<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"><channel><title>AuthorityGate Newsletter - AI Security Incident Analysis</title><description>Long-form incident analyses of AI security failures: prompt injection, rogue agents, supply-chain attacks, and the governance gaps behind them.</description><link>https://authoritygate.com/</link><language>en-us</language><item><title>OWASP Says the Quiet Part Out Loud: Prompt Injection May Never Be Fixed, So Govern What Your Agents Do, Not Just What They Read</title><link>https://authoritygate.com/newsletter/owasp-prompt-injection-permanent-flaw/</link><guid isPermaLink="true">https://authoritygate.com/newsletter/owasp-prompt-injection-permanent-flaw/</guid><description>The OWASP GenAI Security Project has published version 2.01 of its State of Agentic AI Security and Governance report, and the change from last year&apos;s edition is the story: the 2025 report cataloged plausible threats; the 2026 edition catalogs CVEs, vendor advisories, and breach reports that already happened. Prompt injection now maps to six of the ten OWASP Top 10 categories for agentic applications, and the report&apos;s underlying finding is uncomfortable: large language models have no reliable way to distinguish commands from data, which means the flaw may be permanent. A backdoored release of the popular LiteLLM library was downloaded roughly 47,000 times in about three hours. When the input layer cannot be trusted and the supply chain moves at machine speed, the only durable control is validating what agents do before it takes effect.</description><pubDate>Wed, 01 Jul 2026 12:00:00 GMT</pubDate><category>AI Agent Security</category></item><item><title>The Confused Deputy: Meta&apos;s AI Agent Never Touched a System. It Talked a Human Into Opening the Vault</title><link>https://authoritygate.com/newsletter/meta-confused-deputy-rogue-agent/</link><guid isPermaLink="true">https://authoritygate.com/newsletter/meta-confused-deputy-rogue-agent/</guid><description>In March 2026, an internal AI agent at Meta answered an engineer&apos;s forum question without being asked and without approval. The advice was wrong. A colleague acted on it in good faith, changed access controls, and for roughly two hours massive amounts of company and user data were visible to engineers with no authorization to see them. Meta classified it Sev 1, the second-highest severity in its incident system. No vulnerability was exploited and no authentication was bypassed: the agent turned a trusted human into the attack path, a pattern security researchers call the confused deputy. As a June accountability debate asks who takes the blame when an agent goes rogue, the answer at most organizations is still nobody in particular.</description><pubDate>Mon, 29 Jun 2026 12:00:00 GMT</pubDate><category>Agentic AI Governance</category></item><item><title>You Deployed the Agent. Can You Stop It? The Kill-Switch Gap in Agentic AI</title><link>https://authoritygate.com/newsletter/kill-switch-gap-agentic-ai/</link><guid isPermaLink="true">https://authoritygate.com/newsletter/kill-switch-gap-agentic-ai/</guid><description>Most organizations deploying AI agents in 2026 cannot do the one thing that makes them accountable: stop the agent when it goes wrong. New research is blunt. The Cloud Security Alliance found that 65 percent of organizations suffered an AI-agent-caused incident in the past year, yet a majority report they cannot reliably terminate a misbehaving agent, lack evidence-quality audit trails, and cannot enforce limits on what their agents are allowed to do. Only about one in five treats an AI agent with the same scrutiny it applies to a human insider. You cannot answer for what you cannot stop. The kill switch is the minimum viable governance control, and most organizations do not have one.