Detailed write-ups
1. Frontier AI models collapse under multi-turn attacks, Cisco finds
Help Net Security · May 28, 2026
Cisco’s AI threat-intelligence team tested 15 frontier models across roughly 30,000 single-turn and 7,000 multi-turn attacks and saw single-turn safety hold up much better than multi-turn — with multi-turn success climbing to 88% against Grok 4.1 Fast. The work formalizes the divergence between vendor safety benchmarks and observed jailbreak resilience: single-turn evals consistently understate risk because real adversaries iterate. CISOs and AI red teams should treat single-turn safety scores as a floor rather than a ceiling and require multi-turn coverage in any model-acceptance pipeline.
Read article →
2. Microsoft Open-Sources RAMPART and Clarity to Secure AI Agents
The Hacker News · May 21, 2026
Microsoft released RAMPART — a Pytest-native red-teaming framework built on its PyRIT toolkit — alongside Clarity, a design-intent sounding board that pushes teams to articulate agent goals and constraints before testing. The pairing matters because most teams skip the “what is this agent allowed to do?” step entirely, and red-team output without that grounding becomes noise. Open-sourcing both lowers the bar for in-house agent safety testing and gives security teams CI-friendly primitives that drop into existing Python test suites.
Read article →
3. Google AI Threat Defense targets attackers using AI to find flaws faster
Help Net Security · May 27, 2026
Google Cloud unveiled AI Threat Defense, fusing Gemini, Wiz, CodeMender, and Mandiant into a four-stage Prepare / Scan / Remediate / Monitor platform aimed at compressing vulnerability-response timelines. The play is explicit: meet attackers using AI to weaponize disclosures faster by giving defenders an equivalent agentic loop on the same data. Strategically, this is Google productizing the agentic-security primitives it has accumulated through Wiz and Mandiant — and signaling that AI-assisted exposure management is now a hyperscaler-scale category rather than a startup one.
Read article →
4. OpenHack: Open-source AI-powered vulnerability research
Help Net Security · May 25, 2026
Hadrian released OpenHack, an MIT-licensed file-based workspace that packages multiple AI agent harnesses for autonomous vulnerability research. The framework lets teams stand up agentic vuln-research pipelines without re-inventing harness plumbing, and it deliberately avoids vendor lock-in by keeping artifacts portable across model providers. For defenders, it’s a credible reference for building internal red-team automation; for the disclosure ecosystem, it’s another datapoint in the same trend that’s simultaneously drowning maintainers in low-quality AI-generated reports (see story #8).
Read article →
5. Microsoft’s new cloud PCs place AI agents under enterprise controls
Help Net Security · May 28, 2026
Windows 365 for Agents spins up dedicated cloud PCs where AI agents run under enterprise IAM and conditional-access policy — a direct architectural response to shadow-AI sprawl and the agent-identity gap. By giving every agent a real machine identity, a tenant boundary, and access controls equivalent to a human user, Microsoft is forcing the runtime question (“who is this agent and what can it touch?”) into existing enterprise governance. Expect this pattern to set the template that other agent-platform vendors compete against.
Read article →
6. Only 11% of production agents pass the AI agent security bar
Help Net Security · June 3, 2026
New research benchmarks production agents against a baseline security-capability bar covering authentication, secrets handling, prompt-injection resistance, and least-privilege tool use — and only 11% clear it. The number is the foundational stat for this issue: most agents now in production lack the controls that any human user account would be required to have. CISOs should use the bar as a procurement and acceptance checklist, and as the spine of internal agent governance policies tied to identity, secrets management, and tool registration.
Read article →
7. Microsoft responds to security challenges facing code, AI agents, and models
Help Net Security · June 3, 2026
Microsoft outlined a coherent agent-security framework across Azure AI and Windows 365 for Agents covering four primitives: prompt-injection resistance, agent identity, runtime sandboxing, and model supply-chain controls. The packaging is significant — it gives the market a shared vocabulary that procurement teams can use to compare vendors. For CISOs evaluating multi-vendor agent stacks, treat the four primitives as the minimum capability set and require each vendor to map their controls back to it before signing.
Read article →
8. AI is drowning software maintainers in junk security reports
Help Net Security · May 18, 2026
AI-assisted vulnerability research is flooding open-source maintainers with low-quality, hallucinated reports, eroding the triage capacity that legitimate disclosures depend on. The disclosure ecosystem is a commons, and AI-spam is the tragedy: maintainers describe spending hours per week dismissing reports that look credible but cite nonexistent functions, fabricated CVEs, or syntactically valid but semantically meaningless exploit paths. Expect pushback in the form of stricter intake gates, paid triage tiers, and disclosure platforms that throttle automated submissions.
