How to Use DLP and DSPM to Support SOC 2 Compliance

SOC 2 audits are won or lost on evidence. When an auditor asks how an organization controls access to sensitive data, prevents unauthorized exfiltration, and monitors for anomalous behavior, the answer has to be documented and defensible. For most security and GRC teams, that answer depends heavily on whether their data security tooling is configured to produce audit-ready outputs, not just enforce policies.

How Organizations Are Addressing the Cybersecurity Skills Gap

Cybersecurity teams today are not short on tools or alerts. In many organizations, continuous signals are being generated across endpoints, networks, cloud platforms, and identity systems. The challenge is not visibility but execution. The cybersecurity skills gap is not just a hiring problem. It directly affects an organization's ability to detect, investigate, and respond to threats. Security teams may miss reviewing some alerts or struggle to understand certain incidents.

The US Has a New AI Security Blueprint: Here's What It Actually Means

The Trump administration has spent much of its second term removing regulatory constraints on AI development. On June 2, it added one back voluntarily and carefully. Earlier this week, President Trump signed "Promoting Advanced Artificial Intelligence Innovation and Security" after months of internal debate, a last-minute pull of the signing in May, and a compressed final timeline. The result of this tumult is an order that strikes a deliberate balance.

Least Privilege Isn't Enough for AI Agents. You Need Least Agency.

Least privilege is foundational. It's been a core security principle for decades, and it's no less relevant in agentic AI environments. An agent shouldn't hold permissions beyond what its task requires, and remediating over-permissioned agents is one of the highest-value quick wins available to any agentic AI security program. But here's what the security industry has been slow to acknowledge: correctly implemented least privilege still isn't sufficient.

You Can't Secure What You Can't See: Making Non-Human Identities Governable

Non-human identities (NHIs) authenticate pipelines, connect microservices, pull from secret managers, and provision cloud resources around the clock. They are also, for most security teams, almost completely invisible, because there has never been a single place to see all of them at once.

How the Wrong Framing Creates New Risk

The other day, someone said, “AI security is fundamentally data security”. And this got me thinking. Is it? Can AI security simply be solved with a typical data security strategy? It’s one of those statements that sounds correct when you first hear it, and it gets a few nods in the room, but then it quietly does a lot of damage to how people think about the problem. So, let’s dive into it, because the statement is really quite misleading.

Looks Can Be Deceiving: Silent Overwrite of Agent Skills

Agent skills are the newest piece of plumbing quietly making its way onto developer machines. They're easy to install, they get to call into the user's tools on the agent's behalf, and once they're in place they tend to stay in place. While auditing the popular installer vercel-labs/skills, we saw several ways a bad actor can make the tool install something other than what the user thought they were installing.

How Advanced Training Protocols Define Elite Security Teams

When businesses and event organizers evaluate security partners, one factor consistently separates elite providers from the rest: the depth and rigor of their team's training. In an industry where split-second decisions can determine outcomes, advanced tactical preparation isn't optional - it's essential.

What Is Agent Native Security for Data Enrichment

There are thousands of automated data enrichment jobs running every hour in modern enterprise environments, yet traditional firewalls treat autonomous artificial intelligence as a basic web form. When automated agents are tasked with scanning, parsing, and updating database records, they cannot rely on static API access or broad infrastructure permissions.

What Integrated Lab Management Teaches Us About Systematic Risk Reduction

Risk in laboratory environments doesn't usually announce itself. It accumulates in the gaps - between process steps, between systems that don't communicate, between the way a procedure is documented and the way it's actually being performed on a busy Tuesday afternoon. Individual failures are often small enough to be invisible until they combine with other small failures to produce an outcome that prompts a formal investigation.