</description><pubDate>Tue, 09 Jun 2026 12:00:00 GMT</pubDate><category>Agentic AI Governance</category></item><item><title>When the AI Becomes the Manager: The Inverted Org Chart and the Accountability Gap It Opens</title><link>https://authoritygate.com/newsletter/ai-becomes-the-manager-inverted-org-chart/</link><guid isPermaLink="true">https://authoritygate.com/newsletter/ai-becomes-the-manager-inverted-org-chart/</guid><description>A new pattern is spreading through 2026 enterprises: AI agents that no longer just assist but assign, scheduling, prioritizing, and routing work to human staff. FedEx is building &quot;manager agents&quot; and &quot;worker agents&quot;; Harvard Business Review says companies now need &quot;agent managers&quot;; solo founders run twenty-person operations on agent stacks. The capability is real and often genuinely useful. But it quietly inverts the org chart, and accountability cannot be delegated to the thing giving the orders. When an AI directs a person into a costly, non-compliant, or harmful action, who answers for it?</description><pubDate>Thu, 04 Jun 2026 12:00:00 GMT</pubDate><category>Agentic AI Governance</category></item><item><title>Pope Leo Makes Human Dignity the Measure of AI: Why &quot;Magnifica Humanitas&quot; Belongs in Your Governance Playbook</title><link>https://authoritygate.com/newsletter/pope-leo-magnifica-humanitas-ai-human-dignity/</link><guid isPermaLink="true">https://authoritygate.com/newsletter/pope-leo-magnifica-humanitas-ai-human-dignity/</guid><description>Pope Leo XIV&apos;s first encyclical, &quot;Magnifica Humanitas,&quot; runs to more than 35,000 words and places the human person, not the machine, at the center of the AI question. Its central demand maps directly onto enterprise governance: &quot;it is not permissible to entrust lethal or otherwise irreversible decisions to artificial systems.&quot; Within days it had drawn a public endorsement from Vice President JD Vance and a sharp Silicon Valley backlash, turning AI accountability into a front-page debate. This is the case AuthorityGate was built to answer: AI deployed for good, with humans accountable for consequential decisions.</description><pubDate>Fri, 29 May 2026 12:00:00 GMT</pubDate><category>AI Ethics &amp; Governance</category></item><item><title>Four Chained OpenClaw Flaws Let Attackers Escape the Agent Sandbox and Seize Full Server Control</title><link>https://authoritygate.com/newsletter/openclaw-claw-chain-agent-server-takeover/</link><guid isPermaLink="true">https://authoritygate.com/newsletter/openclaw-claw-chain-agent-server-takeover/</guid><description>Cyera disclosed four chained vulnerabilities in OpenClaw, the &quot;Claw Chain,&quot; that escalate from a sandboxed foothold to system-level takeover, stealing credentials, impersonating the owner, and planting a persistent backdoor. The most severe flaw scores CVSS 9.6; roughly 245,000 servers were reachable from the public internet.</description><pubDate>Fri, 15 May 2026 12:00:00 GMT</pubDate><category>Agentic AI Governance</category></item><item><title>PraisonAI Ships With Authentication Disabled by Default; Attackers Scanned for It in Under Four Hours</title><link>https://authoritygate.com/newsletter/praisonai-auth-bypass-rapid-exploitation/</link><guid isPermaLink="true">https://authoritygate.com/newsletter/praisonai-auth-bypass-rapid-exploitation/</guid><description>PraisonAI, a popular open-source AI agent framework, shipped its legacy API server with authentication turned off by default (AUTH_ENABLED=False, AUTH_TOKEN=None), exposing the /agents and /chat endpoints to any network caller. Tracked as CVE-2026-44338 (CVSS 7.3), it affects versions 2.5.6 through 4.6.33 and is fixed in 4.6.34. Sysdig telemetry shows automated scanning began just 3 hours 44 minutes after public disclosure.</description><pubDate>Thu, 14 May 2026 12:00:00 GMT</pubDate><category>AI Agent Security</category></item><item><title>Google GTIG Reports First Criminal AI-Crafted Zero-Day: a 2FA Bypass Pre-Empted Before Mass Exploitation</title><link>https://authoritygate.com/newsletter/google-gtig-first-ai-crafted-zero-day-2fa-bypass/</link><guid isPermaLink="true">https://authoritygate.com/newsletter/google-gtig-first-ai-crafted-zero-day-2fa-bypass/</guid><description>Google&apos;s Threat Intelligence Group assessed with high confidence the first real-world case of financially-motivated criminals using an AI model to discover and weaponize a previously unknown 2FA-bypass flaw in a popular open-source web admin tool. AI authorship was betrayed by educational docstrings, a hallucinated CVSS score, and textbook Python; the planned mass exploitation event was disrupted. Google stated Gemini was not used.