CloudSecurityAlliance

16.7K posts


@cloudsa

We lead in security of Cloud, AI and Zero Trust. Follow our research, education, certification and events.

Global · Joined March 2009
268 Following · 18.6K Followers
CloudSecurityAlliance
New engineer joins your team Monday. Where do you send them to understand cloud security end-to-end — not a vendor whitepaper, not a 400-tab wiki, something actually coherent? Security Guidance v5 is that reference. Governance, IAM, network, data, incident response, resilience — all in one place, updated for how cloud actually gets built in 2026. Free, no signup. cloudsecurityalliance.org/research/guida…
CloudSecurityAlliance
Shadow AI isn't just employees pasting code into ChatGPT anymore. It's a marketing team spinning up a custom GPT with your customer list as training data, or a product manager wiring Claude into a Zapier flow that touches your CRM. The data leaves your perimeter through a browser tab, not a firewall rule. Start with discovery — you can't govern what you can't see. cloudsecurityalliance.org/research/publi… #ShadowAI
CloudSecurityAlliance
You signed the container. You pinned the dependencies. You audited the SBOM. Then your agent called a model you didn't train, fine-tuned by a vendor you didn't vet, on data nobody published. Every tool call inherits that lineage. Chain of custody doesn't stop at the API boundary. CSAI is building the trust framework for agentic AI: csai.foundation #AISupplyChain
CloudSecurityAlliance
The industry obsesses over advanced threats, but the boring truth is that most cloud breaches trace back to default settings nobody changed and permissions nobody reviewed. Fundamentals still beat frameworks. Skip the hype, learn what actually matters. Get CCSK certified. cloudsecurityalliance.org/education/ccsk
CloudSecurityAlliance
The EU AI Act mandates that high-risk AI systems keep logs detailed enough to trace any automated decision. Here's the uncomfortable part — most organizations deploying AI in cloud environments today can't even inventory which models are running where. The regulation isn't the hard part. The visibility gap is. Start with knowing what you have before worrying about what you owe. cloudsecurityalliance.org/research/publi… #EUAIAct
CloudSecurityAlliance
Pop quiz for your IAM team: what percentage of active identities in your environment are non-human? If the answer surprises them, that's the problem. Non-human identities already dominate most enterprise environments — and agentic AI is creating a new category: autonomous identities that spawn other identities at runtime. No quarterly review catches that. Continuous runtime behavior monitoring is the only control that scales. csai.foundation
CloudSecurityAlliance
Pop quiz: if your CEO asked right now how your team splits security duties with your cloud provider, could you give a clear answer — or would it turn into a five-minute "well, it depends"? Most teams discover those gray zones during an incident, not before one. Get ahead of it. CCSK covers exactly this. cloudsecurityalliance.org/education/ccsk
CloudSecurityAlliance
Most teams evaluate cloud vendors with a patchwork of internal checklists and hope for the best. Then procurement asks "how did you verify their security posture?" and nobody has a good answer. The STAR Registry is the world's largest cloud assurance program — a single place to check whether your provider has been independently assessed against industry-standard controls. Before you sign that next contract: cloudsecurityalliance.org/star #CloudSecurity
CloudSecurityAlliance
Most enterprises have a playbook for deploying AI agents. Almost none have a playbook for governing them. The gap isn't technical — it's organizational. Teams ship agents faster than security can define what "least privilege" even means for an autonomous system that decides its own next action. This is the agentic control plane problem. And it doesn't show up in your threat model until something breaks. The CSAI Foundation is tackling it head-on — 243 control objectives across 18 domains, purpose-built for AI. csai.foundation #AgenticAI
CloudSecurityAlliance
Letting an AI agent access your production data without a governance framework is like handing your car keys to someone who learned to drive from YouTube compilations — technically possible, but you wouldn't sleep well. Build the skills to govern AI securely. Get TAISE certified 🔒 cloudsecurityalliance.org/education/taise
CloudSecurityAlliance
Most AI security conversations start at the model layer. But what about your training data pipeline? Your feature store access controls? Your inference endpoint authentication? The AI Controls Matrix maps 243 control objectives across 18 domains — covering the full AI lifecycle, not just the parts that make headlines. Winner of the 2026 CSO Award for a reason. cloudsecurityalliance.org/artifacts/ai-c… #AISecurity
CloudSecurityAlliance
Expectation: our cloud IAM is locked down — we use role-based access control. Reality: roles named "admin-temp" that were never removed, inline policies bypassing every guardrail, and no access review since the roles were created. RBAC without regular review is just organized chaos. cloudsecurityalliance.org/research/publi… #CloudSecurity
CloudSecurityAlliance
We spent two decades getting human identity governance right — provisioning, reviews, offboarding, the full lifecycle. Agentic AI just reset the clock to zero. Agents spin up with credentials, accumulate access, and never offboard. Most orgs have no identity lifecycle for them at all. CSAI Foundation is building that missing framework. csai.foundation #AgenticAI
CloudSecurityAlliance
AI is discovering vulnerabilities faster than defenders can patch them. This isn't a future risk — it's today's reality. Our new Mythos CISO briefing, "The AI Vulnerability Storm," gives security leaders a concrete playbook to respond. Authored by @gadievron, @rmogull, and @robtlee.
CloudSecurityAlliance
"Most breaches happen because someone bypassed security controls." Not quite. The majority stem from controls that were never configured correctly in the first place. It's not evasion — it's absence. Close the gap between thinking you're covered and actually being covered. Get CCSK certified. cloudsecurityalliance.org/education/ccsk
CloudSecurityAlliance
Most cloud security assessments start with a spreadsheet someone built in-house. It works until it doesn't — gaps appear, auditors ask questions you can't answer, and every team maps controls differently. The Cloud Controls Matrix gives you 207 controls across 17 domains, vendor-neutral and free. One common language for security, compliance, and procurement to work from. Stop reinventing the wheel: cloudsecurityalliance.org/research/cloud… #cloudsecurity
CloudSecurityAlliance
Quick gut check: how many of your GitHub Actions are pinned to a SHA vs. a mutable tag? Tags can be force-pushed. A compromised maintainer — or their stolen credentials — can silently swap what a tag points to, and your next build runs their code with full CI permissions. No PR review, no diff to catch. Pin actions to commit SHAs. It's the simplest supply chain fix most teams still haven't done. cloudsecurityalliance.org/research/publi… #SupplyChainSecurity
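The pinning check described in the post above, as an added worked example (editor's code, not CloudSecurityAlliance's and not from any CSA publication). It scans GitHub Actions workflow text line by line, classifies every `uses:` reference as a local action, a full 40-hex commit SHA, a digest-pinned `docker://` image, a mutable tag or branch, or an unversioned reference, and rewrites a line to a SHA that has been resolved out of band (for example with `git ls-remote <repo> refs/tags/<tag>`), keeping the tag as a trailing comment so humans and tooling can still see which version was pinned. Standard library only; the sample workflow and all SHAs and digests in it are constructed placeholders, not real commits.

```python
import re

# A 'uses:' ref is immutable only when the part after '@' is a full 40-hex
# commit SHA (or, for docker:// refs, a sha256 digest). Tags such as v4 and
# branches such as main are mutable: whoever controls the repo can repoint them.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# Matches step-level '- uses:' and job-level 'uses:' (reusable workflows),
# with or without quotes, and stops before any trailing '# comment'.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")


def classify_ref(ref):
    """Return 'local', 'sha', 'mutable' or 'unversioned' for one uses: ref."""
    if ref.startswith("./"):
        return "local"          # lives in this repo; reviewed via normal PRs
    if ref.startswith("docker://"):
        return "sha" if DIGEST_RE.search(ref) else "mutable"
    if "@" not in ref:
        return "unversioned"    # GitHub resolves this to the default branch
    _, version = ref.rsplit("@", 1)
    return "sha" if SHA_RE.match(version) else "mutable"


def find_unpinned_uses(workflow_text):
    """Return (line_no, ref, status) for every ref that is not SHA/digest pinned."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        status = classify_ref(ref)
        if status in ("mutable", "unversioned"):
            findings.append((n, ref, status))
    return findings


def pin_line(line, sha):
    """Rewrite one 'uses:' line to a commit SHA, keeping the old tag as a comment.

    The SHA must be resolved out of band (e.g. git ls-remote), then verified by
    a human to be the commit the tag pointed at when it was reviewed.
    """
    if not SHA_RE.match(sha):
        raise ValueError("pin_line expects a full 40-hex commit SHA")
    m = USES_RE.match(line)
    if not m:
        raise ValueError("not a uses: line")
    repo, _, tag = m.group(1).partition("@")
    start, end = m.span(1)
    rest = line[end:].split("#", 1)[0].rstrip()   # closing quote, if any
    return f"{line[:start]}{repo}@{sha}{rest} # {tag or 'unversioned'}"


# Constructed sample workflow (hypothetical actions; placeholder SHA and digest).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.3
      - uses: ./.github/actions/local-lint
      - uses: some-org/deploy-action@main
      - uses: some-org/release-tool
      - uses: docker://alpine:3.19
      - uses: docker://alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    for n, ref, status in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {n}: {ref} ({status})")
```

Run it over every file under `.github/workflows/` in CI and fail the job on any finding; the `# v4.0.3` comment convention is what lets a reviewer, or a dependency-update bot, tell which release a SHA corresponds to without dereferencing it.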