GOVERNANCE
(22)22 hack(s).
GPT-5.6 Sol: a frontier model released through a government gate
OpenAI previewed GPT-5.6 Sol on June 26, 2026 and, at the US government's request, started with a partner-only rollout. The release turns an emerging pattern into policy: advanced cyber capability now ships behind a government-in-the-loop gate.
Adobe splits Patch Tuesday in two as AI compresses the exploit window
From 14 July 2026 Adobe publishes security bulletins twice a month instead of once, citing AI-accelerated vulnerability discovery that is shrinking the disclosure-to-exploitation window from days to hours.
AI moved to production before its security did: the 2026 posture gap
Orca's 2026 State of AI Security Report (July 2026, 1,200+ cloud environments) finds 56% run AI agents in production, 81% ship vulnerable AI packages, and 99.9% of fixable AI vulnerabilities stay unpatched.
The EU's Cybersecurity and AI Action Plan: pre-market evaluation reaches frontier models
On July 7, 2026 the European Commission unveiled an Action Plan that builds the missing testing capacity behind the AI Act — third-party evaluation of advanced models before they reach the EU market, plus an ENISA blueprint for secure access.
Institutional red-teaming: deployment rules shape multi-agent safety
A July 2026 paper shows the rules you set for a multi-agent deployment causally change safety outcomes — moving collective harm by 22-58 points with the model held fixed.
AI-found vulnerabilities are reshaping the Windows patch cycle
Microsoft is moving AI vulnerability discovery into the Windows lifecycle and warns Patch Tuesday will get heavier. The real story is what defenders should change now.
South Korea publishes the first government standard for AI red teaming
On July 8, 2026, South Korea's Ministry of Science and ICT released two guidelines that turn 'we red-teamed our AI' from an unverifiable claim into an auditable one — the first such government standard anywhere.
An AI agent platform lands in CISA's exploited-vulnerabilities catalog
On July 7, 2026, an open-source AI-agent builder became the first orchestration platform ever listed in CISA's Known Exploited Vulnerabilities catalog — a signal for how defenders should prioritize AI infrastructure.
Do your agent logs actually prove what it did? A benchmark for evidence sufficiency
A late-June 2026 benchmark shows that having traces, ledgers, or schemas in place is not the same as having enough evidence. Presence-based logging overclaims 'sufficient' on up to 75% of cases.
FIRST's mid-year forecast: ~66,000 CVEs in 2026, but exploitable risk stays flat
On June 15, 2026, FIRST revised its 2026 CVE projection to ~66,000 — 46.3% above February — driven mainly by AI-assisted discovery. The actionable subset triaged by EPSS and CISA KEV has not grown at the same rate.
EU AI Act: how the draft guidelines classify agentic systems as high-risk
The European Commission's 19 May 2026 draft guidelines on Article 6 say agentic AI systems must be assessed as a whole — a single narrow component can pull the entire configuration into the high-risk regime.
AI CEOs ask Congress to make DNA synthesis screening mandatory
On June 5, 2026, the heads of OpenAI, Anthropic, Google DeepMind and Microsoft AI co-signed a letter urging Congress to require nucleic-acid synthesis screening — framing it as a defensive control against AI-eroded bioweapon barriers.
Disclosure at machine speed: lessons from the first AI vulnerability ledger
Anthropic's coordinated-disclosure ledger, analysed by VulnCheck on June 9, 2026, shows AI surfacing 23,019 candidate bugs while just 1,596 reached maintainers — a preview of coordinated disclosure under machine-speed discovery.
When a government pulls a model: the Fable 5 / Mythos 5 suspension
On June 12, 2026, a US export-control directive forced Anthropic to disable Claude Fable 5 and Mythos 5 worldwide. The reported trigger was a 'jailbreak' that amounts to asking a model to read code and fix flaws — a capability defenders use daily.
DeepMind and partners open a $10M multi-agent AI safety research fund
On June 11, 2026, Google DeepMind, Schmidt Sciences, the Cooperative AI Foundation and ARIA opened a $10M call to build a research field around the safety of millions of interacting AI agents.
OWASP State of Agentic AI Security 2026: prompt injection ties most agent failures together
OWASP's State of Agentic AI Security and Governance v2.01 (June 1, 2026) moves from hypothetical threats to documented CVEs and breaches. Prompt injection now maps to six of the ten agentic risk categories.
OWASP's agentic maturity model: don't run in the red cells
OWASP's June 2026 State of Agentic AI report adds an Enterprise Adoption Maturity Model — a two-axis grid where agent autonomy outruns governance, leaving 'red cells' no one can see into.
No two labs measure prompt injection the same way
A June 1, 2026 comparison of the prompt-injection disclosures from Anthropic, OpenAI, Google and Meta found that no two labs share a metric, a surface, or a definition of success — so vendor numbers cannot be compared.
US AI security executive order: a vulnerability clearinghouse and frontier review
Signed June 2, 2026, the US executive order on AI innovation and security creates a federal AI vulnerability clearinghouse and a voluntary 30-day pre-release review of 'covered frontier models'.
CISA + Five Eyes publish the first joint guidance on agentic-AI adoption
On May 1, 2026, CISA, NSA and the Five Eyes cyber agencies released 'Careful Adoption of Agentic AI Services' — a 5-risk taxonomy and a deployment playbook that critical-infrastructure operators are now expected to fold into their existing cybersecurity frameworks.
NSA AISC publishes MCP security design guidance for production AI
On May 20, 2026, NSA's Artificial Intelligence Security Center released a 15-page Cybersecurity Information Sheet on Model Context Protocol — eight classes of weakness, five real-world incidents, nine defensive recommendations.
The pressure: open-source security teams under the AI-assisted vulnerability flood
On May 26, 2026, curl's Daniel Stenberg published 'The pressure' — more than one credible security report per day, twelve confirmed CVEs in half a release cycle, and a pattern other maintainers are now reporting in parallel.