Security Frontier

AI-specific threat vectors, governance frameworks, regulatory exposure, and board-level liability considerations for enterprise AI programs.

79 documents

AI Agents That Pay: The CFO/GC Liability Gap Nobody Is Talking About
In the spring of 2025, three of the world's largest payment networks made simultaneous moves. Mastercard unveiled "Agent Pay" on April 29.
April 2026
Agentic AI Governance: The Policy Framework for When AI Stops Suggesting and Starts Acting
Every AI governance document written before mid-2025 assumes a human-initiated workflow. The human asks a question, the AI suggests an answer, the human acts.
April 2026
Agentic Commerce Consumer Protection: The Regulatory Gap No One Is Enforcing
AI agents that initiate purchases on behalf of consumers are a genuinely new phenomenon.
April 2026
AI in Client-Facing Contracts: The Seller's Playbook for MSAs, SOWs, and Engagement Letters
Every mid-market professional services company faces the same structural gap.
March 2026
Compliance and Regulatory Landscape for AI-Generated Code: What Enterprises Must Navigate in 2026
There is no comprehensive federal AI law.
April 2026
Enterprise IP Concerns with AI-Generated Code: The Ownership Gap Nobody Planned For
The foundational problem: U.S. copyright law requires human authorship.
March 2026
AI and Customer-Facing Disclosure: When and How to Tell Customers That AI Is Involved
The FTC has no AI-specific disclosure statute, but Section 5's prohibition on unfair and deceptive practices applies with full force.
March 2026
The Two-Front War: Mid-Market Companies Are Expanding Their Attack Surface While AI-Enabled Threats Accelerate
See also (wiki): [ai-cybersecurity](../../wiki/ai-cybersecurity.md), [shadow-ai](../../wiki/shadow-ai.md)
March 2026
The AI Insurance Application Playbook: 20 Questions Your Underwriter Will Ask and What Answers Get the Best Rates
The questions below are compiled from carrier application updates, broker renewal guidance (Founder Shield, WTW, Amwins, Marsh), and insurer public commentary through March 2026.
March 2026
AI and Data Privacy: The Compliance Layer Every Mid-Market Company Deploying AI Must Address Now
The privacy compliance obligation for AI is not new law.
March 2026
AI Data Residency and Cloud Sovereignty: What Mid-Market US Companies with EU Operations Must Do Before August 2, 2026
A 200-person US company running a European sales office has already triggered GDPR data-transfer obligations for every AI prompt that contains a European employee's name, email, or customer record.
April 2026
When Algorithms Become Defendants: The AI Employment Litigation Landscape Every Employer Needs to Understand
Derek Mobley, a Black applicant over age 40, applied to more than 100 jobs through employers using Workday's AI-powered screening tools. He received no offers.
March 2026
The Other Side of the AI Coin: How Attackers Are Weaponizing AI Against Your Company in 2026
See also (wiki): [ai-cybersecurity](../../wiki/ai-cybersecurity.md)
March 2026
AI Enforcement Action Tracker: What Actually Happens When Companies Get It Wrong
Two enforcement templates have emerged under Operation AI Comply, launched September 25, 2024 and continued without interruption under the new administration.
April 2026
AI and Your Existing Contracts: The Pre-Deployment Audit Every GC Must Run Before Day One
Most mid-market AI governance programs start in the right place: acceptable use policies, vendor evaluations, security controls.
March 2026
AI Exit Clauses and Model-Weight Escrow: What Happens When You Need to Leave
Enterprise AI vendor lock-in operates through three channels that compound over time.
April 2026
Corporate AI Governance Frameworks: The $492M Race to Govern What You Already Deployed
The central problem in enterprise AI is not adoption — it is accountability. Adoption has outrun governance at every company size.
March 2026
The AI Incident Response Playbook: What Happens in the First 72 Hours After AI Goes Wrong
See also (wiki): [ai-cybersecurity](../../wiki/ai-cybersecurity.md), [agentic-ai-governance](../../wiki/agentic-ai-governance.md)
March 2026
The AI Insurance Reckoning: What Your CFO Needs to Know Before the Next Renewal
Most mid-market CFOs treat insurance lines as separate purchasing decisions — cyber with the IT team, D&O with the board, E&O with operations, professional liability with the GC.
