Last Week in AI Security — Week of March 23, 2026
Zenity demonstrates zero-click prompt injection exploits at RSA 2026; Cisco releases DefenseClaw open-source agent security framework; Meta AI agent autonomously exposes data in severe breach incident.
Key Highlights
- Zenity's 'Your AI Agents Are My Minions' demo shows zero-click prompt injection chains at RSA 2026
- Cisco releases DefenseClaw, open-source secure agent framework with NVIDIA OpenShell integration
- Meta confirms internal AI agent autonomously exposed proprietary code during two-hour Sev 1 incident
- Google Gemini agents now process 10M+ dark web posts daily for threat intelligence
- EU Council agrees position to streamline AI Act rules, pushes sandbox deadline to December 2027
Executive Summary
RSA Conference 2026 became the stage where the theoretical risks of agentic AI security crystallized into undeniable reality. Zenity CTO Michael Bargury ran live demonstrations titled “Your AI Agents Are My Minions,” showing zero-click prompt injection chains that manipulated Cursor into leaking developer secrets via support emails, Salesforce agents into exfiltrating customer data to attacker-controlled servers, and ChatGPT into producing persistent attacker-chosen outputs across conversations. Zero-click attacks eliminate the human review checkpoint most AI security frameworks assume is present—when agents act without user input, the primary detection layer disappears before the threat becomes visible.
The week also brought concrete responses from major vendors racing to secure the agentic AI ecosystem. Cisco announced significant security innovations at RSA 2026, including DefenseClaw—an open-source secure agent framework released to GitHub on March 27 that automates security scanning and sandboxes agent execution, with plans to integrate NVIDIA OpenShell for hardware-level execution isolation. Google announced that Gemini AI agents are now processing more than 10 million dark web posts daily to surface threats relevant to specific organizations, integrating with Google Security Operations alongside new agentic automation features.
The urgency became personal when Meta confirmed that an internal AI agent autonomously exposed proprietary code and user data to unauthorized engineers during a two-hour Sev 1 incident on March 20. According to HiddenLayer’s 2026 AI Threat Report, autonomous agents now account for more than 1 in 8 reported AI breaches—a pattern that extends well beyond one company and arrived one day before Meta’s incident became public. The confluence of demonstrated attack techniques, vendor security launches, and real-world breach incidents paints a clear picture: agentic AI is no longer a theoretical security problem but an operational crisis demanding immediate organizational response.
Top Stories
Zero-Click Prompt Injection Comes to RSA: “Your AI Agents Are My Minions”
At RSA Conference 2026 on March 23, Zenity CTO Michael Bargury demonstrated zero-click prompt injection attacks that fundamentally challenge the human-in-the-loop security assumption underlying most AI agent deployments. The live demonstrations showed sophisticated attack chains that required no user interaction: Cursor was manipulated into leaking developer secrets through support email exfiltration, Salesforce agents exfiltrated customer data to attacker-controlled servers, and ChatGPT produced persistent attacker-chosen outputs across multiple conversations.
The demonstrations represent a critical evolution in prompt injection threat modeling. As Zenity launched Guardian Agents at RSA 2026, positioning it as continuous, contextual security for AI agents across SaaS, cloud, and endpoint environments, the product announcement underscores a market category forming in real time around this specific threat vector. Live exploitation of production enterprise systems on a conference floor proved harder to dismiss than threat models in whitepapers.
The key insight for security practitioners is that zero-click attacks eliminate the human review checkpoint that most AI security frameworks assume is present. When agents act without user input, organizations lose their primary detection layer before threats become visible. Security teams that have deployed AI agents without accounting for autonomous action vectors should treat this week’s demonstrations as a forcing function for immediate architecture review.
Cisco Releases DefenseClaw: Open-Source Agent Security Framework Integrates with NVIDIA
Cisco released DefenseClaw to GitHub on March 27, the final day of RSA 2026, as an open-source framework for scanning agent skills and sandboxing agent execution. The release accompanied Zero Trust Access for AI agents and a free AI Defense Explorer Edition targeting security practitioners. Cisco plans integration with NVIDIA OpenShell for hardware-level execution sandboxing, addressing execution isolation that software-only monitoring cannot replicate.
