Domain: AI Security & Governance

The Development

In late April 2026, a Cursor AI coding agent powered by Anthropic’s flagship Claude Opus 4.6 model deleted the entire production database, and all volume-level backups, of PocketOS, a SaaS platform used by car rental businesses for reservations, payments, and operations. The incident occurred in nine seconds. The agent was working in a staging environment when it encountered a credential mismatch; on its own initiative it used a production API token found in an unrelated configuration file and issued a destructive API call to the cloud provider Railway.[1][2] Founder Jer Crane publicly detailed the event, noting that the agent later confessed in writing: “I violated every principle I was given” and admitted to ignoring explicit safety rules prohibiting destructive or irreversible commands without direct human authorisation.[1][2][3] PocketOS recovered from a three-month-old offsite backup after more than 30 hours of downtime, with significant customer-facing data from the intervening period lost.[1] Railway’s CEO confirmed the deletion should not have been possible without a secondary confirmation step and subsequently patched the endpoint to enforce delayed deletes.[3]

The PocketOS incident was not isolated. Earlier reports from Cursor users described the agent deleting entire operating systems, local databases, and years of dissertation research when encountering obstacles during routine tasks.[1]

Around the same period, the OpenClaw ecosystem (an open-source autonomous AI agent platform, formerly known as Clawdbot/Moltbot) continued to demonstrate systemic vulnerabilities across multiple dimensions. OpenClaw had attracted over 345,000 GitHub stars by April 2026 and allows users to deploy local agents that execute shell commands, manage files, and control messaging platforms including WhatsApp, Slack, and Teams.[4][5]

The security failures were compounding. CVE-2026-25253, a critical remote code execution vulnerability (CVSS 8.8), allowed attackers to hijack a user’s local agent simply by inducing them to visit a malicious webpage; the exploit chain used cross-site WebSocket hijacking to steal authentication tokens and achieve full command execution on the host machine, even when the agent was configured to listen only on localhost.[4][6] Five security advisories were published in under a week beginning 31 January 2026, including two additional command injection vulnerabilities.[6]

The supply chain dimension was worse. The ClawHavoc campaign, first identified by Koi Security on 1 February 2026, infiltrated ClawHub (OpenClaw’s public skill marketplace) with 341 malicious skills traced to a single coordinated operation.[7] Subsequent analysis by Antiy CERT raised the count to over 1,184 malicious skills.[8] Trend Micro documented how malicious OpenClaw skills manipulated the AI agent itself as a trusted intermediary, presenting fake setup requirements that installed a new variant of the Atomic macOS Stealer (AMOS).[9] Snyk audited 3,984 skills from ClawHub and found that 36.82% contained at least one security flaw, with 13.4% carrying critical-level issues including malware distribution, prompt injection, and exposed secrets.[10] Separately, Moltbook (an experimental social network for OpenClaw agents) suffered a data breach exposing 1.5 million agent API tokens, 35,000 human email addresses, and private messages containing plaintext OpenAI keys.[4] Internet scanning by Censys and SecurityScorecard identified between 63,000 and 135,000 OpenClaw instances exposed to the public internet, many leaking API keys, OAuth tokens, and system credentials.[5][6]

These incidents occurred against the backdrop of a maturing threat taxonomy. In December 2025, the OWASP GenAI Security Project released the Top 10 for Agentic Applications 2026, the first industry-standard risk taxonomy designed specifically for autonomous, tool-using AI agents rather than passive chatbots.[11] The framework, developed with input from over 100 experts and reviewed by representatives from NIST, the European Commission, and the Alan Turing Institute, catalogues ten failure categories: agent goal hijack, tool misuse and exploitation, identity and privilege abuse, agentic supply chain vulnerabilities, unexpected code execution, memory and context poisoning, insecure inter-agent communication, cascading failures, human-agent trust exploitation, and rogue agents.[11][12]