March 2026
AI Model Risk Beyond Banking: What Insurance, Investment, and Healthcare Regulators Actually Expect
The NAIC Model Bulletin (Dec 4, 2023) does not create new law.
April 2026
AI Vendor MSA Terms: What the Five Biggest Contracts Actually Say
TermScout analyzed AI vendor contracts against its broader SaaS corpus and published the results through Stanford Law's CodeX program in March 2025. The gap is real and consistent:
April 2026
"AI Told Me To": Operational Liability When an AI Recommendation Causes a Bad Business Outcome
What happens when an AI recommendation causes a concrete bad outcome?
April 2026
AI and Professional Liability: The Malpractice Exposure Nobody Priced
Professional liability insurance was designed for a world where errors came from human judgment. A lawyer missed a filing deadline. An accountant transposed digits. An engineer miscalculated a load.
March 2026
The AI Regulatory Preparation Roadmap: A 2026-2027 Compliance Calendar for Multi-State Companies
The calendar below sequences every actionable compliance deadline for a mid-market company operating across five or more U.S. states.
March 2026
The AI Vendor BAA Landscape: Who Signs, What They Cover, How Long It Takes
Every healthcare, financial services, legal, and professional services organization handling protected health information asks the same question before deploying AI: will the vendor sign a BAA, what d
April 2026
AI Vendor Contract Timelines: Why Six Months Is the New Normal
The sequence most mid-market legal teams run — often without realizing it has a predictable rhythm:
April 2026
AI-Washing Liability: The Enforcement Landscape Every CEO and GC Must Understand
The SEC's AI-washing enforcement has escalated from administrative penalties to parallel criminal prosecutions in 18 months.
March 2026
AI Bill of Materials (AIBOM): Standards Progress, Enterprise Gap, and Why Shai-Hulud Changed the Calculus
CISA/G7 guidance organizes AIBOM into seven clusters:
May 2026
When the Attacker Is an Agent: What Anthropic's Project Glasswing Actually Proves About 2026 Offensive AI
The useful way to read the Glasswing announcement is to split it into three layers: the verified anchor, the benchmarked step-change, and the aggregate vendor claim.
April 2026
Trustworthy Agents in Practice: What Anthropic's April 2026 Framework Tells CIOs and CISOs Deploying Agentic AI
Source credibility: HIGH as a primary-source statement of how the model maker recommends governing its agents.
April 2026
Arctic Wolf Aurora: AI-Powered Managed SOC — Platform Data and Case Study Inventory
Announced March 2026, Aurora Superintelligence combines:
May 2026
Assume Breach for AI Agents: Zero Trust Security in the Age of Autonomous Systems
The security model that worked for SaaS applications does not work for AI agents. SaaS applications receive instructions and return data. AI agents receive goals and take actions.
March 2026
AWS Amazon Bedrock AgentCore: Enterprise AI Agent Governance Architecture (GA, April 2026)
AgentCore is AWS's managed infrastructure for production AI agent deployment.
May 2026
Board Fiduciary Duty in the AI Era: When "Wait and See" Becomes Director Liability
The duty of oversight under Delaware law traces to *In re Caremark Int'l Inc. Derivative Litig.*, 698 A.2d 959 (Del. Ch. 1996).
March 2026
California's AI Vendor Certification Order: What the N-5-26 Framework Means for Every Company Selling AI to Government
California's AI procurement strategy follows a 60-year-old playbook: use state purchasing power to force standards that no federal legislation has achieved.
April 2026
What the CISO Needs to Know About AI Risk That Traditional Software Risk Models Miss
See also (wiki): [ai-cybersecurity](../../wiki/ai-cybersecurity.md), [agentic-ai-governance](../../wiki/agentic-ai-governance.md), [model-risk-management](../../wiki/model-risk-management.md)
March 2026
What Your Cyber Insurer Now Asks About AI: Five Renewal Questions and How to Answer Them
These five questions are distilled from carrier application updates, broker renewal guidance (Founder Shield, WTW, Amwins, Marsh), and insurer public commentary through March 2026.
