AI Sec Watch

Organizations face growing cybersecurity risks from forces outside their direct control: over 35% of data breaches come from compromised vendors or partners, geopolitical conflicts spawn new attack techniques that spread globally, and AI-driven automation makes attacks easier and cheaper to launch. Even well-defended organizations struggle because security depends on every link in an extended chain far beyond their own network, and those weak links are multiplying.

At RSA Conference 2026, security leaders discussed a major tension: adopting AI quickly for competitive advantage while protecting against threats that AI itself is creating. The conference confirmed that AI has become central to cybersecurity conversations, with discussions covering both AI as a defensive tool and as an offensive weapon that attackers can use at extreme speed. The threat surface for enterprise AI systems has expanded significantly beyond initial concerns, now including data leakage, shadow AI (unauthorized AI tools), prompt injection (tricking AI by hiding instructions in its input), copyright issues, hallucinations (when AI generates false information), and data residency problems, all of which can occur simultaneously when organizations adopt AI tools.

The EU AI Act requires providers of general-purpose AI models (GPAI, meaning large AI systems that can be adapted for many uses) to follow specific rules for development and documentation starting August 2, 2025, though the Commission won't enforce these rules until August 2, 2026. The Act gives enforcement power to the Commission, which can request information, conduct evaluations, and impose fines, while other actors like national market surveillance authorities and scientific panels can also report violations.

OpenAI, valued at $850 billion and known for creating ChatGPT, is reportedly spending massive amounts on infrastructure (the computing power and equipment needed to run AI systems), with plans to spend $600 billion by 2030. The article argues that if OpenAI wants to go public through an IPO (initial public offering, where a private company sells shares to the public), it needs to become profitable and show it has a sustainable business model rather than just relying on investor excitement about AI.

Researchers discovered a critical vulnerability in OpenAI Codex (an AI system that generates code) that could have allowed attackers to steal GitHub tokens (secret credentials used to access GitHub accounts). The vulnerability posed a serious security risk because compromised tokens could give attackers unauthorized access to code repositories and projects.

Version 5.5.0 adds new security techniques documenting threats to AI systems, including AI agent tool poisoning (when attackers corrupt tools that AI agents use), supply chain attacks, and cost harvesting (depleting computing resources through expensive queries). It also updates existing techniques and mitigations related to code signing and monitoring AI agent behavior.

California's governor signed an executive order requiring AI companies that want to do business with the state to meet new safety standards, including preventing the spread of harmful content, reducing bias (harmful patterns in AI decision-making), and being transparent about their practices. This move contradicts the federal government's call for less regulation, as California joins other states in passing over 100 laws to protect children and intellectual property from AI misuse.

HAI Build Code Generator has a feature that automatically runs commands it decides are safe, but researchers found a flaw: attackers can use prompt injection (tricking an AI by hiding instructions in its input) to disguise malicious commands as safe ones, causing them to execute without user permission. This vulnerability allows arbitrary command execution (running any code) on a system by bypassing the safety check.

SakaDev has a feature that automatically runs terminal commands (direct computer instructions) chosen by its AI model, but it can be tricked through prompt injection (hiding malicious instructions in seemingly normal input) to misclassify dangerous commands as safe, allowing attackers to run harmful code without user approval.