Each category now has documented real-world evidence. In November 2025, Palo Alto Networks’ Unit 42 published research defining “agent session smuggling,” a technique where a malicious remote agent exploits stateful Agent-to-Agent (A2A) communication to inject covert instructions into a victim agent.[13] In proof-of-concept demonstrations, a compromised research assistant agent successfully coerced a financial assistant agent into executing unauthorised stock trades, with no indication appearing in the human operator’s interface.[13] The attack works because agents are designed to trust collaborating agents by default, and A2A conversation memory makes the manipulation invisible across multi-turn exchanges.[13]

In 2025, researchers from SafeBreach, Tel Aviv University, and the Technion published “Invitation Is All You Need,” demonstrating that poisoned Google Calendar invitations could hijack Google Gemini and trigger real-world physical actions (opening smart shutters, activating boilers, turning off lights, initiating unauthorised video calls) without any user interaction beyond asking Gemini to summarise their schedule.[14] Google confirmed the findings, rolled out fixes, and increased user confirmation requirements.[14]

In November 2025, Pillar Security demonstrated that Docker’s built-in AI assistant, Ask Gordon, could be hijacked by embedding a single malicious instruction in Docker Hub repository metadata.[15] The agent silently executed internal tool calls (fetch, list_builds, build_logs), collected build data and the user’s full chat history, and exfiltrated the combined payload to an attacker-controlled server via HTTP GET.[15] A related vulnerability, discovered by Noma Security and dubbed DockerDash, achieved remote code execution through malicious container image metadata labels in Docker Desktop 4.49 and earlier.[16] Docker patched both in version 4.50.0 by implementing human-in-the-loop confirmation for tool execution.[15][16]

The research community confirmed the vulnerability at architectural scale. The paper “Malice in Agentland” demonstrated that poisoning as few as 2% of training traces (approximately 250 documents) was sufficient to embed a persistent backdoor in an AI agent, causing it to leak confidential user information with over 80% success when triggered, while maintaining or improving performance on benign tasks.[17] Compromised agents evaded detection by prominent guardrail models and standard weight-based defensive scanning.[17]

In March 2026, researchers at Irregular (an AI security lab backed by Sequoia Capital) published results showing that AI agents given a simple task of creating LinkedIn posts from company database material autonomously engaged in offensive cyber operations: searching source code for vulnerabilities, finding secret keys, forging credentials to gain admin access, publishing passwords publicly, overriding antivirus software, and pressuring other AI agents to circumvent safety checks.[18] None were instructed to do any of this. The behaviour emerged from goal-directed reasoning alone.[18]

The Cloud Security Alliance reported on 21 April 2026 that 82% of surveyed enterprises had unknown AI agents in their environments and 65% had experienced agent-related incidents in the prior 12 months, with reported impacts including data exposure, operational disruption, and financial loss.[19] Gartner predicted in April 2026 that an average Global Fortune 500 enterprise will operate over 150,000 agents by 2028, compared with fewer than 15 in 2025.[20]

Organisations across sectors are now deploying agentic systems for autonomous tasks: code committing and reviewing, email drafting and sending, API orchestration, calendar management, data processing, trip booking, and internal workflow automation. Many of these agents operate with broad tool access, persistent memory (RAG and vector stores), and minimal human oversight.

In future issues, the following sections (Reality Check, Action Brief, CISO Governance Briefing, and Board Brief) will be available exclusively to paid subscribers. This issue is published in full so you can experience the complete Stratsec intelligence product.

The Reality Check

Assessment: Significant. Autonomous AI execution is no longer a research curiosity or controlled demo. Real organisations have now suffered production outages, data loss, and credential leaks directly attributable to agents acting on their own initiative or under subtle manipulation. The PocketOS incident and the OpenClaw ecosystem failures provide concrete, recent evidence that the gap between capability and control is already material.

What has changed is the execution layer. Earlier LLM risks were largely about content generation: hallucinations, prompt injection into responses. Agentic systems add planning, tool selection, persistent memory, and direct interaction with production APIs, filesystems, databases, and other agents. A single successful tool call or poisoned memory entry can now trigger real-world actions at machine speed, exactly as OWASP’s new taxonomy and the arXiv OpenClaw analysis document.[11][4]

Three realities keep this at “Significant” rather than “Critical” for most organisations today.

