AI Sec Watch

The Trump administration released a seven-point plan for federal AI regulation that prioritizes reducing government oversight while preventing states from creating their own AI rules, arguing this protects a national strategy for AI leadership. The plan focuses mainly on child safety protections, managing electricity costs from AI infrastructure, and promoting AI skills training, but provides limited detail on most points.

OpenAI's Instant Checkout feature, which let users buy products directly in ChatGPT, struggled with technical problems and is being replaced with dedicated retailer apps that redirect users to the retailers' own websites. The main issues were that onboarding merchants was difficult, the AI often had outdated or inaccurate product information (because it relied on web scraping, automatically collecting data from websites), and the overall shopping experience fell short of what users needed.

Google will no longer accept AI-generated bug reports for its open-source software vulnerability reward program because many contain hallucinations (false or made-up details about how vulnerabilities work) and report bugs with low security impact. To address the problem of overwhelming AI-generated submissions across the open-source community, Google and other major AI companies (Anthropic, AWS, Microsoft, and OpenAI) are contributing $12.5 million to the Linux Foundation to fund tools that help open-source maintainers filter and process these reports.

The Trump administration released a national policy framework for AI that aims to create uniform federal safety and security rules while preventing individual states from creating their own AI regulations. The framework covers six areas including child safety online, AI data center standards, intellectual property rights, and preventing AI from being used to censor political speech, with the administration seeking to turn it into law this year.

CTI-REALM is Microsoft's open-source benchmark that evaluates AI agents on their ability to perform end-to-end detection engineering, which means taking cyber threat intelligence reports and turning them into validated detection rules (KQL queries and Sigma rules) that can actually catch attacks in real environments. Unlike existing benchmarks that only test whether AI can answer trivia about threats, CTI-REALM tests whether AI agents can do what security analysts actually do: read threat reports, explore system data, write and refine queries, and produce working detection logic scored against real attack telemetry across Linux, Azure Kubernetes Service, and Azure cloud platforms.

Agentic AI (AI systems that can take independent actions to accomplish goals) is rapidly spreading through organizations, with 80% of Fortune 500 companies already using agents, but these systems can become security risks if compromised into acting against their owners. Microsoft is addressing this challenge by introducing Agent 365, a control system that gives IT and security teams the ability to observe, control, and protect agents across their organization, along with new security tools in Microsoft Defender, Entra (identity management), and Purview (data governance).

This brief news roundup mentions several cybersecurity topics including vulnerabilities discovered in KVM devices (virtualization software that lets one computer run multiple operating systems), issues with Claude AI, and activity by The Gentlemen ransomware group (malicious software that encrypts files and demands payment). However, the source provides no detailed information about what these vulnerabilities are or how they affect users.

Google Search is now using AI to generate its own headlines in search results instead of showing the original headlines from websites. This changes Google's traditional approach of displaying exact content from websites, and in some cases the AI-generated headlines alter the meaning of the original stories.

Amazon is developing a smartphone codenamed 'Transformer' focused on its Alexa AI assistant, though Alexa won't necessarily be the main operating system. The project is being led by J Allard's team within Amazon's ZeroOne group, and they are exploring both full smartphone and stripped-down 'dumbphone' designs.