THE ECHO

One story. Gone deep.

Last week, a security researcher pointed Shodan at the open web and found 900 AI assistants — not chatbots, full-blown agents with access to email, messaging apps, API keys, and shell execution — sitting wide open. No authentication. No monitoring.

The tool is an open-source AI assistant that's gone viral. People are buying dedicated hardware just to run it. And honestly? It's useful. Manages your inbox, responds to messages, runs code, books appointments.

But to do all of that, you hand it everything. Every credential. Every token. Every key. And hundreds of people left the front door unlocked.

It gets worse. A second researcher uploaded a poisoned plugin to the platform's public library. Faked 4,000 downloads. Developers from seven countries installed it within days. His payload was harmless — but he proved he could've exfiltrated SSH keys, AWS credentials, and entire codebases. The library had no code review. No moderation. Everything was trusted by default.

Most commentary frames this as a configuration problem. Lock your ports. Use passwords. Review plugins.

That's not wrong. But it misses the point.

This is a governance problem. And it's about to hit every organization.

AI agents need broad access to function. Read files. Execute commands. Send emails. Query databases. The value proposition requires punching holes through every security boundary we spent twenty years building. Sandboxing. Process isolation. Least privilege. AI agents violate all of it — by design.

One researcher put it perfectly: "The walls come down."

That's the feature. It's also the risk.

The mistake is deploying agents with an optimization mindset when we need a governance mindset.

Optimization asks: How do I make this faster with less friction?

Governance asks: What does this agent actually have access to? Who's watching it? What's the plan when it's compromised?

Three things worth doing now:

Audit access. Not what you think your agent can reach — what it actually can. Most people set it up, watched it work, and moved on. Go back and look.

Treat it like an employee. You wouldn't give a new hire admin access to everything on day one. Scope the access. Review what it's doing.

Plan for compromise. Not if — when. If your detection and response plan is "I don't have one," you've just found your biggest risk.

The companies that figure out AI agent governance early won't just be more secure. They'll be the ones still standing when the first major breach makes headlines.

At the pace things are moving, that headline isn't far away.

SIGNAL CHECK

What else matters this week.

ServiceNow's AI Agent Can Be Hijacked With Just an Email Address

Researchers found a critical flaw in ServiceNow's Virtual Agent and Now Assist that let attackers impersonate any user — including admins — using nothing but a target's email. A hardcoded secret combined with weak account-linking logic bypassed MFA, SSO, everything. ServiceNow patched it, but the lesson lands hard: the AI features you deployed to increase efficiency just became your widest attack surface.
via Dark Reading

Fortinet Shuts Down SSO to Stop a Zero-Day

Fortinet disclosed a critical authentication bypass in FortiCloud SSO that's being actively exploited. The flaw lets anyone with a FortiCloud account authenticate to devices registered under other accounts. Fortinet's response was to effectively shut down SSO while they patch. If you run FortiOS, FortiManager, or FortiAnalyzer, check your vendor advisories today. Not tomorrow.
via Bleeping Computer

Your Antivirus Got Hacked. Again.

eScan antivirus pushed malware to its own customers through a compromised update server on January 20th. The attack lasted about an hour — long enough to deploy a multi-stage backdoor with C2 capabilities. The kicker? North Korean hackers exploited the exact same update mechanism in 2024. Same vendor. Same vulnerability. Different year. If your security tools can't secure themselves, what are they securing?
via Bleeping Computer

THE NOISE

Not every signal needs action.

Ireland's €4 billion in uncollected GDPR fines. Sounds alarming. It isn't. The Irish Data Protection Commission has been sitting on enforcement for years. These fines are paper tigers — tied up in appeals, negotiations, and bureaucratic inertia. Unless you're a multinational with EU operations currently under investigation, this changes nothing about your Wednesday.

ONE QUESTION

No answer. Just the question.

If your AI agent was compromised tomorrow, who would notice first — you or the attacker?

Michael Faas is a fractional CTO/CISO who helps growth-stage companies build governance frameworks for technology and security.