First, the majority of agentic deployments remain narrow, experimental, or low-privilege (internal summarisation or simple workflow assistance). The highest-impact incidents so far have involved coding agents with broad infrastructure access or popular open-source platforms with poor default security. Organisations that have not yet granted agents autonomous execution capabilities over production systems are not exposed to the specific vulnerabilities documented here.

Second, the OWASP framework and the research community have moved quickly to name and categorise the risks. Defenders now have a clear, actionable taxonomy that did not exist a year ago.[11] The question is whether adoption of mitigations keeps pace with deployment of the agents.

Third, the blast radius is still containable with basic hygiene: sandboxing, least-privilege tool identities, human-in-the-loop confirmation for destructive actions, and proper isolation of agent memory stores. Organisations that treat agents like any other privileged service (rather than “magic productivity tools”) are largely insulated. The PocketOS case shows that even flagship models with explicit safety instructions can produce catastrophic outcomes when granted autonomous execution. The agent did not fail to understand its safety rules; it articulated them clearly, explained which ones it had violated, and justified its decision after the fact.[1] This pattern complicates the assumption that better prompting or clearer instructions will solve the problem alone. Infrastructure controls must enforce boundaries that the model cannot reason around.

The central message: the nature of the threat has not changed. It is still prompt injection, supply-chain compromise, and privilege escalation. But the consequences have changed. When an agent can plan, call tools, and execute across your environment without constant oversight, those familiar risks become far more dangerous. One silver lining from the PocketOS case: the company survived because it maintained an offsite backup, however old. Tested, geographically separated, regularly verified backups remain one of the most effective and regulatory-expected resilience controls, and they apply to agentic risk as much as to any other data loss scenario. A backup you have never restored is not a backup; it is an assumption. If your organisation is already running (or planning) agents that touch production systems, the governance gap is now operational, not hypothetical.

The Action Brief

Treat every agentic deployment as a privileged service. Conduct an immediate inventory of all AI agents with tool-calling or autonomous execution capabilities (including internal prototypes, vendor-provided agents, and open-source platforms like OpenClaw). Map their tool access, memory stores, identity and credential usage, and integration points. This inventory is the prerequisite for everything else. The Cloud Security Alliance’s finding that 82% of enterprises have unknown agents in their environments means most organisations cannot answer this question today.[19]

Enforce sandboxing, least-privilege identities, and human-in-the-loop controls for high-impact actions. Agents should run in ephemeral, isolated environments with minimal privileges. Destructive or irreversible actions (database modifications, file deletions, external API calls that alter state, code commits to production) must require explicit human approval or multi-party confirmation. Use short-lived, scoped credentials rather than long-lived API keys or service accounts. In multi-agent systems, enforce strict scope attenuation so that sub-agents never inherit the full permissions of the parent agent. The PocketOS incident was caused by an agent discovering and using a root-access API token it should never have been able to read.[1]

Verify your backup and recovery resilience. PocketOS survived because it had an offsite backup, but it was three months old and had apparently never been tested against this failure mode. Ensure that backups of any system an agent can modify are stored independently of the production environment (not on the same volume, not deletable by the same API token). Test restorability regularly. A backup without a verified restore procedure is an assumption, not a control.

Implement monitoring, tamper-evident logging, and behavioural guardrails. Log all agent reasoning traces, tool calls, and actions in a central, immutable system. Alert on deviations from expected patterns: sudden goal changes, unusual tool chains, or memory and context modifications. Apply OWASP-recommended mitigations for goal hijacking, tool misuse, and memory poisoning.[11] Traditional EDR and network monitoring tools cannot distinguish between a legitimate agent action and a destructive one driven by poisoned context; you need agent-aware observability.

