirational. What distinguishes the MXC launch is the breadth and specificity of the partners already building on it. Microsoft named five: <a href="https://openai.com/">OpenAI</a>, <a href="https://www.nvidia.com/en-us/">Nvidia</a>, <a href="https://manus.im/">Manus</a>, <a href="https://nousresearch.com/">Nous Research</a> (maker of the Hermes agent), and the <a href="https://openclaw.ai/">OpenClaw</a> open-source project. Each is integrating MXC in a distinct way that illuminates a different use case for the technology.</p><p>OpenAI&#x27;s involvement is particularly striking. 
David Wiesen, a member of OpenAI&#x27;s technical staff, said that &quot;working with Microsoft on the Microsoft Execution Containers (MXC) allows us to explore new patterns for AI agents to safely and efficiently generate and execute code.&quot; He added that by combining Codex&#x27;s capabilities with MXC&#x27;s execution environment, the goal is &quot;to help developers move from intent to reliable execution faster, while maintaining the security and control enterprises need.&quot; The reference to <a href="https://openai.com/codex/">Codex</a> — OpenAI&#x27;s code-generation agent — suggests that MXC could become the default execution environment for one of the most widely anticipated agent products in the industry.</p><p>Nvidia is bringing its <a href="https://docs.nvidia.com/openshell/home">OpenShell framework</a> to Windows built on MXC, providing what Microsoft described as &quot;an easy-to-deploy package for autonomous, always-on agents safely.&quot; Manus, the Chinese-born AI agent startup that gained viral attention earlier this year, is also integrating. Tao Zhang, Manus&#x27;s Chief Product Officer, said that MXC &quot;gives developers a policy-driven way to define what an agent can access and enforce those boundaries at runtime, so more autonomous agents can operate safely in enterprise environments.&quot; And Dillon Rolnick, the CEO of Nous Research, offered what may be the most concise articulation of why MXC matters: &quot;Continuously-running local agents, like Hermes Agent, require intentional isolation. Developers need control over what an agent can access and trust that those controls will hold.&quot;</p><h2>How an open-source agent framework became Microsoft&#x27;s proving ground for AI safety on Windows</h2><p>One of the more revealing stories behind the MXC announcement involves <a href="https://openclaw.ai/">OpenClaw</a>. 
During the press pre-briefing, a Microsoft developer described how the partnership came together organically — Peter Steinberger, OpenClaw&#x27;s creator, sent him a direct message in January expressing interest in collaborating. What began as a casual conversation evolved into a full-fledged platform partnership, with Microsoft developers contributing to the OpenClaw Windows companion app, built as a native WinUI application rather than a wrapped web app.</p><p>The OpenClaw integration serves as what Scott called &quot;the ultimate test app for all the stuff that [the Windows platform team] is making.&quot; If OpenClaw — which by its nature gives agents broad autonomy to execute tasks on a user&#x27;s machine — can run securely within MXC&#x27;s containment boundaries, then the containment system is robust enough for any agent. Scott explained the philosophy driving the work: &quot;Think of OpenClaw Windows as the ultimate test app... If OpenClaw can succeed on Windows, that means that the Linux support is there, the container support is there, the containment is there.&quot;</p><p>The companion app demonstrates the full spectrum of MXC&#x27;s enterprise controls — file permissions, network access, screen capture restrictions, location data — all manageable centrally through Intune policies. Microsoft donated the project to OpenClaw and plans to continue contributing to it as open source. As one member of the Windows leadership team put it during the briefing: &quot;All agents, all comers, everyone is welcome on Windows... It&#x27;s going to run great on Windows, because the primitives are there. The base of the pyramid is solid.&quot;</p><h2>Building containment into the OS gives Microsoft a strategic edge over Apple&#x27;s walled garden and Google&#x27;s cloud-first model</h2><p>MXC arrives at a moment when the technology industry is grappling with a fundamental tension. 
AI agents represent what may be the most significant new category of software since mobile applications, and every major technology company is racing to build them. But the security and governance infrastructure required to deploy these agents responsibly in enterprise environments barely exists. Microsoft&#x27;s approach is distinctive because it locates the trust layer at the operating system level rather than in the agent framework, the model provider, or a third-party security product.</p><p>This is a deliberate architectural choice. By building containment into Windows itself, Microsoft ensures that the security guarantees hold regardless of which agent, which model, or which framework a developer chooses.</p><p>It also means that the hundreds of millions of Windows devices already managed through <a href="https://www.microsoft.com/en-us/security/business/microsoft-intune">Intune</a> and secured through <a href="https://www.microsoft.com/en-us/microsoft-365/microsoft-defender-for-individuals">Defender</a> can, in principle, become agent-ready through a software update rather than a rip-and-replace deployment.</p><p>Apple&#x27;s approach to AI agents leans heavily on its walled-garden ecosystem, offering security through restriction — limiting which agents can run and what they can do. Google&#x27;s approach, centered on its cloud infrastructure, offers security through centralization. Microsoft&#x27;s approach offers security through declaration and enforcement — allowing any agent to run, but containing its impact through OS-level policy.</p><p>For enterprises that operate in heterogeneous environments with diverse toolchains and multiple AI providers, the Microsoft model may prove the most practical. 
The competitive dynamics are already shifting: with OpenAI&#x27;s <a href="https://openai.com/codex/">Codex</a>, Nvidia’s <a href="https://build.nvidia.com/openshell">OpenShell</a>, and independent agent frameworks like <a href="https://manus.im/">Manus</a> and <a href="https://hermes-agent.nousresearch.com/">Hermes</a> all building on MXC, Microsoft is positioning Windows not just as the platform where agents run, but as the platform where agents can be trusted to run.</p><h2>The hardest part isn&#x27;t building the sandbox — it&#x27;s writing the policies that go inside it</h2><p>MXC is available now in early preview, meaning developers can begin building against the SDK and testing containment policies. The Agent 365 integration with Defender, Entra, Intune, and Purview is scheduled for preview in July — a timeline aggressive enough to suggest that much of the engineering work is already done, but far enough out to allow for refinement based on developer feedback.</p><p>The real test, however, will come when enterprises begin deploying agents at scale on production networks. Containment is only as good as the policies that govern it, and writing effective agent policies for complex enterprise environments will be an entirely new discipline — one that IT departments have not yet developed and that no vendor has yet figured out how to teach. The technology is promising, but an empty sandbox is just an empty box. Filling it with the right rules, for the right agents, in the right contexts, will require a level of organizational sophistication that most companies are only beginning to contemplate.</p><p>Still, the significance of what Microsoft announced on Tuesday is difficult to overstate. For the first time, a major operating system vendor has proposed a comprehensive, kernel-level answer to the question of how autonomous AI software should be contained, identified, and governed on the devices where most of the world&#x27;s work actually gets done. 
The industry spent two years teaching agents to act. Microsoft is now betting that the bigger business — and the harder engineering problem — is teaching the operating system to watch.</p>]]></description>
            <author>michael.nunez@venturebeat.com (Michael Nuñez)</author>
            <category>Security</category>
            <category>Technology</category>
            <category>Infrastructure</category>
            <enclosure url="https://images.ctfassets.net/jdtwqhzvc2n1/2Bj8ehmUSTCeqnkJ3pPCjc/f9782b3575c73ccecb809afd58e7acd2/Nuneybits_Vector_art_of_the_iconic_Microsoft_Windows_logo_on_a__b8c7cdb1-4983-4e68-94a9-93fbef23357b.webp?w=300&amp;q=30" length="0" type="image/webp"/>
        </item>
        <item>
            <title><![CDATA[Zip’s new AI agents want to stop your finance team from uploading contracts into personal ChatGPT accounts]]></title>
            <link>https://venturebeat.com/technology/zips-new-ai-agents-want-to-stop-your-finance-team-from-uploading-contracts-into-personal-chatgpt-accounts</link>
            <guid isPermaLink="false">5IwFW2GKLbkemMKAlpZ1zf</guid>
            <pubDate>Tue, 02 Jun 2026 12:00:00 GMT</pubDate>
            <description><![CDATA[<p><a href="https://zip.com/">Zip</a>, the AI procurement platform valued at <a href="https://zip.com/blog/series-d">$2.2 billion</a>, announced two products on Monday that mark a turning point in its evolution from procurement software to autonomous AI platform: a suite of five AI &quot;Superagents&quot; that can review contracts, code invoices, and negotiate with vendors inside Zip&#x27;s governance framework, and a procurement-native implementation of the Model Context Protocol (MCP) that pipes Zip&#x27;s data directly into AI assistants like Claude and ChatGPT — without sacrificing audit trails or compliance controls.</p><p>The announcements, unveiled at <a href="https://events.ziphq.com/ai-summit/?utm_source=linkedin&amp;utm_medium=social">Zip&#x27;s AI Summit in New York</a> with speakers from <a href="http://anthropic.com">Anthropic</a>, <a href="https://openai.com/">OpenAI</a>, <a href="https://www.datadoghq.com/">Datadog</a>, and <a href="https://www.humana.com/">Humana</a>, arrive at a moment when the procurement technology sector has become one of the fiercest battlegrounds in enterprise AI. SAP unveiled its &quot;Autonomous Enterprise&quot; vision at Sapphire 2026 just weeks ago, introducing more than 50 domain-specific Joule Assistants across finance, supply chain, and procurement. Coupa, at Inspire 2026 in Las Vegas in May, launched its own Compose platform, an environment for building and orchestrating AI agents across procurement, along with its Catalyst services bundle, a forward-deployed engineering services offering. 
And Gartner predicts 40% of enterprise applications will include task-specific AI agents by end of 2026, up from less than 5% today.</p><p>What makes Zip&#x27;s approach distinct — and what makes it a potentially important test case for the broader enterprise AI market — is not the agents themselves, but where they run and what constrains them.</p><h2><b>Why procurement teams are uploading sensitive financial data into personal AI accounts</b></h2><p>The announcement centers on an enterprise anxiety that procurement chiefs increasingly describe in private but rarely say publicly: their employees are already using AI for sensitive financial work, they&#x27;re just doing it in unmonitored, personal accounts. </p><p>Across the enterprise, employees are uploading spend data into Claude to analyze it, redlining sensitive contracts inside ChatGPT, and generating internal financial analyses in personal Gemini or Copilot accounts. Every time they do, sensitive enterprise data leaves systems where every action is controlled and audited, entering environments with no oversight, no compliance controls, and no record of what was done.</p><p>The consequences for getting this wrong are not hypothetical. <a href="https://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act">SOX violations</a> carry fines of up to $25 million. Executives can face prison time. Public companies that fail compliance audits can be delisted from the stock exchange. When an auditor asks how a decision was made six months later, no one can produce a record.</p><p>&quot;After working with hundreds of enterprises — including the world&#x27;s leading AI companies — we&#x27;ve learned that this kind of work is already happening, with or without governance,&quot; said Lu Cheng, Co-Founder and CTO at Zip. 
&quot;Even the companies building AI themselves want this work governed.&quot;</p><p>Zip&#x27;s CEO Rujul Zaparde put a finer point on it in an interview with VentureBeat, describing the competitive dynamics that make procurement an unusually high-stakes domain for AI governance. &quot;Most enterprises don&#x27;t operate on a single procurement platform,&quot; Zaparde said. &quot;They&#x27;re running SAP as their ERP, Coupa for some sourcing, ServiceNow for IT requests, contract management tools for legal, risk and compliance platforms for vendor due diligence, and a long tail of point tools alongside them.&quot; </p><p>He argued that this fragmentation gives Zip, as the orchestration layer connecting all of those systems, a unique advantage: &quot;AI can only be as good as the data it has access to. Because Zip sits above all of these tools, with visibility into each, and orchestrates the entire procurement process from request to payment, its AI can take action across the full procurement workflow in ways point solutions cannot.&quot;</p><h2><b>Inside the five Superagents Zip built to automate procurement&#x27;s hardest bottlenecks</b></h2><p>Zip is launching five <a href="https://zip.com/ai">Superagents</a>, each targeting a specific pressure point in the procurement lifecycle. A Procurement Superagent unblocks stalled requests and manages tail-spend negotiation. A Legal Superagent reviews and redlines contracts against company-approved playbooks. An AP Superagent sorts, codes, matches, and routes invoices. A Config Superagent identifies workflow bottlenecks and drafts configuration changes for admin review. And an Intake Superagent guides employees through compliant request creation, routing purchases to the right buying channel and nudging toward preferred suppliers.</p><p>The five agents are not standalone services. 
<a href="https://zip.com/engineering-blog">Zip&#x27;s engineering blog</a> reveals the architectural philosophy underlying them: all agents at Zip — pre-built and custom — run on a shared execution engine built within the company&#x27;s App Studio workflow automation platform. They differ only in configuration: the prompt that defines behavior, the tools they can access, and the format of their output. Zip&#x27;s engineering team describes this as a &quot;<a href="https://zip.com/engineering-blog/custom-agents-composable-ai-platform">Lego block</a>&quot; model — the out-of-the-box agents are finished models; custom agents are whatever enterprises choose to build from the same components.</p><p>Under the hood, the agent architecture uses a <a href="https://zip.com/engineering-blog/custom-agents-composable-ai-platform">four-node LangGraph state graph</a> — preprocessing, orchestration, final synthesis, and post-processing — that separates information gathering from response generation. The orchestration node contains a ReAct (Reason + Act) agent that autonomously decides which tools to call: document retrieval via vector search, structured API data from purchase requests and contracts, or company-specific policy context from a reference library.</p><p>This separation is deliberate. As Zip&#x27;s engineering team explains, conflating research and synthesis into a single LLM call would mean asking one model to be both a diligent researcher and an eloquent writer simultaneously. Separating them allows Zip to optimize each independently — including using different model tiers for each.</p><p>What differentiates Zip&#x27;s agents from the slew of procurement AI announcements from <a href="https://www.sap.com/index.html">SAP</a>, <a href="https://www.coupa.com/">Coupa</a>, and others is the governance architecture. Every Superagent action is governed by the same roles, permissions, and controls that apply to human employees. 
High-impact steps like system updates and approvals use deterministic logic rather than LLM inference. And every action generates a complete audit trail.</p><h2><b>What happens when an AI agent misclassifies a $150,000 contract</b></h2><p>Zaparde shared a specific error case from beta testing to illustrate how Zip&#x27;s human-in-the-loop design handles real-world failures. &quot;Our Intake Superagent flagged a $150K marketing services contract as a standard SaaS subscription,&quot; he said. &quot;But because every Superagent action hits a human-in-the-loop checkpoint before it executes, the procurement team caught the misclassification before it went anywhere. They corrected the category, the right approvers were routed in, and the GL coding flowed through accurately downstream.&quot;</p><p>The error-and-correction anecdote is revealing because it highlights the tension at the heart of every enterprise AI deployment: these systems will make mistakes, and the question is whether the surrounding infrastructure catches them before they cause damage.</p><p>Zaparde was direct when asked who bears liability if a Superagent triggers a compliance failure: &quot;Customers remain accountable for their procurement decisions, the same way they would be with any vendor or business process. That&#x27;s standard across enterprise software. Payroll vendors don&#x27;t take on liability for misclassified employees, ERP vendors don&#x27;t take on liability for misstated financials, and the same principle applies to AI-augmented work.&quot;</p><p>But he was equally emphatic that the design goal is to make the liability question moot. &quot;Zip&#x27;s Superagents are designed so this scenario shouldn&#x27;t happen in the first place. They don&#x27;t operate outside governance, they operate inside it. 
Every action is auditable, every high-impact step is gated by human review, and the audit trail makes it possible to demonstrate compliant decision-making to auditors and regulators.&quot;</p><p>The Superagents are currently in beta, with general availability expected this summer. Zip has been deploying AI agents in procurement since 2024, and today more than 50 are live across hundreds of enterprise customers. <a href="https://zip.com/customers/northwestern-mutual">Northwestern Mutual</a> alone saved 1,400 hours from a single AI agent. Superagents represent the next evolution — more reasoning, more cross-system action, more autonomy — all inside Zip&#x27;s governance layer. </p><p>When asked what percentage of agent actions require human escalation, Zaparde said there&#x27;s no single number because every agent handles a different type of task, but added: &quot;In finance and procurement specifically, we deliberately err on the side of escalation any time a transaction touches risk thresholds, policy compliance, legal requirements, budget guardrails, or governance rules. That&#x27;s a deliberate design choice, not a limitation.&quot;</p><h2><b>How Zip&#x27;s procurement-native MCP could reshape where enterprise AI actually runs</b></h2><p>The second announcement may prove more consequential for the broader enterprise AI market. <a href="https://zip.com/">Zip MCP</a> is a vendor-hosted implementation of the <a href="https://modelcontextprotocol.io/docs/getting-started/intro">Model Context Protocol</a> — the open standard originally created by Anthropic in November 2024 and later donated to the Linux Foundation, with MCP SDK downloads reaching 97 million per month by March 2026, a 970x increase in 18 months.</p><p>A fundamental challenge has limited MCP&#x27;s enterprise adoption: organizations deploying MCP are running into a predictable set of problems — audit trails, SSO-integrated auth, gateway behavior, and configuration portability. 
The MCP protocol itself doesn&#x27;t yet natively solve for the governance requirements that regulated industries and compliance-sensitive functions like procurement demand.</p><p>Zip is attempting to solve this from the application layer. Its MCP server connects Zip&#x27;s procurement platform directly to any MCP-compatible AI assistant. An employee researching vendors in Claude, for instance, can have Zip proactively surface a request submission from that conversation. Power users can pull aggregated reporting across suppliers, requests, invoices, and payments from within a single AI conversation. Every action respects user permissions through OAuth, runs inside Zip&#x27;s compliance controls, and generates a complete audit trail. Zip claims this is the first time MCP has been implemented natively for enterprise procurement.</p><p>The claim matters because procurement is arguably the most governance-sensitive business function where MCP could deliver immediate value: it involves financial commitments, legal contracts, regulatory compliance, and supplier data that touch SOX, GDPR, and dozens of other regulatory frameworks.</p><p>When asked what happens to sensitive data once it reaches a third-party model&#x27;s context window, Zaparde was direct: &quot;MCP is tied to an authenticated user, and the same role-based permissions that apply inside Zip apply through MCP as well — meaning MCP can only retrieve information the user is already authorized to see.&quot; He added that Anthropic and OpenAI operate as Zip subprocessors, governed by data processing agreements with Zero Data Retention provisions, so &quot;data flowing through MCP isn&#x27;t used for model training, and it&#x27;s protected by enterprise-grade controls at both ends of the connection.&quot;</p><h2><b>The companies building AI chose Zip instead of building their own procurement tools</b></h2><p>Zip&#x27;s customer list for these announcements is impressive but still developing. 
<a href="https://block.xyz/">Block</a>, <a href="https://www.ucihealth.org/">UCI Health</a>, and <a href="https://www.snowflake.com/en/">Snowflake</a> are the named launch customers for AI Spend Automation, the premium enterprise offering that bundles platform access, AI consumption credits, and Zip&#x27;s forward-deployed engineers. </p><p><a href="https://www.ucihealth.org/">UCI Health</a> reported $20 million in cost avoidance from a single IT infrastructure project. Zaparde explained the methodology: &quot;The $20 million came from a single IT infrastructure project at UCI Health where their procurement team used AI-powered benchmarking to enter vendor negotiations with real market data rather than internal assumptions alone.&quot; He was careful to frame it as a collaborative result: &quot;UCI Health&#x27;s procurement team did the negotiating and the AI gave them the benchmarks to do it well.&quot;</p><p>Zip claims its broader customer base has saved more than $10 billion through its AI suite. Zaparde said that figure &quot;includes direct cost reductions through better vendor negotiations, time savings from automating manual procurement workflows, risk reduction through avoided fines and compliance penalties, and indirect spend savings from improved renewal management.&quot; A Forrester Total Economic Impact study modeled a 386% ROI for large enterprises using Zip, showing that on average, the platform pays for itself in under six months.</p><p>But the customer stories that matter most for Zip&#x27;s strategic narrative are its relationships with the companies whose models power its own agents. <a href="https://zip.com/customers/openai">OpenAI</a> has deployed more than 10 AI agents on Zip&#x27;s platform. <a href="https://zip.com/customers/anthropic">Anthropic</a>, whose Claude model Zip uses and whose engineers created MCP, more than doubled its procurement volume through Zip while keeping headcount flat. 
</p><p>The fact that both companies chose to buy rather than build is arguably Zip&#x27;s strongest competitive proof point: if the organizations with the most AI engineering talent on earth decided the procurement governance problem wasn&#x27;t worth solving internally, it suggests the moat is real. Beyond AI, the customer list spans <a href="https://zip.com/customers/t-mobile">T-Mobile</a>, <a href="https://zip.com/customers/dollar-tree">Dollar Tree</a>, <a href="https://zip.com/customers/canva">Canva</a>, and <a href="https://zip.com/customers/prudential">Prudential</a> — large, regulated enterprises where compliance failures carry material consequences.</p><p>&quot;When the companies building AI choose Zip rather than build it themselves, that tells you something about the moat,&quot; Zaparde said.</p><h2><b>SAP, Coupa, and the intensifying AI arms race in enterprise procurement</b></h2><p>Zip&#x27;s announcements don&#x27;t happen in a vacuum. The enterprise procurement AI market is experiencing a rapid convergence as every major platform races to embed agentic capabilities.</p><p>SAP has deployed more than 50 domain-specific <a href="https://www.sap.com/products/artificial-intelligence/ai-assistant.html">Joule Assistants</a> at <a href="https://www.sap.com/blogs/top-5-sapphire-2026-ai-announcements">Sapphire 2026</a>, orchestrating a subset of over 200 specialized agents to execute precise tasks. SAP has even launched a Joule Agent in the SAP Ariba Intake Management solution that captures and routes procurement requests and connects to existing procurement systems — a move that reaches directly into Zip&#x27;s core territory. Coupa CEO Leagh Turner has argued her platform&#x27;s foundation sets it apart, saying that while others are &quot;bolting AI onto aging systems,&quot; Coupa has one platform that scales with governance. 
Coupa says it has deployed more than 20 specialized agents, and its $10 trillion dataset of historical transactions gives it a training data advantage that Zip cannot match.</p><p>Zaparde&#x27;s counter-argument rests squarely on Zip&#x27;s position as an orchestration layer rather than a point solution. &quot;No matter how powerful those individual tools are, their AI is necessarily limited to the data inside each of their own systems,&quot; he said. &quot;Our moat is the orchestration layer and the AI agents built on top of it: agents that are uniquely able to reason and act across multiple systems and reconcile their data as a whole where needed.&quot; He pointed to Zip&#x27;s recognition as a Leader in the first-ever <a href="https://zip.com/resources/idc-marketscape-spend-orchestration">IDC MarketScape for Spend Orchestration</a> as evidence that the category itself has been validated.</p><p>The argument carries a strategic vulnerability, however, that Zaparde was asked about directly: Zip&#x27;s leading AI-company customers are also its model providers and potential competitors. What happens if Anthropic or OpenAI builds procurement tooling? </p><p>&quot;The mistake is assuming procurement is fundamentally a model problem,&quot; Zaparde responded. &quot;Even if an LLM could perfectly understand a contract or negotiate with a vendor, it still needs to operate within company policies, approval chains, supplier relationships, ERP systems, and audit requirements. That context layer is what Zip has spent the past six years building. We see the model providers as accelerating what&#x27;s possible, while we focus on making that intelligence operational within the enterprise.&quot;</p><h2><b>Why Zip is trading SaaS margins for forward-deployed engineers and AI credits</b></h2><p>The <a href="https://zip.com/ai">AI Spend Automation</a> offering raises questions about Zip&#x27;s evolving business model. 
Bundling platform access, AI consumption credits, and forward-deployed engineers who build and deploy custom agents inside customer environments is a strikingly different margin profile than traditional SaaS — and it&#x27;s a model that Coupa, with its own new Catalyst services offering, is also now pursuing.</p><p>Zaparde was transparent about the tradeoff: &quot;Yes, it is a different margin profile than pure SaaS, and we&#x27;re okay with that. Right now, our priority is adoption and proving value for customers. We believe that if we get the outcomes right, the economics follow. Companies that rush to protect margins before they&#x27;ve demonstrated real value end up with neither. We&#x27;re playing the long game.&quot;</p><p>Zip is <a href="https://zip.com/blog/series-d">valued at $2.2 billion</a> as of its October 2024 Series D round, the largest investment in procurement technology in over two decades. The company has raised approximately $371 million since its founding in 2020 and counts among its investors <a href="https://www.ycombinator.com/">Y Combinator</a>, <a href="https://www.bondcap.com/">BOND</a>, <a href="https://dst-global.com/">DST Global</a>, <a href="https://www.tigerglobal.com/">Tiger Global</a>, and <a href="https://www.crv.com/">CRV</a>.</p><p>The deepest technical signal in Monday&#x27;s announcement may be what it reveals about the infrastructure moat Zip is building beneath its agents. 
The company&#x27;s engineering team recently published detailed architecture for its internationalization system — a pipeline that uses LLM-based translation with glossary enforcement, Kafka change data capture, and a dedicated Redis caching cluster to translate user-generated content across multinational enterprise customers in real time.</p><p>The system uses a technique called &quot;<a href="https://zip.com/engineering-blog/translating-user-generated-content">lazy persistence</a>,&quot; where translations are initially stored with a one-week TTL and only promoted to permanent storage when a user actually reads them. This kind of deeply procurement-specific infrastructure — designed to support AI agents that operate across languages, jurisdictions, and regulatory regimes — takes years to build, not quarters, and no general-purpose AI tool can replicate it with a better model alone.</p><h2><b>The real product Zip is selling is the audit trail</b></h2><p>The central question for Zip — and for every enterprise software company racing to embed agentic AI into regulated workflows — is whether governance-first AI agents will actually earn the trust of procurement teams that have spent decades building manual controls for very good reasons. The regulatory stakes are real: SOX fines, criminal liability for executives, stock exchange delisting for companies that fail compliance audits. When an auditor shows up and asks how a purchasing decision was made, someone has to produce a paper trail.</p><p>That is ultimately the bet Zip is making with Superagents and MCP. Not that AI can do procurement work — at this point, that&#x27;s table stakes — but that AI can do procurement work and leave a record that will satisfy an auditor two years from now. In a market flooded with companies promising autonomous agents, Zip is wagering that the most valuable thing an AI can produce isn&#x27;t a decision. 
It&#x27;s proof that the decision was made correctly.</p><p><a href="https://zip.com/">Zip MCP</a> and <a href="https://zip.com/ai">Zip Superagents</a> are available in beta today, included with all core Zip products, with general availability expected this summer. <a href="https://zip.com/platform-overview">Zip AI Spend Automation</a> is available now for enterprise customers.</p>]]></description>
            <author>michael.nunez@venturebeat.com (Michael Nuñez)</author>
            <category>Technology</category>
            <category>Business</category>
            <category>Security</category>
            <enclosure url="https://images.ctfassets.net/jdtwqhzvc2n1/58Xq65ebt4Vk39flKiyoN4/9a78a1be01196b627e6978c3b07c1ab3/Nuneybits_Vector_art_of_locked_vendor-handshake_grid_67717884-fbd7-4e59-a9d6-35c51f534b6a.webp?w=300&amp;q=30" length="0" type="image/webp"/>
        </item>
        <item>
            <title><![CDATA[Anthropic’s browser agent got hijacked 31.5% of the time before safeguards engaged]]></title>
            <link>https://venturebeat.com/security/anthropic-browser-agent-hijacked-31-percent-before-safeguards-engaged</link>
            <guid isPermaLink="false">72sWuHRFKlVMVXRtOss5X3</guid>
            <pubDate>Mon, 01 Jun 2026 15:50:32 GMT</pubDate>
            <description><![CDATA[<p>Across the frontier labs, the highest prompt injection figures published this spring are Anthropic’s. Point a red-teamer at <a href="https://www.anthropic.com/news/claude-opus-4-8">its newest model</a> in a browser, and the attacker hijacked it <a href="https://cdn.sanity.io/files/4zrzovbb/website/c886650a2e96fc0925c805a1a7ca77314ccbf4a6.pdf">31.5% of the time</a> before safeguards engaged. OpenAI, Google, and Meta never gave security leaders a comparable number to set beside it. That figure looks like a liability. In this comparison, it is the opposite. It&#x27;s the one solid piece of ground.</p><p>Four frontier labs each shipped a prompt injection disclosure, and no two match. Anthropic put <a href="https://cdn.sanity.io/files/4zrzovbb/website/c886650a2e96fc0925c805a1a7ca77314ccbf4a6.pdf">244 pages</a> and four agentic surfaces on the table on May 28. OpenAI reported <a href="https://openai.com/index/gpt-5-5-system-card/">one surface, connectors</a>. Google moved the subject out of the model card and into a <a href="https://storage.googleapis.com/deepmind-media/gemini/gemini_3_pro_fsf_report.pdf">separate safety framework</a>. Meta shipped <a href="https://arxiv.org/abs/2505.03574">no closed-model card</a> at all. The Cross-Vendor Prompt Injection Disclosure Grid below maps what each lab tested, what each one measured, and the four places a side-by-side comparison falls apart.</p><p>A prompt injection hides a malicious instruction in something an agent reads, a web page, a document, or a tool result. One planted line can exfiltrate records or fire off actions nobody approved, and these cards are a buyer&#x27;s only first-party evidence.</p><p>There is no industry standard for measuring any of this, and that is the root of the problem. Carter Rees, VP of AI at <a href="https://reputation.com/">Reputation</a>, told VentureBeat that prompt injection breaks the assumption that every legacy tool was built on. 
&quot;A phrase as innocuous as, &#x27;ignore previous instructions&#x27; can carry a payload as devastating as a buffer overflow, yet it shares no commonality with known malware signatures.&quot; With no shared signature to scan for, each lab built its own yardstick, and the results do not line up. </p><p>Adam Meyers, Senior Vice President of Counter Adversary Operations at <a href="https://www.crowdstrike.com/en-us/">CrowdStrike</a>, said that the exposure is now the buyer&#x27;s to manage. &quot;As you implement AI, it increases your attack surface, so now you have to be able to protect those AI models against adversary misuse or data poisoning or prompt injection.&quot; CrowdStrike&#x27;s own frontline data shows the threat side is not standing still. In its <a href="https://www.crowdstrike.com/en-us/press-releases/crowdstrike-2026-financial-services-threat-landscape-report/">2026 Financial Services Threat Landscape Report</a>, released in May, the company reported adversaries using AI to compress the time from initial access to impact faster than legacy defenses can respond.</p><h2>Anthropic measured four surfaces. The numbers swing by an order of magnitude depending on which one you read.</h2><p>The Opus 4.8 card does what others do not: It breaks prompt injection out by surface, and the spread is the story.</p><p>Put the model in a coding environment, and an adaptive attacker from Gray Swan&#x27;s Shade tool got through on <a href="https://cdn.sanity.io/files/4zrzovbb/website/c886650a2e96fc0925c805a1a7ca77314ccbf4a6.pdf">7.03% of single attempts</a> with thinking on. Safeguards pulled that to <a href="https://cdn.sanity.io/files/4zrzovbb/website/c886650a2e96fc0925c805a1a7ca77314ccbf4a6.pdf">2.09%</a>.</p><p>Move the same class of attack into a browser, the surface behind <a href="https://www.anthropic.com/news/claude-for-chrome">Claude in Chrome</a> and <a href="https://www.anthropic.com/product/claude-cowork">Claude Cowork</a>, and the floor gives way. 
Anthropic put professional red-teamers on <a href="https://cdn.sanity.io/files/4zrzovbb/website/c886650a2e96fc0925c805a1a7ca77314ccbf4a6.pdf">129 web environments held out from training</a> and printed every result in <a href="https://www.anthropic.com/claude-opus-4-8-system-card">Table 5.2.2.4.A on page 81 of the system card</a>. Per-attempt is the share of all injection attempts that got through across 129 environments at 10 tries each. Per-scenario is the harder cut, the share of environments where at least one try landed. </p><p>Read down the per-attempt column without safeguards, thinking on, and the raw rate drops with each generation, from Sonnet 4.6 at 50.7% to Opus 4.8 at 31.5%. The lowest in the table, 5.9%, belongs to Mythos Preview, which nobody can buy yet. Turn safeguards on, and Opus 4.8 drops to 0.5%. Turn thinking off and it drops to zero across all 129 environments. </p><h2>OpenAI measured one surface, with attacks it already knew.</h2><p>The <a href="https://openai.com/index/gpt-5-5-system-card/">GPT-5.5 card</a>, published April 23 and updated April 24, handles prompt injection in one place, a single section on robustness to known attacks against connectors. OpenAI reports it as a robustness score where higher is better, the inverse of an attack success rate. GPT-5.5 came in at <a href="https://openai.com/index/gpt-5-5-system-card/">0.963</a>, down from <a href="https://openai.com/index/gpt-5-5-system-card/">0.998</a> for GPT-5.4-thinking. That one figure is the whole disclosure.</p><p>Anthropic tested four surfaces against an adaptive attacker that rewrites its approach based on what the model does, then ran a one-week bug bounty where red-teamers tried to break the model live. When the coding results came back worse than Opus 4.7, the card said so.</p><p>Lay the 0.963 next to the 31.5%, and they look like they belong on a scoreboard. They do not. One is a robustness score against known attacks on one surface. 
The other is a per-attempt attack success rate across 129 browser environments against an attacker that adapted in real time.</p><h2>Google and Meta never put the number in the card at all</h2><p>Google&#x27;s <a href="https://blog.google/products-and-platforms/products/gemini/gemini-3/">Gemini 3</a> files prompt injection under mitigations, and the launch materials describe stronger resistance with no number attached. The <a href="https://storage.googleapis.com/deepmind-media/gemini/gemini_3_pro_fsf_report.pdf">Frontier Safety Framework report</a> does run red teaming, but across its capability domains, and prompt injection is not one of them. No model card, no framework page, no per-surface number a buyer can lift into a risk review.</p><p>Meta ships open weights with no closed-model card. Prompt injection defense sits in a separate stack, Purple Llama&#x27;s <a href="https://arxiv.org/abs/2505.03574">LlamaFirewall</a>. A <a href="https://meta-llama.github.io/PurpleLlama/LlamaFirewall/docs/documentation/scanners/prompt-guard-2">PromptGuard 2</a> classifier and an AlignmentCheck auditor, run against the public <a href="https://arxiv.org/abs/2406.13352">AgentDojo</a> benchmark and its 97 tasks, cut attack success from <a href="https://arxiv.org/abs/2505.03574">17.6%</a> with no defense to <a href="https://arxiv.org/abs/2505.03574">1.75%</a> combined. Real numbers. They grade the guardrails on a public benchmark, not the model on a deployment surface a security team would recognize. </p><h2>The Cross-Vendor Prompt Injection Disclosure Grid</h2><p>The grid below works on any frontier model security teams are weighing. Each row marks a place where the four labs are split. Each split is where a quick comparison breaks. The Anthropic figures come from the Opus 4.8 system card. 
Everything for the other three comes from each vendor&#x27;s published safety documentation.</p><table><tbody><tr><td><p><b>Dimension</b></p></td><td><p><b>Anthropic, Opus 4.8</b></p></td><td><p><b>OpenAI, GPT-5.5</b></p></td><td><p><b>Google, Gemini 3.x</b></p></td><td><p><b>Meta, Llama stack</b></p></td></tr><tr><td><p>Safety document</p></td><td><p>System card, May 28 2026, 244 pages</p></td><td><p>System card, April 23 2026, updated April 24</p></td><td><p>Model card plus a separate Frontier Safety Framework report</p></td><td><p>No closed-model card. Open weights plus the Purple Llama stack</p></td></tr><tr><td><p>Injection benchmark or dataset</p></td><td><p><a href="https://arxiv.org/abs/2507.20526">ART</a> from Gray Swan and UK AISI, the Shade tool, plus an internal browser eval, 129 environments</p></td><td><p>Internal connectors evaluation, known attacks</p></td><td><p>None for injection</p></td><td><p>AgentDojo, 97 tasks</p></td></tr><tr><td><p>Surfaces with an injection eval</p></td><td><p>Four. Tool use, coding, computer use, browser</p></td><td><p>One. Connectors</p></td><td><p>None published for injection</p></td><td><p>One. AgentDojo agent tasks</p></td></tr><tr><td><p>Multi-attempt escalation shown</p></td><td><p>Yes. ART benchmark at 1, 10, 100. Coding and computer use at 1 and 200</p></td><td><p>No. A single score</p></td><td><p>No</p></td><td><p>No</p></td></tr><tr><td><p>Headline metric and unit</p></td><td><p>Attack-success rate. Browser, with thinking, 31.5% raw, 0.5% safeguarded</p></td><td><p>Robustness score, higher is better. 0.963, down from 0.998 for GPT-5.4-thinking</p></td><td><p>None published. Increased resistance claimed qualitatively</p></td><td><p>Attack-success rate on AgentDojo. 17.6% baseline to 1.75% combined</p></td></tr><tr><td><p>Live external bounty</p></td><td><p>Yes. One-week live injection bounty with external red-teamers</p></td><td><p>No injection bounty. 
Bio bounty only</p></td><td><p>None found</p></td><td><p>None found</p></td></tr><tr><td><p>Regression disclosed</p></td><td><p>Yes, explicit, with numbers</p></td><td><p>Number fell 0.998 to 0.963, not framed as a regression</p></td><td><p>Increased resistance claimed, no numbers</p></td><td><p>Not applicable</p></td></tr></tbody></table><h2>Five factors security teams need to consider now</h2><p>Anthropic tested four surfaces and printed every number. OpenAI tested one. Google printed no per-surface rate. Meta graded its guardrails, not the model. The four disclosures do not add up to a comparison. These five steps build one.</p><p><b>Pull every agent you have deployed or scoped and tag each by the surface it touches, browser, code, connectors, or desktop.</b> Anthropic&#x27;s rate for <a href="https://cdn.sanity.io/files/4zrzovbb/website/c886650a2e96fc0925c805a1a7ca77314ccbf4a6.pdf">Opus 4.8</a> runs 2.09% on coding and 0.5% on browser. A blended number covers neither. Pull the vendor&#x27;s published rate for your specific surface. If the vendor never published one, treat it as untested.</p><p><b>Send the Cross-Vendor grid to every vendor under evaluation.</b> A <a href="https://openai.com/index/gpt-5-5-system-card/">0.963 connectors score</a> and a 31.5% browser rate were never on one scale. Demand a per-surface attack success rate, raw and safeguarded, with the attacker methodology named. The blank cells are the surfaces with no first-party evidence.</p><p><b>Confirm in writing which number your integration gets.</b> Anthropic&#x27;s 0.5% comes from Claude in Chrome and Cowork with the full safeguard stack. On the API, the model ships without them. Do not accept a product number for an API deployment.</p><p><b>Add two clauses to the RFP.</b> The vendor tested with an adaptive attacker that rewrites payloads against the model, and someone outside the company tried to break it. Anthropic ran Gray Swan&#x27;s adaptive Shade tool and a one-week paid bounty. 
OpenAI tested known attacks on one surface. Adversaries do not submit known payloads.</p><p><b>Run your own injection test before any agent ships.</b> Vendor numbers come from vendor environments with vendor system prompts. Your stack has its own prompts, permissions, and data access. Set a pass threshold. Anything above it does not go live.</p><p><b>The bottom line. </b>No standard exists for this yet. A vendor&#x27;s number tells you what it chose to measure. Your own red team tells you what you are exposed to.</p>]]></description>
            <author>louiswcolumbus@gmail.com (Louis Columbus)</author>
            <category>Security</category>
            <enclosure url="https://images.ctfassets.net/jdtwqhzvc2n1/4HRY3GcnERUOX9hYWvCPIE/9f0831912aa5741f124b39d1c6ebb4a9/HERO.png?w=300&amp;q=30" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[AI doesn't break security. Complexity does]]></title>
            <link>https://venturebeat.com/security/ai-doesnt-break-security-complexity-does</link>
            <guid isPermaLink="false">3DBxaEr4UKbx8UeQdl8ZoC</guid>
            <pubDate>Mon, 01 Jun 2026 07:00:00 GMT</pubDate>
            <description><![CDATA[<p><i>Presented by Snowflake</i></p><hr/><p>Too often, the history of enterprise security has been a history of making things harder to use. A new threat emerges, a new control gets bolted on, and somewhere in the process, people start working around the very systems designed to protect them.</p><p>Over the course of my career, I’ve seen firsthand that security adoption rarely fails because people don’t care about security. It fails because the secure path feels harder than the insecure one.</p><p>In the age of AI, that lesson matters more than ever.</p><p>AI expands the attack surface and raises the ceiling on what attackers can do, which makes simplifying security even more critical. Security controls that require effort or inconvenience eventually get ignored. People find workarounds. The answer is to make the secure path the easiest path.</p><h2>Security works best when it gets out of the way</h2><p>When security is easier to use than to avoid, people adopt it. Years ago, when the industry was rolling out two-factor authentication at scale, the biggest challenge wasn’t building the security itself, but the friction that came with using it. People had to stop what they were doing, grab a phone, launch a VPN, enter codes, and interrupt their workflow just to log in.</p><p>What ultimately drove adoption wasn’t policy, compliance requirements, or security training. It was simplicity. Now that it’s as easy as a fingerprint or a face scan, people use it without hesitation.</p><p>The same principle drove browser makers to make security more visible and intuitive for everyday users. Rather than expecting people to manually inspect URLs, modern browsers prominently flag non-HTTPS sites as insecure, helping guide users toward safer behavior by default. 
Security became stronger in part because the secure path also became the easier and more obvious one.</p><h2>Where complexity shows up in AI</h2><p>Agent permissions are a good example of where this plays out in AI systems. Employees accumulate numerous permissions over time through a project here, a system access there, a role that never got cleaned up after a team change. Humans know which access is relevant to a task even if the system doesn&#x27;t actively enforce it.</p><p>Agents lack that judgment. An agent assigned to a problem will probe every available path. If it can access 12 systems but the task requires only two, it might still explore the other 10. It’s just being thorough, but the result is a potential attack surface far larger than the task required.</p><p>The temptation is to put a human in the loop by flagging significant actions and asking for approval before proceeding. But in practice, an agent may prompt a human to approve a deeply technical action without enough context to judge whether it’s appropriate. In most cases, they’ll approve it simply to keep the workflow moving. This only adds friction and a false sense of oversight.</p><p>What&#x27;s really needed is a permissioning model built around intent. The agent should have only the credentials it needs for a specific task, and they should expire when it’s done. The industry is already beginning to move toward better models. Standards like OAuth are evolving to support agentic AI, allowing agents to carry the identities scoped to a specific task, rather than a user&#x27;s full permission set.</p><h2>Making AI security easy to use</h2><p>Ease of use starts with visibility, so the first priority is knowing what&#x27;s actually happening. Where are your agents connecting? What data are they touching? What permissions are they exercising?</p><p>Many enterprises are surprised by the answer when they first look. Most organizations operate with roughly 80% visibility and control. 
The problem is the remaining 20%, because that’s where the real risk tends to live. AI is going to find those gaps far faster than humans can. Start with monitoring, even if you’re not ready to enforce anything yet. Use AI to sift through what you find and prioritize the highest-risk behaviors. Then close those down systematically.</p><p>On the identity side, move toward workload identity wherever you can. The old model of creating service accounts, downloading keys, and distributing them across your infrastructure is fragile and hard to audit. Modern cloud environments offer a better approach: a workload&#x27;s identity is established at deployment and credentials are never distributed as static keys. The management burden drops and the attack surface shrinks with it.</p><p>For agents specifically, resist the temptation to give them broad permissions on the assumption that human approvals will catch problems before they happen. Scope agent access to the task at hand and ensure those permissions expire once the work is complete. For teams managing multiple agent-to-tool connections, MCP gateways are emerging as a practical way to encode governance rules centrally rather than tool by tool. Keep a human in the loop for consequential actions, not every action, particularly those where the blast radius of a mistake is meaningful.</p><h2>The pace of risk is accelerating</h2><p>In the AI era, the gap between exposure and exploitation is rapidly disappearing, collapsing from days to hours and, in some cases, minutes. <a href="https://www.crowdstrike.com/en-us/global-threat-report/">CrowdStrike&#x27;s 2026 Global Threat Report</a> documents that the average attacker breakout time has accelerated by 65% year over year. As AI becomes more capable of autonomously identifying weaknesses, security teams relying on manual response processes will fall behind.</p><p>The answer, though, hasn&#x27;t changed. Security that creates friction will eventually get bypassed. 
Security embedded directly into the architecture, enforced by default and invisible in practice, is the kind that actually holds. AI raises the stakes, but the principle remains the same: security only works when the secure path is also the easiest one.</p><p><i>Mayank Upadhyay is Chief Security &amp; Trust Officer at Snowflake.</i></p><hr/><p><i>Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. For more information, contact </i><a href="mailto:sales@venturebeat.com"><i><u>sales@venturebeat.com</u></i></a><i>.</i></p>]]></description>
            <category>Security</category>
            <enclosure url="https://images.ctfassets.net/jdtwqhzvc2n1/1iVusO8EnvWSpxMyDbBrFh/48054be1bd6cc99f704d359b2e91f5bc/AdobeStock_1931391777.jpeg?w=300&amp;q=30" length="0" type="image/jpeg"/>
        </item>
        <item>
            <title><![CDATA[Claude Mythos exposed a hard truth: Your enterprise patching process is way too slow]]></title>
            <link>https://venturebeat.com/security/claude-mythos-exposed-a-hard-truth-your-enterprise-patching-process-is-way-too-slow</link>
            <guid isPermaLink="false">6ZLGO8WIjIWoOW1eEUmQ6Y</guid>
            <pubDate>Sun, 31 May 2026 16:30:23 GMT</pubDate>
            <description><![CDATA[<p>In 2024,<a href="https://arxiv.org/abs/2404.08144"> <u>researchers from the University of Illinois</u></a> found that GPT-4, when provided with a common vulnerabilities and exposures (CVE) description, could autonomously exploit 87% of a curated 15-vulnerability one-day dataset. Without the description, it could only exploit 7%. This provided a “margin of safety” for the industry because while AI could exploit known vulnerabilities, it could not discover them. </p><p>However, on April 7,<a href="https://www.anthropic.com/glasswing"> <u>Anthropic announced</u></a> that Claude Mythos Preview had closed that margin, with the model autonomously discovering thousands of zero-day vulnerabilities across major operating systems and browsers. Separately, Mythos scored 83.1% on the CyberGym vulnerability reproduction benchmark. In one campaign targeting OpenBSD across 1,000 scaffold runs, the total compute cost was less than $20,000. </p><p>Exploitation timelines are collapsing. Langflow’s CVE-2026-33017 (CVSS 9.8) was<a href="https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours"> <u>exploited 20 hours after disclosure</u></a> with no public proof-of-concept. Marimo’s CVE-2026-39987 (CVSS 9.3) was<a href="https://www.sysdig.com/blog/marimo-oss-python-notebook-rce-from-disclosure-to-exploitation-in-under-10-hours"> <u>hit in 9 hours and 41 minutes</u></a>.</p><p>The defensive infrastructure most organizations rely on wasn’t designed for this.<a href="https://www.rapid7.com/research/report/global-threat-landscape-report-2026/"> <u>Rapid7’s 2026 threat landscape report</u></a> states that the median time from CVE publication to CISA&#x27;s known exploited vulnerabilities (KEV) listing is five days.<a href="https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026"> <u>Google’s M-Trends 2026</u></a> report found that exploitation is happening before a patch is even released. 
When the Langflow advisory was published, the first exploit arrived in 20 hours. When the Marimo advisory was published, it took under 10 hours. </p><p>The assumption that your patch window is safe because exploitation takes time is no longer true. Here are your building blocks.</p><h2><b>Replace CVSS-only prioritization with a three-layer filter</b></h2><p>Most vulnerability management programs still prioritize by CVSS score alone. CVSS quantifies a vulnerability’s “theoretical” severity without considering whether a vulnerability is being exploited in the wild or how quickly someone could weaponize it. A CVSS 8.8 vulnerability with a history of active exploitation (like Docker’s<a href="https://nvd.nist.gov/vuln/detail/CVE-2026-34040"> <u>CVE-2026-34040</u></a>) gets lower priority than a CVSS 9.8 vulnerability that may never be exploited in the wild.</p><p>A<a href="https://arxiv.org/abs/2506.01220"> <u>recent study</u></a> validated against 28,377 real-world vulnerabilities offers a concrete replacement: A three-layer decision tree incorporating CISA KEV status, Exploit Prediction Scoring System (EPSS) scores, and CVSS, thus forming a singular prioritization filter.</p><h4><b>Three-Layer Vulnerability Prioritization Filter</b></h4><table><tbody><tr><td><p><b>Layer</b></p></td><td><p><b>Data source</b></p></td><td><p><b>Threshold</b></p></td><td><p><b>Action</b></p></td><td><p><b>SLA</b></p></td></tr><tr><td><p>1. Active exploitation</p></td><td><p>CISA KEV catalog</p></td><td><p>Listed</p></td><td><p>Immediate patching</p></td><td><p>Hours</p></td></tr><tr><td><p>2. Predicted exploitation</p></td><td><p>EPSS via FIRST.org</p></td><td><p>Score ≥ 0.088</p></td><td><p>Escalate to Tier 0 pipeline</p></td><td><p>24 hours</p></td></tr><tr><td><p>3. 
Severity baseline</p></td><td><p>CVSS via NVD</p></td><td><p>Score ≥ 7.0</p></td><td><p>Typical remediation</p></td><td><p>Per policy</p></td></tr></tbody></table><p><i>Validated result: 18x efficiency gain, 85.6% coverage of exploited vulnerabilities, ~95% reduction in urgent remediation workload. All three data sources are open and free.</i></p><p>The described integration is entirely automatable. It’s possible to build a script to query the CISA KEV API, the EPSS API from FIRST.org, and the <a href="https://nvd.nist.gov/">NVD</a>, and have that script run against your asset inventory for every published CVE. The human in this process should remain in the loop as an approver, but not as the trigger.</p><h2><b>Close the agent authorization gap</b></h2><p>Creating exploits quickly not only changes how patches are prioritized, but how controls are configured for all the agent-driven systems that now possess privileged credentials. Your authorization policies have not been assessed against the behavior of AI agents, and that is now a measurable risk. CVE-2026-34040 showed that Docker’s authorization plugin architecture silently bypasses every plugin when the request body exceeds 1MB. Common AuthZ plugins (OPA, Casbin, Prisma Cloud) are unaware of this type of bypass, which occurs in Docker’s middleware before the request reaches the plugin.</p><p>When<a href="https://www.cyera.com/blog/cyera-research-discovers-docker-authorization-bypass-that-silently-disables-security-policies"> <u>Cyera demonstrated this vulnerability</u></a>, they showed that an AI agent debugging infrastructure could infer the bypass path while completing a legitimate task, without any instruction to exploit anything.</p><p>The Internet Engineering Task Force (IETF) is working on authorization models for agents. 
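</p><p>The bypass described above is a fail-open design: a size check in the middleware decides before any policy runs. The following is an added example, not Docker&#x27;s code and not Cyera&#x27;s proof of concept. It models that failure class in a few lines beside the fail-closed alternative, and generates the oversized-body test matrix from action 3 below (bodies just over 1, 5 and 10 MiB carrying a privileged flag, a Docker socket bind mount and a SYS_ADMIN capability). The 1 MiB threshold, the request path, and the policy plugin are assumptions made for illustration.</p>
```python
"""Fail-open vs fail-closed authorization middleware, with agent-scale tests.

Added example. This is NOT Docker's code: it is a constructed model of the
failure class described in the text (plugins skipped once the body exceeds a
size limit) so the oversized-body test cases can be exercised offline.
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List

MIB = 1024 * 1024
BODY_LIMIT = 1 * MIB        # assumed threshold, taken from the "1MB" in the text


@dataclass
class Request:
    method: str
    path: str
    body: bytes = b""
    label: str = ""         # test-case name, not part of a real request


Plugin = Callable[[Request], bool]   # True allows, False denies


def deny_privileged_plugin(req: Request) -> bool:
    """Deny container creation that asks for privileged mode, a Docker socket
    bind mount or SYS_ADMIN. Stands in for an OPA/Casbin policy."""
    if req.method != "POST" or not req.path.startswith("/containers/create"):
        return True
    try:
        spec = json.loads(req.body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return False                     # unparseable body: deny
    host = spec.get("HostConfig", {})
    if host.get("Privileged"):
        return False
    if any(b.startswith("/var/run/docker.sock") for b in host.get("Binds", [])):
        return False
    if "SYS_ADMIN" in host.get("CapAdd", []):
        return False
    return True


def vulnerable_middleware(req: Request, plugins: List[Plugin]) -> bool:
    """Fail-open model: an oversized body skips the plugin chain entirely,
    so the request is allowed without any policy ever seeing it."""
    if len(req.body) > BODY_LIMIT:
        return True                      # the bypass
    return all(plugin(req) for plugin in plugins)


def hardened_middleware(req: Request, plugins: List[Plugin]) -> bool:
    """Fail-closed model: an oversized body is rejected before policy runs,
    so a size limit can never become a silent bypass."""
    if len(req.body) > BODY_LIMIT:
        return False
    return all(plugin(req) for plugin in plugins)


def create_body(host_config: dict, pad_to: int = 0) -> bytes:
    """Build a /containers/create body and pad it past pad_to bytes with an
    ignored field, so that only the byte count changes, not the semantics."""
    spec = {"Image": "alpine", "HostConfig": host_config}
    raw = json.dumps(spec).encode("utf-8")
    if pad_to > len(raw):
        spec["Padding"] = "x" * (pad_to - len(raw))
        raw = json.dumps(spec).encode("utf-8")
    return raw


def agent_scale_cases() -> List[Request]:
    """The test matrix from action 3: privileged, host-mount and capability
    requests at ordinary size and with bodies just over 1, 5 and 10 MiB."""
    privileged = {"Privileged": True}
    socket_mount = {"Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}
    cap_add = {"CapAdd": ["SYS_ADMIN"]}
    cases = [Request("POST", "/containers/create", create_body(privileged), "privileged-small")]
    for mib in (1, 5, 10):
        cases.append(Request("POST", "/containers/create",
                             create_body(privileged, pad_to=mib * MIB + 1),
                             f"privileged-{mib}MiB"))
    cases.append(Request("POST", "/containers/create",
                         create_body(socket_mount, pad_to=MIB + 1), "docker-sock-1MiB"))
    cases.append(Request("POST", "/containers/create",
                         create_body(cap_add, pad_to=MIB + 1), "sys-admin-1MiB"))
    return cases


def run_suite(middleware) -> Dict[str, bool]:
    """label -> allowed. Every case is a privilege escalation, so a correct
    middleware returns False for all of them."""
    return {c.label: middleware(c, [deny_privileged_plugin]) for c in agent_scale_cases()}


if __name__ == "__main__":
    for name, mw in (("vulnerable", vulnerable_middleware), ("hardened", hardened_middleware)):
        print(name, run_suite(mw))
```
<p>Run against the fail-open model, only the small privileged request is denied; every padded variant is allowed without the plugin being consulted, which is exactly what a policy engine cannot see from its own logs. The fail-closed model denies all six. Burst-rate and multi-step escalation cases are not modeled here; they need a running endpoint rather than an in-process check.</p><p>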
The document<a href="https://datatracker.ietf.org/doc/draft-klrc-aiagent-auth/"> <u>draft-klrc-aiagent-auth-01</u></a>, published in March by participants from AWS, Zscaler, Ping Identity, and OpenAI, proposes the use of the current Secure Production Identity Framework for Everyone (SPIFFE) and OAuth 2.0 for AI agents to obtain dynamically provisioned and short-lived credentials. </p><p>Separately, the IETF<a href="https://datatracker.ietf.org/doc/draft-prakash-aip/"> <u>Agent Identity Protocol draft</u></a> (draft-prakash-aip-00) reports that out of about 2,000 surveyed model context protocol (MCP) servers, none had authentication. </p><p>But these standards are months to years away from implementation. For now, security teams must proactively incorporate agent-level test scenarios for all authorization boundaries, such as oversized requests, burst frequency, and multi-step escalation of privileged requests.</p><h2><b>Map your credential blast radius</b></h2><p>In a<a href="https://cloudsecurityalliance.org/press-releases/2026/04/16/more-than-half-of-organizations-experience-ai-agent-scope-violations-cloud-security-alliance-study-finds"> <u>survey conducted by CSA/Zenity</u></a> and published on April 16, 53% of organizations said they had already seen cases where AI agents exceeded their intended permissions, and 47% experienced a security incident involving an agent. </p><p>When AI builder tools such as<a href="https://thehackernews.com/2026/04/flowise-ai-agent-builder-under-active.html"> <u>Flowise</u></a> (CVE-2025-59528, CVSS 10.0), Langflow, or n8n become compromised, the blast radius extends far beyond the host. These tools contain API keys to frontier models, database credentials, vector store tokens, and OAuth tokens to business systems. A compromised AI builder host is not just a single-system breach. 
It is a credential harvest that unlocks authenticated access to every connected service.</p><p>Without a credential dependency map for each AI tool host, incident response for an agent compromise is guesswork. For every instance, document each credential, the extent of its access, and its rotation procedure. Also begin migrating static API keys to short-lived tokens where downstream services allow.</p><h2><b>Five actions for this quarter</b></h2><p><b>1. Deploy the three-layer KEV-EPSS-CVSS filter.</b></p><p>Replace CVSS-only prioritization with the filter in the table above. Automate collection from all three APIs in a scheduled script that runs against your asset inventory. Desired outcome: the validated 18x efficiency gain, 85.6% coverage of exploited vulnerabilities, and ~95% reduction in urgent remediation workload.</p><p><b>2. Implement event-driven patching for Tier 0 services.</b> </p><p>Determine which services fall under the critical exposure tier: services exposed directly to internet users, AI builder hosts, and container orchestration control planes. For this tier, trigger patching on CVE publication instead of waiting for the next maintenance window. </p><p>Goal: deploy the patch to a canary within four hours of a CVE being declared critical, using the CISA KEV and EPSS feeds as the trigger. Where four-hour patching is impossible because of legacy dependencies, change-freeze windows, or rollback risk, immediately apply compensating controls: remove internet exposure for the vulnerable service, rotate its credentials, disable the affected functionality where applicable, and name an exception owner for the exposure until a patch can be deployed. </p><p>It is not acceptable to leave unbounded exposures open for extended periods while awaiting a maintenance window.</p><p><b>3. 
Test authorization boundaries at agent scale.</b> </p><p>Create test cases for every API that AI agents reach through an AuthZ policy. Include requests with bodies exceeding 1MB, 5MB, and 10MB, bursts above 100 requests per second, and unusual parameter combinations (privileged flags, host mounts, capability additions). Additionally,<a href="https://www.csoonline.com/article/4157405/old-docker-authorization-bypass-pops-up-despite-previous-patch.html"> <u>patch to Docker Engine 29.3.1</u></a> to fix CVE-2026-34040.</p><p><b>4. Credential blast radius mapping for all AI builder hosts.</b> </p><p>Document each credential held by every Langflow, Flowise, n8n, and custom AI pipeline instance. Classify each credential by its lifespan (static key vs. short-lived token) and record what it can access. Alert on use of any credential from an anomalous IP or identity.</p><p><b>5. Shadow AI discovery scan for this week.</b> </p><p>In the CSA survey above, more than half of the organizations had already seen agents exceed their intended permissions; assume yours are no exception. Check your Security Information and Event Management (SIEM) and network monitoring tools for connections to the default ports of the AI builders: Langflow 7860, Flowise 3000, and n8n 5678. Any unauthorized instance is an unmonitored attack surface.</p><h2>The takeaway</h2><p>AI agents are emerging, and the standards bodies are responding. The IETF has multiple drafts related to agent authentication and authorization. The<a href="https://www.coalitionforsecureai.org/"> <u>Coalition for Secure AI</u></a> has published its <a href="https://www.coalitionforsecureai.org/wp-content/uploads/2026/03/model-context-protocol-security-1.pdf"><u>MCP Security taxonomy</u></a> and <a href="https://www.coalitionforsecureai.org/announcing-the-cosai-principles-for-secure-by-design-agentic-systems/"><u>Secure-by-Design principles</u></a>. 
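</p><p>Action 1 above calls for a scheduled script that runs the three-layer filter against the asset inventory. Here is an added example of that decision tree, not code from the article or from the cited study. It parses payloads in the shape the CISA KEV feed, the FIRST EPSS API and the NVD 2.0 API publish, applies the thresholds from the table in order, and keeps only CVEs that some inventoried asset actually carries. The payloads are constructed and their values illustrative (including the KEV membership and EPSS figure shown for CVE-2026-34040); a live job would fetch them from the URLs noted in the comments.</p>
```python
"""Three-layer KEV / EPSS / CVSS prioritization filter.

Added example, not the article's or the cited study's code. The layer order and
thresholds are the ones in the table; the feed payloads are CONSTRUCTED in the
shape the public feeds return and carry made-up values.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

EPSS_THRESHOLD = 0.088   # layer 2, from the table
CVSS_THRESHOLD = 7.0     # layer 3, from the table

# Live sources a scheduled job would pull (not queried here):
#   KEV  https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
#   EPSS https://api.first.org/data/v1/epss?cve=CVE-YYYY-NNNN
#   NVD  https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-YYYY-NNNN


def parse_kev(kev_json: dict) -> Set[str]:
    """CVE IDs in the KEV catalogue (the feed's key is cveID)."""
    return {v["cveID"] for v in kev_json.get("vulnerabilities", [])}


def parse_epss(epss_json: dict) -> Dict[str, float]:
    """cve -> EPSS probability; the API serialises numbers as strings."""
    return {row["cve"]: float(row["epss"]) for row in epss_json.get("data", [])}


def parse_nvd_cvss(nvd_json: dict) -> Dict[str, float]:
    """cve -> highest CVSS v3.1 base score in the NVD 2.0 record."""
    scores: Dict[str, float] = {}
    for item in nvd_json.get("vulnerabilities", []):
        cve = item["cve"]
        metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
        if metrics:
            scores[cve["id"]] = max(float(m["cvssData"]["baseScore"]) for m in metrics)
    return scores


@dataclass(frozen=True)
class Decision:
    cve: str
    layer: int            # 1 KEV, 2 EPSS, 3 CVSS, 0 below every threshold
    action: str
    sla: str
    cvss: float
    assets: Tuple[str, ...]


def prioritize(cve: str, kev: Set[str], epss: Dict[str, float],
               cvss: Dict[str, float], assets: Tuple[str, ...] = ()) -> Decision:
    """Walk the three layers in order; the first one that fires decides."""
    score = cvss.get(cve, 0.0)
    if cve in kev:
        return Decision(cve, 1, "Immediate patching", "Hours", score, assets)
    if epss.get(cve, 0.0) >= EPSS_THRESHOLD:
        return Decision(cve, 2, "Escalate to Tier 0 pipeline", "24 hours", score, assets)
    if score >= CVSS_THRESHOLD:
        return Decision(cve, 3, "Typical remediation", "Per policy", score, assets)
    # Not in the table: anything below all three thresholds goes to the backlog.
    return Decision(cve, 0, "Backlog", "None", score, assets)


def run_filter(inventory: Dict[str, List[str]], kev: Set[str],
               epss: Dict[str, float], cvss: Dict[str, float]) -> List[Decision]:
    """inventory maps each CVE to the assets carrying it (scanner output,
    constructed below). CVEs with no affected asset are dropped; the rest are
    ordered by layer, then by CVSS within a layer, for the approver."""
    decisions = [prioritize(cve, kev, epss, cvss, tuple(assets))
                 for cve, assets in inventory.items() if assets]
    return sorted(decisions, key=lambda d: (d.layer if d.layer else 99, -d.cvss))


# Constructed payloads in the feeds' shapes. Values are illustrative only.
SAMPLE_KEV = {"vulnerabilities": [
    {"cveID": "CVE-2026-34040", "vendorProject": "Docker", "product": "Docker Engine"},
]}
SAMPLE_EPSS = {"data": [
    {"cve": "CVE-2026-34040", "epss": "0.71000", "percentile": "0.98000"},
    {"cve": "CVE-2026-00001", "epss": "0.01200", "percentile": "0.70000"},
    {"cve": "CVE-2026-00002", "epss": "0.15000", "percentile": "0.95000"},
]}
SAMPLE_NVD = {"vulnerabilities": [
    {"cve": {"id": "CVE-2026-34040", "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 8.8}}]}}},
    {"cve": {"id": "CVE-2026-00001", "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]}}},
    {"cve": {"id": "CVE-2026-00002", "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 6.5}}]}}},
    {"cve": {"id": "CVE-2026-00003", "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5}}]}}},
]}
SAMPLE_INVENTORY = {           # cve -> assets, as a scanner would report it
    "CVE-2026-34040": ["ci-runner-01", "ci-runner-02"],
    "CVE-2026-00001": ["intranet-wiki"],
    "CVE-2026-00002": ["langflow-dev"],
    "CVE-2026-00003": ["batch-01"],
    "CVE-2026-00004": [],      # nothing in the estate carries it
}

if __name__ == "__main__":
    for d in run_filter(SAMPLE_INVENTORY, parse_kev(SAMPLE_KEV),
                        parse_epss(SAMPLE_EPSS), parse_nvd_cvss(SAMPLE_NVD)):
        print(f"layer {d.layer}  {d.cve}  CVSS {d.cvss}  {d.action} ({d.sla})  {list(d.assets)}")
```
<p>The ordering is the point: the constructed CVSS 9.8 with a low EPSS lands in layer 3, behind the exploited 8.8 in layer 1 and a CVSS 6.5 that EPSS flags in layer 2, which is the inversion of CVSS-only triage the article describes. Have the job open the tickets itself and leave the human as approver of the output rather than as the trigger. Because EPSS scores are recomputed daily, record the score date alongside each decision so coverage numbers can be audited later.</p><p>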
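</p><p>Action 5 is a query that can run today. The following added example (not the article&#x27;s code) applies that check offline to constructed Zeek-style connection records: it keeps TCP connections to the three default ports, drops destinations already in the approved inventory, and reports distinct clients, connection count and first sighting per host and port. The field positions and the approved-host set are assumptions; adjust both to your SIEM export and your asset list.</p>
```python
"""Shadow AI builder discovery over connection logs.

Added example. The log lines are CONSTRUCTED in a Zeek-style tab-separated
layout (ts, id.orig_h, id.resp_h, id.resp_p, proto); change the field
positions to match your SIEM export. The ports are the defaults named in
action 5; the approved-host set stands in for your inventory.
"""
from typing import Dict, Iterable, Optional, Set

DEFAULT_PORTS = {7860: "Langflow", 3000: "Flowise", 5678: "n8n"}


def parse_conn_line(line: str) -> Optional[dict]:
    """One TSV record -> dict, or None for headers, comments and short rows."""
    if line.startswith("#"):
        return None
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    ts, src, dst, port, proto = parts
    try:
        return {"ts": float(ts), "src": src, "dst": dst, "port": int(port), "proto": proto}
    except ValueError:
        return None


def find_unapproved_builders(lines: Iterable[str], approved: Set[str]) -> Dict[str, dict]:
    """Group TCP connections to a builder default port by destination host:port,
    skipping hosts already in the approved inventory. Returns the candidate tool,
    distinct clients, connection count and first sighting for each."""
    findings: Dict[str, dict] = {}
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        tool = DEFAULT_PORTS.get(rec["port"])
        if tool is None or rec["dst"] in approved:
            continue
        key = f"{rec['dst']}:{rec['port']}"
        entry = findings.setdefault(key, {"tool": tool, "clients": set(),
                                          "connections": 0, "first_seen": rec["ts"]})
        entry["clients"].add(rec["src"])
        entry["connections"] += 1
        entry["first_seen"] = min(entry["first_seen"], rec["ts"])
    return findings


# Constructed sample: two hosts answering on builder ports, one of them sanctioned.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tproto
1717400001.0\t10.20.1.15\t10.20.5.40\t7860\ttcp
1717400002.0\t10.20.1.16\t10.20.5.40\t7860\ttcp
1717400003.0\t10.20.1.15\t10.20.5.41\t5678\ttcp
1717400004.0\t10.20.1.17\t10.20.9.9\t3000\ttcp
1717400005.0\t10.20.1.17\t10.20.9.9\t443\ttcp
1717400006.0\t10.20.1.18\t10.20.5.40\t7860\tudp
1717400007.0\t10.20.1.19\t10.20.5.41\t5678\ttcp
"""
APPROVED_BUILDER_HOSTS = {"10.20.5.41"}     # the inventoried n8n instance

if __name__ == "__main__":
    for key, f in find_unapproved_builders(SAMPLE_CONN_LOG.splitlines(), APPROVED_BUILDER_HOSTS).items():
        print(f"{key}: possible {f['tool']}, {len(f['clients'])} clients, "
              f"{f['connections']} connections, first seen {f['first_seen']}")
```
<p>Treat a hit as a candidate, not a conviction: 3000 is the default port of many development web servers and 7860 is also the default for Gradio apps, so confirm each host by banner or an authenticated HTTP probe before calling it a Flowise or Langflow instance. Hosts you confirm go either into the approved set or straight into the credential blast radius map from action 4.</p><p>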
</p><p>But these standards move at standards-body speed, and the exploit window is now measured in hours. Organizations that implement the three-layer filter and event-driven patching this quarter will have a measurable reduction in exposure. Those who wait will be running calendar-based patch cycles against an adversary that operates in less than 20 hours. </p><p><i>Nik Kale is a principal engineer specializing in enterprise AI platforms and security</i></p>]]></description>
            <category>Security</category>
            <category>DataDecisionMakers</category>
            <enclosure url="https://images.ctfassets.net/jdtwqhzvc2n1/2cA0GCQpD8tpycEMmf0mwY/617d2d6214e1fadcb252519b00a1ec60/u7277289442_A_modern_interpretation_of_cybersecurity._3D._--a_48e0894a-799a-4645-9c75-f18358f3b4bf_3.png?w=300&amp;q=30" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[DataGrail report finds your vendor may be sending data to AI models you never approved]]></title>
            <link>https://venturebeat.com/security/datagrail-report-finds-your-vendor-may-be-sending-data-to-ai-models-you-never-approved</link>
            <guid isPermaLink="false">6QkX7JTVdaJWQeypRbzgJ7</guid>
            <pubDate>Wed, 27 May 2026 16:00:00 GMT</pubDate>
            <description><![CDATA[<p>The data processing agreement (DPA) — the bedrock contract companies use to evaluate how vendors handle personal data — can no longer be trusted at face value. That is the central, and arguably most alarming, conclusion of DataGrail&#x27;s <a href="https://www.datagrail.io/resources/interactive/data-privacy-trends-report-2026/"><i>Privacy and AI Trends Report 2026</i></a>, released today.</p><p>The San Francisco-based privacy platform analyzed 2,400 popular business software providers and found that 63.6% of vendors that prominently advertise AI capabilities do not disclose a third-party AI subprocessor in their legal documentation. The implication: the majority of companies purchasing AI-enabled software may be unknowingly exposing their customers&#x27; data to AI models and pipelines they never reviewed, never approved, and may not even know exist.</p><p>&quot;All software vendors are trying to move to become AI vendors, which makes sense, but the technologies are moving faster than AI governance can actually keep up,&quot; DataGrail co-founder and CEO Daniel Barber told VentureBeat in an exclusive interview ahead of the report&#x27;s release. &quot;The DPA should be the reliable document that teams use to evaluate AI risk, but based on that number, that&#x27;s not enough in 2026.&quot;</p><p>The finding drops into an enterprise landscape where organizations with high levels of shadow AI already experience average breach costs of $4.63 million — $670,000 more than those with low or no shadow AI, according to IBM&#x27;s <a href="https://www.ibm.com/reports/data-breach">2025 Cost of Data Breach Report</a>. And it arrives in a year when U.S. 
states gave out <a href="https://www.gartner.com/en/newsroom/press-releases/2026-04-28-gartner-estimates-us-states-privacy-fines-totaled-3-point-425-billion-dollars-in-2025-trend-expected-to-accelerate-through-2028?utm_campaign=SM_GB_YOY_GTR_SOC_SF1_SM-PR&amp;utm_source=threads,twitter&amp;utm_medium=social">$3.425 billion in privacy-related fines</a> — more than the last five years combined — a trend Gartner expects to accelerate through 2028.</p><h2><b>How researchers uncovered the growing gap between AI vendor contracts and reality</b></h2><p>DataGrail&#x27;s methodology for arriving at the 63.6% figure goes well beyond reading contracts. The company&#x27;s research team cross-referenced DPA disclosures against product documentation, GitHub environments, API connections, and marketing materials for each of the 2,400 vendors in its tracking universe.</p><p>Barber walked VentureBeat through the process: &quot;We looked at the DPA as the baseline, but then what we also looked at is the GitHub environment, the API connections that a particular vendor has, the product documentation, the marketing documentation, and triangulate that information to discern — okay, so the DPA document says use OpenAI, but actually you&#x27;ve got these three AI subprocessors over here in your product documentation outlining features and functionality, but that is not reflected in your DPA.&quot;</p><p>When asked directly about how confident he was that these gaps represent actual shadow AI risk rather than vendors using proprietary technology, Barber was unequivocal. &quot;Very confident, because we looked at the sample of the 2,400 systems, and we spent a substantial amount of time actually looking at product documentation, GitHub environments, looking at actual API connections, because we integrate with these systems as well, so we know how they process personal information. 
It is from primary research.&quot;</p><p>The disclosure gap matters because it undermines the entire chain of trust that privacy programs rely on. Consider a scenario Barber described: A company invests in an AI recruiting tool. The tool&#x27;s DPA lists Claude as its foundational model. The company dutifully performs a security review of Anthropic&#x27;s AI. But the recruiting tool also quietly uses OpenAI and Gemini behind the scenes — models the company never evaluated. </p><p>Those undisclosed models then process thousands of resumes and execute automated hiring decisions. The company, without knowing it, has exposed sensitive personal information — home addresses, financial data, possibly Social Security numbers — to AI systems it never vetted, potentially violating FTC regulations on automated decision-making in employment. &quot;How those vendors are evaluating and performing that automated decision making could be really disastrous for a business,&quot; Barber said.</p><h2><b>One-third of AI systems also process sensitive data, and the true number is likely higher</b></h2><p>The disclosure gap alone would be concerning enough. But <a href="https://www.datagrail.io/resources/interactive/data-privacy-trends-report-2026/">DataGrail&#x27;s report</a> layers on another finding that makes the problem materially worse: 32.8% of AI systems that disclose AI capabilities also disclose at least one other high-risk activity, such as processing sensitive personal information or powering automated decision-making. Among AI systems with self-reported risk factors, 47.1% process personal data, 20.7% have the potential to power automated decision-making, 16.5% process sensitive data categories like health or financial information, and 7.5% process biometric data.</p><p>The report argues these figures almost certainly undercount actual exposure, since they reflect only what vendors have formally disclosed. 
Vendors could underreport access to personal data, and the inherent flexibility of AI means even good-faith vendors might not predict riskier user applications of their tools.</p><p>This has immediate regulatory implications. The <a href="https://cppa.ca.gov/announcements/2025/20250923.html">CCPA&#x27;s new risk assessment requirement</a>, effective January 1, 2026, requires businesses to conduct and document risk assessments for processing activities that present significant privacy risks — and will require submission to CalPrivacy by April 2028, with executive attestation under penalty of perjury. </p><p>Processing sensitive personal information with AI, or using AI for automated decision-making, are precisely the activities that trigger this obligation. The report finds that 42% of companies abandoned AI initiatives in 2025 with data privacy concerns cited as a primary obstacle — a statistic sourced to <a href="https://www.spglobal.com/market-intelligence/en/news-insights/research/2025/10/generative-ai-shows-rapid-growth-but-yields-mixed-results">S&amp;P Global research</a>. Privacy teams that engage early with AI projects, Barber argues, can prevent that waste by ensuring safeguards are in place before launch, with AI risk assessments serving as the right starting point.</p><h2><b>Why consent management became 2025&#x27;s most punished privacy failure</b></h2><p>While shadow AI is still a newer category of threat, the report makes clear that traditional privacy challenges have not eased — they have intensified. Consent management was the busiest enforcement topic of 2025. California alone publicly reported $4.3 million in CCPA consent settlements, and 2025 saw over 1,400 class action wiretapping suits driven by private firms investigating tracking pixels and session replay software.</p><p>Despite this enforcement wave, 63% of the 5,000 websites DataGrail audited still fail to comply with universal opt-out mechanisms such as the Global Privacy Control signal. 
While that figure represents an improvement from 75% non-compliance in 2023, the pace of improvement is slow relative to the acceleration in enforcement.</p><p>Barber pointed to the case of <a href="https://www.toddsnyder.com/">Todd Snyder</a>, the menswear retailer that the California Privacy Protection Agency <a href="https://cppa.ca.gov/announcements/2025/20250506.html">fined $345,178</a> in May 2025, as evidence that enforcement is no longer reserved for big tech. &quot;This is a business that has two or three stores across the U.S. They have 300 employees,&quot; he said. &quot;They run tight margins because they&#x27;re a consumer menswear clothing store.&quot;</p><p>The California Attorney General also reached a <a href="https://oag.ca.gov/news/press-releases/california-wont-let-it-go-attorney-general-bonta-announces-275-million">$2.75 million settlement with Disney</a> over failures to honor opt-out signals, while the California Privacy Protection Agency has brought enforcement actions against <a href="https://privacy.ca.gov/2026/03/youth-sports-media-company-to-pay-1-1-million-fine-change-practices-over-privacy-violations/">PlayOn Sports</a> and <a href="https://www.koleyjessen.com/insights/publications/lessons-for-businesses-from-2026s-first-california-privacy-enforcement-actions">Ford</a> — a pattern that demonstrates both the breadth and depth of regulatory activity. Among the trackers that fire even after a user sends a GPC signal, the report found that 27.1% come from Google Analytics and 43.8% are for targeted advertising via platforms like Meta and Microsoft.</p><p>For users who do engage with consent banners, 48.3% click &quot;Accept all,&quot; while only 12.4% select &quot;Essential only&quot; and 2.3% customize their preferences. A full 37% simply exit the banner without making a selection. 
The practical takeaway: less than 15% of users make a conscious choice to opt out of tracking, which means consent banners present relatively low business risk when properly configured — but enormous regulatory risk when they are not.</p><h2><b>Data deletion requests surge 567% as the cost of manual processing hits $1.5 million a year</b></h2><p>Data subject request volume hit an all-time high for the fifth consecutive year. Deletion requests have surged 567% since 2021 and now represent 87% of all data subject requests. Access requests, by contrast, have gradually declined as consumers skip visibility and reach straight for the delete button.</p><p>The cost is staggering. For a mid-sized organization receiving 5 million annual web visitors, the report estimates manual DSR management now runs approximately $1.5 million per year, based on Gartner&#x27;s <a href="https://trustarc.com/resource/dsr-request-management-global-comparison/">estimated cost of $1,524 per manual DSR</a>. The average cost has climbed from $238,000 in 2021 to $1.51 million in 2025 — a trajectory that makes manual processing not just inefficient but, as the report argues, &quot;irresponsible.&quot;</p><p>Barber emphasized that these numbers reflect verified human requests with bot and spam traffic excluded, and that data broker scenarios — which will see their own massive influx of requests under <a href="https://en.wikipedia.org/wiki/Delete_Act">California&#x27;s Delete Act</a> — are reported separately. &quot;That is a natural increase,&quot; Barber told VentureBeat. &quot;If you&#x27;ve now got 20-plus U.S. states with privacy regulation, it&#x27;s unlikely that we see a federal bill passed, even though we&#x27;ve seen one proposed. 
And while we don&#x27;t see federal awareness and regulation, we do see at the state level over 20 states, and that may actually increase awareness for the consumer even more.&quot;</p><p>He added a telling detail about how businesses are responding in practice: &quot;99% of DataGrail customers do process that deletion&quot; even for residents of states without privacy laws, &quot;simply because it&#x27;s too hard at this point. Discerning and even communicating to the person, &#x27;Hey, you live in Montana, sorry, you&#x27;re just in an unfortunate state without regulation&#x27; — you just can&#x27;t do that.&quot; Data brokers felt the impact most acutely, with a 398% increase in deletion requests compared to 2024 and an average of over 2,000 deletion requests handled per month.</p><h2><b>State regulators issued $3.4 billion in privacy fines last year, and both parties want more</b></h2><p>The regulatory landscape underpinning all of these trends has fundamentally shifted from education to punishment. Nearly half of U.S. states now have a <a href="https://pro.bloomberglaw.com/insights/privacy/state-privacy-legislation-tracker/">comprehensive privacy law</a> in effect, plus <a href="https://www.brookings.edu/articles/how-different-states-are-approaching-ai/">over 160 AI-specific laws</a>. State legislatures enacted 145 AI-related laws in 2025 alone, with another thousand introduced or reworked. According to Gartner, over 50% of the U.S. population is now covered by a comprehensive state privacy law, with 24 additional states expected to pass laws within five years. 
States have also begun pooling their resources, with ten forming the <a href="https://www.jdsupra.com/legalnews/two-more-states-join-consortium-of-6791648/">Consortium of Privacy Regulators</a> last year and pledging to coordinate investigations across state lines.</p><p>Barber argued that privacy enforcement is fundamentally bipartisan, which insulates it from the shifting political winds of the current administration. &quot;Privacy overall is a pretty bipartisan issue,&quot; he said. &quot;It&#x27;s easy to pass privacy regulation because constituents somewhat expect privacy in their day-to-day living. If you were flying on an airline and they said, &#x27;Okay, this seat, if you want your privacy, you&#x27;re going to have to pay $6 more,&#x27; you&#x27;re like, &#x27;I&#x27;m going to go to another airline.&#x27; It&#x27;s an expected part of a transaction at this stage.&quot;</p><p>He predicted that other states will replicate California&#x27;s enforcement model. &quot;California has their enforcement division, CalPrivacy. That group has one task: to ensure enforcement of privacy throughout businesses. Is it likely that we see other states get funding and support to fund these types of groups? Highly likely. The enforcement fines — the actual payments — go back to us as constituents. That type of model, you could imagine, being very popular across the country.&quot;</p><h2><b>Privacy teams are losing a third of their staff just as AI governance demands explode</b></h2><p>Perhaps the most paradoxical finding in the report is that privacy teams lost as much as <a href="https://www.isaca.org/resources/reports/state-of-privacy-2026">33% of their headcount last year</a>, even as their workloads expanded across every metric the report tracks. Cisco data cited in the report shows that 90% of privacy programs expanded in 2025 due to AI, while only 12% of AI governance programs are considered mature. 
Meanwhile, 74% of privacy teams planned to apply AI to privacy-related tasks in 2026, according to <a href="https://www.isaca.org/about-us/newsroom/press-releases/2026/new-isaca-study-privacy-teams-are-shrinking-increasingly-stressed">ISACA&#x27;s State of Privacy 2026 survey</a>.</p><p>Barber sees this as part of a broader macroeconomic pattern rather than a sign that organizations do not value privacy. &quot;It&#x27;s actually a fascinating macro trend, and probably one you&#x27;ve seen across all functions,&quot; he said. &quot;Businesses are driving more efficiency in all parts of the business. Privacy teams, five years ago, we would have said, &#x27;Well, there&#x27;s more regulation, the volume of deletions have increased 500%, we need more humans.&#x27; It&#x27;s become clear that AI provides capabilities that can do the work for privacy individuals.&quot; He drew an analogy: &quot;They might have had a design team of 20 people five years ago, now they have a design team of five, courtesy of Claude Design or Gamma or whatever the tool may be. I think that&#x27;s what we&#x27;re seeing here as well.&quot;</p><p>DataGrail has positioned its own AI agent, <a href="https://www.datagrail.io/blog/product/introducing-vera-the-first-complete-ai-privacy-agent/">Vera</a> — launched in March 2026 — as part of the answer. Vera is embedded within DataGrail&#x27;s existing platform and aims to automate privacy workflows across multiple jurisdictions. 
The company was also named the first production-ready<a href="https://www.datagrail.io/blog/product/whats-new-from-datagrail-february-2026/"> Model Context Protocol server for privacy</a>, using the standard created by Anthropic to enable customers to launch DataGrail tools from whatever application they are already working in, whether Slack, email, or Claude.</p><h2><b>Can a vendor-produced report be trusted to diagnose the problems that vendor sells solutions for?</b></h2><p>DataGrail is, of course, a company that directly benefits from the problems its report identifies. The company has raised a total of $84.2 million over five rounds, with its largest being a <a href="https://www.datagrail.io/press/datagrail-raises-45-million/">$45 million Series C</a> in October 2022 led by Third Point Ventures. Its platform addresses precisely the data mapping, DSR automation, consent management, and risk assessment challenges the report spotlights.</p><p>Barber acknowledged the tension directly. &quot;It&#x27;s a fair statement,&quot; he said when asked about potential skepticism. &quot;DataGrail doesn&#x27;t provide a service to keep DPAs up to date — that&#x27;s on a business to evaluate how they work with a vendor. What DataGrail does help to do is assessments, and automate those assessments using our AI agent, Vera, to assess that increased risk.&quot;</p><p>He argued that the more neutral reading of the data is structural: &quot;This is evidence to show that the DPA unfortunately is not keeping up with technology and the speed at which technology is innovating. That&#x27;s both exciting but also we need to accept that&#x27;s where we are.&quot; The methodology does lend some credibility to this claim. </p><p>The report draws on anonymized privacy operations data from hundreds of enterprise customers, the 2,400-system AI tracking database, and the 5,000-website consent audit — sources that are at least partially independent of DataGrail&#x27;s commercial interests. 
And the broader findings on enforcement spending, DSR volume trends, and regulatory expansion align closely with independently published data from Gartner, Cisco, and state enforcement agencies.</p><h2><b>The next frontier: agentic AI could spread unvetted data across entire organizations autonomously</b></h2><p>When asked about the most important trend that did not make it into the report, Barber pointed to a next-generation risk that extends the shadow AI problem into far more dangerous territory: agentic AI workflows. Gartner predicts <a href="https://www.pagerduty.com/resources/itops/analyst-report/gartner-predicts-report-2026-ai-agents-transform-it-infrastructure-operations/">40% of enterprise applications</a> will feature task-specific AI agents by end of 2026, up from under 5% in 2025 — a pace of adoption that could rapidly outstrip the governance mechanisms companies are only now beginning to build.</p><p>&quot;Where we go next with this research is agent processing,&quot; Barber said. &quot;How are agents then leveraging that information? Because the downstream ramifications would be far more concerning for a business. One particular system is using shadow AI, the business has no idea that that&#x27;s happening, and then an agent is propagating that information across a whole bunch of other places. The guardrails of you and I checking the system will be lower than maybe what we&#x27;ve seen in the past with agentic workflows.&quot;</p><p>He framed the distinction in human terms: &quot;The identity of an agent is different than a human. There is thought that goes into what am I about to use here, where did this information come from, how was it collected — that may not be considered in the same way for an agentic workflow. We need to solve the root of the problem, which is how are these businesses leveraging AI subprocessors. 
But this quickly becomes an agentic problem that could be far more concerning.&quot;</p><p>For the enterprise privacy and security leaders absorbing this report today, the uncomfortable truth is that the foundational documents and processes they have relied on to manage vendor risk for years are decomposing in real time. The DPA is breaking down as a reliable instrument. State enforcement is accelerating on a bipartisan basis. Privacy teams are shrinking even as their mandates expand. And the next wave of agentic AI systems threatens to distribute unvetted data processing across networks of autonomous agents that operate with even less human oversight than today&#x27;s tools.</p><p>Five years ago, when DataGrail published its first trends report, deletion requests were a fraction of what they are today, only a handful of states had privacy laws on the books, and the phrase &quot;shadow AI&quot; did not exist. Every year since, the report has warned that the problem was getting worse. Every year, the data has proved it right. The companies that survive the next chapter will not be the ones with the biggest compliance teams or the thickest policy binders. They will be the ones that accept a disorienting new reality: in 2026, the contracts you signed may not describe the AI that is already processing your customers&#x27; data — and by 2027, autonomous agents may be deciding what to do with it.</p>]]></description>
            <author>michael.nunez@venturebeat.com (Michael Nuñez)</author>
            <category>Security</category>
            <category>Data</category>
            <category>Business</category>
            <enclosure url="https://images.ctfassets.net/jdtwqhzvc2n1/7AZgKVWkH5KjpSGWlPf4sO/8ccdefa0059b057a7fc9950fc323ac5a/Listing_image.png?w=300&amp;q=30" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[The attack dominating financial services doesn't steal passwords. It resets MFA and steals the token.]]></title>
            <link>https://venturebeat.com/security/attack-dominating-financial-services-resets-mfa-steals-token</link>
            <guid isPermaLink="false">4hISdBGG9lwlVfszlf1Rnc</guid>
            <pubDate>Tue, 26 May 2026 19:34:30 GMT</pubDate>
            <description><![CDATA[<p>The attacker who hit the most financial services organizations over the past 12 months never phished a password. They called an IT support line, convinced an employee to reset their MFA, and registered their own device on the network.</p><p>CrowdStrike’s <a href="https://www.crowdstrike.com/en-us/resources/reports/crowdstrike-2026-financial-services-threat-landscape-report/">2026 Financial Services Threat Landscape Report</a>, released this month and covering activity from April 2025 through March 2026, identified Mutant Spider as the single most active threat to the financial services sector. The group’s primary technique was voice phishing over Microsoft Teams. Operators impersonated internal IT support, convinced employees to reset their credentials and multifactor authentication, then registered their own devices on corporate networks. The security control worked exactly as designed — and that was the problem.</p><p>Within days, the FBI published a <a href="https://www.ic3.gov/PSA/2026/PSA260521">public service announcement</a> warning about Kali365, a phishing-as-a-service platform sold on Telegram for as little as $250 a month. Kali365 captures Microsoft 365 OAuth tokens through the legitimate device code authentication flow. MFA fires on the victim’s device, not the attacker’s. The token grants persistent access to Outlook, Teams, and OneDrive without triggering another MFA prompt.</p><p>The <a href="https://www.verizon.com/business/resources/reports/dbir/">Verizon 2026 Data Breach Investigations Report</a>, also released in May, confirmed that credential theft dropped to 13% of breach initial access vectors. Vulnerability exploitation took the top position at 31%, displacing what Verizon called the longtime leading initial-access category. That&#x27;s three independent sources, same structural finding. 
MFA protects password-based authentication, but the attacks dominating financial services increasingly bypass password theft through resets, token grants, and exploitation. The MFA Bypass Exposure Audit Grid at the end of this article maps all five confirmed attack surfaces from the CrowdStrike, FBI, and Verizon reports, what MFA misses on each one, and the specific fix for Monday morning.</p><h2>The CrowdStrike numbers paint a sector under sustained pressure</h2><p>Financial services ranked as the fourth most targeted sector by Q1 2026, accounting for 12% of all observed adversary activity, according to the CrowdStrike report. Globally, financial institutions faced 43% more hands-on-keyboard intrusions in 2025 compared to two years earlier. In North America, that figure was 48%.</p><p>The e-crime side of the problem grew faster than most defenders expected. Big game hunting operators named 423 financial services entities on dedicated leak sites during the reporting period. That is a 27% increase from the 334 entities named in the prior 12 months. REVENANT SPIDER, which operates the Qilin ransomware-as-a-service program, posted the most financial services victims of any e-crime adversary on its dedicated leak site. The group’s financial services victim count jumped from 14 to 97 over the reporting period.</p><p>“Who needs a zero day if all you have to do is call the help desk and say, &#x27;I forgot my password&#x27;?” Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, told VentureBeat. That one sentence captures the structural shift his team documented across twelve months of financial services intrusions.</p><p>The interactive intrusion breakdown tells the story of who is actually getting inside these networks. E-crime actors drove 75% of hands-on-keyboard intrusions against financial services. State-sponsored adversaries accounted for the remaining 25%. That ratio has not moved since 2023. 
What changed is the total volume and the sophistication of the access techniques.</p><p>Mutant Spider’s vishing campaigns over Microsoft Teams represent a structural shift in initial access. The group impersonates IT support, manipulates employees into resetting MFA, then deploys custom post-access tools including PrionFlaire, SocksLoader, and SleepyMutagen. CrowdStrike believes the group sells that access to ransomware operators. The Teams call is step one. The ransom note is step five.</p><blockquote><p>“Who needs a zero day if all you have to do is call the help desk and say, &#x27;I forgot my password&#x27;?”</p></blockquote><p>Scattered Spider returned to aggressive ransomware operations against insurance companies from April through July 2025, following a significant operational pause that began in December 2024. The group ran the same playbook it has used since 2022: help desk social engineering; credential and MFA reset requests; then lateral movement through integrated SaaS applications to locate data for extortion. In September 2025, the U.K.’s National Crime Agency arrested and charged two members for allegedly targeting Transport for London. The U.S. Department of Justice separately <a href="https://www.justice.gov/opa/pr/united-kingdom-national-charged-connection-multiple-cyber-attacks-including-critical">charged one of them in connection with multiple cyberattacks</a> against U.S. critical infrastructure.</p><h2>State-sponsored groups added scale and speed</h2><p>The report’s state-sponsored findings reinforce the identity problem from a different direction. DPRK-nexus adversaries stole <a href="https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2026/">$2.02 billion in digital assets</a> in 2025, a 51% increase from the prior year. 
In February 2025, Pressure Chollima executed the largest single theft ever reported, stealing $1.46 billion in cryptocurrency by compromising Safe{Wallet}, a digital asset management platform supporting the Bybit exchange, after a developer’s machine was infected through a trojanized Python project. China-nexus groups conducted sustained campaigns against financial institutions across multiple continents. Hollow Panda exploited Check Point VPN appliances to target banks in the Philippines, Indonesia, and Brazil. Vault Panda gained initial access through compromised VPN and firewall appliances across four continents. Every state-sponsored campaign CrowdStrike documented shared a common thread. The adversary’s first move targeted an identity, a credential, or a trusted access path.</p><p>Elia Zaitsev, CrowdStrike’s CTO, told VentureBeat in April that the speed of these operations is outpacing traditional defense models. “Traditional approaches are just not designed for this sort of behavior,” Zaitsev said.</p><h2>Kali365 turns token theft into a subscription service</h2><p>The FBI’s May 21 public service announcement on Kali365 confirmed the second attack path that makes this a compound problem. The platform abuses Microsoft’s implementation of the OAuth 2.0 device authorization grant, a flow designed for devices like smart TVs and conference room systems that cannot support interactive login. Kali365 sends phishing emails impersonating trusted services like Adobe Acrobat Sign, DocuSign, and SharePoint. The email carries the short user code from a device authorization request the kit has already started, plus instructions to visit a legitimate Microsoft verification page. The victim types the code and authenticates normally. MFA fires, in the victim’s own browser. The kit, polling the token endpoint with the matching device code, receives the token.</p><p><a href="https://arcticwolf.com/resources/blog/token-bingo-dont-let-your-code-be-the-winner/">Arctic Wolf</a>, which published a technical deep dive on Kali365 in April, documented a three-tier commercial structure. 
An admin tier for the developers, an agent tier for resellers, and a client tier for paying affiliates. Subscription pricing runs from $250 for 30 days to $2,000 for a year. The platform supports 14 languages and includes AI-generated phishing lures, automated campaign templates, and a real-time tracking dashboard.</p><p>The device code flow is not a vulnerability. It is a feature. Microsoft designed it for devices that cannot support interactive login. The problem is that default Entra ID configurations do not restrict its use, and most organizations have never audited whether any legitimate workflow actually requires it. Kali365 exploits that gap between design intent and deployment reality.</p><p>The Verizon DBIR reinforced that assessment from a different angle. The 2026 edition analyzed more than 22,000 confirmed breaches across 145 countries. Vulnerability exploitation at 31% now leads credential abuse at 13%. The median time for full patching increased to 43 days, up from 32. Organizations patched only 26% of critical flaws in CISA’s Known Exploited Vulnerabilities catalog, down from 38% the prior year.</p><p>That data creates a clear picture. The industry has spent two decades building defenses against credential theft. The attacks that are actually working in financial services either remove MFA through social engineering or capture tokens through legitimate authentication flows where MFA does not protect the attacker’s session.</p><h2>MFA Bypass Exposure Audit Grid</h2><p>Security directors need to run this audit against their environment this week. 
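</p><p>Before the grid itself, a worked illustration of its device code and token rows. The Python below is an added example, not code from the article, the FBI, CrowdStrike, Arctic Wolf or Microsoft. It models the OAuth 2.0 device authorization grant (RFC 8628) as a small authorization server, replays the Kali365 sequence against it so the token visibly lands with the polling client while MFA was satisfied in the victim&#x27;s browser, and then applies a Conditional Access style block on the flow and a split-origin triage rule. The client name, the IP addresses, the 15-minute code lifetime, the <code>Policy</code> field and the split-origin rule are assumptions; the rule is illustrative and not an Entra ID feature.</p>

```python
# Added example (not from the article, the FBI, CrowdStrike, Arctic Wolf or
# Microsoft): a toy OAuth 2.0 device authorization grant (RFC 8628) server.
# Names, IP addresses, the code lifetime and the Policy field are assumptions.
import secrets
import time
from dataclasses import dataclass
from typing import Optional

DEVICE_CODE_TTL = 900  # seconds a pending code pair stays valid (assumption)


@dataclass
class DeviceAuthorization:
    client_id: str
    poller_ip: str                     # where the polling client (the kit) runs
    user_code: str                     # short code the victim is told to type
    device_code: str                   # long secret only the polling client holds
    issued_at: float
    approved_by: Optional[str] = None  # user who completed verification
    approver_ip: Optional[str] = None  # where that user actually authenticated
    mfa_satisfied: bool = False


@dataclass
class Policy:
    # Conditional Access style block on the device code flow. An IdP only sees
    # a user at sign-in, so this is enforced in user_verifies(), not earlier.
    block_device_code_flow: bool = False


class AuthorizationServer:
    def __init__(self, policy: Optional[Policy] = None, clock=time.time):
        self.policy = policy or Policy()
        self.clock = clock
        self.pending = {}  # device_code -> DeviceAuthorization
        self.issued = []   # audit trail of every token handed out

    def device_authorization(self, client_id: str, poller_ip: str) -> dict:
        """RFC 8628 3.1-3.2: the client asks for a code pair; no user yet."""
        auth = DeviceAuthorization(
            client_id=client_id, poller_ip=poller_ip,
            user_code=secrets.token_hex(4).upper(),
            device_code=secrets.token_urlsafe(32), issued_at=self.clock())
        self.pending[auth.device_code] = auth
        return {"device_code": auth.device_code, "user_code": auth.user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": DEVICE_CODE_TTL, "interval": 5}

    def user_verifies(self, user_code: str, username: str,
                      mfa_passed: bool, from_ip: str) -> str:
        """RFC 8628 3.3: the user types the code on the genuine page and passes
        MFA there. The challenge binds to this browser session, not to the
        client that will later redeem device_code."""
        auth = next((a for a in self.pending.values()
                     if a.user_code == user_code), None)
        if auth is None or self.clock() - auth.issued_at > DEVICE_CODE_TTL:
            return "invalid_or_expired_code"
        if self.policy.block_device_code_flow:
            return "blocked_by_conditional_access"
        if not mfa_passed:
            return "mfa_required"
        auth.approved_by, auth.approver_ip = username, from_ip
        auth.mfa_satisfied = True
        return "approved"

    def token(self, device_code: str, poller_ip: str) -> dict:
        """RFC 8628 3.4-3.5: the client polls; after approval the tokens go to
        whoever presents device_code, wherever that party is."""
        auth = self.pending.get(device_code)
        if auth is None:
            return {"error": "invalid_grant"}
        if self.clock() - auth.issued_at > DEVICE_CODE_TTL:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if not auth.mfa_satisfied:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        grant = {"sub": auth.approved_by, "client_id": auth.client_id,
                 "flow": "deviceCode", "approver_ip": auth.approver_ip,
                 "token_ip": poller_ip,
                 "access_token": secrets.token_urlsafe(24),
                 "refresh_token": secrets.token_urlsafe(24)}
        self.issued.append(grant)
        return grant


def split_origin_grants(issued: list) -> list:
    """Illustrative triage rule for the grid's token row, not an Entra ID
    feature: device code grants redeemed from a different address than the one
    the user approved from. Expect noise from NAT and VPN egress."""
    return [g for g in issued
            if g["flow"] == "deviceCode" and g["approver_ip"] != g["token_ip"]]


def run_phish(policy: Optional[Policy] = None) -> dict:
    """Replays the Kali365-style sequence against a server under `policy`."""
    idp = AuthorizationServer(policy)
    # 1. The kit, not the victim, starts the flow and puts user_code in the lure.
    codes = idp.device_authorization("office-client", poller_ip="203.0.113.9")
    # 2. The victim opens the real verification page on their own machine and
    #    passes MFA there. Nothing in this step looks wrong to the victim.
    outcome = idp.user_verifies(codes["user_code"], "alice@corp.example",
                                mfa_passed=True, from_ip="198.51.100.24")
    # 3. The kit polls and collects whatever the server is willing to issue.
    tok = idp.token(codes["device_code"], poller_ip="203.0.113.9")
    return {"verify": outcome, "token": tok,
            "flagged": len(split_origin_grants(idp.issued))}


if __name__ == "__main__":
    print(run_phish())                                     # kit receives tokens
    print(run_phish(Policy(block_device_code_flow=True)))  # victim stopped at 2
```

<p>Two details the run makes concrete. The server cannot refuse at the device authorization endpoint, because no user is present when the kit asks for codes; the block has to be applied when the user signs in at the verification page, which is also where Entra ID evaluates Conditional Access. And the approver and redeemer addresses are comparable only because this server records both on the issued grant, so any detection built on that difference needs the sign-in and token events joined, and it will see noise from NAT and VPN egress.</p><p>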
Each row represents a confirmed attack path from the three reports above.</p><table><tbody><tr><td><p><b>Attack Surface</b></p></td><td><p><b>Confirmed Event</b></p></td><td><p><b>What MFA Misses</b></p></td><td><p><b>Action</b></p></td></tr><tr><td><p>Teams vishing/help desk MFA reset</p></td><td><p>Most active FS attacker called employees on Teams, got MFA reset, registered own device (CrowdStrike)</p></td><td><p>Help desk verifies caller identity without out-of-band confirmation. Social engineering removes MFA entirely.</p></td><td><p>Out-of-band verification for all MFA resets. FIDO2 hardware keys. Callback on a separate channel.</p></td></tr><tr><td><p>OAuth device code flow</p></td><td><p>$250/mo tool captures M365 tokens via devicelogin page. MFA does not fire on attacker’s device. (FBI)</p></td><td><p>Not restricted in default Entra ID configurations. Authentication channel separates user’s MFA challenge from attacker’s token grant.</p></td><td><p>Restrict device code flow in Entra ID conditional access. Block unmanaged devices.</p></td></tr><tr><td><p>Token persistence</p></td><td><p>Both paths end here. Valid tokens can grant weeks or months of silent access depending on token lifetime configuration. (CrowdStrike + FBI)</p></td><td><p>Traditional credential-theft monitoring does not flag token-based access. Tokens are credential-equivalent bearer artifacts, but most detection tools do not classify them that way.</p></td><td><p>Monitor OAuth refresh token usage from unfamiliar devices. Token lifetime policies.</p></td></tr><tr><td><p>Post-access SaaS movement</p></td><td><p>After reset, attackers pivoted to SaaS apps for credentials and docs. (CrowdStrike, insurance sector)</p></td><td><p>DLP monitors file downloads, not post-reset session activity or token-based API calls from authorized sessions.</p></td><td><p>Audit Graph API access. 
Flag bulk ops from reset or device-code sessions.</p></td></tr><tr><td><p>Budget misalignment</p></td><td><p>Credential theft at 13%. Vuln exploitation at 31%. (Verizon DBIR) Patch reverse-engineering within 72 hours. (Ivanti)</p></td><td><p>Legacy, login-only MFA investment addresses the threat that just dropped to third. Token capture and social engineering sit outside that investment.</p></td><td><p>Rebalance toward token monitoring, session validation, identity verification for resets.</p></td></tr></tbody></table><p>Mike Riemer, SVP and field CISO at Ivanti, told VentureBeat in an exclusive interview that the speed problem compounds the budget misalignment. “Threat actors are reverse engineering patches, and the speed at which they’re doing it has been enhanced greatly by AI,” Riemer said. “They’re able to reverse engineer a patch within 72 hours. If I release a patch and a customer doesn’t patch within 72 hours of that release, they’re open to exploit.”</p><h2>The structural problem is clear</h2><p>“People are forgetting about runtime security,” Zaitsev said. “We’ve done this before, with endpoint and virtualization and cloud. People really focused on, hey, let’s patch all the vulnerabilities. Impossible. Let’s make sure we lock down all the permissions. Somehow always seem to miss something.”</p><p>The attackers who matter most in financial services right now are not stealing passwords. They are calling help desks. They are exploiting legitimate authentication flows. They are capturing tokens that persist for months. The defenses that consumed the largest share of security budgets for the past decade are pointed at a threat that just dropped to third place.</p><p>The fix is not adding another layer of MFA — Zaitsev and Riemer both said as much. It&#x27;s rethinking what MFA actually protects, what it doesn&#x27;t, and where the budget needs to go next.</p>]]></description>
            <author>louiswcolumbus@gmail.com (Louis Columbus)</author>
            <category>Security</category>
            <enclosure url="https://images.ctfassets.net/jdtwqhzvc2n1/74QmpXvd2qShhEWQ3NA1If/1f57d3acc4e94cac222aaf3d8dfbe3f5/HERO.png?w=300&amp;q=30" length="0" type="image/png"/>
        </item>
    </channel>
</rss>