March 2026
The EU AI Act High-Risk Bill: What Aug 2, 2026 Actually Costs a Mid-Market Company
The Act entered force Aug 1, 2024, with phased obligations. Prohibitions and AI literacy duties began Feb 2, 2025. GPAI model duties, notified bodies, and the penalty regime began Aug 2, 2025.
April 2026
EU AI Act Implications for Law Firms with European Offices
Article 2 of the EU AI Act applies to any entity that "places on the market or puts into service AI systems or places on the market general-purpose AI models in the Union, irrespective of whether thos
March 2026
Volatility Is the New Stable State: Forrester's 12-Recommendation 2026 Security Program Playbook
The four themes are not four independent risks. They are four ways that the same underlying condition — **persistent volatility** — is breaking programs designed for periodic disruption.
April 2026
The GC's AI Decision Framework: Workflows, Privilege, Ethics, and Vendor Evaluation
The risk-appropriateness of AI varies by workflow. A useful frame: how consequential is a false positive or false negative, and who reviews the output before it has legal effect?
April 2026
The General Counsel's AI Checklist: 12 Legal Risk Categories for a 200-500 Person Company
General counsel at mid-market companies face a unique structural problem.
March 2026
Agentic AI Is the New Attack Surface: What 1,000 Executives Learned the Hard Way
See also (wiki): [ai-cybersecurity](../../wiki/ai-cybersecurity.md), [agentic-ai-governance](../../wiki/agentic-ai-governance.md), [vendor-security-questionnaires](../../wiki/vendor-security-questionn
April 2026
MCP Security: What CISOs Must Do Before Deploying the AI Tool Protocol
MCP is an open protocol — originally released by Anthropic in November 2024 and since donated to the Linux Foundation under the AI Agent Interoperability Framework (AAIF) — that standardizes how AI mo
April 2026
MCP Security Certification: What the New Standards Market Means for Enterprise AI Buyers
The Artificial Intelligence Underwriting Company launched AIUC-1 as the first AI agent security, safety, and reliability standard.
April 2026
MCP Vendor Contracts: The Governance Gap No One Is Negotiating
The MCP security research file in this corpus (Pass 588) documents the five confirmed attack vectors, two real-world breaches, and three technical controls that address them.
April 2026
The Mid-Market AI Acceptable Use Policy: The General Counsel's Day 1 Document
The acceptable use policy sits at the intersection of legal risk, data security, and operational efficiency — and at a 200-2,000 person company, the GC is the only officer who spans all three.
March 2026
Mapping the GenAI Risk Space: Embedded vs. Enacted Risks
MIT CISR identifies eight components where GenAI risk emerges, each with distinct characteristics that demand specific attention.
April 2026
Minimum Viable Governance: Why Comprehensive AI Policy Creates the Shadow AI Problem It Was Built to Prevent
The FinCo case is what makes this briefing operationally useful rather than conceptual.
April 2026
Persuasion Bombing: The HITL Failure Mode That Gets Worse When You Push Back
A Harvard Business School–MIT Sloan–Warwick field study with 70+ Boston Consulting Group consultants identifies a specific, reproducible failure mode in human-in-the-loop AI deployments: when an exper
April 2026
The Multi-State AI Compliance Matrix: One Program, Not Five
The regulatory environment is fragmented but not chaotic. State AI laws fall into five categories, and most mid-market companies face obligations in three or four of them.
March 2026
OWASP, NIST, and CSA on AI Coding Tool Security: What the Standards Bodies Actually Say
OWASP's LLM Top 10, developed by 500+ international experts, is the de facto application security standard for AI-powered systems. The 2025 version reflects the shift toward agentic AI.
March 2026
Proofpoint 2026 AI and Human Risk Landscape Report: 50% Incident Rate Despite Controls in Place
The gap between deployment pace (87% in production) and security coverage (63% with controls) is 24 percentage points. At enterprise scale, that gap represents material unmanaged exposure.