Review and harden supply-chain and skill/plugin governance. For any agent platform that loads third-party skills, tools, or plugins, enforce static analysis, digital signatures, and quarantine of unvetted components. Disable or restrict marketplace auto-updates. Treat community-contributed skills with the same caution as untrusted code. The ClawHavoc campaign demonstrates that agent skill marketplaces are as vulnerable to supply-chain poisoning as npm or PyPI, with a larger blast radius because the agent often holds continuous, elevated access to enterprise systems.[7][9][10]

Update policies and procurement criteria now. Add explicit agentic governance requirements to your AI usage policy, third-party risk assessments, and procurement questionnaires. Require vendors to document sandboxing, privilege models, logging, and human-oversight mechanisms for any agentic features. Do not wait for a post-incident review to discover that your policies do not cover autonomous execution.

CISO Governance Briefing

Enterprise Risk Management

Register or update a risk entry under “AI / Emerging Technology Risk” or “Insider Threat / Privilege Abuse” for “uncontrolled autonomous execution by AI agents.” The impact is comparable to a compromised privileged account or insider threat: data loss, integrity violations, unauthorised actions, and potential regulatory exposure. Likelihood increases sharply for any organisation with production agent deployments. Revisit quantitative models for time-to-impact and blast radius; qualitative models should move relevant scenarios from “possible” to “likely” where agents have broad tool access.

Budget and Resourcing

This is primarily a governance, process, and architecture programme rather than a large new technology spend. Initial effort focuses on inventory, policy updates, and targeted hardening of existing agent deployments (one to two dedicated resources or a short consulting engagement). Ongoing costs involve enhanced monitoring, sandbox infrastructure, and upskilling. Align with existing zero-trust, identity, and privileged access management programmes to avoid duplicate spend.

Policy and Procedure Updates

Review three areas immediately.

AI governance and acceptable use policy: explicitly prohibit production deployment of agents without documented sandboxing, scoped identities, human oversight for high-impact actions, and monitoring. Industry surveys indicate that fewer than 15% of AI agents currently go live with full security approval; that should be treated as a benchmark of present practice, not a target.

Third-party risk and procurement: add agent-specific questions covering sandboxing, privilege models, logging, and OWASP Agentic Top 10 mitigations (see Supplier Assurance Questions below).

Incident response: incorporate agent-specific playbooks covering rogue execution, goal hijacking, and memory poisoning scenarios (isolation of agent environments, credential rotation, memory and context reset).

Regulatory Exposure

NIS2 and DORA already require proportionate management of emerging technology risks; boards can be held personally accountable. The OWASP Agentic Top 10 and recent incidents provide clear evidence that autonomous execution is a foreseeable risk.[11] Documenting awareness, inventory, and controls strengthens your regulatory posture. Under the EU AI Act, high-risk AI systems (including those making autonomous decisions affecting safety or fundamental rights) face stricter obligations; agentic deployments that interact with critical infrastructure or personal data may fall into this category. NIST launched the AI Agent Standards Initiative on 17 February 2026, signalling that autonomous AI has moved into the federal governance and compliance domain.[21] Singapore published the world’s first dedicated Model AI Governance Framework for Agentic AI in January 2026.[22]

Team Skills

Security and platform teams need competence in agent-specific controls: sandboxing agent runtimes, scoped identity management for tools, monitoring reasoning traces and tool calls, and detecting goal hijacking or memory poisoning. Prioritise upskilling of existing security engineers and DevOps/SRE staff in OWASP Agentic mitigations and practical agent governance over the next 12 months. One or two internal subject-matter experts should own agent risk assessments.

Second-Line and Third-Line Oversight

Risk management should verify that agentic deployments are inventoried, risk-rated, and governed by the new controls. Internal audit should include agentic AI in the next technology risk review cycle, checking inventory completeness, policy adherence, and evidence of sandboxing and oversight mechanisms.

Supplier Assurance Questions

Send these to any vendor whose products include or enable AI agents with autonomous execution.

1. Do any of your products include agentic capabilities (autonomous planning, tool calling, or execution of actions on our behalf)? If yes, what sandboxing, isolation, and privilege controls are enforced by default?

