Welcome to this edition of the AI Security Newsletter. This week is dominated by one theme: AI agents are becoming real operational actors, and the security stack around them is racing to catch up. We look at agent attestation, agent authorization, skill supply-chain scanning, container and sandbox isolation, AI-assisted vulnerability discovery, and the first signs of AI models entering offensive national-security workflows. Several items also show a broader infrastructure shift, where cloud architecture, governance, and public policy are becoming part of the AI security conversation.

Risks & Security

Workday Launches Agent Passport to Test, Verify, and Continuously Monitor Every AI Agent in the Enterprise

Workday introduced Agent Passport, an attestation and runtime monitoring layer for AI agents operating inside enterprise HR, finance, and IT workflows. The system tests Workday-built and third-party agents before production, ties results to standards such as OWASP LLM Top 10, NIST AI RMF, and MITRE ATLAS, and uses Cisco AI Defense as the first independent attestation partner. This is a useful signal for where enterprise agent security is heading: agent approvals need to become signed, comparable, continuously monitored records, not informal trust labels from the same vendor that built the agent.

References:

• Workday press release

A new “claude-oceanus-v1-p” has been made available to Red Teams

A reviewed item says Anthropic made a claude-oceanus-v1-p checkpoint available to red teamers as a possible precursor to a broader Mythos-class release. I could not find a public source confirming that exact checkpoint name, so this should be treated as an early-access signal rather than a confirmed launch. The broader pattern is still worth watching: Anthropic’s Mythos/Fable rollout is explicitly shaped by cybersecurity and biosecurity controls, and the company appears to be using restricted access and red-team staging as part of its release process.

References:

• Business Insider on Anthropic Fable 5 safeguards
• Times of India on Claude Fable 5 and Mythos-class availability

University of Toronto Researchers Demonstrate AI Worm Could Target Any Online Device

University of Toronto researchers demonstrated a proof-of-concept adaptive worm that uses local open-weight models to reason about each target and generate tailored attack strategies as it spreads. Because the system runs on compromised compute rather than a commercial model API, centralized safety filters and rate limits are not meaningful controls. The defender takeaway is that AI-enabled malware shifts the economics of propagation: once attackers steal enough compute, each new infection can also become part of the attacker’s reasoning infrastructure.

References:

• AI Agents Enable Adaptive Computer Worms

AI agents are becoming a live operational security risk

Enterprises are moving AI agents into production faster than they are building enforceable governance around them. A TechRadar analysis citing Deloitte says only 21% of organizations report mature governance for autonomous agents, while 73% are concerned about AI security and privacy risks. The gap is not a lack of policy documents; it is the missing runtime infrastructure for permissions, monitoring, ownership, and lifecycle control over non-human actors.

References:

• TechRadar: A live operational risk

Anthropic Embeds Engineers in the NSA to Deploy Mythos for Offensive Cyber

Reporting summarized by Tom’s Hardware says the NSA is using Anthropic’s Mythos model for offensive cyber operations, with about half a dozen Anthropic engineers embedded to help customize and deploy it. The report also says it is unclear whether the engineers are supporting active operations or only guiding model use and customization. Either way, the story is a sharp reminder that cyber-capable frontier models are moving into national security workflows where product safety policy, government demand, and operational reality can collide.

References:

• Tom’s Hardware summary of FT reporting

I built a vulnerable app and spent $1,500 seeing if LLMs could hack it

A reviewed experiment tested about 20 LLMs as autonomous hacking agents against a deliberately vulnerable mobile app under budget and time limits. The source article did not resolve in public search, so treat this as source-limited, but the reported failure modes are useful: models often fixated on plausible but wrong API paths, mishandled Firebase assumptions, or refused during exploitation. For defenders, those errors matter as much as solve rates because they show where autonomous offensive agents still lose context and where evaluation harnesses need to look beyond “did it solve the flag?”

References:

• TLDR InfoSec email, 2026-06-08, source URL not extracted from email snapshot

The Sorry State of Skill Distribution

A reviewed Trail of Bits item argues that agent-skill distribution is still easy to subvert, with malicious skills reportedly bypassing scanners used by Cisco, Vercel’s skills.sh marketplace, and ClawHub. I could not retrieve the original public post, so treat the exact bypass details as source-limited, but the risk is directionally clear: skills can carry prompt injection, hidden payloads, compiled bytecode, and other behaviors that marketplaces and scanners may not catch. Skill distribution needs stronger packaging, permissioning, provenance, and layered review before users treat skills as safe-by-default extensions.

References:

• Trail of Bits blog URL from reviewed item, not retrievable in search
• NVIDIA SkillSpector on GitHub

Technology & Tools

Nemotron 3.5 Content Safety

NVIDIA released Nemotron 3.5 Content Safety, a 4B-parameter guard model built on Gemma 3 4B for multimodal and multilingual moderation. The model evaluates prompts, optional images, and assistant responses together, supports custom policy enforcement, and can emit reasoning traces for audit and review workflows. For security teams, the important shift is toward guardrail models that can enforce domain-specific policy in one inference call rather than relying only on fixed safety taxonomies.