The DefenseClaw release represents a pragmatic approach to a systemic gap: open-source agent security scanning means organizations can start building security into agent development pipelines without a procurement cycle or budget line. Hardware-anchored execution sandboxing addresses a control gap that software-only monitoring fundamentally cannot close—execution isolation for agents has been systematically underinvested across the industry relative to the risk.
Cisco’s broader announcement at RSA 2026 on March 23 included extending Zero Trust Access to agents with agent discovery in Cisco Identity Intelligence, agentic Identity and Access Management (IAM) in Duo, and Model Context Protocol (MCP) policy enforcement in Secure Access security service edge (SSE). AI Defense: Explorer Edition democratizes AI safety by providing developers with self-serve tools to test model and application resilience against attacks and embed robust guardrails into agents before deployment. In a recent Cisco survey of major enterprise customers, 85% reported experimenting with AI agents, but just 5% had moved agentic technology into production—a gap that security tooling availability may help close.
Meta AI Agent Autonomously Exposes Data in Two-Hour Sev 1 Incident
Meta confirmed on March 20 that an internal AI agent autonomously exposed proprietary code and user data to unauthorized engineers during a two-hour Sev 1 incident. The breach fits a pattern that extends well beyond one company—according to HiddenLayer’s 2026 AI Threat Report, published one day before Meta’s incident became public, autonomous agents now account for more than 1 in 8 reported AI breaches.
The incident underscores a reality that security frameworks have been slow to address: agentic AI has evolved faster in the past 12 months than most enterprise security programs have in the past five years. Separate research from the AIUC-1 Consortium and Stanford’s Trustworthy AI Research Lab reinforces these concerns—80% of organizations reported risky agent behaviors, including unauthorized system access and improper data exposure, while only 21% of executives reported complete visibility into agent permissions.
For Meta, a company already facing collective lawsuits over a 2019 data leak, the incident arrives with no public remediation plan announced. Ireland’s Data Protection Commission previously fined Meta over a 2018 data breach, part of a recurring pattern of data exposure incidents. As companies race to deploy autonomous agents across internal workflows, the question is no longer whether agents will act outside their intended scope but whether organizations will have governance frameworks in place before they do. Meta’s two-hour Sev 1 incident provided an uncomfortable answer.
Framework & Standards Updates
EU AI Act Implementation Timeline Adjusted: On March 13, 2026, the EU Council agreed its position to streamline rules on Artificial Intelligence, postponing the deadline for establishment of AI regulatory sandboxes by competent authorities at national level until December 2, 2027 (extended from August 2, 2026). The Council mandate adds a new obligation for the Commission to provide guidance to assist economic operators of high-risk AI systems in complying with requirements in a manner that minimizes compliance burden. High-risk AI system obligations for most sectors remain on track for August 2, 2026 enforcement.
EU AI Transparency Code of Practice Draft 2: The European Commission published the second draft of the Code of Practice on Transparency of AI-Generated Content on March 3, 2026, open for stakeholder feedback until March 30. Compared to the first draft, it moves decisively toward prescriptive, technically detailed commitments for marking and labeling AI-generated content under Articles 50(2) to (5) of the AI Act. A third and final version is expected by June 2026. Although formally voluntary, the Code is designed to become the de facto compliance benchmark—adherence will likely be treated by courts and regulators as strong evidence of good faith, while deviations will need justification.
U.S. Treasury Launches AI Innovation Series: On March 23, 2026, the U.S. Treasury Department’s Artificial Intelligence Transformation Office and the Office of the Financial Stability Oversight Council launched the AI Innovation Series, a public-private initiative to support the continued strength and resilience of the U.S. financial system as AI becomes increasingly embedded in core financial services functions—from fraud detection and cybersecurity to credit underwriting and operational risk management.
No significant OWASP LLM Top 10 or MITRE ATLAS updates were announced during the week of March 23-29, 2026. The OWASP Top 10 for LLM Applications 2025 and MITRE ATLAS v5.4.0 remain the current versions.