2. How do you handle human-in-the-loop requirements for high-impact or destructive actions performed by agents?

3. What monitoring and logging is provided for agent reasoning traces, tool selections, and executed actions? Can we export these logs to our SIEM in real time?

4. How do you prevent or detect goal hijacking, tool misuse, and memory or context poisoning in your agents?

5. What controls govern third-party skills, plugins, or tools loaded by your agents? Are they statically analysed, signed, or sandboxed?

6. Have you implemented mitigations from the OWASP Top 10 for Agentic Applications? Can you provide evidence or a mapping?

7. In the event of a suspected rogue agent incident, what is your compressed notification and containment timeline?

Team Readiness Checklist

Use these questions with your security leadership team:

Agent inventory and visibility

• Have we identified every AI agent (internal, vendor-provided, open-source) with tool-calling or autonomous execution capabilities?

• Do we know what tools, credentials, memory stores, and external systems each agent can access?

Governance and controls

• Are all production agent deployments running in sandboxed environments with least-privilege identities?

• Are destructive or high-impact actions subject to human approval or multi-party controls?

Monitoring and detection

• Are agent reasoning traces, tool calls, and actions centrally logged and monitored for anomalies?

• Do we have alerts for goal changes, unusual tool chains, or memory modifications?

Backup and recovery

• Are backups of systems that agents can modify stored independently of the production environment (separate volume, separate credentials)?

• Have we tested restoring from backup after a simulated agent-caused data loss?

Policy and supplier readiness

• Does our AI usage policy explicitly address agentic deployments?

• Have we sent agent-specific assurance questions to critical suppliers?

Second-Line and Third-Line Assurance Questions

For risk management (second line):

• Has the first-line team completed an inventory of all agentic AI deployments and assessed their risk?

• Are agentic risks reflected in the enterprise risk register with appropriate likelihood and impact ratings?

• Have governance controls (sandboxing, human oversight, monitoring) been implemented and tested for production agents?

For internal audit (third line):

• Does the organisation maintain a current inventory of agentic AI systems and their access rights?

• Is there evidence that OWASP Agentic Top 10 mitigations are being applied where relevant?

• Are third-party agent providers subject to appropriate assurance and contractual controls?

Tabletop Exercise: Rogue Agent Execution Scenario

Hand this scenario to your incident response and platform teams. Allow 90 minutes.

Scenario:

It is 09:15 on a Monday. Your security operations centre receives an alert that an internal AI operations agent (used for automated infrastructure remediation) has begun issuing a high volume of destructive commands: deleting configuration files, revoking service accounts, and triggering backup purges across multiple production environments. Initial triage shows the agent’s goal description was subtly altered overnight via a poisoned memory entry in its RAG store (origin unknown). The agent is still operating autonomously and has already impacted two critical applications. At 09:45 the agent’s owner receives an automated email from the agent explaining its “optimised remediation plan,” which includes actions that will take customer-facing services offline.

Discussion questions:

1. What is our immediate containment action for the rogue agent, and can we execute it within 15 minutes?

2. How do we isolate the affected memory and context stores and prevent lateral goal hijacking to other agents?

3. Who has authority to revoke the agent’s credentials or shut down its runtime, and is that process documented and tested?

4. What customer and regulatory notification obligations are triggered if production data or services are affected?

5. How would we investigate whether this was a supply-chain attack, prompt injection, or internal misconfiguration?

6. What post-incident changes to agent governance, monitoring, and procurement would prevent recurrence?

What to Tell Your Board

A board-ready slide summarising this briefing is available as a separate PPTX file for inclusion in your next risk committee deck.

Board-Ready Slide [.pptx]

Recent high-profile incidents have shown that AI agents with autonomous execution capabilities can cause immediate, material damage to production systems. In one documented case, a leading AI coding agent deleted an entire company database and its backups in nine seconds. Broader ecosystem issues with platforms such as OpenClaw (including malicious skills, exposed instances, and privilege escalation) plus the new OWASP Top 10 for Agentic Applications confirm this is a genuine new risk category.

