ciso brief

All news with #ai runtime security tag

26 articles

AI Agents Invalidate the Traditional Cyber Kill Chain

⚠️ AI agents embedded across SaaS environments can render the traditional kill chain ineffective when they are compromised. The piece cites a September 2025 Anthropic disclosure where a state-backed actor used an AI coding agent to perform autonomous espionage, handling the majority of tactical operations. Because agents already hold broad permissions and move data as part of normal workflows, a breach looks like legitimate activity. Reco is positioned as a solution to discover agents, map blast radius, enforce least privilege, and detect anomalous agent behavior in real time.

AWS adds NIXL with EFA to accelerate LLM inference at scale

⚡ AWS now supports NVIDIA Inference Xfer Library (NIXL) with Elastic Fabric Adapter (EFA) on all EFA-enabled EC2 instances and regions. This integration accelerates disaggregated LLM inference by increasing KV-cache throughput, lowering inter-token latency, and optimizing KV-cache memory use between prefill and decode nodes. NIXL interoperates with frameworks such as NVIDIA Dynamo, SGLang, and vLLM. Supported versions are NIXL 1.0.0+ and EFA installer 1.47.0+, available at no extra cost.

Palo Alto Networks and ServiceNow Integrate Prisma AIRS

🔒 The integration of Prisma AIRS with ServiceNow's AI Control Tower embeds AI runtime security and model governance directly into enterprise workflows. Prisma AIRS delivers real‑time detection and blocking of threats such as prompt injection and offensive outputs, while Model Security supplies risk profiles, red‑teaming results and vulnerability reports for third‑party and custom models. Together they provide centralized visibility, policy enforcement and safer AI adoption without disrupting user productivity.

Ceros Provides Visibility and Control for Claude Code

🔒 Ceros, an AI Trust Layer from Beyond Identity, runs alongside Claude Code on developers' machines to provide real-time visibility, runtime policy enforcement, and cryptographically signed audit records. Installation is non-disruptive—two CLI commands and a brief enrollment tie sessions to verified human identities with hardware-bound keys. The admin console surfaces conversation transcripts, tool invocations, MCP server connections, and signed activity logs that support compliance.

Navigating Security Tradeoffs for Enterprise AI Agents

🔒 Unit 42 examines the security tradeoffs of agentic AI, spotlighting the early 2026 Clawdbot surge and pervasive vulnerabilities such as exposed gateways, plaintext credentials, and overbroad permissions. The piece identifies two primary threat paths: malicious model files and compromised Model Context Protocol (MCP) servers, and explains how compromised agents can act as powerful insider threats. Practical guidance includes scanning and sandboxing models, preferring trusted remote MCPs or auditing local MCP code, enforcing strict least-privilege tool access, implementing prompt-injection guardrails, and maintaining detailed logging and policy reviews.

Observability for AI: Strengthening Production Visibility

🔍 Observability is essential for production AI and agentic systems, enabling teams to detect risks, validate policies, and maintain operational control. The post stresses capturing full context—prompts, retrieval provenance, tool invocations, and multi-turn traces—because traditional health metrics can miss trust-boundary compromises. It recommends building AI-native telemetry into the SDL, aligning with standards like OpenTelemetry and platforms such as Azure Monitor, and making reconstructability a release requirement.

Nvidia unveils NemoClaw to secure OpenClaw agents today

🔐 At the Nvidia GTC conference CEO Jensen Huang introduced NemoClaw, a secure runtime for running OpenClaw-style agents built on the Nvidia Agent Toolkit and the broader NeMo ecosystem. Central to the offering is the open-source OpenShell runtime, which provides kernel-level sandboxing and a “privacy router” to monitor and block unsafe communications. Nvidia says NemoClaw is hardware-agnostic though optimized for its own microservices, and aims to make edge agent deployment viable for enterprises while researchers inspect it for CVE-level flaws.

Multi-Cluster GKE Inference Gateway for Scalable AI

🚀 Google Cloud announced the preview of the multi-cluster GKE Inference Gateway, an extension of the GKE Gateway API that provides model-aware, intelligent load balancing across multiple GKE clusters and regions. It centralizes ingress configuration in a dedicated "config cluster" while exporting model-serving backends from distributed "target clusters." The gateway pools GPUs/TPUs, supports routing based on custom metrics, and offers in-flight request limits to optimize latency, utilization, and fault tolerance.

AWS Bedrock Sandbox Allows DNS-Based Isolation Bypass

🔒 BeyondTrust researchers demonstrated that the Sandbox mode in AWS Bedrock AgentCore Code Interpreter permits outbound DNS A/AAAA queries that can be abused to create a bidirectional covert channel. By encoding data in DNS requests and responses they showed both data exfiltration and an interactive reverse shell without triggering network restrictions. AWS reproduced the report but characterized the behavior as intended and updated documentation rather than issuing a patch.

Runtime: Securing AI Agents Inside Enterprise Systems

🔒 Enterprises are confronting a shift: autonomous AI agents now operate inside corporate environments with real permissions and real consequences. Security must move beyond build-time controls to continuous runtime monitoring that observes agent behavior, preserves tamper-proof logs, and applies agent-aware policies. Practical first steps include inventorying agents, extending EDR-style behavioral baselining, and designing incident-response playbooks that stop misbehaving agents without destroying evidence.

