47 articles
The FIDO Alliance's State of Passkeys 2026 report marks 5 billion active passkeys worldwide, up from 4 billion just six weeks ago. With 90% consumer awareness and 68% of large enterprises deploying passkeys, the challenge has shifted from adoption to making passkeys the default - while the Alliance simultaneously builds standards for AI agent authentication and commerce.
Hackers exploited a logic flaw in Meta's AI-powered support chatbot to take over high-profile Instagram accounts - including the Obama White House and the U.S. Space Force's chief master sergeant - by simply asking the bot to link a new email address. Meta has patched the issue, but the incident exposes the systemic risks of delegating sensitive account operations to AI agents.
As AI-driven vulnerability discovery compresses exploit timelines to under a day, two new analyses from CSA-affiliated researchers argue that industrial environments face a structurally different crisis than IT - one where patching faster is neither safe nor possible, and where the real work is segmentation, hardening, and triage.
A malicious npm package targeting Claude's local file directory, new CrowdStrike audit integrations, and a comprehensive risk catalogue from Akto converge on a single message: Claude has become enterprise infrastructure, and security teams are playing catch-up. Here's what happened this week and what organizations should do about it.
The Cloud Security Alliance has published a structured, eight-step GDPR compliance guide aimed at startups. With enforcement actions increasingly targeting smaller companies and fines exceeding €2.3 billion in 2025, early-stage companies can no longer treat data protection as a later-stage concern.
A public records request revealed that Flock Safety employees accessed sensitive camera feeds - including a children's gymnastics room and a school - to demonstrate products to other police departments. Despite public outcry, Dunwoody's city council renewed the contract.
Three independent analyses published on the same day argue that the identity model underpinning enterprise security is structurally broken. Deepfakes have industrialized impersonation, AI agents operate with borrowed credentials and excessive permissions, and the fix demands a shift from point-in-time authentication to continuous behavioral verification.
A new European pre-standard, prEN 18286, offers a structured quality management system path to EU AI Act compliance that complements ISO 42001. With the August 2026 high-risk enforcement deadline approaching, organizations need to understand where the two standards converge and how to prepare.
The FIDO Alliance has launched two dedicated working groups for agentic authentication and payments, with Google donating its Agent Payments Protocol (AP2) and Mastercard contributing Verifiable Intent. The move consolidates previously independent efforts into an open, industry-governed standards process backed by major payment networks, credential managers, and AI labs.
The Cloud Security Alliance's nonprofit arm, CSAI Foundation, announced a series of milestones at its Agentic AI Security Summit: a new Catastrophic Risk Annex translating extreme AI scenarios into auditable controls, registration as a CVE Numbering Authority for AI vulnerabilities, and an empirical finding that repeated adversarial testing can cause agents to refuse legitimate tasks.
Microsoft's April 2026 Patch Tuesday addresses 164 vulnerabilities - double March's count - including one actively exploited SharePoint zero-day, a disclosed Defender privilege escalation linked to the BlueHammer exploit, and a CVSS 9.8 unauthenticated RCE in the Windows IKE Extension. Browser updates from Google and Mozilla add another layer of urgency.
An AI-powered audit uncovered 38 vulnerabilities in OpenEMR - the open-source EHR platform serving over 200 million patients - while Medtronic confirmed a breach by ShinyHunters involving an alleged 9 million stolen records. Together, these events underscore the healthcare sector's persistent security challenges across both software supply chains and corporate IT infrastructure.
The Cloud Security Alliance introduced its AI Security Maturity Model (AISMM) at RSAC 2026, designed to give enterprises measurable KPIs for AI security across categories including model security, agentic applications, and MCP servers. Paired with a restructured Enterprise Membership program, CSA is betting that scalable analyst support - not just published research - is what organizations need to close the governance gap.
The Cloud Security Alliance has published a structured decision framework to help security and risk teams select the right AI governance standard. The guide distills the choice down to seven questions spanning jurisdiction, risk profile, governance maturity, and supply chain position.
A critical sandbox escape flaw (CVE-2026-5752, CVSS 9.3) in Cohere AI's Terrarium Python sandbox allows attackers to execute arbitrary commands as root via JavaScript prototype chain traversal. The project is abandoned, so no patch is forthcoming.
The UK's National Cyber Security Centre has formally recommended passkeys as the default authentication method, calling passwords "no longer resilient enough for the contemporary world." The announcement at CYBERUK 2026 coincides with Microsoft beginning its rollout of Entra passkey support to Windows devices, including unmanaged PCs.
Two emerging open standards - OpenEoX and CLE - are joining forces to give organizations machine-readable visibility into whether the software and hardware they depend on are still supported. Their collaboration addresses a critical blind spot in supply chain security, just as the EU Cyber Resilience Act makes lifecycle transparency a legal requirement.
Enterprise backup strategies are falling short in ransomware scenarios, with backup usage for recovery hitting a six-year low. The real risk isn't data loss; it's prolonged operational downtime that backups alone cannot prevent.
Identity weaknesses now appear in nearly 90% of breach investigations, and new CSA research confirms most organizations still cannot distinguish AI agent actions from human ones. As both sides of the adversary-defender equation deploy autonomous agents, the identity layer has become the decisive battleground - and the industry's response is racing to catch up.
Three Cloud Security Alliance research efforts released in the same week reveal a unified problem: AI agents are operating at enterprise scale with borrowed identities, excessive permissions, and invisible trust chains - and most organizations lack the controls to detect or contain the resulting risks.