Read article →
9. NSA CSI: Securing Model Context Protocol Implementations
NSA · May 2026
NSA published a Cybersecurity Information Sheet on securing Model Context Protocol against design-level RCE and zero-click prompt-injection risks affecting Claude Code, Cursor, Windsurf, Gemini-CLI, and Copilot. The CSI is the first national-authority guidance on MCP, and its arrival marks the protocol’s transition from developer-tool plumbing to regulated agent infrastructure. Security teams running MCP servers should treat the document as a baseline: enforce per-server allowlists, isolate untrusted content, and gate tool invocation behind explicit human or policy approval for high-blast-radius actions.
Read article →
10. Top MCP security resources — May 2026
Adversa AI · May 2026
Adversa’s curated roundup catalogues the month’s leading MCP security research, tools, and disclosures — a useful single-screen snapshot of where the agent-protocol security ecosystem sits during the coverage window. Read it alongside the NSA CSI for breadth: the CSI tells you what national authorities are emphasizing, the Adversa roundup tells you what red teams and tool builders are actually shipping. Both are required input for any team building an internal MCP threat model this quarter.
Read article →
11. Netskope Revolutionizes Security and Network Operations with AgentSkope
GlobeNewswire (Netskope) · May 5, 2026
Netskope launched AgentSkope, an architectural foundation that deploys six initial AI agents — DLP AISecOps, Insider Threat, Private Access AIOps, two DEM agents, and CCI Insights — into SOC and NOC workflows. The bet is that SASE telemetry is the right substrate for agentic SecOps and NetOps because it already spans identity, network, data, and application context. For Netskope customers it’s a path to consolidated agentic operations; for the broader market it’s the strongest current example of a SASE vendor moving up into agent-operations territory.
Read article →
12. Agent Skills Work, but Most Teams Are Building Them Wrong
O’Reilly Radar · May 2026
A research-grounded critique of the common mistakes teams make when designing agent skills: poor decomposition, leaky abstractions, and weak evaluation harnesses that make it impossible to tell whether a skill is improving or regressing. The piece is practical — it names the failure modes and ties each to a fix — and lands at the right moment as security teams begin building skill libraries internally. Pair this with the OpenAI macro-evals cookbook (#24) for a defensible skill-design and skill-evaluation methodology.
Read article →
13. 21 LLMs tuned for special domains
InfoWorld · May 2026
A survey of 21 domain-tuned LLMs spanning legal, medical, code, finance, and security with capability notes and usage tradeoffs. For security buyers it’s a useful reference when deciding whether to fine-tune, retrieve, or default to a frontier general model for an internal workload — an increasingly common procurement question as cost-aware teams look for cheaper substitutes. Treat the list as a starting point for build-vs-buy conversations rather than a definitive ranking; many of the entries are still moving targets.
Read article →
14. Okta pushes vendor-neutral identity governance for AI agents
BiometricUpdate · May 2026
Okta proposed a vendor-neutral identity framework for AI agents, directly challenging the hyperscaler-bound agent-identity stacks emerging from Microsoft and Google. The pitch is that agent identity should sit outside any single cloud, on the same control plane that already governs humans and machines. For enterprises building multi-cloud agent estates the argument is strong; for hyperscalers it’s a competitive threat. Watch which standards bodies pick it up — that will determine whether vendor-neutral agent identity becomes a real lane or an Okta-only marketing position.
Read article →
15. Tamnoon introduces skill-based AI orchestration for autonomous cloud defense
Help Net Security · May 26, 2026
Tamnoon launched TAMI AI Skills, skill-based orchestration that strings autonomous cloud-defense workflows across detection, remediation, and posture management. It’s the latest example of agentic cloud security shipping as a productized category rather than a custom integration. Procurement angle: ask how skills are versioned, how they handle rollback when a remediation goes wrong, and whether the orchestration layer enforces approval gates for high-impact actions — the design choices that separate an autonomous defender from a foot-gun.
Read article →
16. AI security needs a shift from models to systems, researchers argue
CSO Online · May 2026
Researchers argue that AI security has over-indexed on model-level evals and now has to move to systems-level threat modeling — covering data flows, tool use, and human-AI handoffs. The framing matters because most production failures are not model failures but composition failures: a safe model wired to an unsafe tool, or a careful prompt subverted by an upstream summarization step. Use it to reset internal AI threat models away from “is the model jailbroken?” toward “what can the system actually do when something goes wrong?”