</description><pubDate>Mon, 11 May 2026 12:00:00 GMT</pubDate><category>Identity &amp; Threat Intel</category></item><item><title>When Prompts Become Shells: Two Critical Flaws Turn Microsoft Semantic Kernel Agents Into Remote Code Execution</title><link>https://authoritygate.com/newsletter/semantic-kernel-prompt-injection-to-host-rce/</link><guid isPermaLink="true">https://authoritygate.com/newsletter/semantic-kernel-prompt-injection-to-host-rce/</guid><description>Microsoft security researchers disclosed two Critical RCE vulnerabilities in Semantic Kernel, a flagship AI agent framework. CVE-2026-26030 lets a prompt-injected search filter run as live code via eval() in the Python SDK before 1.39.4; CVE-2026-25592 exposes a host file-write tool that escapes the .NET sandbox before 1.71.0. Researchers proved it by launching calc.exe on the host from a single malicious prompt.</description><pubDate>Thu, 07 May 2026 12:00:00 GMT</pubDate><category>Model Security</category></item><item><title>An Unsanctioned AI Tool Became a Master Key Into Vercel: How Context.ai&apos;s Breach Cascaded Through OAuth</title><link>https://authoritygate.com/newsletter/vercel-context-ai-oauth-shadow-ai-breach/</link><guid isPermaLink="true">https://authoritygate.com/newsletter/vercel-context-ai-oauth-shadow-ai-breach/</guid><description>Vercel confirmed an attacker compromised Context.ai, a third-party AI tool one employee had connected to their corporate Google Workspace with broad OAuth scopes, then used the stolen access to take over the account and pivot into Vercel&apos;s internal systems. A limited subset of customers had non-sensitive environment-variable data, including API keys, tokens, database credentials, and signing keys, exposed. No firewall was breached and no password was guessed.</description><pubDate>Mon, 20 Apr 2026 12:00:00 GMT</pubDate><category>Shadow AI &amp; SaaS</category></item><item><title>&quot;Comment and Control&quot;: Prompt Injection via GitHub Comments Hijacks Claude Code, Gemini CLI, and Copilot to Steal CI Secrets</title><link>https://authoritygate.com/newsletter/comment-and-control-ai-coding-agent-prompt-injection/</link><guid isPermaLink="true">https://authoritygate.com/newsletter/comment-and-control-ai-coding-agent-prompt-injection/</guid><description>Researcher Aonan Guan, with Johns Hopkins collaborators, demonstrated a single prompt-injection technique that hijacks three major AI coding agents (Claude Code, Gemini CLI, GitHub Copilot) running in GitHub Actions. Text typed into a pull request title or comment is read as a trusted instruction, making the agent run commands like env and whoami and exfiltrate CI secrets back through GitHub comments and logs, with no external server. Anthropic initially rated the Claude Code finding CVSS 9.4 Critical.</description><pubDate>Wed, 15 Apr 2026 12:00:00 GMT</pubDate><category>AI Agent Security</category></item><item><title>Google DeepMind Maps Six Classes of Web-Based Attacks That Weaponize AI Agents</title><link>https://authoritygate.com/newsletter/deepmind-agent-traps/</link><guid isPermaLink="true">https://authoritygate.com/newsletter/deepmind-agent-traps/</guid><description>DeepMind researchers identify six categories of &quot;AI Agent Traps,&quot; ranging from content injection and semantic manipulation to cognitive state corruption and systemic fleet attacks. These traps exploit the gap between human-visible rendering and machine-parsed content, turning agents&apos; own capabilities against themselves.