Blog

Analysis on enterprise AI governance, inline policy enforcement, agentic AI security, and regulatory compliance.

You Own the AI Liability, Not the Vendor

Last week, *The Register* reached out to the major AI application vendors—Microsoft, SAP, Oracle, Salesforce, ServiceNow, and Workday—and asked a simple question: How much liability do you accept when your AI agents make bad decisions? Microsoft and SAP declined to comment. Oracle, Salesforce, ServiceNow, and Workday didn't respond. That silence is your answer. For every CISO, CRO or head of legal deploying AI today, that silence has a direct consequence: You are the insurer of last resort for your vendor's model.

AISecurity, Audit, Architecture, Compliance, Due Diligence, Due Care

Securing the Inference Lifecycle

On March 18, Meta's internal AI agent exposed sensitive user and company data to engineers who shouldn't have seen it. The exposure lasted two hours. Meta classified it as Sev-1. Here's the part that should concern every security architect: the agent was fully authenticated. It had valid credentials. It passed every identity check. And it still caused a data breach. This is the post-authentication gap.

AISecurity, Audit, Compliance, EU AI Act 2026, SEC

Due Diligence is Not Due Care: The AI Compliance Gap

Last year, researchers disclosed EchoLeak (CVE-2025-32711), a zero-click Indirect Prompt Injection in Microsoft 365 Copilot. A poisoned email forced the AI assistant to silently exfiltrate sensitive business data to an external URL. The user never saw it, never clicked a link, and never authorized the transfer, but the data left anyway. Most leaders I talk to think they are "covered" because their LLM provider is SOC2 compliant or has a signed DPA. However, in the eyes of the law, the liability remains with the deployer

AISecurity, Audit, Architecture, Compliance, Due Diligence, Due Care

Architecting AI Agent Security to Stay Compliant with NIST's Identity and Authorization Framework

NIST's comment window on AI agent identity and authorization closes April 2. If you are deploying AI agents and haven't read the framework, this is the post. Not because the comment window matters to your engineering roadmap, but because NIST just put formal language around a structural gap that most organizations are already sitting in.

AI Security, Agentic AI, Cybersecurity, LLM, AI Governance, NIST, Identity and Authorization

Model Guardrails Are Not a Security Control

Stanford's Trustworthy AI research has demonstrated that model-level guardrails can be materially weakened under targeted fine-tuning and adversarial pressure. In controlled evaluations summarized by the AIUC-1 Consortium briefing (developed with CISOs from Confluent, Elastic, UiPath, and Deutsche Börse alongside researchers from MIT Sloan, Scale AI, and Databricks), refusal behaviors were significantly degraded once safety patterns were shifted.

AI Security, Agentic AI, Cybersecurity, LLM, AI Governance, Model Guardrails

Detecting Model Distillation Attacks in Your AI Traffic

On February 23rd, [Anthropic published](https://www.anthropic.com/news/detecting-and-preventing-distillation-attacks) something the industry had suspected but hadn't seen documented at this scale. Three Chinese AI labs (DeepSeek, Moonshot AI, and MiniMax) ran coordinated campaigns against the Claude API. They generated over 16 million exchanges through approximately 24,000 fraudulent accounts. The goal was not to steal user data but to steal the model itself.

AISecurity, Distillation, DeepSeek, MiniMax, Moonshot AI, Anthropic, IP Theft, API Security

Why Connector Authorization Is Not Enough to Secure an AI Agent (SilentBridge)

Aurascape's research team this week published SilentBridge, a class of indirect prompt injection attacks against Meta's Manus AI agent. The attack exfiltrated email, extracted secrets, achieved root-level code execution, and exposed cross-tenant media files via CDN — all three variants scored CVSS 9.8 (Critical): network-exploitable, no privileges required, no user interaction. The user had authorized Gmail and the agent used it exactly as permitted. Vulnerabilities discovered September 2025, Manus mitigated November 2025, coordinated disclosure February 2026.

AISecurity, Prompt Injection, Agentic AI, Authorization, Zero Trust

Making Vector Search Identity-Aware in RAG Systems

Most RAG stacks retrieve top-K chunks first and enforce permissions later in the app. At scale, this breaks the trust boundary and degrades retrieval quality. When users only have access to a subset of the corpus, post-filtering collapses top-K into a tiny context window, even when many relevant authorized chunks exist deeper in the index. The fix is to make retrieval identity-aware so authorization becomes part of ranking. In the blog, I walk through how to design identity-aware retrieval so access control is enforced during search, not after it.

RAG, ABAC, Database-Native, Zero-Trust, Security, Vector Search, Data Security

Managing the Agentic Blast Radius in Multi-Agent Systems (OWASP 2026)

The most complex risks in the 2026 OWASP list are not about a single bad action, but about how agents exist over time, interact with each other, and propagate behavior across systems. Unchecked blast radius occurs when **probabilistic agent behavior becomes persistent, trusted, and shared across systems**. This post continues from my previous two pieces on [Loss of Intent as a Failure Mode in OWASP Agentic AI Risks](/blog/loss-of-intent-as-a-failure-mode-in-owasp-agentic-ai-risks-2026) (Part 1) and [Identity and Execution Risks in Agentic AI – The Capability Gap](/blog/identity-and-execution-risks-in-agentic-ai-the-capability-gap-owasp-2026) (Part 2) and is the final part of the series.

AISecurity, AgenticAI, AIEngineering, Cybersecurity, OWASP

Identity and Execution Risks in Agentic AI - The Capability Gap (OWASP 2026)

When moving from intent to execution, the security model for Agentic AI shifts from intent interpretation to traditional systems hardening. Once an LLM can invoke tools and assume identities, the capabilities we grant an agent become the primary attack surface. This post continues from my first piece on [Loss of Intent as a Failure Mode in OWASP's Agentic AI Risks](/blog/loss-of-intent-as-a-failure-mode-in-owasp-agentic-ai-risks-2026). Here, I focus on the second bucket in the [OWASP Top 10 for Agentic Applications 2026](https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/): agents with too much power.

AISecurity, AgenticAI, AIEngineering, Cybersecurity, OWASP

Loss of Intent as a Failure Mode in OWASP's Agentic AI Risks (2026)

OWASP recently released the Top 10 Vulnerabilities for Agentic Applications (2026). One thing is clear: agentic systems fail differently than traditional applications or simple LLM integrations. The failure mode is not bad output, but the system taking a valid action for the wrong reason. In this post, I break down three OWASP vulnerabilities that stem from loss of intent, explain how they show up in real systems, and outline some mitigations.

AISecurity, AgenticAI, AIEngineering, Cybersecurity, OWASP