Read article →
17. Coming Soon: Gemini to Add Adobe, Canva, and CapCut for AI Editing
eWeek · May 2026
Google previewed forthcoming integrations connecting Gemini to Adobe, Canva, and CapCut for in-flow AI editing. The headline is consumer/creative; the security implication is enterprise data flow. Each new agent-to-app integration creates a new data path that DLP, IRM, and content-classification systems have to recognize. Security teams should map these integrations as they ship and decide pre-emptively which to allow, which to broker, and which to block at the SASE or browser-extension layer.
Read article →
18. The AI agent bottleneck isn’t model performance — it’s permissions
VentureBeat · May 2026
The argument: the binding constraint on enterprise agent deployment is not model capability but authorization and permissions architecture. Agents are blocked from acting at scale because they don’t have a coherent way to inherit, delegate, or scope rights across tools and tenants. The piece reframes the procurement conversation away from model benchmarks and toward identity, delegation, and policy engines. It pairs cleanly with the Okta and Microsoft pieces in this issue — permissions are the layer everyone is now competing to own.
Read article →
19. Opus 4.8 Made Claude Smarter. Token Discipline Got Urgent.
The New Stack · May 2026
Opus 4.8’s capability gains amplify the cost and operational risks of unbounded agent loops, and the piece argues token discipline has become a first-class design concern rather than a finance afterthought. Security teams should care because runaway loops are not just expensive — they are an attack surface (cost-amplification denial-of-wallet, prompt-injection-induced context bloat). The recommended primitives — hard token budgets per task, observable cost telemetry, automatic suspension on anomaly — double as both finance and security controls.
Read article →
20. DNS-AID will make AI agents easier to discover, says Linux Foundation
InfoWorld · May 2026
The Linux Foundation proposed DNS-AID, an agent-discovery protocol layered on DNS. The discoverability story is compelling — agents need a way to find each other — but the security tradeoff is direct: a successful DNS-AID makes the agent population trivially enumerable to defenders and attackers alike. Network security teams should engage early on resolver-level controls, anti-enumeration patterns, and rate-limiting, the same way they did when service-discovery on internal networks first went public.
Read article →
21. Microsoft is building a super app combining coding, chat, and other Copilot AI tools
Fortune · May 29, 2026
Fortune reports Microsoft is consolidating Copilot capabilities into a single super app spanning coding, chat, productivity, and agent orchestration. The consolidation reshapes how agents reach enterprises — a single client surface means a single set of policy-enforcement points, a single telemetry stream, and a single negotiation table for enterprise buyers. Security teams should plan for both sides: simpler control on the Microsoft estate, and increased pressure on every other vendor whose agent stack now has to compete with a bundled hyperscaler default.
Read article →
22. Debugging the undebuggable: building observability into probabilistic AI systems
The New Stack · May 2026
A practical guide to observability for probabilistic AI systems — covering telemetry, replay, and root-cause workflows for non-deterministic agent behavior. The piece is engineering reference material that security and AI-ops teams should adopt jointly: incident response on agents is impossible without the ability to reconstruct what the agent saw and decided. Look especially at the patterns for capturing prompt, context, and tool-call traces at the call site, where they remain useful weeks later when an unexpected behavior finally surfaces.
Read article →
23. Reactor, real-time AI video startup founded by ex-Apple engineers, raises $59M
Variety · May 2026
Reactor raised $59M led by Jeffrey Katzenberg to scale real-time AI video. The funding is a leading indicator for the synthetic-media attack surface defenders will face: every dollar invested upstream in cheaper, faster, more realistic generation translates into harder downstream detection problems for fraud, KYC, and trust & safety teams. Security leaders should be in conversation now with synthetic-media detection vendors and identity providers about live-call attestation, watermarking adoption, and the limits of detection-only strategies.
Read article →
24. Macro Evals for Agentic Systems
OpenAI Cookbook · May 2026
OpenAI published a macro-eval cookbook for agentic systems — covering scenario coverage, behavioral metrics, and CI integration. The cookbook is a defensible methodology security teams can adapt for agent risk testing: it shifts evals from one-shot benchmarks to ongoing, scenario-grounded suites that catch regression over time. Combine it with RAMPART (#2) for red-teaming and the agent-skill design critique (#12) for skill-level coverage, and you have a credible end-to-end agent-assurance pipeline that CI can actually run on every change.
Read article →
|
