AI Sec Watch

As companies adopt generative and agentic AI (AI systems that can take actions autonomously), they need to update their GRC (Governance, Risk & Compliance, the framework for managing rules, risks, and regulatory requirements) programs to account for AI-related risks. According to a 2025 security report, about 1 in 80 requests from company devices to AI services poses a high risk of exposing sensitive data, yet only 24% of companies have implemented comprehensive AI-GRC policies.

Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 have a CSRF vulnerability (cross-site request forgery, where an attacker tricks a logged-in user into unknowingly sending requests to a website). An attacker can create a malicious webpage that, when visited by someone authenticated to Parse Dashboard, forces their browser to send unwanted requests to the AI Agent API endpoint without their knowledge. This vulnerability is fixed in version 9.0.0-alpha.8 and later.

Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 have a security flaw in the AI Agent API endpoint (a feature for managing Parse Server apps) where authorization checks are missing, allowing authenticated users to access other apps' data and read-only users to perform write and delete operations they shouldn't be allowed to do. Only dashboards with the agent feature enabled are vulnerable to this issue.

Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 have security vulnerabilities in the AI Agent API endpoint that allow unauthenticated attackers to read and write data from any connected database using the master key (a special admin credential that grants full access). The agent feature must be enabled to be vulnerable, so dashboards without it are safe.

India has become the world's largest market for generative AI (artificial intelligence systems that can create text, images, and other content) app downloads in 2025, with installs jumping 207% year-over-year, but major AI companies like OpenAI and Google are now ending free promotional offers to convert users into paying subscribers. Despite India driving roughly 20% of global GenAI app downloads, it accounts for only about 1% of in-app purchases, and revenue has actually declined in recent months as companies rolled out cheaper or free options like ChatGPT Go. The challenge reflects a tension between rapid user growth and actual monetization (converting users into paying customers) in a price-sensitive market.

The U.S. Department of Defense is pressuring Anthropic, an AI company, to allow their technology to be used for surveillance and autonomous weapons systems (weapons that operate without human control) by threatening to label them a 'supply chain risk' that would prevent other defense contractors from using their AI. Anthropic has publicly stated these are 'bright red lines' they will not cross, and the article argues they should maintain this position rather than give in to government pressure.

Multiverse Computing, a Spanish startup, has released a free compressed AI model called HyperNova 60B 2602 that reduces the size of large language models (AI systems trained on massive amounts of text) to make them cheaper and faster to use. The company uses CompactifAI, a compression technology inspired by quantum computing (using principles from quantum mechanics to process information), to create models that are roughly half the size of the original while maintaining similar performance and accuracy. The model is now available for free on Hugging Face (a platform where developers share AI models) and includes improved support for tool calling and agentic coding (where AI systems can use external tools or plan sequences of actions).

OpenAI won a legal case against xAI, which had sued claiming that OpenAI stole its trade secrets (confidential information that gives a company a competitive advantage) and hired away its employees. The judge ruled that xAI failed to prove OpenAI actually did anything wrong, noting that while eight former xAI employees did move to OpenAI, there was no evidence that OpenAI directed them to steal anything.

The US Pentagon is threatening to remove AI company Anthropic from its supply chain and invoke the Defense Production Act (a law allowing the government to compel companies to produce goods for national security) unless Anthropic allows unrestricted use of its Claude AI chatbot for military applications by Friday evening. Anthropic has refused to allow its technology for certain uses, including autonomous kinetic operations (AI making final targeting decisions without human input) and mass domestic surveillance, citing safety concerns.