AI Sec Watch

Agentic AI systems (autonomous AI that can retrieve data, invoke tools, and take actions using real permissions) are moving into production, but they introduce unique security risks because failures aren't limited to a single response—they can trigger automated sequences of actions with real-world consequences. The OWASP Top 10 for Agentic Applications (2026) identifies ten key risks in these systems, such as goal hijacking (where an agent's objectives are redirected through injected instructions) and tool misuse (where legitimate tools are exploited through unsafe chaining or ambiguous instructions).

The Pentagon tried to punish AI company Anthropic by labeling it a supply chain risk (a designation that restricts who can do business with the government) after disagreements over a direct contract, but a California judge blocked this action. The judge found that the government's actions violated proper procedures and were really an attempt to punish Anthropic's ideology rather than address legitimate security concerns, with senior officials making public posts about the dispute before following legal processes.

Okta, a company that manages login and security across business applications, is facing pressure from AI tools that could let companies build their own management systems instead of paying for Okta's service. CEO Todd McKinnon says the company is responding by adopting AI and LLMs (large language models, which are AI systems trained on massive amounts of text) to stay competitive and secure, and is focusing on a new opportunity: managing the identity and access of AI agents (automated AI systems that can take actions on their own) within corporations, not just human employees.

Large language models (LLMs, AI systems trained on massive amounts of text) can quickly generate complex access control code in languages like Rego and Cedar, but even small errors, such as a missing condition or a made-up attribute (hallucination, when an AI invents false information), can accidentally weaken an organization's least-privilege security model (a system where users get only the minimum permissions they need).

A critical flaw in Citrix NetScaler ADC and NetScaler Gateway (CVE-2026-3055, a CVSS score of 9.3 measuring severity on a 0-10 scale) is being actively exploited to leak sensitive information through insufficient input validation, a failure to properly check data before processing it. The vulnerability only affects systems configured as SAML Identity Providers (SAML IDPs, which are services that verify user identities). Additionally, a Chinese state-sponsored group called Red Menshen deployed stealthy kernel implants called BPFDoor deep in telecom networks worldwide to secretly monitor traffic without being detected.

Text-to-image models (AI systems that generate pictures from written descriptions) can be misused to create unsafe content like sexually explicit or violent images. PromptGuard is a new safety technique that uses a soft prompt (a special text input optimized for safety that works within the model's internal text processing layer) to moderate unsafe requests and prevent the generation of such content while still producing high-quality normal images.

This research proposes new methods for fine-tuning (customizing a trained AI model for specific tasks) large language models while protecting sensitive data using differential privacy (a technique that adds noise to data to prevent identifying individuals). The paper introduces DP-ZOSO and DP-ZOPO, which use zeroth-order gradient approximation (estimating how to improve the model without calculating exact mathematical directions) instead of traditional methods, making the process faster and more scalable while maintaining privacy protection.

This research addresses a problem where adversarial training (a method to make AI models resistant to adversarial attacks, which are carefully crafted inputs designed to fool the model) works poorly when training data is imbalanced, meaning some classes have many examples while others have very few. The authors propose Tail-Aware Dynamic Adversarial Training (TAD-AT), which improves robustness by adjusting the training loss, attack strategy, and weight averaging to account for which classes are most vulnerable to attacks, rather than just how many examples exist per class.

Researchers discovered a vulnerability in ChatGPT that could leak sensitive user data (like medical records, financial information, and internal documents) from conversations without the user's knowledge or permission. Although OpenAI has since fixed the issue, the discovery highlights an important lesson: AI tools should not be automatically trusted to be secure just because they are popular or widely used.