Problem-Aware

111 posts on problem-aware.

AI Agent Lateral Movement: How an LLM Turns a Single Compromised Credential into a Multi-System Incident

An AI agent operating with credentialed access to multiple SaaS systems collapses the traditional lateral-movement kill chain. What used to take a human attacker hours of enumeration and pivoting takes an LLM-orchestrated agent seconds. The Marimo CVE-2026-39987 incident is the first widely reported case. This piece walks through the mechanism, why endpoint detection is blind to it, and the inspection-layer controls that block the pattern at the HTTP AI request boundary.

Tags: ai-agent-security, lateral-movement, agentic-ai, incident-response, ai-security

AI Audit Log Hashing Patterns: The Cryptographic Choices That Make an Audit Trail Tamper-Evident

An AI audit log that a regulator or an auditor will accept has to prove two properties: the records were written at the times they claim, and the records have not been altered after the fact. Hashing is the mechanism that produces the second property. This piece walks through the hashing patterns that fit an inline AI gateway's audit stream: hash-chained append, Merkle-tree batching, external witness anchoring, and the trade-offs each pattern makes against write latency and audit verification cost.

Tags: audit-logs, ai-security, compliance, cryptography, tamper-evident, ai-gateway

AI Agent Privilege Scoping: Six Patterns That Contain an Agent's Blast Radius

An agent is a program that acts on behalf of a human, and the acting has authorization consequences the traditional privilege model does not cover. The agent's identity, the human's session, the tool's permission, and the enterprise policy all compose into the authorization decision on each call. Privilege scoping is the design pattern set that keeps the composed authorization tight. This piece walks through six patterns that appear in production agent deployments and the audit records each pattern produces.

Tags: ai-agent, privilege-scoping, agentic-ai, ai-security, authorization, blast-radius

AI Jailbreak Monitoring: Detecting the Prompts That Bypass Model Guardrails in Production Traffic

Jailbreak attempts against production LLM deployments have moved from novelty to routine traffic. Attackers, curious employees, and automated red-team tools all produce prompts intended to bypass the model's built-in safety layers. Detection at the model provider catches some patterns but not the enterprise-specific patterns tied to the deployer's own system prompt and policy configuration. Detection at the AI gateway catches both categories. This piece walks through the four detection surfaces (input pattern, response deviation, session behavior, follow-through action), the signals each surface produces, and the SIEM integration that lands the detection in the SOC's existing workflow.

Tags: jailbreak, ai-security, prompt-injection, siem, threat-detection, monitoring

Agentic AI News in 2026: The Incidents, Regulatory Actions, and Framework Releases That Changed the Threat Model

Agentic AI shifted from a research topic to a production security concern across the first half of 2026. Microsoft documented prompt-to-shell escalation paths in LangChain, AutoGen, and Semantic Kernel. Marimo CVE-2026-39987 became the first widely reported incident where attackers operated an LLM as their post-exploitation tool. LiteLLM disclosed seven CVEs in June alone, including one authentication bypass in the gateway itself. OWASP published its Top 10 for Agentic Applications and the AISVS 1.0 verification standard. This piece walks through the specific incidents, the regulatory actions in the EU and Colorado, and the framework releases that have changed how security teams evaluate agentic AI deployments in 2026.

Tags: agentic-ai, ai-security-news, owasp, aisvs, litellm, cve

LLM Audit Log Retention: What Each Regulation Actually Demands and How Long the Records Have to Survive

The retention period for LLM audit logs depends on which regulation the deployment falls under. EU AI Act Article 12 sets a floor at the lifetime of the AI system. HIPAA sets 6 years on required records. SOX sets 7 years on records material to financial statements. GDPR requires retention only as long as necessary for the processing purpose, then erasure. FINRA sets 6 years on communications records. The gap between the shortest and longest applicable retention is often the value the organization sets. This piece walks through each regulation's actual retention rule for AI decision records, the maximum-of-applicable-floors rule most compliance teams end up applying, and the tamper-evident storage properties the records need to survive the retention period.

