
Governance for AI Agents, Exploited Edge Flaws, and Cloud Defenses
Coverage: 30 Mar 2026 (UTC)
AI agent governance and edge-hardening led today’s developments. In a detailed post from Microsoft, the company mapped the OWASP Top 10 for Agentic Applications to concrete controls in Copilot Studio and previewed an enterprise control plane, Agent 365. In parallel, CISA added a Citrix NetScaler vulnerability to its Known Exploited Vulnerabilities catalog, underscoring active attacks and the urgency of patching. Vendors also expanded client‑side and cloud protections, while investigators continued to assess the scope of a significant public‑sector breach.
Governing agentic AI
Microsoft framed agentic systems as privileged, auditable applications rather than free‑running automations, aligning controls to the OWASP Agentic Top 10 risks—from goal hijack and tool misuse to identity abuse, context poisoning, and rogue agents. Copilot Studio constrains arbitrary code execution and unsafe tool chaining through predefined actions, isolated runtimes, and republish controls, and agents can be restricted or disabled to prevent cascading faults. Operationally, Microsoft plans to offer Agent 365 as a centralized control plane (general availability announced for May 1) to enforce identity, access, and data policies and to detect prompt injection, tool misuse, compromised agents, and risky data access. The company positions the OWASP list, AI red‑team learnings, and related resources as a community baseline for building and governing agentic workflows.
At RSA Conference, Google Cloud emphasized a pragmatic path for adopting and securing AI, from task automation to agent‑driven workflows and function re‑design, while advocating multi‑model and multicloud resilience. The team highlighted emerging threats—model theft, prompt injection, agent‑enabled phishing, AI‑assisted malware, and supply‑chain abuse—and recommended treating identity as the new perimeter and prompts as code. Their perspective supports controls such as the Secure AI Framework, identity‑based prompt sanitation, agent observability, and agentic SOC practices, alongside product and research updates announced at RSAC, including acquisition progress and new defensive capabilities. Google Cloud’s takeaway: pair identity governance for agentic identities with supply‑chain security and multicloud posture management to secure AI‑driven operations.
Client‑side and cloud defenses roll out
Cloudflare expanded access to Client‑Side Security by opening its Advanced tier to self‑serve customers and delivering domain‑based threat intelligence at no cost to all users of the free bundle. Its detection pipeline combines a high‑recall Graph Neural Network on JavaScript ASTs with an open‑source LLM validator to reduce false positives, and it has already surfaced a sophisticated zero‑day campaign that abused compromised browser extensions. Every GNN‑flagged script is archived for auditing and tuning, and the Advanced tier targets compliance needs such as PCI DSS v4. Cloudflare says the goal is to help smaller sites and merchants investigate and remediate skimmers and supply‑chain compromises faster.
AWS added network‑aware flexibility for bioinformatics and analytics. HealthOmics now supports VPC‑connected workflows so managed pipelines can reach public datasets and cross‑Region resources without code changes, with per‑run network settings to align with compliance and separation‑of‑duties needs. In analytics, Athena Capacity Reservations expanded to many additional Regions, giving teams dedicated, isolated query capacity closer to their data for predictable performance and data‑residency alignment.
Within SageMaker, Amazon integrated the SageMaker Data Agent into the Unified Studio Query Editor, bringing conversational SQL to Redshift and Athena with step‑plan reviews and a Fix with AI flow for error analysis. The feature aims to speed analytics development for non‑SQL users; organizations should pair it with least‑privilege IAM and governance to protect sensitive data.
Actively exploited and high‑risk vulnerabilities
Citrix NetScaler CVE‑2026‑3055 was added to CISA’s Known Exploited Vulnerabilities catalog, signaling observed in‑the‑wild activity and elevating remediation priority. Research indicates the flaw is an out‑of‑bounds read affecting appliances explicitly configured as a SAML identity provider, enabling unauthenticated data leakage from memory, with patched builds available across supported versions. Operators should update quickly, consider vendor deny‑list signatures as a temporary measure if upgrades must be deferred, and monitor for scanning and exploitation against SAML endpoints.
Separately, F5 BIG‑IP APM CVE‑2025‑53521 was reclassified from DoS to critical RCE and is being exploited, enabling attackers to execute code and plant webshells on exposed appliances; indicators of compromise and recovery guidance are available, and federal agencies have been directed to secure affected systems. BleepingComputer reports the urgency of patching or isolating vulnerable configurations. Fortinet also faces active exploitation of a critical SQL injection in FortiClient EMS (CVE‑2026‑21643) that allows unauthenticated attackers to smuggle SQL via an HTTP header and achieve code execution; defenders should upgrade to the fixed release, restrict internet exposure, and audit for compromise. Details and exposure telemetry are summarized by BleepingComputer.
In the AI stack, researchers detailed a LangChain path traversal bug (CVE‑2026‑34070) alongside earlier unsafe deserialization and SQL injection issues in related components, illustrating how input‑validation gaps across templates, object handling, and checkpointing can expose host files, credentials, and conversation state. Fixes are available; recommended mitigations include strict allowlists, filesystem sandboxing, schema validation, and parameterized queries. The analysis from CSO Online underscores that AI pipelines magnify traditional security failures and deserve the same hardening as other critical services.
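The filesystem‑sandboxing and allowlist mitigations recommended above, as an added example that is not LangChain's code or part of the CSO Online analysis: every requested template path is resolved against a fixed root and rejected if it escapes (via "..", an absolute path or a symlink) or fails a strict extension allowlist. The allowlist, directory names and sample files are constructed for the demonstration.

```python
"""Confine user-supplied paths to a sandbox root (added example, not LangChain's code)."""
import os
import tempfile
from pathlib import Path

# Hypothetical allowlist of file types a template loader may read.
ALLOWED_SUFFIXES = frozenset({".txt", ".md", ".json"})


class PathEscape(ValueError):
    """Raised when a requested path escapes the sandbox or fails the allowlist."""


def resolve_within_sandbox(root: Path, requested: str) -> Path:
    """Return the real path of `requested` inside `root`, or raise PathEscape.

    `requested` is always treated as relative to `root`: leading slashes are
    stripped so an absolute path cannot bypass the join. resolve() follows
    symlinks, so a link inside the root that points outside it is caught too.
    """
    root_real = root.resolve()
    candidate = (root_real / requested.lstrip("/\\")).resolve()
    # is_relative_to() compares path components, not string prefixes,
    # so "/sandbox_evil" is not accepted for root "/sandbox".
    if not candidate.is_relative_to(root_real):
        raise PathEscape(f"{requested!r} resolves outside {root_real}")
    if candidate.suffix not in ALLOWED_SUFFIXES:
        raise PathEscape(f"{candidate.suffix!r} is not an allowed file type")
    return candidate


def check_requests(root: Path, requests: list[str]) -> dict[str, bool]:
    """Map each requested path to True (accepted) or False (rejected)."""
    results: dict[str, bool] = {}
    for req in requests:
        try:
            resolve_within_sandbox(root, req)
            results[req] = True
        except PathEscape:
            results[req] = False
    return results


def demo() -> dict[str, bool]:
    """Build a constructed sandbox in a temp dir and exercise the checker."""
    tmp = Path(tempfile.mkdtemp())
    sandbox = tmp / "templates"
    sandbox.mkdir()
    (sandbox / "prompt.txt").write_text("hello")
    (tmp / "secret.txt").write_text("outside the sandbox")  # constructed out-of-root file
    os.symlink(tmp / "secret.txt", sandbox / "link.txt")    # symlink that escapes the root
    return check_requests(
        sandbox, ["prompt.txt", "../secret.txt", "/etc/passwd", "link.txt", "prompt.py"]
    )
```

Only the in-root, allowlisted file is accepted; the traversal, absolute-path, symlink and wrong-type requests are all rejected before any file is opened.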
Confirmed incidents and ongoing investigations
The European Commission confirmed a cyber‑attack discovered March 24 and said initial containment protected website availability for Europa.eu. Early findings suggest data were exfiltrated from cloud‑hosted systems rather than internal networks, with affected Union entities being notified. The extortion group ShinyHunters claims roughly 350GB of stolen data spanning mail servers, databases, confidential documents, contracts, and personal information, and analysts reported additional alleged thefts such as DKIM keys and admin details. The Commission says it is continuing monitoring, forensics, and coordinated notifications. Infosecurity notes concerns about identity risk, operational disruption, and secondary spear‑phishing. Why it matters: cloud‑resident data and identities create broad blast radius when compromised.