All Issues

#12

June 8, 2026 Current Issue

The Insurability of Autonomous Agents

When does an AI agent become a named insured? The W23 MCP CVE pair (Flowise, LibreChat) makes the principal-agent question concrete; Microsoft Build 2026’s runtime containment stack makes the answer thinkable; the Article 50 evidence substrate makes it documentable. Current cyber and E&O forms were drafted before any of those words meant what they now mean.

Flowise CVE-2026-40933 (1-click stdio MCP RCE) and LibreChat CVE-2026-44653 (MCP secret exposure, fixed 0.8.4) — the connector substrate is the new liability surface
Microsoft Build 2026 Execution Container SDK + Foundry runtime DLP + Defender AI model scanning — runtime containment becomes form-grade underwriting evidence
Article 50 consultation closed June 3 — eight weeks to August 2 effective date (Market Index W23: 37.7 flat against W21, motion in every track)

Read Issue #12 →

#11

May 25, 2026

Post-Market Monitoring & the EU AI Act Clock

August 2, 2026 is no longer hypothetical. We walk Article 50’s May 8 draft guidance, the Article 72 post-market monitoring plan, AIID-aligned serious-incident reporting under Article 73, and the conformity assessment file — the same evidence substrate the underwriting market will read against.

What Article 50 actually requires — from May 8 draft transparency guidance to the operative artifacts every high-risk AI deployer must produce
Post-market monitoring as the evidence substrate — one institution that builds it satisfies regulator, underwriter, and reinsurer
Five moves before the clock — what high-risk AI operators must do in the ten weeks before August 2, 2026 (Market Index W21: 37.7)

Read Issue #11 →

#10

May 18, 2026

Reinsurance & the Cyber Aggregation Problem

Axios npm and AWS Bedrock AgentCore disclosures, a 109-incident AIID cluster, and EU Article 50 draft guidance — the correlated-loss pattern the treaty market is already pricing while primary carriers wait for renewal season.

Axios npm 1.12.0/1.13.0 supply-chain compromise (Sapphire Sleet) — transitive-dependency aggregation at portfolio scale
AWS Bedrock AgentCore CVE-2026-4269 — managed-runtime cyber accumulation when a single dependency runs across thousands of insureds
AIID 109-incident cluster (Feb–Apr 2026) — orchestration-layer failure as a continuous-loss-accumulation profile, not single-event severity

Read Issue #10 →

#09

May 11, 2026

The Open-Source AI Security Paradox

LiteLLM crosses the CISA KEV threshold. PyTorch Lightning and Axios compromised in the same window. When 89% of AI-adopting organizations run open-source AI in their stack, the dependency graph is the actual underwriting exposure — and current cyber forms don’t enumerate it.

LiteLLM CVE-2026-42208 added to CISA KEV May 8, 2026 — first AI infrastructure tool on the federal actively-exploited list
Three open-source supply-chain compromises in three weeks: LiteLLM (gateway), PyTorch Lightning 2.6.2/2.6.3 (framework), Axios 1.14.1/0.30.4 (transitive dependency)
EU AI Act Article 50 transparency guidelines published May 7, 2026 — the August 2 deadline reaches the whole open-source dependency surface

Read Issue #9 →

#08

May 4, 2026

Agentic AI & Autonomous Risk

The Mini Shai-Hulud npm compromise weaponizes developer tooling and CI workflows. Agentic AI is now the attack vector and the propagation vehicle. Underwriters can’t yet price the autonomous-agent blast radius.

SAP npm packages compromised April 29, 2026 — preinstall hooks, Bun runtime, multi-cloud credential theft
METR red-team finds bypasses in mature internal agent monitoring
EU AI Act high-risk obligations effective August 2, 2026 — post-market monitoring no longer optional

Read Issue #8 →

#07

April 27, 2026

The Cyber Insurance Pricing Gap

Twelve consecutive quarters of negative cyber rate change. The first annual decline in US cyber written premium. AI exclusions tightening as premiums fall. The structural mismatch between price and exposure.

US cyber written premium fell from $7.25B (2023) to $7.08B (2024) — first annual decline ever
Beazley H1 2025: 48.5% loss ratio against a −6.8% rate change
EU AI Act high-risk obligations effective August 2, 2026 — the regulatory clock is no longer hypothetical

Read Issue #7 →

#06

April 20, 2026

The Invisible Dependencies

MLflow and Docker Model Runner CVEs expose AI pipeline infrastructure. 0.001% training data poison produces 7–11% harmful output. Five supply chain attacks in March 2026 alone.

CVE-2026-0545: MLflow auth bypass gives attackers job control over AI pipelines
0.001% poisoned tokens increase harmful completions 7–11% — benchmarks missed it
Supply chain interconnection now in 15% of breaches, up from 9% (Verizon DBIR)

Read Issue #6 →

#05

April 13, 2026

The Retrieval Attack Surface

RAG pipelines exploited in 20 hours. Five documents poison a knowledge base at 90% success. The security architecture enterprise AI forgot to build.

Langflow CVE-2026-33017 exploited before any PoC existed
RAG poisoning succeeds with just 5 documents among millions
87% of CISOs cite AI agent security as top concern — 11% are ready

Read Issue #5 →

#04

April 6, 2026

The Red Teaming Renaissance

AI models now jailbreak each other at 97% success rates. The arms race that will define AI security in 2026.

LRMs attack other AI systems at 97.14% jailbreak success
Only 16% of enterprises have ever red-teamed their models
Adversa AI wins RSA 2026 Most Innovative Agentic AI Security

Read Issue #4 →

#03

March 30, 2026

The Insurability Gap

The gulf between AI adoption speed and insurability readiness — and why it threatens the AI-first enterprise.

56% of enterprises can't halt AI after a security incident
Munich Re maps agentic AI to cyber insurance lines
Langflow CVE exploited in 20 hours — the shrinking response window

Read Issue #3 →

#02

March 24, 2026

AI Security Posture Management

AISPM emerges as the essential control plane for governing enterprise AI deployments at scale.

AISPM emerges as the control plane for AI governance
$1.2B acquisition wave validates the category
Shadow AI costs enterprises $4.63M per breach

Read Issue #2 →

#01

March 13, 2026

The AI Security Landscape

A comprehensive overview of the forces shaping the $244B AI security market.

$244B security spending wave and consolidation patterns
EU AI Act timeline and AI agent security crisis
Governance platforms rising across enterprise

Read Issue #1 →

Intelligence Briefings