The First Agentic AI Security Quadrant Is Here

Top AI and Cybersecurity news you should check out today

Welcome Back to The AI Trust Letter

Once a week, we distill the most critical AI & cybersecurity stories for builders, strategists, and researchers. Let’s dive in!

🗺️ NeuralTrust Named a Star in the MarketsandMarkets Agentic AI Security Quadrant

The Story: 

MarketsandMarkets published its first dedicated Company Evaluation Matrix for agentic AI security, placing NeuralTrust in the top tier alongside a small group of vendors. The report covers the market through 2032.

The details:

  • The "Star" tier recognizes vendors with strong product coverage across multiple agentic AI security layers and measurable enterprise adoption. It is the highest classification in the matrix.

  • The report frames agentic AI security as a standalone discipline, separate from application or API security, with its own architecture and threat models.

  • Four shifts define how the market is moving: runtime protection replacing offline evaluations, continuous red teaming becoming a baseline requirement, and security governance converging into unified control planes built for agentic systems.

  • This adds to prior recognition by Gartner (AI Gateways and Guardian Agents market guides) and KuppingerCole (Generative AI Defense Leadership Compass).

Why it matters: 

Traditional security tools were built for systems that respond to requests. AI agents interpret intent, accumulate context, call external tools, and act autonomously across sessions. The risk surface is not a payload; it is a sequence of decisions. The fact that MarketsandMarkets now has a dedicated quadrant for this category signals that security teams and procurement cycles are catching up to where the technology already is.

🛡️ The Vatican’s Security Patch for the Age of AI Agents

The Story: 

Pope Leo XIV's encyclical Magnifica Humanitas, released May 25, 2026, addresses AI governance and risk. The framing is theological, but the substance maps closely onto problems that security engineers deal with every day.

The details:

  • The document identifies AI as a "cultivated" rather than "built" technology, meaning developers create the conditions for learning but do not directly control what emerges. From a security standpoint, this is a clear statement of the interpretability problem: you cannot audit what you cannot trace.

  • It warns against fully delegating sensitive decisions (credit, employment, public services) to systems incapable of context or discretion. The argument is moral, but the structural concern is real: removing human judgment from consequential decisions also removes the last error-correction layer.

  • Section 108 flags the concentration of AI capabilities in a small number of private actors as a systemic risk, arguing that data should be treated as a shared resource rather than proprietary property. This reframes data governance as a collective security problem, not just a compliance one.

  • On autonomous weapons, the encyclical warns about removing meaningful human control over lethal decisions, a concern shared by anyone who has thought seriously about agent escalation dynamics.

Why it matters: 

The encyclical does not offer technical solutions, but it names the right problems. The opacity of learned systems, the limits of automation in high-stakes decisions, and the risks of concentrated infrastructure control are not philosophical abstractions; they are engineering constraints. It is worth noting that Pope Leo XIV chose his name in deliberate reference to Leo XIII, whose 1891 encyclical addressed the social disruption of industrialization. The comparison is not subtle.

🩹 Your Enterprise Patching Process is Way too Slow

The Story: 

Anthropic's Claude Mythos Preview autonomously discovered thousands of zero-day vulnerabilities across major operating systems and browsers, scoring 83.1% on the CyberGym vulnerability reproduction benchmark. One campaign targeting OpenBSD across 1,000 scaffold runs cost under $20,000 in compute. The problem is not the discovery. It is everything that comes after.

The details:

  • Project Glasswing, one month in with roughly 50 partners, has surfaced over 10,000 high- or critical-severity vulnerabilities in widely used software. Fewer than 1% have been patched.

  • Exploitation timelines are collapsing. Langflow's CVE-2026-33017 (CVSS 9.8) was exploited 20 hours after disclosure with no public proof-of-concept. Google's M-Trends 2026 report found that exploitation is now happening before patches are released.

  • Rapid7's 2026 threat landscape report puts the median time from CVE publication to CISA's Known Exploited Vulnerabilities listing at five days. The window between discovery and active exploitation has effectively closed.

  • Enterprise authorization policies have not been assessed against the behavior of AI agents, which now hold privileged credentials across many environments. A recent Docker CVE demonstrated that its authorization plugin architecture silently bypasses all plugins when the request body exceeds 1MB, a bypass class that common AuthZ tools (OPA, Casbin, Prisma Cloud) are not built to catch.

  • Claude Security, in public beta for Enterprise customers, has patched over 2,100 vulnerabilities in three weeks. The bottleneck is not AI capability but human capacity to triage, coordinate disclosure, and deploy.

Why it matters: 

AI can now find vulnerabilities faster than organizations can respond to them. That asymmetry is not a future problem. The result is unlikely to be a single patch event; it is more likely to be a prolonged wave of updates as vendors respond at different speeds. Security teams that still treat patching as periodic and mostly manual are not behind on process; they are behind on threat model.

🔍 145 AI laws passed in 2025 and Privacy Teams aren’t catching a break

The Story: 

A study analyzed 2,400 business software providers and found that the majority advertising AI capabilities have not updated their legal documentation to reflect it. For their customers, that means data is flowing into AI pipelines that were never reviewed or approved.

The details:

  • 63.6% of vendors that prominently advertise AI features do not disclose a third-party AI subprocessor in their data processing agreements. Most companies buying AI-enabled software have no legal visibility into where their customers' data actually goes.

  • 32.8% of AI systems that do disclose their capabilities also report at least one high-risk activity alongside it, such as processing sensitive personal data or powering automated decision-making.

  • Consent enforcement is no longer theoretical. California reported $4.3 million in public consent management settlements in 2025, not counting non-public ones. Over 1,400 class action lawsuits were filed around tracking pixels and session replay software. 63% of websites still do not honor browser opt-out signals, despite being legally required to in more than 10 states.

  • Data subject requests rose for the fifth consecutive year. Deletion requests alone increased 398% compared to 2024, reaching over 2,000 per month on average. For a mid-sized company, handling these manually costs around $1.5 million per year.

  • California now requires formal privacy risk assessments, with executive attestation under penalty of perjury and annual audits starting in April 2028. AI initiatives are explicitly flagged as requiring particular attention.

  • Privacy teams have seen headcount reductions of up to 33% while compliance obligations have expanded. In 2025, 42% of companies abandoned AI projects citing data privacy concerns.

Why it matters: 

The DPA was supposed to be the document teams use to evaluate AI risk before signing a contract. It no longer serves that function for most vendors. Regulatory pressure is accelerating, enforcement is materializing, and privacy teams are smaller than they were. The organizations that will manage this are not the ones with the largest compliance departments, but the ones that have stopped treating privacy as a manual process.

🧠 OWASP Releases a Tool for AI Agent Memory

The Story: 

OWASP published Agent Memory Guard, an open-source tool that screens every read and write to an AI agent's memory store. It is the reference implementation for ASI06, the memory poisoning entry in the OWASP Top 10 for Agentic Applications.

The details:

  • AI agents persist memory across sessions: conversation history, vector stores, scratchpads, RAG indexes. Anything written into that store becomes a privileged input the agent reads back in future sessions. An attacker who plants text in the right field can override instructions, extract user data, or redirect tool calls, and the effect persists because the memory does.

  • Agent Memory Guard sits between the agent and its memory store, running five detection categories: prompt injection, protected key tampering, sensitive data leakage, size anomalies, and SHA-256 integrity baselines to catch out-of-band tampering.

  • Tested against 55 real-world attack payloads, it reached 92.5% recall, 100% precision, and zero false positives, at a median latency of 59 microseconds. Prompt injection and protected key tampering were detected at 100%.

  • Policy enforcement is declarative via YAML, with block, warn, and strip actions. The tool integrates as drop-in middleware for LangChain, LlamaIndex, and CrewAI, with Redis and PostgreSQL backends.

  • The roadmap includes ML-based anomaly detection (v0.4.0), a plugin interface for custom detectors (v0.3.0), and evasion-aware adversarial testing through AgentThreatBench.
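The screening loop the bullets above describe, as an added illustrative example (not Agent Memory Guard's own code): a guard in front of a dict-like memory store that applies per-category block, warn and strip decisions on write and checks a SHA-256 baseline on read, so a value changed directly in the backend is refused. The detector regexes, protected key names, policy dict and 512-byte size limit are constructed assumptions.

```python
import hashlib
import re

# Constructed, illustrative rules; not Agent Memory Guard's actual detectors or policy format.
PROTECTED_KEYS = {"system_prompt", "tool_policy"}
MAX_VALUE_BYTES = 512
INJECTION_RE = re.compile(r"ignore (all |any )?(previous|prior) instructions|you are now (a|an) ", re.I)
SECRET_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|sk-[A-Za-z0-9]{16,}")

class GuardBlocked(Exception):
    """Raised when a read or write is refused (the guard fails closed)."""

def sha256(value):
    return hashlib.sha256(value.encode()).hexdigest()

class MemoryGuard:
    def __init__(self, store, policy):
        self.store = store        # dict-like backend standing in for Redis/PostgreSQL
        self.policy = policy      # category -> "block" | "warn" | "strip"
        self.baselines = {}       # key -> SHA-256 of the last value written through the guard
        self.warnings = []        # (key, category) pairs for "warn" decisions

    def write(self, key, value, actor="agent"):
        findings = []
        if key in PROTECTED_KEYS and actor != "operator":
            findings.append("protected_key")
        if INJECTION_RE.search(value):
            findings.append("prompt_injection")
        if SECRET_RE.search(value):
            findings.append("sensitive_data")
        if len(value.encode()) > MAX_VALUE_BYTES:
            findings.append("size_anomaly")
        for category in findings:
            action = self.policy.get(category, "block")  # unknown category fails closed
            if action == "strip" and category == "sensitive_data":
                value = SECRET_RE.sub("[REDACTED]", value)
            elif action == "warn":
                self.warnings.append((key, category))
            else:  # "block", or "strip" on a category that cannot be stripped
                raise GuardBlocked(f"{category} on key {key!r}")
        self.store[key] = value
        self.baselines[key] = sha256(value)
        return value

    def read(self, key):
        value = self.store.get(key)
        # Integrity baseline: a value changed or removed behind the guard's back is refused.
        if key in self.baselines and (value is None or sha256(value) != self.baselines[key]):
            raise GuardBlocked(f"integrity baseline mismatch on key {key!r}")
        return value
```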

Why it matters: 

Memory poisoning is one of the few agentic attack vectors where the damage is not contained to a single session. A compromised memory entry can steer agent behavior indefinitely, across users and contexts, until it is explicitly detected and rolled back. Most organizations deploying agents today have no visibility into what is being written to memory or whether it has been tampered with. Agent Memory Guard is free, open-source, and available on GitHub now.

What's next?

Thanks for reading! If this brought you value, share it with a colleague or post it to your feed. For more curated insight into the world of AI and security, stay connected.