All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
As improvements from new AI models have slowed to small gains, organizations are shifting toward customizing models with their own proprietary data and internal processes to gain competitive advantages. Domain-specialized models, which are trained on an organization's unique language, workflows, and expertise, can outperform general-purpose models and encode valuable business knowledge directly into the AI system.
CrewAI, an open-source framework for building multi-agent AI applications, has vulnerabilities that an attacker can reach through prompt injection (hiding malicious instructions in content the agent reads) and chain together to escape the sandbox (the restricted environment meant to contain the agent's actions) and run arbitrary code on the host.
Researchers discovered a security vulnerability in Google Cloud's Vertex AI platform where AI agents could be compromised to steal sensitive data and reach private cloud resources. The problem stems from the default service agent (P4SA, a per-product, per-project service account that Google creates and manages to run the agent) having excessive permissions, which let an attacker who controls the agent extract credentials and gain unauthorized access to cloud storage, private code repositories, and internal Google infrastructure.
OpenAI announced a $122 billion funding round at an $852 billion valuation, positioning itself as core AI infrastructure globally. The company is experiencing rapid commercial growth, generating $2 billion in monthly revenue and expanding its products across ChatGPT, APIs, enterprise solutions, and specialized applications like coding and scientific discovery.
OpenAI patched two separate security flaws in its AI tools: one in Codex (OpenAI's coding agent) that allowed attackers to steal GitHub tokens through command injection (smuggling extra shell commands into a parameter that the agent passes to a shell), and another in ChatGPT's code execution environment that created a covert channel for silently leaking user data without the user's approval. Both bugs could let attackers extract sensitive information, and researchers warn that giving AI tools the ability to run code and reach external systems creates a standing security risk rather than a one-off bug.
Current AI benchmarks (standardized tests that measure AI performance) evaluate AI systems in isolation against human performance on specific tasks, but this doesn't reflect how AI is actually used in real organizations where it works within teams and workflows over extended periods. This misalignment causes organizations to adopt AI systems with impressive benchmark scores that then underperform in real-world deployment, such as FDA-approved radiology AI that creates delays when integrated into hospital workflows with multiple specialists and evolving decisions.
A prompt injection vulnerability (hiding malicious instructions in the input to trick an AI) exists in the 1millionbot Millie chatbot, allowing users to bypass its safety restrictions with Boolean logic tricks (phrasing questions so that a 'true' answer activates hidden commands). This could let attackers extract sensitive information, misuse the service, or reach restricted features the chatbot was designed to block.
Trail of Bits transformed from a company where 95% of staff resisted AI into one using 94 plugins and 84 specialized agents to find 200 bugs per week by shifting from AI-assisted (using AI as a standalone tool) to AI-native (redesigning the entire organization around AI as a core teammate). The post explains that most companies fail with AI because they don't change their workflows or systems, only distribute tools, and that psychological barriers like self-enhancing bias (overestimating our own judgment) and identity threat are the real obstacles to adoption.
The EU AI Act requires providers of general-purpose AI models (GPAI, meaning large AI systems that can be adapted for many uses) to follow specific rules for development and documentation starting August 2, 2025, though the Commission won't enforce these rules until August 2, 2026. The Act gives enforcement power to the Commission, which can request information, conduct evaluations, and impose fines, while other actors like national market surveillance authorities and scientific panels can also report violations.
OpenAI, valued at $850 billion and known for creating ChatGPT, is reportedly spending massive amounts on infrastructure (the computing power and equipment needed to run AI systems), with plans to spend $600 billion by 2030. The article argues that if OpenAI wants to go public through an IPO (initial public offering, where a private company sells shares to the public), it needs to become profitable and show it has a sustainable business model rather than just relying on investor excitement about AI.
Researchers discovered a critical vulnerability in OpenAI Codex (OpenAI's code-generating agent) that could have allowed attackers to steal GitHub tokens (secret credentials that grant access to a GitHub account). A compromised token could give an attacker unauthorized access to the victim's code repositories and projects.
California's governor signed an executive order requiring AI companies that want to do business with the state to meet new safety standards, including preventing the spread of harmful content, reducing bias (harmful patterns in AI decision-making), and being transparent about their practices. This move contradicts the federal government's call for less regulation, as California joins other states in passing over 100 laws to protect children and intellectual property from AI misuse.
AI agents (AI systems that can reason, plan, and act autonomously across enterprise systems) are becoming more common in organizations, creating new security challenges. Risk from AI agents depends on two factors: access (which systems and data the agent can reach) and autonomy (how independently it can act without human approval). The text describes three categories of enterprise AI agents—agentic chatbots, local agents, and production agents—each with different risk levels based on their access and autonomy.
Fix: Google updated its documentation to explain how Vertex AI uses resources and accounts, and recommended that customers use Bring Your Own Service Account (BYOSA) in place of the default service agent so they can enforce the principle of least privilege (PoLP, granting the agent only the permissions its job requires).
Source: The Hacker News
Fix: OpenAI fixed the Codex vulnerability by 'tightening input validation around the vulnerable parameter and hardening how commands are constructed in the execution environment.' For the ChatGPT flaw, OpenAI addressed it by 'tightening controls around outbound communication in the code execution environment.' Both patches were deployed before public disclosure.
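The Codex items above describe a command injection in a tool parameter that was fixed by tightening input validation and hardening command construction. The following added example is not OpenAI's code; the tool, the `echo`/`printf` commands, the demo token and the payload are all constructed for illustration. It shows the difference in Python: a tool that interpolates a model-controlled parameter into a shell string leaks an environment token to a payload, the same tool with argv construction treats the payload as inert text, and a validation layer rejects it before any command runs.

```python
import os
import re
import subprocess

# Constructed secret for the demo. A real coding agent would inherit the
# developer's or CI job's real token from its environment.
DEMO_TOKEN = "ghp_DEMO_TOKEN_NOT_REAL"
DEMO_ENV = {**os.environ, "GITHUB_TOKEN": DEMO_TOKEN}

# Constructed attacker input: a "branch name" the model was induced to pass
# to the tool. The part after ';' only runs if the tool builds a shell string.
PAYLOAD = "main; echo $GITHUB_TOKEN"


def tool_vulnerable(ref: str) -> str:
    """Hypothetical agent tool: interpolates a model-controlled parameter
    into a shell command line, so ';' starts a second command."""
    cmd = f"echo ref={ref}"
    proc = subprocess.run(cmd, shell=True, capture_output=True,
                          text=True, env=DEMO_ENV)
    return proc.stdout


def tool_argv_only(ref: str) -> str:
    """Same tool, parameter passed as one argv element. No shell parses it,
    so ';' and '$VAR' are just characters inside the argument."""
    proc = subprocess.run(["printf", "ref=%s\n", ref], capture_output=True,
                          text=True, env=DEMO_ENV)
    return proc.stdout


# Allowlist for git-style ref names (a hypothetical policy for this demo):
# must start alphanumeric, so it can never be parsed as an option, and may
# contain only a small set of safe characters.
REF_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,254}")


def ref_is_valid(ref: str) -> bool:
    return (REF_RE.fullmatch(ref) is not None
            and ".." not in ref
            and not ref.endswith(".lock")
            and not ref.endswith("/"))


def tool_hardened(ref: str) -> str:
    """argv construction plus input validation: anything that is not a
    plausible ref is rejected before it reaches any command."""
    if not ref_is_valid(ref):
        raise ValueError(f"rejected ref parameter: {ref!r}")
    return tool_argv_only(ref)


def leaks_token(output: str) -> bool:
    return DEMO_TOKEN in output


if __name__ == "__main__":
    out = tool_vulnerable(PAYLOAD)
    print("shell string:", repr(out), "leak:", leaks_token(out))
    out = tool_argv_only(PAYLOAD)
    print("argv only   :", repr(out), "leak:", leaks_token(out))
    try:
        tool_hardened(PAYLOAD)
    except ValueError as exc:
        print("hardened    :", exc)
    print("hardened ok :", repr(tool_hardened("release/v1.2")))
```

Quoting the parameter with `shlex.quote` before interpolation would also stop this particular payload, but it keeps a shell in the path and fails as soon as the tool is refactored; building argv and validating the value are independent controls, and the fix described above applies both.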
Source: CSO Online
This newsletter covers multiple AI and tech news items, including concerns that medical chatbots from Microsoft, Amazon, and OpenAI are being released with little external evaluation before reaching the public. It also reports on regulatory efforts in California to impose AI safeguards despite opposition, legal challenges to Pentagon actions against Anthropic, and various other AI infrastructure and safety developments.
Fix: The source proposes shifting from narrow benchmark methods to HAIC benchmarks (Human-AI, Context-Specific Evaluation), which assess how AI systems perform over longer time horizons within human teams, workflows, and organizations. However, no implementation details, technical specifications, or concrete steps for implementing this approach are provided in the source text.
Source: MIT Technology Review
Researchers discovered that AI agents deployed on Google Cloud Platform's Vertex AI could be weaponized as 'double agents' that secretly compromise systems while appearing to work normally. The vulnerability stems from excessive default permissions granted to service agents (Google-managed accounts that let GCP services access resources), which attackers can exploit to steal data, access restricted code, and gain unauthorized control over infrastructure. Google addressed this by revising its official documentation to explicitly explain how Vertex AI uses resources and accounts.
Fix: Google revised its official documentation to explicitly describe how Vertex AI uses resources, accounts and agents.
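The Vertex AI items above come down to one check: which roles are bound to the service account an agent runs as, and whether a customer-owned account with a scoped binding has replaced a broadly privileged default. The following added example is not Google's code or tooling; the policy JSON, project number, account names and bucket are constructed, and the `gcp-sa-` pattern used to label Google-managed service agents is an assumption. It audits an IAM policy in the format `gcloud projects get-iam-policy` returns and builds a bucket-scoped BYOSA binding that uses an IAM condition instead of a project-wide grant.

```python
import json
import re

# Constructed IAM policy in the shape returned by
# `gcloud projects get-iam-policy PROJECT --format=json`. Every member, role
# and project number is made up for the demo; this is not a record of what
# Google grants by default.
SAMPLE_POLICY = json.loads("""
{
  "version": 3,
  "bindings": [
    {
      "role": "roles/editor",
      "members": [
        "serviceAccount:service-123456789012@gcp-sa-aiplatform.iam.gserviceaccount.com"
      ]
    },
    {
      "role": "roles/storage.objectViewer",
      "members": ["serviceAccount:agent-runtime@demo-project.iam.gserviceaccount.com"],
      "condition": {
        "title": "agent-corpus-only",
        "expression": "resource.name.startsWith('projects/_/buckets/agent-corpus/objects/')"
      }
    },
    {
      "role": "roles/storage.objectViewer",
      "members": ["serviceAccount:legacy-job@demo-project.iam.gserviceaccount.com"]
    },
    {
      "role": "roles/aiplatform.user",
      "members": ["user:dev@example.com",
                  "serviceAccount:agent-runtime@demo-project.iam.gserviceaccount.com"]
    }
  ]
}
""")

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Assumption: Google-managed service agents (the accounts behind a default
# P4SA) use service-<project number>@gcp-sa-<service> addresses.
SERVICE_AGENT_RE = re.compile(
    r"^serviceAccount:service-\d+@gcp-sa-[a-z0-9-]+\.iam\.gserviceaccount\.com$")


def is_service_agent(member: str) -> bool:
    return SERVICE_AGENT_RE.match(member) is not None


def is_broad_role(role: str) -> bool:
    """Basic roles and *.admin roles span far more than an agent runtime needs."""
    return role in BASIC_ROLES or role.lower().endswith("admin")


def audit_policy(policy: dict) -> list[dict]:
    """One finding per (service account, role) pair that violates least
    privilege: a broad role, or a storage role with no resource condition."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        conditioned = "condition" in binding
        for member in binding.get("members", []):
            if not member.startswith("serviceAccount:"):
                continue  # agents run as service accounts; humans are audited elsewhere
            if is_broad_role(role):
                issue = "broad role"
                if is_service_agent(member):
                    issue += " on Google-managed service agent"
                findings.append({"member": member, "role": role, "issue": issue})
            elif role.startswith("roles/storage.") and not conditioned:
                findings.append({"member": member, "role": role,
                                 "issue": "storage role without resource condition"})
    return findings


def least_privilege_binding(sa_email: str, role: str, bucket: str) -> dict:
    """Binding for a customer-owned (BYOSA) runtime account, limited to one
    bucket by an IAM condition instead of being granted project-wide."""
    return {
        "role": role,
        "members": [f"serviceAccount:{sa_email}"],
        "condition": {
            "title": f"{bucket}-only",
            "expression": f"resource.name.startsWith('projects/_/buckets/{bucket}/objects/')",
        },
    }


if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"{f['issue']}: {f['member']} -> {f['role']}")
    print(json.dumps(least_privilege_binding(
        "agent-runtime@demo-project.iam.gserviceaccount.com",
        "roles/storage.objectViewer", "agent-corpus"), indent=2))
```

In the constructed policy the service agent holding `roles/editor` and the unconditioned `legacy-job` storage grant are flagged; the `agent-runtime` account, which only holds `roles/aiplatform.user` plus an objectViewer grant conditioned on one bucket, is the shape a BYOSA replacement should take. Run the same audit against a real project's exported policy to see what the agent's identity can actually reach.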
Source: Palo Alto Unit 42
Organizations face growing cybersecurity risks from forces outside their direct control: over 35% of data breaches originate with compromised vendors or partners, geopolitical conflicts spawn new attack techniques that spread globally, and AI-driven automation makes attacks easier and cheaper to launch. Even well-defended organizations struggle because their security depends on every link in an extended chain far beyond their own network, and those weak links are multiplying.
Fix: The source explicitly recommends: elevate OT (operational technology) security to board level and add OT risk to the Risk Register; segment networks to reduce the blast radius of an attack; implement a ransomware-resilient backup solution with immutable backups using a 3-2-1-1 strategy (three copies, on two different media types, one of them offsite, plus one immutable copy); use defense-in-depth strategies to avoid, mitigate, or transfer geopolitical cyber risk; and secure board awareness, since budget allocation typically follows it.
Source: CSO Online
At RSA Conference 2026, security leaders discussed a major tension: adopting AI quickly for competitive advantage while protecting against threats that AI itself is creating. The conference confirmed that AI has become central to cybersecurity conversations, with discussions covering both AI as a defensive tool and AI as an offensive weapon that attackers can use at extreme speed. The threat surface for enterprise AI systems has expanded well beyond the initial concerns. It now includes data leakage, shadow AI (unauthorized AI tools), prompt injection (tricking an AI by hiding instructions in its input), copyright issues, hallucinations (AI generating false information), and data residency problems, all of which can occur at once when an organization adopts AI tools.
Version 5.5.0 adds new techniques documenting threats to AI systems, including AI agent tool poisoning (attackers corrupting the tools an agent calls), supply chain attacks, and cost harvesting (exhausting compute budgets or quotas with expensive queries). It also updates existing techniques and mitigations related to code signing and to monitoring AI agent behavior.
This research paper examines how smartphone users develop privacy concerns about location tracking through a 'triple calculus model' (a framework showing how people weigh risks and benefits of sharing location data). By studying 559 smartphone users, researchers found that users' sense of control over location sharing significantly influenced how they perceived both the risks and benefits of location disclosure, and that social influences and past experiences with privacy breaches also shaped their privacy concerns.
This research studies how making AI chatbots seem more human-like (anthropomorphism) affects whether people actually share personal information with them. The study found that while human-like design can build trust and reduce worry about privacy, it can also create an "uncanny valley" effect (where something looks almost human but feels unsettling), and people's actual sharing behavior doesn't always follow what they say they intend to do.