GOVERNANCE
13 hack(s).
FIRST's mid-year forecast: ~66,000 CVEs in 2026, but exploitable risk stays flat
On June 15, 2026, FIRST revised its 2026 CVE projection to ~66,000 — 46.3% above February — driven mainly by AI-assisted discovery. The actionable subset triaged by EPSS and CISA KEV has not grown at the same rate.
EU AI Act: how the draft guidelines classify agentic systems as high-risk
The European Commission's 19 May 2026 draft guidelines on Article 6 say agentic AI systems must be assessed as a whole — a single narrow component can pull the entire configuration into the high-risk regime.
AI CEOs ask Congress to make DNA synthesis screening mandatory
On June 5, 2026, the heads of OpenAI, Anthropic, Google DeepMind and Microsoft AI co-signed a letter urging Congress to require nucleic-acid synthesis screening — framing it as a defensive control against AI-eroded bioweapon barriers.
Disclosure at machine speed: lessons from the first AI vulnerability ledger
Anthropic's coordinated-disclosure ledger, analysed by VulnCheck on June 9, 2026, shows AI surfacing 23,019 candidate bugs while just 1,596 reached maintainers — a preview of coordinated disclosure under machine-speed discovery.
When a government pulls a model: the Fable 5 / Mythos 5 suspension
On June 12, 2026, a US export-control directive forced Anthropic to disable Claude Fable 5 and Mythos 5 worldwide. The reported trigger was a 'jailbreak' that amounts to asking a model to read code and fix flaws — a capability defenders use daily.
OWASP State of Agentic AI Security 2026: prompt injection ties most agent failures together
OWASP's State of Agentic AI Security and Governance v2.01 (June 1, 2026) moves from hypothetical threats to documented CVEs and breaches. Prompt injection now maps to six of the ten agentic risk categories.
DeepMind and partners open a $10M multi-agent AI safety research fund
On June 11, 2026, Google DeepMind, Schmidt Sciences, the Cooperative AI Foundation and ARIA opened a $10M call to build a research field around the safety of millions of interacting AI agents.
OWASP's agentic maturity model: don't run in the red cells
OWASP's June 2026 State of Agentic AI report adds an Enterprise Adoption Maturity Model — a two-axis grid where agent autonomy outruns governance, leaving 'red cells' no one can see into.
No two labs measure prompt injection the same way
A June 1, 2026 comparison of the prompt-injection disclosures from Anthropic, OpenAI, Google and Meta found that no two labs share a metric, a surface, or a definition of success — so vendor numbers cannot be compared.
US AI security executive order: a vulnerability clearinghouse and frontier review
Signed June 2, 2026, the US executive order on AI innovation and security creates a federal AI vulnerability clearinghouse and a voluntary 30-day pre-release review of 'covered frontier models'.
CISA + Five Eyes publish the first joint guidance on agentic-AI adoption
On May 1, 2026, CISA, NSA and the Five Eyes cyber agencies released 'Careful Adoption of Agentic AI Services' — a 5-risk taxonomy and a deployment playbook that critical-infrastructure operators are now expected to fold into their existing cybersecurity frameworks.
NSA AISC publishes MCP security design guidance for production AI
On May 20, 2026, NSA's Artificial Intelligence Security Center released a 15-page Cybersecurity Information Sheet on Model Context Protocol — eight classes of weakness, five real-world incidents, nine defensive recommendations.
The pressure: open-source security teams under the AI-assisted vulnerability flood
On May 26, 2026, curl's Daniel Stenberg published 'The pressure' — more than one credible security report per day, twelve confirmed CVEs in half a release cycle, and a pattern other maintainers are now reporting in parallel.