ciso brief

All news with #ai runtime security tag

30 articles

AI agent governance: observability is essential

🛡️ CIOs rushing to deploy AI agents without visibility risk major failures; experts warn that observability and governance are required. Many organizations treat agents like RPA and set-and-forget systems, but agents operate in model runtimes and need end-to-end tracing, least-privilege permissions, and human-in-the-loop checks. Vendors and cloud providers offer tools, yet governance can become a bottleneck if it’s not scalable and actionable.

Exploitable Misconfigurations in Cloud AI Deployments

🔒 Microsoft Defender research shows AI and agentic applications on cloud-native platforms are frequently deployed with insecure defaults and missing authentication, creating exploitable misconfigurations. Observed exposures include public MCP servers, unsecured Helm chart installs, and unauthenticated agent frameworks that enable remote code execution, credential theft, and access to internal tools. Defender for Cloud can detect exposed Kubernetes services and unsafe deployment patterns to help teams prioritize remediation.

LLMjacking Risks: Securing Private AI Servers 2026

🔒 A hands-on April 2026 experiment shows how quickly attackers can target private AI servers: a Raspberry Pi honeypot posed as a high-performance stack (Ollama, LM Studio, AutoGPT, LangServe, text-gen-webui) and claimed a local Qwen3-Coder 30B instance plus RAG/MCP assets. Shodan discovered the server within three hours and, over a month, it logged 113,000+ requests from thousands of IPs with 23% probing AI capabilities. Observed tactics included fingerprinting endpoints like /v1/models and /.well-known/mcp.json and systematic hunts for exposed .env files, highlighting the importance of securing RAG, MCP and private AI deployments from day one.

Including MCP in Continuous Threat Exposure Management

🔒 Model Context Protocol (MCP), the emerging plugin layer for agentic AI, has become a significant blind spot for security teams, introducing new shadow-AI risks much like shadow IT. CTEM programs can close this gap by extending scoping, discovery, prioritization, validation and mobilization to cover developer workstations, AI toolchains and MCP server configurations. Practical actions include actively enumerating MCP endpoints, scanning agent configuration and markdown context files for hardcoded API keys, and prioritizing exposures by attacker impact to produce actionable remediation tickets for engineering teams.

AI Agents Invalidate the Traditional Cyber Kill Chain

⚠️ AI agents embedded across SaaS environments can render the traditional kill chain ineffective when they are compromised. The piece cites a September 2025 Anthropic disclosure where a state-backed actor used an AI coding agent to perform autonomous espionage, handling the majority of tactical operations. Because agents already hold broad permissions and move data as part of normal workflows, a breach looks like legitimate activity. Reco is positioned as a solution to discover agents, map blast radius, enforce least privilege, and detect anomalous agent behavior in real time.

AWS adds NIXL with EFA to accelerate LLM inference at scale

⚡ AWS now supports NVIDIA Inference Xfer Library (NIXL) with Elastic Fabric Adapter (EFA) on all EFA-enabled EC2 instances and regions. This integration accelerates disaggregated LLM inference by increasing KV-cache throughput, lowering inter-token latency, and optimizing KV-cache memory use between prefill and decode nodes. NIXL interoperates with frameworks such as NVIDIA Dynamo, SGLang, and vLLM. Supported versions are NIXL 1.0.0+ and EFA installer 1.47.0+, available at no extra cost.

Palo Alto Networks and ServiceNow Integrate Prisma AIRS

🔒 The integration of Prisma AIRS with ServiceNow's AI Control Tower embeds AI runtime security and model governance directly into enterprise workflows. Prisma AIRS delivers real‑time detection and blocking of threats such as prompt injection and offensive outputs, while Model Security supplies risk profiles, red‑teaming results and vulnerability reports for third‑party and custom models. Together they provide centralized visibility, policy enforcement and safer AI adoption without disrupting user productivity.

Ceros Provides Visibility and Control for Claude Code

🔒 Ceros, an AI Trust Layer from Beyond Identity, runs alongside Claude Code on developers' machines to provide real-time visibility, runtime policy enforcement, and cryptographically signed audit records. Installation is non-disruptive—two CLI commands and a brief enrollment tie sessions to verified human identities with hardware-bound keys. The admin console surfaces conversation transcripts, tool invocations, MCP server connections, and signed activity logs that support compliance.

Navigating Security Tradeoffs for Enterprise AI Agents

🔒 Unit 42 examines the security tradeoffs of agentic AI, spotlighting the early 2026 Clawdbot surge and pervasive vulnerabilities such as exposed gateways, plaintext credentials, and overbroad permissions. The piece identifies two primary threat paths: malicious model files and compromised Model Context Protocol (MCP) servers, and explains how compromised agents can act as powerful insider threats. Practical guidance includes scanning and sandboxing models, preferring trusted remote MCPs or auditing local MCP code, enforcing strict least-privilege tool access, implementing prompt-injection guardrails, and maintaining detailed logging and policy reviews.

Observability for AI: Strengthening Production Visibility

🔍 Observability is essential for production AI and agentic systems, enabling teams to detect risks, validate policies, and maintain operational control. The post stresses capturing full context—prompts, retrieval provenance, tool invocations, and multi-turn traces—because traditional health metrics can miss trust-boundary compromises. It recommends building AI-native telemetry into the SDL, aligning with standards like OpenTelemetry and platforms such as Azure Monitor, and making reconstructability a release requirement.

