Blog

Analysis on enterprise AI governance, inline policy enforcement, agentic AI security, and regulatory compliance.

EU AI Act High-Risk AI Systems: What Enterprises Must Do Before August 2026

The EU AI Act obligations for high-risk AI systems apply from August 2, 2026. Article 9 requires a documented risk management system. Article 12 requires automatic record-keeping. Article 13 requires transparency to deployers. Article 14 requires human oversight. Enterprises deploying high-risk AI systems need enforcement and audit infrastructure in place before that date.

EU AI Act, AI, Compliance, Regulation, High-Risk AI, CISO, Governance

22-Second Breach Windows Mean Your AI Enforcement Must Be Inline

Mandiant M-Trends 2026 reports that attack handoff time collapsed from 8 hours to 22 seconds. At that tempo, log-and-alert on AI traffic is structurally incapable of preventing damage. If your AI enforcement operates on a review cycle measured in minutes, the breach is complete before the first alert fires. AI traffic enforcement must be inline and synchronous.

ai-security, ai-governance, agentic-ai, incident-response, real-time-enforcement

Fannie Mae LL-2026-04: What the First Sector-Specific AI Governance Mandate Requires from Your Platform

On April 8, Fannie Mae issued Lender Letter LL-2026-04, a governance framework for AI and ML in mortgage origination and servicing. It takes effect August 8. Freddie Mac has enforced similar requirements since March 3. Both GSEs now require approved seller/servicers to operate an auditable AI governance program. Most lenders have no infrastructure to comply.

ai-governance, compliance, financial-services, audit, ai-security, fannie-mae

Shadow AI to $670,000 Blind Spot

IBM's Cost of Data Breach Report studied 600 breached organizations and found that one in five experienced breaches linked to shadow AI. Those breaches cost $670,000 more on average. Customer PII exposure jumped to 65%, compared to 53% across all breaches. Intellectual property carried the highest cost per record.

ai-security, shadow-ai, data-loss-prevention, ai-governance, compliance

You Own the AI Liability, Not the Vendor

Last week, *The Register* reached out to the major AI application vendors—Microsoft, SAP, Oracle, Salesforce, ServiceNow, and Workday—and asked a simple question: How much liability do you accept when your AI agents make bad decisions? Microsoft and SAP declined to comment. Oracle, Salesforce, ServiceNow, and Workday didn't respond. That silence is your answer. For every CISO, CRO or head of legal deploying AI today, that silence has a direct consequence: You are the insurer of last resort for your vendor's model.

AI, Security, Audit, Architecture, Compliance, Due Diligence, Due Care

Securing the Inference Lifecycle

On March 18, Meta's internal AI agent exposed sensitive user and company data to engineers who shouldn't have seen it. The exposure lasted two hours. Meta classified it as Sev-1. Here's the part that should concern every security architect: the agent was fully authenticated. It had valid credentials. It passed every identity check. And it still caused a data breach. This is the post-authentication gap.

AI, Security, Audit, Compliance, EU AI Act 2026, SEC

Due Diligence is Not Due Care: The AI Compliance Gap

Last year, researchers disclosed EchoLeak (CVE-2025-32711), a zero-click Indirect Prompt Injection in Microsoft 365 Copilot. A poisoned email forced the AI assistant to silently exfiltrate sensitive business data to an external URL. The user never saw it, never clicked a link, and never authorized the transfer, but the data left anyway. Most leaders I talk to think they are "covered" because their LLM provider is SOC2 compliant or has a signed DPA. However, in the eyes of the law, the liability remains with the deployer.

AI, Security, Audit, Architecture, Compliance, Due Diligence, Due Care

Architecting AI Agent Security to Stay Compliant with NIST's Identity and Authorization Framework

NIST's comment window on AI agent identity and authorization closes April 2. If you are deploying AI agents and haven't read the framework, this is the post. Not because the comment window matters to your engineering roadmap, but because NIST just put formal language around a structural gap that most organizations are already sitting in.

AI Security, Agentic AI, Cybersecurity, LLM, AI Governance, NIST, Identity and Authorization

Model Guardrails Are Not a Security Control

Stanford's Trustworthy AI research has demonstrated that model-level guardrails can be materially weakened under targeted fine-tuning and adversarial pressure. In controlled evaluations summarized by the AIUC-1 Consortium briefing (developed with CISOs from Confluent, Elastic, UiPath, and Deutsche Börse alongside researchers from MIT Sloan, Scale AI, and Databricks), refusal behaviors were significantly degraded once safety patterns were shifted.

AI Security, Agentic AI, Cybersecurity, LLM, AI Governance, Model Guardrails

Detecting Model Distillation Attacks in Your AI Traffic

On February 23rd, [Anthropic published](https://www.anthropic.com/news/detecting-and-preventing-distillation-attacks) something the industry had suspected but hadn't seen documented at this scale. Three Chinese AI labs (DeepSeek, Moonshot AI, and MiniMax) ran coordinated campaigns against the Claude API. They generated over 16 million exchanges through approximately 24,000 fraudulent accounts. The goal was not to steal user data but to steal the model itself.

AI, Security, Distillation, DeepSeek, MiniMax, Moonshot AI, Anthropic, IP Theft, API Security

Why Connector Authorization Is Not Enough to Secure an AI Agent (SilentBridge)

Aurascape's research team this week published SilentBridge, a class of indirect prompt injection attacks against Meta's Manus AI agent. The attack exfiltrated email, extracted secrets, achieved root-level code execution, and exposed cross-tenant media files via CDN — all three variants scored CVSS 9.8 (Critical): network-exploitable, no privileges required, no user interaction. The user had authorized Gmail and the agent used it exactly as permitted. Vulnerabilities discovered September 2025, Manus mitigated November 2025, coordinated disclosure February 2026.

AI, Security, Prompt Injection, Agentic AI, Authorization, Zero Trust