OpenClaw AI Agent Flaws Could Enable Endpoint Takeover

🔒 China's CNCERT warned that OpenClaw, an open-source, self-hosted autonomous AI agent, ships with weak default security and broad system privileges that attackers can abuse to seize endpoints and exfiltrate data. The advisory highlights indirect prompt injection (IDPI/XPIA) risks where benign features like web-page summarization and messaging link previews are weaponized to embed malicious instructions or automatically leak secrets. Researchers at PromptArmor demonstrated a technique in which an agent constructs attacker-controlled URLs that, when rendered as link previews, transmit confidential data without user clicks. CNCERT also flagged risks from malicious skills, accidental destructive commands, and disclosed vulnerabilities, urging isolation, tightened network controls, credential protection, and cautious skill sourcing.

Amazon SageMaker HyperPod Adds Console Node Actions

🔧 Amazon SageMaker HyperPod now lets operators manage individual cluster nodes directly from the AWS Console. The console enables SSM session launches, copyable pre-populated SSM CLI commands, and direct node actions such as reboot, delete, and replace, with support for batch operations across multiple nodes. Available in all Regions where HyperPod is supported, these controls reduce context switching and speed manual recovery for time-sensitive AI training and inference workloads.

From Automation to Infection — OpenClaw Skills Risks

🔒 VirusTotal details how OpenClaw skills are being abused as a supply-chain delivery channel, demonstrating five attack patterns that convert convenience into access. The report maps concrete tradecraft — remote execution, semantic worm propagation, SSH-based persistence, silent exfiltration, and prompt-based cognitive rootkits — to representative malicious skills. It concludes with practical mitigations: sandboxing, least privilege, egress controls, dependency hygiene, and protection of persistent instruction files.

Amazon EC2 Trn3 UltraServers for Faster AI Training

🚀 AWS announced general availability of Amazon EC2 Trn3 UltraServers, powered by the new 3nm Trainium3 AI chip designed to deliver improved token economics for agentic, reasoning, and video-generation workloads. Each Trainium3 chip provides 2.52 PFLOPs (FP8), 144 GB of HBM3e, and 4.9 TB/s memory bandwidth, and servers can scale to 144 chips or to hundreds of thousands via EC2 UltraClusters. The platform includes the AWS Neuron SDK with native PyTorch integration so developers can train and deploy without changing model code, while performance engineers gain deeper access to tune kernels and optimize at scale.

Prisma AIRS Integration with Azure AI Foundry for Security

🔒 Palo Alto Networks announced that Prisma AIRS now integrates natively with Azure AI Foundry, enabling direct prompt and response scanning through the Prisma AIRS AI Runtime Security API. The integration provides real-time, model-agnostic threat detection for prompt injection, sensitive data leakage, malicious code and URLs, and toxic outputs, and supports custom topic filters. By embedding security into AI development workflows, teams gain production-grade protections without slowing innovation; the feature is available now via an early access program.

Bringing Connected AI Work Experiences Across Devices

🚀 Google outlines its plan to embed Generative AI across enterprise platforms and endpoints, integrating Gemini into Chrome Enterprise, Android, Pixel phones and Chromebook Plus devices. The post highlights the general availability of Cameyo by Google to virtualize legacy and modern apps in the cloud and the launch of Gemini in Chrome with enterprise-grade controls. It also previews Android XR and Pixel features powered by Gemini Nano, while expanding data loss prevention and a one-click SecOps integration to help IT secure AI-driven workflows.

GTIG: Threat Actors Shift to AI-Enabled Runtime Malware

🔍 Google Threat Intelligence Group (GTIG) reports an operational shift from adversaries using AI for productivity to embedding generative models inside malware to generate or alter code at runtime. GTIG details “just-in-time” LLM calls in families like PROMPTFLUX and PROMPTSTEAL, which query external models such as Gemini to obfuscate, regenerate, or produce one‑time functions during execution. Google says it disabled abusive assets, strengthened classifiers and model protections, and recommends monitoring LLM API usage, protecting credentials, and treating runtime model calls as potential live command channels.

Cloud CISO: Threat Actors' Growing Use of AI Tools

⚠️ Google's Threat Intelligence team reports a shift from experimentation to operational use of AI by threat actors, including AI-enabled malware and prompt-based command generation. GTIG highlighted PROMPTSTEAL, linked to APT28 (FROZENLAKE), which queries a Hugging Face LLM to generate scripts for reconnaissance, document collection, and exfiltration, while adopting greater obfuscation and altered C2 methods. Google disabled related assets, strengthened model classifiers and safeguards with DeepMind, and urges defenders to update threat models, monitor anomalous scripting and C2, and incorporate threat intelligence into model- and classifier-level protections.

Ray on GKE: New AI Scheduling and Scaling Features

🚀 Google Cloud and Anyscale describe tighter integration between Ray and Kubernetes to improve distributed AI scheduling and autoscaling on GKE. The release introduces a Ray Label Selector API (Ray v2.49) to align task, actor and placement-group placement with Kubernetes labels and GKE custom compute classes, enabling targeted placement and fallback strategies for GPUs and markets. It also adds Dynamic Resource Allocation for A4X/GB200 racks, writable cgroups for Ray resource isolation on GKE v1.34+, TPU/JAX training support via a JAXTrainer in Ray v2.49, and in-place pod resizing (Kubernetes v1.33) for vertical autoscaling and higher efficiency.

Agent Factory Recap: Securing AI Agents in Production

🛡️ This recap of the Agent Factory episode explains practical strategies for securing production AI agents, demonstrating attacks like prompt injection, invisible Unicode exploits, and vector DB context poisoning. It highlights Model Armor for pre- and post-inference filtering, sandboxed execution, network isolation, observability, and tool safeguards via the Agent Development Kit (ADK). The team demonstrates a secured DevOps assistant that blocks data-exfiltration attempts while preserving intended functionality and provides operational guidance on multi-agent authentication, least-privilege IAM, and compliance-ready logging.