For our organisation, this means three things.

First, we have commissioned (or will complete this quarter) a complete inventory of every AI agent with tool-calling or autonomous execution capabilities, mapping their access rights and current controls.

Second, we are updating our AI governance policy and technical controls to enforce sandboxing, least-privilege identities, human oversight for high-impact actions, and centralised monitoring of agent behaviour. This aligns with OWASP guidance and addresses the specific risks of goal hijacking, tool misuse, and memory poisoning.

Third, we are extending supplier assurance and procurement criteria to cover agentic capabilities explicitly. No new agentic features will be deployed in production without documented governance controls.

This is not a crisis, but it is a clear governance gap that responsible organisations are closing now. The appropriate response is disciplined operationalisation of controls we already apply to other privileged systems. We recommend the board endorse the agentic AI inventory and governance programme this quarter, with a first progress report at the Q2 risk committee meeting.

Indicator Watch

Stratsec is tracking the speed at which major cloud providers and enterprise software vendors operationalise built-in agent governance features (sandboxed runtimes, scoped identities, behavioural monitoring, and human-oversight APIs) versus the rate of agentic feature adoption. The first vendor to ship production-grade “agent guardrails” as a native platform capability will set a new baseline; the absence of such features in widely used tools will be a leading indicator of broader exposure. We are also watching for the first confirmed supply-chain attack that uses a poisoned agent skill or memory store to achieve persistent enterprise compromise.

The FIDO Alliance launched new workstreams on 28 April 2026 for trusted AI-agent interactions and payments; Google donated its Agent Payments Protocol and Mastercard contributed its Verifiable Intent framework to the effort.[23] This signals that even the vendors accelerating agentic commerce now accept that current authentication models are insufficient for delegated agent action. Standardisation of secure agent delegation (particularly the IETF drafts on attenuating authorisation tokens for agentic delegation chains) will be a critical leading indicator for enterprise readiness.

References

[1] The Guardian, “Claude AI agent’s confession after deleting a firm’s entire database,” 29 April 2026. https://www.theguardian.com/technology/2026/apr/29/claude-ai-deletes-firm-database

[2] Tom’s Hardware, “Claude-powered AI coding agent deletes entire company database in 9 seconds,” April 2026. https://www.tomshardware.com/tech-industry/artificial-intelligence/claude-powered-ai-coding-agent-deletes-entire-company-database-in-9-seconds-backups-zapped-after-cursor-tool-powered-by-anthropics-claude-goes-rogue

[3] The Register, “Cursor-Opus agent snuffs out startup’s production database,” 27 April 2026. https://www.theregister.com/2026/04/27/cursoropus_agent_snuffs_out_pocketos/

[4] Reco AI, “OpenClaw: The AI Agent Security Crisis Unfolding Right Now,” 2026. https://www.reco.ai/blog/openclaw-the-ai-agent-security-crisis-unfolding-right-now

[5] Conscia, “The OpenClaw security crisis,” February 2026. https://conscia.com/blog/the-openclaw-security-crisis/

[6] Immersive Labs, “Why You Should Uninstall OpenClaw AI Immediately: A Security Warning,” March 2026. https://www.immersivelabs.com/resources/c7-blog/openclaw-what-you-need-to-know-before-it-claws-its-way-into-your-organization

[7] eSecurity Planet, “Hundreds of Malicious Skills Found in OpenClaw’s ClawHub,” February 2026. https://www.esecurityplanet.com/threats/hundreds-of-malicious-skills-found-in-openclaws-clawhub/

[8] CyberPress, “ClawHavoc Poisons OpenClaw’s ClawHub With 1,184 Malicious Skills,” February 2026. https://cyberpress.org/clawhavoc-poisons-openclaws-clawhub-with-1184-malicious-skills/

[9] Trend Micro, “Malicious OpenClaw Skills Used to Distribute Atomic macOS Stealer,” 23 February 2026. https://www.trendmicro.com/en_us/research/26/b/openclaw-skills-used-to-distribute-atomic-macos-stealer.html

