Newsletter

The Enterprise AI Brief | Issue 9 Inside This Issue The Threat Room MCP Tool Calls Are Becoming a Security Signal for AI Agents AI agents may not expose their reasoning, but their tools leave a trail. New MCP security research is treating tool-call sessions as a detection surface, where the sequence of file reads, database queries, emails, errors, and arguments can reveal misuse that a single prompt log might miss. The catch is that the same traffic used for detection may also contain secrets, customer data, and execution paths. MCP tool-call monitoring is becoming useful evidence, but it also has to be handled like sensitive infrastructure telemetry. → Read the full article The Operations Room The Database Layer Is Absorbing Agent Infrastructure Agent teams used to stitch together embeddings, vector databases, rerankers, memory stores, and operational databases just to answer one grounded question. That stack is starting to compress into the data layer itself, where retrieval, memory, access control, and observability can sit closer to the data agents actually use. The shift could simplify production AI systems, but it also raises a harder question: When the database becomes part of the agent runtime, who owns freshness, memory governance, workload isolation, and retrieval-time access control? → Read the full article The Engineering Room Why Coding Agents Need More Than Containers A coding agent that fixes a test may also run shell commands, install packages, edit build files, and touch the network. At that point, the real security question is not just what the model says, but what the runtime lets it do. This weekʼs Engineering Room breaks down the OS-level sandbox architectures that Codex, Docker, Cursor, and Gemini CLI are using for coding agents, and why standard containers do not fully fit the problem. → Read the full article The Governance Room When AI Agents Get Their Own Secrets AI agents are starting to get their own secrets. GitHubʼs new Agents scope for Copilot cloud agent is a small platform change with a larger governance signal: agent access is becoming something enterprises need to separate, review, and investigate on their own terms. The next access-management question may not be whether an AI agent can act. It may be which credentials it is allowed to carry while it does. → Read the full article

The Enterprise AI Brief | Issue 5 Inside This Issue The Threat Room BitBypass: Binary Word Substitution Defeats Multiple Guard Systems BitBypass hides one sensitive word as a hyphen-separated bitstream, then uses system-prompt instructions to make the model decode and reinsert it. In testing across five frontier models, this approach substantially reduced refusal rates and bypassed multiple guard layers. All five tested models produced phishing content at rates between 68-92%. If your safety controls assume plain-language detection will catch malicious intent, this research deserves close attention.  → Read the full article The Operations Room When Prompts Started Breaking Production By early 2026, prompts were breaking production often enough that teams stopped treating them as configuration and started treating them like code: versioned, regression-tested, blocked in CI/CD when quality metrics slip. This is what happened when informal text became the functional interface defining system behavior, and why the teams that got ahead of it caught failures before their users did. → Read the full article The Engineering Room Structured Outputs Are Becoming the Default Contract for LLM Integrations For two years, “return JSON” was a polite request followed by parsing code and retries when the model ignored you. Structured outputs move schema enforcement into the decoding layer, and the ecosystem is converging on this as the default contract. If your automations break when a field is missing, this shift changes what reliability means and where validation effort needs to sit. → Read the full article The Governance Room NIST’s Cyber AI Profile Draft: How CSF 2.0 Is Being Extended to AI Cybersecurity NIST just tried to solve a problem every enterprise AI program keeps tripping over: how to talk about AI cybersecurity in the same control language as everything else. The draft Cyber AI Profile overlays “Secure, Defend, Thwart” onto CSF 2.0 outcomes, which sounds simple until you see what it forces you to inventory, log, and govern. If your org is doing AI without turning it into a parallel security universe, this is the blueprint NIST is testing. → Read the full article