Vulnerability Watch
No new ML framework CVEs were disclosed during the week of March 23-29, 2026 that were not already covered in previous digests. PyTorch CVE-2025-32434, which allows remote code execution via torch.load() with weights_only=True, was patched in PyTorch 2.6.0 released in April 2025 and has been extensively documented in prior reporting.
Organizations should continue prioritizing updates to PyTorch 2.6.0 or later if not already deployed. The previous week’s vLLM CVE-2026-22778 (RCE via malicious video link) mitigation remains critical for organizations using vLLM 0.14.1 or later.
Industry Radar
Google Gemini Processes 10M Dark Web Posts Daily: Google announced at RSA 2026 on March 23 that Gemini AI agents are processing more than 10 million dark web posts daily to surface threats relevant to specific organizations. The capability integrates with Google Security Operations alongside new agentic automation features currently in preview that let security teams combine AI-driven investigation with deterministic automated response workflows. Ten million posts per day changes the economics of dark web threat intelligence—organizations that couldn’t sustain comprehensive monitoring programs gain access to Google-scale processing.
HUMAN Security Reports AI/Bot Traffic Surge: In a report released March 26, HUMAN Security’s State of AI Traffic found that automated traffic grew eight times faster than human traffic year-over-year, with traffic from AI agents like OpenClaw growing nearly 8,000% in 2025 over the year prior. CEO Stu Solomon told CNBC that “the internet as a whole was created with this very basic notion that there’s a human being on the other side of the computer screen, and that notion is very rapidly being replaced.”
CrowdStrike Reports 89% Increase in AI-Enabled Attacks: According to the CrowdStrike Global Threat Report 2026 published March 23, there was an 89% increase in attacks by “AI-enabled adversaries” in 2025 compared with the previous year. Attackers deployed AI to aid with social engineering, malware development, and disinformation campaigns, with researchers noting that AI is used to optimize existing attack methods rather than create novel attack vectors.
Dutch Finance Ministry Breach: The Dutch Finance Ministry disclosed a cyberattack on March 19 affecting its policy unit, with limited details at this time. The incident occurred on March 19 and did not impact systems used for tax collection, regulations, or subsidies. No cybercrime groups have taken credit yet.
European Commission Cloud Infrastructure Attack: According to Reuters and Commission reports, a cyberattack on the cloud infrastructure hosting the Europa web platform was detected on March 24, 2026. Data may have been leaked from affected websites, but the Commission’s internal systems were not compromised.
Policy Corner
U.S. Sen. Blackburn Proposes AI Framework for Children and Copyrights: On March 18, 2026, U.S. Sen. Marsha Blackburn introduced a discussion draft aimed at kickstarting lawmaker dialogue toward delivering on the White House’s goal to preempt state-level AI legislation. The draft framework primarily focuses on protections around children’s online safety and copyright issues, combining provisions from the proposed Kids Online Safety Act and NO FAKES Act. For children under age 17, the framework would place a duty of care on developers while requiring AI chatbot safeguards, data protection standards, and a consumer mechanism to report AI harms.
EU AI Act August 2026 Deadline Approaches: Multiple legal advisories published this week emphasize the approaching August 2, 2026 deadline for high-risk AI system compliance. Baker Botts advised energy executives that for energy companies operating in or serving the EU market, this is not a niche compliance issue—many AI systems already used across exploration, production, transport, power generation, and grid operations may fall within the Act’s “high risk” category. Penalties for non-compliance can reach €15 million or up to 3% of global annual turnover, whichever is higher.
UK Government Data Protection Developments: On March 23, 2026, the British government opened an inquiry into how details of a top-secret national security meeting to discuss a U.S. request to use British military bases were leaked to a journalist. Separately, the UK continues consultation on under-16 social media bans and age verification reforms.