Nvidia unveils NemoClaw to secure OpenClaw agents today

🔐 At the Nvidia GTC conference CEO Jensen Huang introduced NemoClaw, a secure runtime for running OpenClaw-style agents built on the Nvidia Agent Toolkit and the broader NeMo ecosystem. Central to the offering is the open-source OpenShell runtime, which provides kernel-level sandboxing and a “privacy router” to monitor and block unsafe communications. Nvidia says NemoClaw is hardware-agnostic though optimized for its own microservices, and aims to make edge agent deployment viable for enterprises while researchers inspect it for CVE-level flaws.

Multi-Cluster GKE Inference Gateway for Scalable AI

🚀 Google Cloud announced the preview of the multi-cluster GKE Inference Gateway, an extension of the GKE Gateway API that provides model-aware, intelligent load balancing across multiple GKE clusters and regions. It centralizes ingress configuration in a dedicated "config cluster" while exporting model-serving backends from distributed "target clusters." The gateway pools GPUs/TPUs, supports routing based on custom metrics, and offers in-flight request limits to optimize latency, utilization, and fault tolerance.

AWS Bedrock Sandbox Allows DNS-Based Isolation Bypass

🔒 BeyondTrust researchers demonstrated that the Sandbox mode in AWS Bedrock AgentCore Code Interpreter permits outbound DNS A/AAAA queries that can be abused to create a bidirectional covert channel. By encoding data in DNS requests and responses they showed both data exfiltration and an interactive reverse shell without triggering network restrictions. AWS reproduced the report but characterized the behavior as intended and updated documentation rather than issuing a patch.

Runtime: Securing AI Agents Inside Enterprise Systems

🔒 Enterprises are confronting a shift: autonomous AI agents now operate inside corporate environments with real permissions and real consequences. Security must move beyond build-time controls to continuous runtime monitoring that observes agent behavior, preserves tamper-proof logs, and applies agent-aware policies. Practical first steps include inventorying agents, extending EDR-style behavioral baselining, and designing incident-response playbooks that stop misbehaving agents without destroying evidence.

OpenClaw AI Agent Flaws Could Enable Endpoint Takeover

🔒 China's CNCERT warned that OpenClaw, an open-source, self-hosted autonomous AI agent, ships with weak default security and broad system privileges that attackers can abuse to seize endpoints and exfiltrate data. The advisory highlights indirect prompt injection (IDPI/XPIA) risks where benign features like web-page summarization and messaging link previews are weaponized to embed malicious instructions or automatically leak secrets. Researchers at PromptArmor demonstrated a technique in which an agent constructs attacker-controlled URLs that, when rendered as link previews, transmit confidential data without user clicks. CNCERT also flagged risks from malicious skills, accidental destructive commands, and disclosed vulnerabilities, urging isolation, tightened network controls, credential protection, and cautious skill sourcing.

Amazon SageMaker HyperPod Adds Console Node Actions

🔧 Amazon SageMaker HyperPod now lets operators manage individual cluster nodes directly from the AWS Console. The console enables SSM session launches, copyable pre-populated SSM CLI commands, and direct node actions such as reboot, delete, and replace, with support for batch operations across multiple nodes. Available in all Regions where HyperPod is supported, these controls reduce context switching and speed manual recovery for time-sensitive AI training and inference workloads.

From Automation to Infection — OpenClaw Skills Risks

🔒 VirusTotal details how OpenClaw skills are being abused as a supply-chain delivery channel, demonstrating five attack patterns that convert convenience into access. The report maps concrete tradecraft — remote execution, semantic worm propagation, SSH-based persistence, silent exfiltration, and prompt-based cognitive rootkits — to representative malicious skills. It concludes with practical mitigations: sandboxing, least privilege, egress controls, dependency hygiene, and protection of persistent instruction files.

Amazon EC2 Trn3 UltraServers for Faster AI Training

🚀 AWS announced general availability of Amazon EC2 Trn3 UltraServers, powered by the new 3nm Trainium3 AI chip designed to deliver improved token economics for agentic, reasoning, and video-generation workloads. Each Trainium3 chip provides 2.52 PFLOPs (FP8), 144 GB of HBM3e, and 4.9 TB/s memory bandwidth, and servers can scale to 144 chips or to hundreds of thousands via EC2 UltraClusters. The platform includes the AWS Neuron SDK with native PyTorch integration so developers can train and deploy without changing model code, while performance engineers gain deeper access to tune kernels and optimize at scale.

Prisma AIRS Integration with Azure AI Foundry for Security

🔒 Palo Alto Networks announced that Prisma AIRS now integrates natively with Azure AI Foundry, enabling direct prompt and response scanning through the Prisma AIRS AI Runtime Security API. The integration provides real-time, model-agnostic threat detection for prompt injection, sensitive data leakage, malicious code and URLs, and toxic outputs, and supports custom topic filters. By embedding security into AI development workflows, teams gain production-grade protections without slowing innovation; the feature is available now via an early access program.

Bringing Connected AI Work Experiences Across Devices

🚀 Google outlines its plan to embed Generative AI across enterprise platforms and endpoints, integrating Gemini into Chrome Enterprise, Android, Pixel phones and Chromebook Plus devices. The post highlights the general availability of Cameyo by Google to virtualize legacy and modern apps in the cloud and the launch of Gemini in Chrome with enterprise-grade controls. It also previews Android XR and Pixel features powered by Gemini Nano, while expanding data loss prevention and a one-click SecOps integration to help IT secure AI-driven workflows.