References:

• NVIDIA Hugging Face blog
• Nemotron 3.5 Content Safety model card

Defending Code Reference Harness

Anthropic published the Defending Code Reference Harness, a reference implementation for autonomous vulnerability discovery and remediation with Claude. The repo includes workflows for threat modeling, scanning, triage, reporting, and patching, while Anthropic’s companion write-up emphasizes that the bottleneck has shifted from finding vulnerabilities to verifying, triaging, and fixing them. The important takeaway is operational: AI-assisted vulnerability discovery needs a disciplined loop with threat models, sandboxing, independent verification, deduplication, and patch validation.

References:

• Defending Code Reference Harness on GitHub
• Claude blog: Using LLMs to secure source code

DockSec

DockSec is an OWASP Incubator Project that combines Trivy, Hadolint, and Docker Scout with AI analysis for Dockerfile and container security review. Instead of handing developers a raw list of CVEs, it prioritizes findings, explains them in plain English, and suggests specific fixes, while still offering a scan-only mode when teams do not want to send findings to an AI provider. It is a good example of a pragmatic pattern: use LLMs to interpret and prioritize scanner output, not to replace the scanners themselves.

References:

• OWASP DockSec project page
• DockSec GitHub repository

SkillSpector

NVIDIA released SkillSpector, a security scanner for AI agent skills used by systems such as Claude Code, Codex CLI, and Gemini CLI. It scans repositories, URLs, archives, directories, or single files; checks 64 vulnerability patterns across 16 categories; supports static and optional LLM analysis; and emits formats such as JSON, Markdown, and SARIF. The release points to a maturing agent-skill supply chain, where skills need to be treated more like executable packages than harmless prompt snippets.

References:

• NVIDIA SkillSpector on GitHub

MXC Internals: How Microsoft’s eXecution Containers Actually Isolate Agent Code

Microsoft used Build 2026 to introduce Microsoft Execution Containers, a security architecture intended to isolate AI workloads and enforce device-level guardrails. Coverage describes MXC as a controlled execution environment where permissions, data access, and system interactions can be monitored and constrained as agents touch enterprise data, code, and operational workflows. The strategic point is that sandboxing agent code is becoming platform infrastructure, not just a feature inside individual coding assistants.

References:

• TechRadar on Microsoft Execution Containers

Business & Products

Private Cloud Moves Back Into the AI Spotlight

AI production workloads are pulling private cloud back into strategic conversations because data location, recovery, compliance, and governance are becoming harder to treat as afterthoughts. The reviewed item framed Broadcom’s VMware Cloud Foundation as part of that move, while related coverage argues that CIOs are revisiting private cloud, on-prem, and multicloud architectures as AI raises sovereignty and control requirements. The lesson is that AI infrastructure choices are no longer just cost and performance decisions; they define the security boundary around enterprise data and models.

References:

• TechRadar: AI means CIOs need sovereign cloud more than ever

Regulation & Policy

Authorization for AI agents: What to build before the EU AI Act deadline

Agent authorization is becoming a compliance and security design problem, not just an application feature. The exact reviewed article did not resolve in search, but the EU AI Act and recent legal analysis both point toward the same requirement: providers need a clear inventory of agent actions, data flows, connected systems, affected persons, and enforceable controls. Teams building agents should externalize identity, least-privilege policy, approval boundaries, and audit logs before regulation forces them to retrofit those controls under pressure.

References:

• EU AI Act text
• AI Agents Under EU Law

US Government Considers Taking OpenAI Stake

The idea of public ownership stakes in major AI companies moved further into mainstream policy discussion after President Trump floated letting the U.S. take small stakes in AI giants so citizens could share in the upside. Axios reports that Sam Altman has pushed related ideas privately and that OpenAI’s industrial policy proposal included a Public Wealth Fund concept. Even if no transaction happens soon, this shows how AI industrial policy is expanding from chips, energy, and export controls into public wealth, legitimacy, and who captures the gains from frontier AI.

References:

• Axios: Trump on U.S. stakes in AI giants

Opinions & Analysis

What it was Like Working on LLMs and Security at Meta (2022-2026)

Joshua Saxe’s reviewed essay reflects on working on LLMs and security at Meta from 2022 to 2026, describing a culture of talented people, intense internal competition, and products that can feel disconnected from a clear mission. I could not find the exact essay through public search, but related public papers confirm Saxe’s role in Meta-linked LLM cybersecurity evaluation work such as CyberSecEval and CyberSOCEval. Treat this as an opinion and culture signal: the security of frontier AI systems is shaped not only by benchmarks and model releases, but also by organizational incentives and whether teams have a coherent mission.

References:

• CyberSecEval 2
• CyberSOCEval