The conversation has moved. Evidence emerging from the RSA Conference period suggests we are no longer in theoretical territory — early cases indicate AI systems are being actively targeted in production environments, and the attack surface is expanding faster than most security teams have modelled. This edition covers four developments that matter: a cluster of agentic AI vulnerabilities disclosed before RSA, a critical enforcement deadline now four months away, a new OWASP framework that should be on every practitioner's desk, and a statistic that will sharpen any board conversation you need to have.
This edition's framing: Security teams are still defending interfaces. Attackers are now targeting decision-making loops. The shift from prompt risk to agentic execution risk is the defining change in this threat landscape.
The RSA Conference period produced a cluster of serious vulnerability disclosures that, taken together, suggest a step-change in adversarial AI sophistication is underway.
Five signals from the past fortnight — grouped by attack category — form a coherent and concerning picture.
Framework vulnerabilities: Testing of OpenClaw across 47 adversarial scenarios (reported by Adversa AI) produced sandbox escapes and put the effectiveness of its default defences at just 17%. Four CVEs in CrewAI — a widely used open-source multi-agent framework — allow attackers to chain prompt injection into remote code execution, server-side request forgery, and file read.
Platform vulnerabilities: A command injection flaw in OpenAI Codex (reported by BeyondTrust) enables GitHub OAuth token theft via unsanitised branch name parameters. Unit 42 identified CVE-2026-0628, a high-severity vulnerability in Chrome's Gemini Live panel allowing malicious extensions to hijack the AI assistant and access camera and microphone.
In-the-wild activity: Early reports — still being independently verified — describe autonomous agent activity exploiting GitHub Actions workflows to achieve remote code execution using poisoned Go init() functions.
A vendor-backed survey (primary source not disclosed; reported by Security Boulevard, April 2026) found that 97% of enterprise leaders expect a material AI-agent-driven security or fraud incident within the next 12 months. Nearly half expect one within six months. Separately, data from Reco's 2025 breach review identifies malware hidden in public model and code repositories as the most commonly cited source of AI-related breaches — a supply chain risk category for which most organisations currently have no specific controls.
OWASP has released the Top 10 for Agentic Applications 2026, developed with over 100 industry experts. It maps the critical security risks specific to autonomous AI systems — a materially different set of threats from the LLM Top 10. The Cloud Security Alliance simultaneously launched an initiative focused on "Securing the Agentic Control Plane."
This matters because OWASP provides the shared vocabulary that procurement teams, auditors, and CISOs use when scoping security requirements. The LLM Top 10 is already appearing in RFPs and security questionnaires. The Agentic Top 10 will follow within 12 months.
The EU AI Act's August 2, 2026 enforcement date is now four months away, and the gap between awareness and readiness remains wide.
What becomes enforceable on that date: High-Risk AI system requirements become fully applicable. The European Commission begins formal enforcement. Every EU Member State must have designated its national competent authorities. Transparency obligations — including labelling of AI-generated content — take effect. The GPAI Code of Practice on Transparency of AI-Generated Content is expected to be finalised in May–June 2026, meaning the practical implementation guidance will arrive with very little runway before it becomes mandatory.
Map your clients' AI systems against the EU AI Act's Annex III High-Risk categories. Most organisations haven't done this yet. August 2026 is four months away — and the conformity assessment process takes longer than people expect. Start with a scoping exercise. Everything else follows from that.