May 2026
adoption-fad901-Agent-governance-whitepaper.pdf
March 2026
bpi-93b05e-Navigating-Artificial-Intelligence-in-Banking.pdf
March 2026
bpi-95d09c-BPI-OSTP-AI-RFI-Response-10.27.25.pdf
March 2026
ccbe-b1beda-EN_ITL_20251002_CCBE-guide-on-the-use-of-the-use-of-generative-AI-for-lawyers.pdf
March 2026
communityban-81eccd-rs3p1jeffery-piaous-banks-artificial-intelligence-and-small-business-lending.pdf
March 2026
content-211d44-2023-12-4%20Model%20Bulletin_Adopted_0.pdf
March 2026
content-705e9b-cmte-h-big-data-artificial-intelligence-wg-map-ai-model-bulletin.pdf
March 2026
csrc-0b1d7c-NIST-Overlays-SecuringAI-concept-paper.pdf
March 2026
nvlpubs-4c17f4-NIST.AI.600-1.pdf
March 2026
nvlpubs-b45462-NIST.IR.8596.iprd.pdf
March 2026
occ-f7dccd-pub-ch-model-risk.pdf
March 2026
salesforce-d75e1a-Salesforce_MSA.pdf
March 2026
services-f5a7c0-gsuite_cloud_identity_hipaa_implementation_guide.pdf
March 2026
www2-fc2611-2021-aia-costs.pdf
March 2026
The Regulated Industry AI Compliance Overlay: What Financial Services, Healthcare, and Insurance Companies Face on Top of State AI Laws
Mid-market companies in regulated industries face a compliance architecture that horizontal AI governance research does not address.
March 2026
sec-2026-exam-priorities.pdf
March 2026
sec-ai-disclosure-rec-120425.pdf
March 2026
AI Security Frontier: Enterprise Risks, Compliance, and Governance (2025-2026)
1. **Prompt injection** to bypass LLM guardrails
March 2026
Shai-Hulud: The First AI Agent Supply Chain Worm — What Happened and What It Means for Enterprise Security
Previous supply chain attacks (SolarWinds, XZ Utils, 3CX) targeted build pipelines to deliver malicious code into downstream software.
May 2026
The AI Security Floor: 10 Controls Every 200-500 Person Company Needs Before Deploying Any AI Tool
See also (wiki): [ai-cybersecurity](../../wiki/ai-cybersecurity.md), [shadow-ai](../../wiki/shadow-ai.md)
March 2026
AI in the Security Operations Center: What the Independent Evidence Actually Shows
To evaluate AI in the SOC, start with the problem it is solving. The numbers from the Prophet Security/Hacker News survey (n=282 security leaders, September 2025) are precise:
April 2026
SOC 2 Type II for AI Vendors: What the Report Actually Covers — and What It Does Not
SOC 2 applies the same five Trust Services Criteria to an AI vendor that it applies to any cloud provider: Security, Availability, Processing Integrity, Confidentiality, Privacy.
April 2026
SR 11-7 Meets AI: What Bank Regulators Actually Expect Before You Deploy
SR 11-7 defines a model as "a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into q
April 2026
SR 26-2: What the 2026 Model Risk Management Update Actually Changed — and What It Left Out
⚠️ **UPDATE NOTE:** This file supersedes the SR 11-7 framing in `sr11-7-ai-model-risk-management.md` for institutions with >$30B in assets.
May 2026
Your Vendors Are Adopting AI on Your Behalf: The Third-Party Risk You Are Not Managing
Every mid-market company runs its business on 3-5 core platforms: Microsoft 365 or Google Workspace for productivity, Salesforce or HubSpot for CRM, NetSuite or QuickBooks for finance, ServiceNow or F
March 2026
Zscaler ThreatLabz 2026 AI Security Report: 83% YoY AI Transaction Growth and the 16-Minute Failure Window
The 410 million ChatGPT DLP policy violations figure is the most operationally significant finding for security teams.
May 2026