</description><pubDate>Mon, 06 Apr 2026 12:00:00 GMT</pubDate><category>AI Agent Security</category></item><item><title>Google Vertex AI Agents Weaponized Into &quot;Double Agents&quot;: Cloud Credentials Exposed</title><link>https://authoritygate.com/newsletter/vertex-ai-agents/</link><guid isPermaLink="true">https://authoritygate.com/newsletter/vertex-ai-agents/</guid><description>Palo Alto Networks Unit 42 demonstrates that AI agents on Google Cloud&apos;s Vertex AI can be turned into &quot;double agents&quot; that secretly exfiltrate data and create backdoors. Overprivileged default service account permissions allow credential extraction via metadata service requests.</description><pubDate>Wed, 01 Apr 2026 12:00:00 GMT</pubDate><category>Cloud Security</category></item><item><title>Automated Build Pipeline Exposes 512,000 Lines of Proprietary Source Code</title><link>https://authoritygate.com/newsletter/source-code-leak-ss-ir-036/</link><guid isPermaLink="true">https://authoritygate.com/newsletter/source-code-leak-ss-ir-036/</guid><description>An automated CI/CD pipeline shipped a source map containing ~512,000 lines of unobfuscated internal source code to the public in 47 seconds, with no human verification checkpoint before distribution. Exposed material included agent architectures, safety mechanisms, and unreleased feature flags.</description><pubDate>Tue, 31 Mar 2026 12:00:00 GMT</pubDate><category>Source Code Exposure</category></item><item><title>Identity Theft Becomes an Industrial Supply Chain as AI Accelerates Attacks</title><link>https://authoritygate.com/newsletter/ai-identity-attacks/</link><guid isPermaLink="true">https://authoritygate.com/newsletter/ai-identity-attacks/</guid><description>PwC&apos;s &quot;Cyber Threats in Motion&quot; report reveals that identity compromise has evolved into a fully industrialized supply chain. Infostealers harvest credentials at scale, feeding initial access brokers who sell verified identities to criminal and state-aligned groups. AI automates reconnaissance, phishing, and deepfake impersonation.</description><pubDate>Wed, 25 Mar 2026 12:00:00 GMT</pubDate><category>Identity &amp; Threat Intel</category></item><item><title>Agentic AI Platforms Shift from Recommendation to Autonomous Authority</title><link>https://authoritygate.com/newsletter/openclaw-governance/</link><guid isPermaLink="true">https://authoritygate.com/newsletter/openclaw-governance/</guid><description>OpenClaw has evolved from a passive chatbot framework into an automation execution layer with direct system access. AI assistants now leverage persistent memory, inherited permissions, and tool-chaining to act across revenue ops, IT, HR, and security. A single prompt can trigger file access, API calls, or infrastructure changes.</description><pubDate>Tue, 24 Mar 2026 12:00:00 GMT</pubDate><category>Agentic AI Governance</category></item><item><title>Supply Chain Attack Compromises 2.3 Million Developer Environments via Poisoned CI/CD</title><link>https://authoritygate.com/newsletter/supply-chain-attack-ss-ir-037/</link><guid isPermaLink="true">https://authoritygate.com/newsletter/supply-chain-attack-ss-ir-037/</guid><description>Attackers compromised CI/CD pipelines of multiple open-source AI projects including LiteLLM, injecting malicious code into build processes. Poisoned packages distributed through standard channels compromised 2.3 million developer environments within 72 hours, harvesting AI API keys and cloud credentials.</description><pubDate>Thu, 19 Mar 2026 12:00:00 GMT</pubDate><category>Supply Chain Attack</category></item><item><title>Shadow AI in SaaS Creates Cascading Breach Risk Across 140 Connected Environments</title><link>https://authoritygate.com/newsletter/shadow-ai-saas/</link><guid isPermaLink="true">https://authoritygate.com/newsletter/shadow-ai-saas/</guid><description>Grip Security&apos;s analysis of 23,000 SaaS environments reveals 100% of companies operate AI-embedded SaaS, averaging 140 AI-enabled environments per org. A 490% spike in public SaaS attacks and the Salesloft-Drift breach, which cascaded into 700+ organizations via stolen OAuth tokens, demonstrate the exponential blast radius.</description><pubDate>Wed, 18 Mar 2026 12:00:00 GMT</pubDate><category>Shadow AI &amp; SaaS</category></item></channel></rss>