The Enterprise AI Brief | Issue 4 Inside This Issue The Threat Room The Reprompt Attack on Microsoft Copilot A user clicks a Copilot link, watches it load, and closes the tab. The session keeps running. The data keeps flowing. Reprompt demonstrated what happens when AI assistants inherit user permissions, persist sessions silently, and cannot distinguish instructions from attacks. The vulnerability was patched. The architectural pattern that enabled it, ambient authority without session boundaries, still exists elsewhere..  → Read the full article Operation Bizarre Bazaar: The Resale Market for Stolen AI Access Operation Bizarre Bazaar is not a single exploit. It is a supply chain: discover exposed LLM endpoints, validate access within hours, resell through a marketplace. A misconfigured test environment becomes a product listing within days. For organizations running internet-reachable LLM or MCP services, the window between exposure and exploitation is now measured in hours.. → Read the full article The Operations Room Why Your LLM Traffic Needs a Control Room Most teams don’t plan for an LLM gateway until something breaks: a surprise invoice, a provider outage with no fallback, a prompt change that triples token consumption overnight. This article explains what these gateways actually do on the inference hot path, where the operational tradeoffs hide, and what questions to ask before your next production incident answers them for you. → Read the full article Retrieval Is the New Control Plane RAG is no longer a chatbot feature. It is production infrastructure, and the retrieval layer is where precision, access, and trust are won or lost. This piece breaks down what happens when you treat retrieval as a control plane: evaluation gates, access enforcement at query time, and the failure modes that stay invisible until an audit finds them. → Read the full article The Engineering Room Every Token Has a Price: Why LLM Cost Telemetry Is Now Production Infrastructure Usage triples. So does the bill. But no one can explain why. This is the observability gap that LLM cost telemetry solves: the gateway pattern, token-level attribution, and the instrumentation that turns opaque spend into actionable data. → Read the full article Demo-Ready Is Not Production-Ready A prompt fix ships. Tests pass. Two weeks later, production breaks. The culprit was not the model. This piece unpacks the evaluation stacks now gating enterprise GenAI releases: what each layer catches, what falls through, and why most teams still lack visibility into what’s actually being deployed. → Read the full article The Governance Room The AI You Didn’t Approve Is Already Inside Ask a compliance team how AI is used across their organization. Then check the network logs. The gap between those two answers is where regulatory risk now lives, and EU AI Act enforcement is about to make that gap harder to explain away. → Read the full article AI Compliance Is Becoming a Live System How long would it take you to show a regulator, today, how you monitor AI behavior in production? If the honest answer is “give us a few weeks,” you’re already behind. This piece breaks down how governance is shifting from scheduled reviews to always-on infrastructure, and offers three questions to pressure-test your current posture. → Read the full article

The Enterprise AI Brief | Issue 3 Inside This Issue The Threat Room When AI Agents Act, Identity Becomes the Control Plane A single poisoned document. An agent following instructions it should have ignored. An audit log that points to the wrong person. AI agents are no longer just automation: they’re privileged identities that can be manipulated through their inputs. Regulators are catching up. NIST is collecting security input, FINRA is flagging autonomy and auditability as governance gaps, and Gartner predicts 25% of enterprise breaches will trace to agent abuse by 2028. The question isn’t whether agents create risk. It’s whether your controls were built for actors that can be turned by a document.  → Read the full article The Operations Room Agentic AI in Production: The System Worked. The Outcome Was Wrong. The system worked. The outcome was wrong. Most enterprises are running agentic pilots, but few have crossed into safe production. This piece explains what’s blocking the path. → Read the full article Enterprise GenAI Pilot Purgatory: Why the Demo Works and the Rollout Doesn’t Why do so many GenAI pilots impress in the demo, then quietly die before production? Research from 2025 and early 2026 reveals the same five breakdowns, again and again. This piece maps the failure mechanisms, and what the rare exceptions do differently. → Read the full article The Engineering Room AI Agents Broke the Old Security Model. AI-SPM Is the First Attempt at Catching Up. Traditional model security asks: what might the AI say? Agent security asks: what might the system do? Microsoft and AWS are shipping AI-SPM capabilities that track tools, identities, and data paths across agent architectures, because when agents fail, the breach is usually a tool call, not a hallucination.  → Read the full article The Governance Room From Disclosure to Infrastructure: How Global AI Regulation Is Turning Compliance Into System Design A retailer’s AI system flags fraudulent returns. The documentation is flawless. Then auditors ask for logs, override records, and proof that human review actually happened. The system passes policy review. It fails infrastructure review. This is the new compliance reality. Across the EU, US, and Asia-Pacific, enforcement is shifting from what policies say to what systems actually do. This piece explains why AI governance is becoming an infrastructure problem, what auditors are starting to look for, and what happens when documentation and architecture tell different stories. → Read the full article