Tags: ai-audit-logs, log-retention, compliance, eu-ai-act, hipaa, sox

AI Usage Policy Template: The Clauses That Actually Get Enforced at the Gateway

Most AI usage policies get written as documents and stored in a compliance drive. The document alone changes no request that leaves the employee's browser and reaches ChatGPT, Claude, or a shadow copilot. The clauses in this template are the ones that map to enforcement at the AI request layer, where a policy statement translates into a permit-or-deny decision on live traffic. The template covers scope, sanctioned providers, data classes prohibited from AI prompts, allowed use cases per role, monitoring, incident reporting, and the enforcement mechanism that binds the policy to the traffic. Adopt the template as the policy artifact, then wire the clauses to the gateway that produces the audit records the policy owner samples at quarterly review.

Tags: shadow-ai, ai-policy, policy-template, ai-usage-policy, governance, ciso

AI Agent Permission Escalation: Five Patterns That Promote an Agent Past Its Authorized Scope

When an AI agent makes calls that exceed its authorized scope, the call path crosses a gateway, an LLM, and downstream services. Escalation can occur at any boundary in the chain. The pattern is rarely a single exploit; the pattern is the agent stitching together several legitimate primitives into a chain that produces an outcome the deployer did not authorize. This article walks five escalation patterns observed in production, the gateway signals that catch each, and the policy structure that prevents the chain from completing even when the model is induced to attempt it.

Tags: agentic-ai, permission-escalation, agent-security, authorization, ai-security, policy-enforcement

AI Agent Context Window Poisoning: How a Single Bad Retrieval Steers an Entire Session

An AI agent runs in a context window: the system prompt, the user request, the retrieved documents, the prior tool calls, and the prior model responses. The window is the model's working memory for the session. Context window poisoning is the attack pattern where attacker-controlled content lands in the window and steers the model's subsequent decisions. A single bad retrieval can alter the model's behavior for the rest of the session. This article walks the attack vectors, the detection signals at the gateway, the redaction patterns that prevent the poison from reaching the model, and the audit record that supports investigation.

Tags: agentic-ai, context-poisoning, prompt-injection, ai-security, rag-security, agent-security

Prompt Injection via MCP Tool Descriptions: The Attack Surface in the Schema Itself

When a client connects to a Model Context Protocol server, the server advertises its tools to the model through descriptions. The model reads the descriptions to decide which tool to call. A malicious MCP server can place prompt-injection content in the tool descriptions themselves. The model treats the description as instructions, not as data. The attack surface lives inside the schema that the protocol uses to advertise its capabilities. This article walks the attack pattern, the variants that have surfaced, the detection signals, and the gateway controls that contain the blast radius.

Tags: mcp, prompt-injection, agent-security, ai-security, tool-use, agentic-ai

AI Audit Log Chain of Custody: What Forensic Integrity Requires at the Request Boundary

An AI audit log that has to survive a regulatory inquiry or a legal proceeding needs more than the data it captures. The log needs a chain of custody: the proof that the record at the moment of inquiry is the record that was written at the moment of the decision, that nobody has modified it in between, and that the writer and the reader are the entities they claim to be. The chain of custody applies to the AI request-and-response log as much as to physical evidence in any other regulated context. This article walks the requirements, the failure modes, the cryptographic and operational controls that produce a defensible chain, and the architectural pattern that holds up under examination.

Tags: audit-logging, forensics, compliance, evidence, tamper-evident, high-risk-ai

RAG Poisoning Prevention: Defending the Retrieval Layer Against Adversarial Content

Retrieval-augmented generation grounds an LLM response in a corpus of documents the application retrieves at query time. The retrieval surface is also an attack surface. An attacker who can write to the corpus or to a source the corpus ingests from can inject content that steers the model toward attacker-chosen outputs. RAG poisoning has three production patterns: corpus injection, indirect prompt injection through retrieved content, and adversarial document crafting that pollutes the embedding space. This article walks the failure modes, the defense layers, the controls a policy gateway enforces against the model-call boundary, and the operational checklist.

Tags: rag, prompt-injection, llm-security, agentic-ai, policy-enforcement, data-poisoning