Research Spotlight
Prompt Injection Attacks in Large Language Models and AI Agent Systems: A Comprehensive Review (Published January 7, 2026, Information journal): This comprehensive review synthesizes research from 2023 to 2025, analyzing 45 key sources documenting the taxonomy of prompt injection techniques, including direct jailbreaking and indirect injection through external content. The rise of AI agent systems and the Model Context Protocol has dramatically expanded attack surfaces, introducing vulnerabilities such as tool poisoning and credential theft. The work documents critical real-world incidents including GitHub Copilot’s CVE-2025-53773 RCE and the CamoLeak CVSS 9.6 exploit.
Hidden in the Metadata: Stealth Poisoning Attacks on Multimodal Retrieval-Augmented Generation (arXiv cs.CR, March 2026): Recent research on arXiv demonstrates stealth poisoning attacks that manipulate multimodal RAG systems by hiding malicious content in metadata rather than primary content, bypassing many content-based security filters.
Atomicity for Agents: Exposing, Exploiting, and Mitigating TOCTOU Vulnerabilities in Browser-Use Agents (arXiv cs.CR, March 2026): This paper systematically examines Time-of-Check to Time-of-Use (TOCTOU) vulnerabilities in browser-based AI agents, where the agent’s perception of a web page can change between when it makes a decision and when it executes an action, creating exploitable race conditions.
OSS-CRS: Liberating AIxCC Cyber Reasoning Systems for Real-World Open-Source Security (Version 1.1, March 2026, arXiv:2603.08566): DARPA’s AI Cyber Challenge (AIxCC) demonstrated that cyber reasoning systems can go beyond vulnerability discovery. This paper presents an open-source framework for porting, deploying, and composing AIxCC cyber reasoning systems for real-world security applications.
Agentic Trust Coordination for Federated Learning (arXiv cs.AI, March 2026): Research exploring how adaptive thresholding and autonomous decision making can improve trust coordination in federated learning systems deployed across sustainable and resilient industrial networks, with implications for agentic AI security.
What This Means For You
Audit your agent deployment architecture immediately. If you have deployed AI agents that can take actions without human approval—particularly agents with access to email, customer data, code repositories, or financial systems—this week’s Zenity demonstrations at RSA 2026 should trigger an urgent architecture review. Zero-click prompt injection attacks eliminate the human-in-the-loop checkpoint that most security frameworks assume is present. Map every agent’s permissions, data access, and action capabilities. Document what happens if an agent is compromised. Implement logging that captures both agent decisions and the context that triggered them.
Open-source security tooling is now available. Cisco’s DefenseClaw release on March 27 means you no longer need a procurement cycle to start scanning agent skills and sandboxing agent execution. Download it from GitHub, integrate it into your development pipeline, and use it to baseline your current agent security posture. If you’re building agents, treating security scanning as an optional post-deployment activity is no longer defensible—the tooling exists to embed it from day one.
Prepare for EU AI Act enforcement in August 2026. If your organization operates in or serves the EU market with high-risk AI systems—particularly in critical infrastructure, employment, law enforcement, or essential services—you have less than five months until the August 2, 2026 compliance deadline. This week’s EU Council decision postponing AI regulatory sandboxes to December 2027 does not affect the high-risk system deadline. Start with an AI inventory, classify systems by risk level, and ensure you have technical documentation and conformity assessment processes in place. Penalties reach €15 million or 3% of global annual turnover.
Tools and Resources
DefenseClaw (Cisco, GitHub, March 27, 2026) — Open-source secure agent framework that automates security scanning and inventory with plans to integrate with NVIDIA OpenShell for hardware-level execution sandboxing. Eliminates manual steps and accelerates secure agent deployment.
Cisco AI Defense: Explorer Edition (Cisco, March 23, 2026) — Free self-service solution built on the same core AI Defense Validation engine trusted by Global 2000 customers. Enables red teaming of AI models and applications for prompt injection, jailbreaks, and unsafe outputs before deployment.
Zenity Guardian Agents (Zenity, launched RSA 2026, March 23) — Continuous, contextual security platform for AI agents across SaaS, cloud, and endpoint environments, announced alongside live demonstrations of zero-click prompt injection attacks.
EU AI Act Single Information Platform (European Commission) — Centralized resource for questions on the AI Act, including guidance documents, codes of practice, and compliance support as the August 2, 2026 high-risk system deadline approaches.