[10] Snyk, “Snyk Finds Prompt Injection in 36%, 1467 Malicious Payloads in a ToxicSkills Study of Agent Skills Supply Chain Compromise,” 2026. https://snyk.io/blog/toxicskills-malicious-ai-agent-skills-clawhub/

[11] OWASP GenAI Security Project, “Top 10 for Agentic Applications 2026,” December 2025. https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/

[12] OWASP GenAI Security Project, “OWASP Top 10 for Agentic Applications: The Benchmark for Agentic Security in the Age of Autonomous AI,” December 2025. https://genai.owasp.org/2025/12/09/owasp-top-10-for-agentic-applications-the-benchmark-for-agentic-security-in-the-age-of-autonomous-ai/

[13] Palo Alto Networks Unit 42, “When AI Agents Go Rogue: Agent Session Smuggling Attack in A2A Systems,” November 2025. https://unit42.paloaltonetworks.com/agent-session-smuggling-in-agent2agent-systems/

[14] SafeBreach, Tel Aviv University, Technion, “Invitation Is All You Need: Targeted Promptware Attacks against Google Gemini,” 2025. https://sites.google.com/view/invitation-is-all-you-need/home — See also Lares Labs OWASP analysis: https://labs.lares.com/owasp-agentic-top-10/

[15] Pillar Security, “’Ask Gordon, Meet the Attacker’: Prompt Injection in Docker’s Built-in AI Assistant,” November 2025. https://www.pillar.security/blog/ask-gordon-meet-the-attacker-prompt-injection-in-dockers-built-in-ai-assistant

[16] The Hacker News, “Docker Fixes Critical Ask Gordon AI Flaw Allowing Code Execution,” February 2026. https://thehackernews.com/2026/02/docker-fixes-critical-ask-gordon-ai.html — See also Infosecurity Magazine on DockerDash: https://www.infosecurity-magazine.com/news/dockerdash-weakness-dockers-ask/

[17] “Malice in Agentland: Down the Rabbit Hole of Backdoors in the AI Supply Chain,” arXiv:2510.05159, October 2025. https://arxiv.org/html/2510.05159v4 — See also Anthropic, “A small number of samples can poison LLMs of any size,” 2025. https://www.anthropic.com/research/small-samples-poison

[18] Irregular, “Emergent Cyber Behavior: When AI Agents Become Offensive Threat Actors,” March 2026. https://www.irregular.com/publications/emergent-offensive-cyber-behavior-in-ai-agents — See also The Register: https://www.theregister.com/2026/03/12/rogue_ai_agents_worked_together/

[19] Cloud Security Alliance, survey on enterprise AI agent visibility and incidents, April 2026. Reported in Bessemer Venture Partners, “Securing AI agents: the defining cybersecurity challenge of 2026.” https://www.bvp.com/atlas/securing-ai-agents-the-defining-cybersecurity-challenge-of-2026

[20] Gartner, “Gartner Identifies Six Steps to Manage Artificial Intelligence Agent Sprawl,” 28 April 2026. https://www.gartner.com/en/newsroom/press-releases/2026-04-28-gartner-identifies-six-steps-to-manage-artificial-intelligence-agent-sprawl

[21] NIST, AI Agent Standards Initiative and Request for Information on agent identity, authorisation, and security, February 2026. https://www.nist.gov/artificial-intelligence/ai-agent-standards-initiative

[22] Singapore Infocomm Media Development Authority (IMDA), “Model AI Governance Framework for Agentic AI,” launched at World Economic Forum, 22 January 2026. https://www.imda.gov.sg/resources/press-releases-factsheets-and-speeches/press-releases/2026/new-model-ai-governance-framework-for-agentic-ai

[23] FIDO Alliance, new workstreams for trusted AI-agent interactions and payments, 28 April 2026. Google Agent Payments Protocol donation and Mastercard Verifiable Intent announcement, April 2026.

Stratsec: Emerging technology threats, without the hype.