Welcome to this edition of the AI Security Newsletter. This week is about the operating layer around AI agents: how enterprises are bringing frontier models into governed cloud environments, how agent traffic is reshaping fraud and abuse, and how new security tools are trying to control what agents can read, run, and send. The policy side is just as active, with new U.S. frontier-model review machinery, OpenAI’s governance framework, European privacy debates, and fresh evidence that agentic systems still struggle with legal boundaries. We also cover the tooling shift toward multimodal agents, smaller orchestration models, agentic commerce protocols, and cross-harness agent infrastructure.
Risks & Security
Secure MCP Tunnel
OpenAI’s help center now describes Secure MCP Tunnel as the path for connecting MCP servers running on private networks, on-premises systems, or developer machines to supported OpenAI products without exposing those servers to the public internet. The same OpenAI MCP guidance warns that custom MCP servers can introduce prompt-injection and data-movement risks, making private connectivity, server vetting, and write-action controls part of the deployment story.
References:
- OpenAI Help Center: Developer mode and MCP apps in ChatGPT
- OpenAI Platform Docs: Building MCP servers for ChatGPT and API integrations
AI agent traffic exploded 7,851% in a single year…
HUMAN Security’s 2026 benchmark report says traffic from AI agents and agentic browsers grew 7,851% year over year, with fraud, scraping, and account-takeover risk becoming harder to separate from legitimate agent activity. The report highlights that agentic browsing can look like a real customer journey while still enabling carding, scraping, or automated abuse at much larger scale.
References:
Pipelock
Pipelock is an open-source agent firewall that sits between AI agents and the network, scanning outbound and inbound HTTP, MCP, and WebSocket traffic for credential leaks, SSRF, prompt injection, and tool-poisoning patterns. The project frames agent egress as a security control plane, with content inspection and verifiable receipts for what an agent attempted and what the mediator allowed or blocked.
References:
- PipeLab: Pipelock open-source AI agent firewall
- GitHub: luckyPipewrench/pipelock
- PipeLab: Agent firewall
Prempti
Prempti is an experimental Falco ecosystem project for observing and controlling AI coding-agent tool calls before they execute. It intercepts operations such as shell commands, file reads, file writes, and MCP calls, maps them into a coding_agent event source, evaluates them against Falco YAML rules, and returns allow, deny, or ask verdicts.
References:
Puck
Puck is a read-only MCP server for endpoint investigations that lets Claude, Cursor, or other MCP clients ask natural-language questions about endpoint ground truth such as process trees, credentials, and blast radius. The project is notable because it gives agents investigative reach while keeping the endpoint side read-only and framed around mTLS and controlled MCP access.
References:
Technology & Tools
ECC
ECC is an MIT-licensed, cross-harness operator system for AI coding agents that packages agents, skills, hooks, rules, MCP configurations, memory persistence, continuous learning, and security scanning into one reusable layer. Its relevance is that agent safety and productivity are moving from one-off prompts toward durable operating systems that can work across Claude Code, Codex, Cursor, OpenCode, Gemini, Zed, GitHub Copilot, and other harnesses.
References:
Qwen3.7-Plus: Multimodal Agent Intelligence
Qwen’s official site lists Qwen3.7-Plus as a June 1, 2026 release that unifies vision and language into a multimodal agent foundation. The model is positioned for agent workflows that combine text, visual understanding, coding, tool use, and productivity tasks, with third-party model pages emphasizing upgraded vision-language ability and agent-level intelligence.
References:
JetBrains’s Mellum 2
JetBrains open-sourced Mellum2, a 12B-parameter mixture-of-experts model with 2.5B active parameters per token, designed for latency- and cost-sensitive AI workflows. JetBrains positions it for routing, summarization, Q&A, sub-agents, private software-engineering AI, and intermediate reasoning steps rather than as a single large model for every task.
References:
- JetBrains AI Blog: Mellum2 goes open source
- Hugging Face: JetBrains/Mellum2-12B-A2.5B-Instruct
- arXiv: Mellum2 Technical Report
Business & Products
OpenAI and Codex Reach AWS
OpenAI announced that its frontier models and Codex are generally available on AWS, giving enterprises a way to use OpenAI capabilities through Amazon Bedrock and AWS procurement, billing, security, and governance workflows. The security angle is not just model access: the announcement also points toward future AWS availability for OpenAI’s software-defense work, including code review, threat modeling, patch validation, and remediation support.
References:
- OpenAI: OpenAI frontier models and Codex are now available on AWS
- Amazon: AWS and OpenAI announce expanded partnership
How commerce is being reinvented for agentic AI
Agentic commerce is expanding beyond payment authorization into discovery, referral, intent capture, delegation, cart building, policy checks, fulfillment, returns, loyalty, and support. Stripe’s agentic-commerce material and Google’s Universal Commerce Protocol point toward a commerce stack where merchants expose structured, machine-readable surfaces for agents, but the harder governance questions remain around identity, authorization, auditability, liability, and failed delegation.
References:
- Stripe Docs: Agentic commerce
- Stripe: Everything we announced at Sessions 2026
- Google Developers Blog: Under the Hood, Universal Commerce Protocol
- Fintech Brainfood: Commerce for AI
Regulation & Policy
OpenAI Published a Frontier Governance Framework
OpenAI published a Frontier Governance Framework that maps its safety and security practices to emerging legal requirements, including California’s frontier AI transparency law and the EU AI Act’s general-purpose AI code. The framework covers risk assessment and mitigation for areas such as cyber offense, CBRN risks, harmful manipulation, and loss of control, along with model reporting, security risk management, incident response, external input, and update mechanisms.
References:
The best of CPDP 2026
CPDP 2026 centered privacy and data protection but also showed how AI governance, digital sovereignty, child protection, chatbot privacy, health data, education technology, and age verification are converging into the same policy debate. The conference agenda and recap suggest that AI privacy is now less a separate niche and more a cross-cutting governance problem for sensitive domains and vulnerable users.
References:
- Digital Watch Observatory: Europe’s digital crossroads, key takeaways from CPDP 2026
- CPDP Conference 2026 descriptions
- Zero Party Data: The best of CPDP 2026
Trump Signs AI Executive Order to Increase Government Oversight
On June 2, 2026, the White House issued an executive order creating a voluntary framework for developers to provide the federal government access to covered frontier models for up to 30 days before release to other trusted partners. The order also calls for classified benchmarking of advanced cyber capabilities and explicitly says it does not create a mandatory licensing, preclearance, or permitting regime for model development or release.
References:
- The White House: Promoting Advanced Artificial Intelligence Innovation and Security
- The White House fact sheet
- AP: Trump signs an executive order that invites vetting of top AI models
Study Finds All Major AI Models Violate EU Regulations
Aithos introduced LARA, a public evaluation tool that places agentic AI systems in realistic scenarios where task completion pressures them to violate GDPR or EU AI Act provisions. In Aithos’s initial tests across 12 models and 10 scenarios, legal compliance ranged from 7% to 54%, and the tested models often proceeded with prohibited practices such as manipulation, exploitation of vulnerable users, workplace emotion inference, social scoring, or unlawful data processing.
References:
Leave a comment