New AI Guardrails, PQC for AWS, and Cloud Intrusions Unfold

Coverage: 09 Mar 2026 (UTC)

Enterprise defenses took a preventive turn today as a new suite detailed by Microsoft put identity, data, and runtime controls around agentic AI, while an open beta from Cloudflare targeted hard-to-find API logic flaws. In identity hygiene, AWS introduced post-quantum signatures for certificate-based workload access. On the incident side, a North Korea–linked operation against a crypto firm and state-backed hijacking of messaging accounts underscored how social engineering and cloud configuration gaps continue to translate into real losses.

Guardrails for agentic AI and API logic flaws

The new Agent 365 and Frontier Suite described in a post by Vasu Jakkal bring a unified control plane to inventory and map agents across platforms, integrate risk signals, and apply role-specific observability. The release extends Identity Protection and Conditional Access to agents, introduces unique Agent IDs, and carries Purview information protection, DLP, insider risk, lifecycle, and eDiscovery controls into agent workflows. Defender-aligned capabilities add posture management for Foundry and Copilot Studio agents, plus runtime protection and hunting through an Agent 365 tools gateway. Microsoft positions this as enabling “Frontier Transformation” by coupling AI productivity with enterprise-grade security.

An open beta from Cloudflare adds a stateful Web and API Vulnerability Scanner, initially for API Shield customers, to surface BOLA authorization failures that slip past WAFs and bot controls. The engine constructs an API call graph, models owner/attacker request sequences, and synthesizes payloads with Workers AI when specs are incomplete. The scanner is built in Rust with Temporal for durable orchestration and Vault for key protection; results flow into Security Insights, and scans can be triggered via API for CI/CD. Cloudflare plans to extend beyond BOLA to additional OWASP API Top 10 checks and classic web tests.

Automated code review also advanced: a research evaluation covered by CSOonline says OpenAI’s Codex Security agent flagged 11,000 high-impact issues across 1.2 million commits in 30 days, with sandbox repro and developer-ready patches. The system’s agentic workflow—threat modeling, entry-point analysis, and exploit path exploration—produced dozens of high-severity findings across prominent open-source projects and is rolling into a research preview with initial free usage for eligible customers.

Cloud platforms move on crypto‑agility and AI scale

To reduce long-term cryptographic risk, AWS added support for NIST’s FIPS 204 ML-DSA in IAM Roles Anywhere, enabling post‑quantum CA trust anchors and end-entity certificates for workloads outside AWS to obtain temporary credentials. The rollout spans all supported Regions, including GovCloud, the European Sovereign Cloud, and China. Customers should validate ML‑DSA compatibility across PKI tooling, update key management, and stage deployments.

Compute capacity for AI also expanded as AWS made EC2 G7e instances available in Seoul and Spain. Powered by NVIDIA RTX PRO 6000 Blackwell Server Edition GPUs, the instances target LLM inference, agentic and multimodal workloads, and graphics-intensive tasks, with up to eight GPUs, 5th Gen Intel Xeon CPUs, and up to 1,600 Gbps networking. Support for GPUDirect P2P and RDMA with EFA aims to lower latency for multi-GPU and small multi-node jobs, while multiple purchasing options help align cost with batch and experimental use.

Healthcare and critical sectors: defenses and patch priorities

In clinical environments, CrowdStrike extended Falcon for XIoT to medical devices and systems, adding discovery and behavioral monitoring across IoMT assets with protocol support for DICOM and HL7. Telemetry integrates with Exposure Management, EDR, Next‑Gen SIEM, and Fusion SOAR to triage vulnerabilities, prioritize high‑risk devices, and feed playbooks into SOC processes—aiming to curb operational disruption and patient safety risks in under‑resourced teams. The announcement notes beta features may change.

On patching urgency, an alert from CISA added three actively exploited CVEs to the KEV Catalog: CVE‑2021‑22054 (Omnissa Workspace ONE SSRF), CVE‑2025‑26399 (SolarWinds Web Help Desk insecure deserialization), and CVE‑2026‑1603 (Ivanti Endpoint Manager authentication bypass). Agencies governed by BOD 22‑01 must remediate by due dates; all organizations are urged to inventory affected assets, apply vendor fixes or mitigations, and verify closure to shrink the exploitation window.

Intrusions exploit cloud workflows and messaging trust

A Google-attributed campaign tied to North Korea’s UNC4899, summarized by The Hacker News, shows a developer lured into AirDropping a trojanized archive from a personal device to a work machine. A kubectl‑masquerading backdoor enabled a pivot into cloud projects, where operators abused privileged container modes, altered Kubernetes deployments for persistence, modified CI/CD resources to print tokens, and leveraged insecure secrets to change database credentials and MFA seeds—ultimately withdrawing several million dollars in digital assets. The report highlights defense‑in‑depth: restrict personal‑to‑corporate transfers, enforce phishing‑resistant MFA and context‑aware access, harden runtime isolation, and manage secrets robustly.

Misconfiguration risks also surfaced around Salesforce Experience Cloud. Reporting by BleepingComputer details threat activity abusing the /s/sfsites/aura endpoint and overly permissive guest profiles to query CRM objects. While an extortion group claims widespread impact, guidance emphasizes customer-side hardening: minimize guest permissions, disable public API access and “API Enabled” on guest profiles, set external defaults to Private, restrict user visibility, review Event Monitoring logs, and disable self‑registration if unneeded.

Separately, Dutch intelligence agencies warned of Signal and WhatsApp account takeovers linked to Russian actors, per BleepingComputer. Tactics include phishing for SMS codes and Signal PINs and abusing device‑linking via malicious QR codes or links to silently mirror messages. Recommended steps: never share verification codes, audit and remove unknown linked devices, verify unsolicited contacts over a separate trusted channel, and avoid sending sensitive data on consumer apps unless approved.

Broader espionage pressure continued across Asia, where Unit 42 documented CL‑UNK‑1068 using web‑server exploits to plant web shells, credential theft with Mimikatz, and creative exfiltration methods, including Base64‑encoding archives and printing them via shells for copy‑out, as reported by The Hacker News. Cross‑platform tooling, DLL side‑loading, and living‑off‑the‑land techniques highlight the value of strict server hardening, memory‑forensics readiness, and monitoring for unusual archive and encoding behavior.
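One way to hunt for the archive-then-encode pattern Unit 42 describes above, as an added example that is not Unit 42's or The Hacker News's code: it runs detection logic over constructed process-creation events, flags base64-style encoding of archive files, and escalates when the same host built that archive earlier. The event layout, tool names, flags and sample paths are assumptions.

```python
import re
import shlex

# Constructed process-creation events for illustration, not real telemetry:
# (host, user, command line), in chronological order.
SAMPLE_EVENTS = [
    ("web01", "www-data", "tar czf /tmp/.cache/d.tgz /var/www/app/config"),
    ("web01", "www-data", "base64 -w0 /tmp/.cache/d.tgz"),
    ("web02", "SYSTEM", 'certutil -encode "C:\\Temp\\out.7z" "C:\\Temp\\out.txt"'),
    ("web03", "root", "base64 -d /opt/backup/key.b64"),   # decode: benign here
    ("db01", "postgres", "tar czf /backup/db.tgz /var/lib/postgresql"),
    ("web04", "www-data", "openssl base64 -in /var/tmp/s.zip"),
]

ARCHIVE = re.compile(r"""\.(zip|tgz|tar|tar\.(gz|bz2|xz)|7z|rar)["']?$""", re.I)
DECODE_FLAGS = {"-d", "--decode", "-decode"}
ARCHIVERS = {"tar", "zip", "7z", "rar"}


def _tokens(cmd):
    try:
        return shlex.split(cmd, posix=False)   # keeps Windows backslashes intact
    except ValueError:
        return cmd.split()


def _tool(toks):
    name = re.split(r"[\\/]", toks[0])[-1].lower()   # drop directory, normalise case
    return name[:-4] if name.endswith(".exe") else name


def encodes_archive(cmd):
    """Return the archive path if `cmd` base64-encodes (not decodes) an archive, else None."""
    toks = _tokens(cmd)
    if not toks:
        return None
    tool, lowered = _tool(toks), [t.lower() for t in toks]
    is_encoder = (
        tool == "base64" and not (DECODE_FLAGS & set(lowered))
        or tool == "certutil" and "-encode" in lowered
        or tool == "openssl" and "base64" in lowered and "-d" not in lowered
    )
    if not is_encoder:
        return None
    return next((t.strip("\"'") for t in toks[1:] if ARCHIVE.search(t)), None)


def hunt(events):
    """Flag encode-of-archive events; escalate when the same host built that archive earlier."""
    created, findings = set(), []   # created: (host, archive path) seen in an archiver command
    for host, user, cmd in events:
        toks = _tokens(cmd)
        if toks and _tool(toks) in ARCHIVERS:
            created.update((host, t.strip("\"'")) for t in toks[1:] if ARCHIVE.search(t))
        path = encodes_archive(cmd)
        if path:
            sev = "high" if (host, path) in created else "medium"
            findings.append({"host": host, "user": user, "archive": path, "severity": sev, "cmd": cmd})
    return findings
```

Feed it events in the order they were observed; a web-server service account encoding an archive it just created is the sequence worth triaging first.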