Taher Behbehani
@taherbehbehani
1.4K posts

C Suite & Public Officer | Fortune 100 P&L | Co-Founder and CEO of Confidential Core AI, building technology to ensure AI trust on an agentic level

Miami, FL. Joined September 2012
1.1K Following, 927 Followers

Taher Behbehani @taherbehbehani
@GG_Observatory Memory changes the risk model too. Once agents persist context across sessions, mistakes are no longer isolated events, they compound.

GG 🦾 @GG_Observatory
Here is what nobody talks about in 2026 agent hype: we are building agents with 200K+ context windows but zero long-term memory. Relying on giant prompts instead of proper memory systems is like using RAM instead of a hard drive. Every session starts from scratch. Every agent forgets what it learned yesterday. The real agent infrastructure breakthrough will not be a smarter model — it will be persistent, queryable agent memory that survives restarts. What is your approach to giving agents memory that actually persists?

Taher Behbehani @taherbehbehani
@a16z It’s both a policy and governance problem; the challenge is not just deploying more agents, but governing what they can access, what they’re allowed to do and how their behavior is controlled according to different forms of regulation across different countries.

a16z @a16z
Agents will eventually outnumber humans by orders of magnitude. Aaron Levie on the infrastructure that will be needed to manage them: "Whether you think the number is 10x or 100x... we're going to have some order of magnitude more agents than people." "There's going to be just incredibly spectacularly crazy security incidents that will happen with agents, because you'll prompt-inject an agent and find your way through the CRM system and pull out data you shouldn't have access to." "How do you make sure you have the right security, the permissions, the access controls, the data governance?" "We actually don't yet exactly know in many cases how we're going to regulate some of these agents." "No matter what, there's going to need to be a layer that manages the data they have access to and the workflows they're involved in." "This is the new infrastructure opportunity in the era of agents." @levie on @latentspacepod

Taher Behbehani @taherbehbehani
@rryssf_ we are building an agentic control system, may have a unique approach, can we connect?

Taher Behbehani @taherbehbehani
2️⃣ Why software guardrails cannot solve it. Every major vendor announced an agentic AI security product in the past 90 days. Every one addresses one layer - output monitoring, access control, or behavior analysis. None were built from the ground up to cover all four threat surfaces. Simon Willison framed the probabilistic problem precisely: you can train a model to detect prompt injection at 99% accuracy and that is a failing grade. A hacker sends 100 requests for every 1 they need. 🧵3/5

Taher Behbehani @taherbehbehani
1️⃣ The attack surface existing tools cannot see. When an enterprise sends data to an LLM - even on an enterprise agreement - the contract restricts training use. It does not protect data during inference. Access a sensitive document with an AI system and it proliferates: copied into training sets, embedded in search indices, captured in logs. One document becomes five copies across systems nobody is watching. Vector databases are widely assumed to be safe because the data looks like meaningless numbers. It isn’t. Open-source inversion tools now recover original text from embedding vectors at 90-100% accuracy. 🧵2/5

Taher Behbehani @taherbehbehani
The world’s biggest enterprises are spending billions on cybersecurity. Their AI inference pipelines - where sensitive data meets the model - have no meaningful defense. Security stacks were built for a different era: perimeter firewalls for networks, endpoint tools for devices, DLP for data at rest or in transit. None were designed for the moment when a hospital’s patient records, a bank’s financial models, or a law firm’s client files travel in clear text to a large language model. That moment is now happening millions of times a day. 🧵1/5

Taher Behbehani @taherbehbehani
@archiexzzz Vibe coding is not the real issue. The issue is deploying systems into production before anyone has really tested what breaks once real data and real permissions are involved.

Archie Sengupta @archiexzzz
hacked an ai startup, retrieved all prod data - users, datasets, <redacted_table> through a small IDOR injection. took me < 2 mins to figure out "this is vulnerable as hell." vibe coding has made us more productive, but not at the cost of our users. please be more secure.

Taher Behbehani @taherbehbehani
The issue isn’t unauthorized use, it’s that agents create persistent, autonomous data flows that enterprises can’t audit. That breaks a core assumption in enterprise security that workflows are observable and enforceable. That’s a security issue, but it’s also a compliance and liability problem.

Nicolas Krassas @Dinosn
Google's Cybersecurity 2026 Forecast Report warns of a "Shadow Agent" crisis. These AI agents, deployed by employees without corporate oversight, can create invisible pipelines for sensitive information, leading to data leaks, compliance violations, and IP theft. services.google.com/fh/files/misc/…

Taher Behbehani @taherbehbehani
@theonejvo It’s not just that attacks are cheaper, it’s that capability is decoupling from expertise. You no longer need deep technical skill to execute complex attacks. That breaks a core assumption most security models rely on: that capability scales slowly. It doesn’t anymore.

Jamieson O'Reilly @theonejvo
Few people realise just how many cyber attack capabilities have gone from "requires a nation-state" to "requires an LLM subscription" in the last 6 months. It's going to start to show.

Taher Behbehani @taherbehbehani
@rez0__ @OpenAI The dangerous part is not just prompt injection itself but giving untrusted content a path to tools that can read, send or act on sensitive data.

Joseph Thacker @rez0__
🎉New Blog Post 🎉 I break down an amazing bug (prompt injection to account takeover) in @OpenAI's ChatGPT. It's a self-contained proof-of-concept exploit. "From Theory to Reality: Explaining the Best Prompt Injection Proof of Concept" rez0.blog/hacking/2023/0…

Taher Behbehani @taherbehbehani
@commando_skiipz It’s uncomfortable because nothing is actually “broken” in the traditional sense; a model just needs a bit of trusted access and the wrong reasoning path.

Ghost St Badmus @commando_skiipz
Imagine an AI customer support agent that’s supposed to help you with banking issues… but somehow ends up teaching you how to make a deadly weapon 🫠

Taher Behbehani @taherbehbehani
@andyzou_jiaming This is the part the market still underestimates: once agents can use tools, the UI can look safe while the system is already compromised underneath. That is why prompt fixes alone will not hold.

Andy Zou @andyzou_jiaming
We deployed 44 AI agents and offered the internet $170K to attack them. 1.8M attempts, 62K breaches, including data leakage and financial loss. 🚨 Concerningly, the same exploits transfer to live production agents… (example: exfiltrating emails through calendar event) 🧵

Taher Behbehani @taherbehbehani
@deedydas AI coding tools don't remove engineering debt, but they can accelerate it. The real wall comes when no one can clearly explain how the system works, what it can safely change or where control actually lives.

Deedy @deedydas
Young startups often struggle with graduation risk from AI coding agents. There’s a wall after which there’s too much code no one understands. Logic is too scattered for both models and devs to grok. Progress stalls. You still need engineering skills to harness their power.

Taher Behbehani @taherbehbehani
“Shadow AI” seemingly implies edge behavior or something happening outside the norm, like a few rogue employees. But at this point, it isn’t edge behavior, it’s becoming standard workflow. The problem is, yes, employees putting company data at risk using unapproved AI tools, but the root of it is that companies aren’t keeping up with the demand and haven’t built environments to use it safely.

freeCodeCamp.org @freeCodeCamp
Shadow IT - when employees use unapproved tools at work - isn't new. But lately it's evolved into Shadow AI, when people use AI tools without the IT department's approval. Here, @SonyaMoisset discusses why this is an issue, the security risks it poses, and how you can mitigate those risks. freecodecamp.org/news/shadow-ai…

Taher Behbehani @taherbehbehani
@HedgieMarkets Completely agree. The real danger is not just scale, it’s that malicious logic can be made to look like ordinary maintenance. Once visual review can be fooled that easily, trust has to come from verification and supply-chain controls, not appearances.

Hedgie @HedgieMarkets
🦔 Researchers at Aikido Security found 151 malicious packages uploaded to GitHub between March 3 and March 9. The packages use Unicode characters that are invisible to humans but execute as code when run. Manual code reviews and static analysis tools see only whitespace or blank lines. The surrounding code looks legitimate, with realistic documentation tweaks, version bumps, and bug fixes. Researchers suspect the attackers are using LLMs to generate convincing packages at scale. Similar packages have been found on NPM and the VS Code marketplace.

My Take

Supply chain attacks on code repositories aren't new, but this technique is nasty. The malicious payload is encoded in Unicode characters that don't render in any editor, terminal, or review interface. You can stare at the code all day and see nothing. A small decoder extracts the hidden bytes at runtime and passes them to eval(). Unless you're specifically looking for invisible Unicode ranges, you won't catch it.

The researchers think AI is writing these packages because 151 bespoke code changes across different projects in a week isn't something a human team could do manually. If that's right, we're watching AI-generated attacks hit AI-assisted development workflows. The vibe coders pulling packages without reading them are the target, and there are a lot of them.

The best defense is still carefully inspecting dependencies before adding them, but that's exactly the step people skip when they're moving fast. I don't really know how any of this gets better. The attackers are scaling faster than the defenses.

Hedgie🤗 arstechnica.com/security/2026/…

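A scanner for the hidden-character trick described in the post above, as an added example that is not taken from the post or from Aikido's research: it walks a source file and reports every code point that renders as nothing in editors and review UIs. The code-point ranges and the constructed sample module are my choices, not a list from the page.

```python
import unicodedata

# Code points that render as nothing in most editors and review interfaces.
# Ranges chosen for this example (assumption, not from the post): zero-width
# and bidi controls, Hangul filler, variation selectors, Unicode tag characters.
INVISIBLE_RANGES = [
    (0x200B, 0x200F),    # zero width space/joiner/non-joiner, LRM, RLM
    (0x202A, 0x202E),    # bidi embedding/override controls
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0x3164, 0x3164),    # Hangul filler
    (0xFE00, 0xFE0F),    # variation selectors
    (0xFEFF, 0xFEFF),    # BOM / zero width no-break space
    (0xE0000, 0xE007F),  # Unicode tag characters (carry one byte each)
    (0xE0100, 0xE01EF),  # variation selectors supplement
]

def is_invisible(cp: int) -> bool:
    """True for explicit ranges plus any other Unicode format (Cf) character."""
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    return unicodedata.category(chr(cp)) == "Cf"

def scan_source(text: str):
    """Return (line, column, 'U+XXXX') for every invisible character found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ord(ch)):
                findings.append((lineno, col, f"U+{ord(ch):04X}"))
    return findings

def summarize(findings):
    """Count hits per line so a reviewer sees which 'blank' lines carry data."""
    per_line = {}
    for lineno, _, _ in findings:
        per_line[lineno] = per_line.get(lineno, 0) + 1
    return per_line

# Constructed sample: an innocuous-looking module with a stray zero-width
# space in a comment and a line that is visually empty but holds tag characters.
SAMPLE = (
    "# version bump to 1.2.3\n"
    "def helper(x):\n"
    "    return x + 1\n"
    "# docs: see README\u200b\n"
    "\U000E0068\U000E0069\n"
)

if __name__ == "__main__":
    for lineno, col, cp in scan_source(SAMPLE):
        print(f"line {lineno}, col {col}: {cp}")
    print("lines with hidden characters:", summarize(scan_source(SAMPLE)))
```

Run it over a dependency's source tree before install; a visually blank line with several hits is the pattern the post describes.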
Taher Behbehani @taherbehbehani
@rohanpaul_ai The key design move is separating untrusted input from privileged action. Once agents can plan and use tools, structural separation matters more than adding another brittle filter.

Rohan Paul @rohanpaul_ai
Large Language Model agents are vulnerable to prompt injection attacks that hijack tool use and leak data. The paper proposes six design patterns that restrict where untrusted text can act, giving resistance without crippling usefulness.

⚙️ The Core Concepts
Prompt injection slips malicious text into an agent’s context and rewrites its plan. Filters, adversarial training, and user approval are brittle because clever wording can still bypass them. The authors instead isolate untrusted data with structured workflows that block it from gaining control.

Taher Behbehani @taherbehbehani
@RoundtableSpace When offensive tooling becomes multi-agent, the issue is no longer just automation but coordinated autonomy across the full attack chain. Defenders need runtime control, not just static security.

0xMarioNawfal @RoundtableSpace
CYBERSECURITY IS ABOUT TO CHANGE FAST. Someone just open sourced an autonomous AI red team made of multiple agents that coordinate with almost no human input.

Taher Behbehani @taherbehbehani
@LuizaJarovsky Good to see this. Agentic AI doesn’t just recreate familiar risks in new forms; it also introduces new ones when agents interact, delegate tasks and create feedback loops. The real challenge is turning governance into runtime controls that hold in live environments.

Luiza Jarovsky, PhD @LuizaJarovsky
🚨 BREAKING: Singapore takes the lead again and publishes its Model AI Governance Framework for Agentic AI [Bookmark it below]. Other countries should take note: As the document clarifies, the new components of an agent create new sources of risk.

"The risks themselves are familiar – fundamentally, agents are software systems built on LLMs. They inherit traditional software vulnerabilities (such as SQL injection) and LLM-specific risks (such as hallucination, bias, data leakage, and adversarial prompt injections). However, the risks can manifest differently through the different components."

Many countries and regions (including Europe) are still unsure how to apply their existing legal AI frameworks to agentic AI. Other countries seem to prefer the deregulatory trend. Singapore understands that AI is evolving fast, and new risks are emerging, and the time to establish dynamic AI governance frameworks is NOW.

Bookmark the document below and don't miss pages 6-7, which cover agentic AI risks.

👉 To learn more about AI governance, join my newsletter's 89,300+ subscribers and don't miss the 27th cohort of my AI Governance Training (links below).

Taher Behbehani @taherbehbehani
@MollySOShea @giliraanan The offensive side may become autonomous first but the real question is whether defense can become autonomous without becoming ungovernable.

Taher Behbehani @taherbehbehani
@inference_labs “Evidence is the new perimeter” is a spot-on framing. The next phase of enterprise AI will depend on whether organizations can prove what happened during inference. C-suites need to ask themselves “is our AI auditable?” If not, “Houston, we have a problem…”

Inference Labs @inference_labs
1/ Security incidents keep stacking across clouds, extensions, local models, and laptops. Attackers target tokens, identity edges, and silent model tampering. If AI runs without evidence, you inherit the risk.