The Enterprise AI Brief | Issue 2 Inside This Issue The Threat Room The Context Layer Problem Enterprise AI breaches are not happening at the model layer. They are happening in the plumbing: context assembly, retrieval pipelines, tool orchestration. This article breaks down five documented failure modes, walks through a realistic attack scenario, and explains why prompt injection has become OWASP’s top GenAI risk. Worth a read for anyone building or deploying AI systems with access to internal data. → Read the full article The Operations Room Why Enterprises Are Versioning Prompts Like Code When an LLM application starts producing bad outputs, the model is rarely the culprit. A prompt tweak, a stale retrieval index, or a missing evaluation case is more likely to blame. GenAIOps treats these components as deployed infrastructure with versioning, rollback, and tracing. This article explains why traditional MLOps was not built for this shift and what enterprises are doing about it. → Read the full article The Engineering Room The Prompt Is the Bug Prompts are no longer just text strings. MLflow 3.x treats them as deployable artifacts with versioning, tracing, and audit trails. As LLM failures shift away from models and into orchestration logic, this changes how enterprises debug, govern, and roll back AI behavior. Prompt tracking is becoming an engineering decision, not an afterthought. → Read the full article The Governance Room California’s 2026 AI Laws: When a Documentation Gap Becomes a Reportable Incident California’s 2026 AI laws make cybersecurity controls a regulated safety obligation for frontier model developers. A documentation gap in model weight access controls is no longer an internal cleanup. If it leads to unauthorized access, it becomes a reportable incident with a 15-day deadline. This article covers what developers must document, what triggers reporting, and what downstream enterprises should expect in vendor contracts and procurement requirements.  → Read the full article Texas AI Law Shifts Compliance Focus from Outcomes to Intent Texas is regulating AI differently. Starting in 2026, compliance won’t hinge on outcomes alone. It will turn on documented intent, testing records, and internal controls. For enterprises operating across states, TRAIGA redefines what a defensible AI program looks like. → Read the full article

The Enterprise AI Brief | Issue 1 Inside This Issue The Threat Room Model Confusion Turns AI Model Loading Into a Supply-Chain Attack Surface Model confusion exposes an AI supply-chain risk hiding in plain sight. Code that appears to load a local model can silently resolve to a public registry model with the same name, opening the door to remote code execution or silent compromise. The risk lives in everyday ML code paths, not infrastructure, turning model loading itself into a security boundary enterprises rarely treat as one. → Read the full article The Operations Room Agentic AI Gets Metered: Vertex AI Agent Engine Billing Goes Live AI agents remember conversations, persist state, and execute tools on demand. Starting January 28, Google will charge for all of it. Vertex AI Agent Engine’s new billing model treats memory, state, and execution as metered resources, and costs can escalate faster than teams expect. This article breaks down how the billing works, walks through a realistic usage scenario, and explains why agentic AI is about to get a lot more expensive to run in production. → Read the full article The Engineering Room Registry-Aware Guardrails: Moving AI Safety and Policy Into External Control Planes As AI systems scale, teams are moving guardrails out of individual models and into shared control planes. This article explains the core architecture behind registry-aware guardrails, compares the two dominant implementation patterns, and outlines the tradeoffs teams face when centralizing AI safety and policy enforcement across pipelines. → Read the full article The Governance Room Shadow AI Metrics Expose a Governance Gap in Enterprise AI Programs Shadow AI is no longer invisible, but it is still hard to control. Enterprise telemetry now reveals thousands of GenAI policy violations each month, most occurring outside managed identity and enforcement boundaries. As AI use shifts toward copy-paste workflows and personal accounts, governance teams face a growing gap between what policies say and what controls can actually stop. → Read the full article