May 2026 AI Security Report — 54 Organizations Hit, 601M+ Records Exposed

140 Incidents — May 2026

Click any incident to see the full analysis and RuntimeAI gap fix below. Left border colour = severity: ■ Critical ■ High ■ Medium

Incidents 1–47

Google

May 30

AtlasMenu

64K+May 30

OpenAI

May 29

Attackers Use LLM Agent for Post-Exploitatio…

May 29CVE-2026-39987

New Russia-Linked GREYVIBE Targets Ukraine w…

May 29

What 2,000 Exposed Vibe-Coded Apps Reveal Ab…

May 29

Malicious Sicoob NuGet Steals Banking Creden…

May 29

'The Com' Cyberattacks Support Violence &…

May 29

CISA

May 29

Charter

42M+May 29

MokN Raises $15 Million for Phish-Back Platf…

May 29

Gogs

May 29RCE

OpenAI

May 29

Google

May 29

Charter

49M+May 29

Box

May 29

Carnival

May 29

AI Threats, Data Breaches, and Supply Chain …

May 29

Gemini

May 28

npm Supply Chain

May 28

JFrog Research

May 28

GitHub

May 28

Cisco

May 28

Carnival Corporation

May 28

Charter Communications

42M+May 28

Omdia Research

May 28

Microsoft

May 28

Verizon DBIR 2026

May 28

Fortinet

May 28

Microsoft

May 28

box

May 28

As Global Powers Explore Humanoid Robots, Cy…

May 28

Agentic AI Isn't Risky; the Way Orgs Deploy …

May 28

Focus on Cyber Insurance

May 28

Nordic CISOs Handle Rising Cyber Threats Rem…

May 28

Gemini

May 28

Geordie Raises $30 Million for AI Security a…

May 28

Anthropic

May 28

Gemini

May 28

BTMOB Android malware service generates cust…

May 28

Hackers exploit FortiClient EMS flaw to push…

May 28CVE-2026-35616

AI Software Supply Chain Threats Escalate in…

May 28

Browser Threats Expand Across Enterprise Net…

May 28

Ransomware Negotiations Mirror Aggressive Sa…

May 28

Charter

5M+May 28

Kemper

269K+May 28

GitHub

May 27

Incidents 48–94

5 Steps to Managing Shadow AI Tools Without …

May 27

Google

May 27

Gitea

May 27CVE-2026-27771

FBI

May 27

Latin American Cybercriminals Hoover Up Gove…

58M+May 27

Mytheresa

84K+May 27

MFA Prompt Bombing

May 26

CERT-In Recommends 12-Hour Patching for Inte…

May 26

Iranian Hackers Deploy MiniFast and MiniJunk…

May 26

KnowledgeDeliver LMS Flaw Exploited to Deplo…

May 26CVE-2026-5426

GitHub

May 26

Ameriprise

503K+May 26

⚡ Weekly Recap

May 25

Lazarus Deploys RemotePE Memory-Only RAT Aga…

May 25

TrapDoor Supply Chain Attack Spreads Credent…

May 25

7-Eleven

185K+May 24

GitHub

May 23

GitHub

May 23

Anthropic

May 23

Laravel

May 23

First VPN Dismantled in Global Takedown Over…

May 22

Ghostwriter Targets Ukraine Government Entit…

May 22

GitHub

May 22

Verizon

May 22

TanStack

May 21

GitHub

May 21

Grafana

May 21

CISA

May 21

OpenClaw

May 21

SonicWall

May 21

LatAm Threat Actors

May 21

Enterprise AI Agents

May 21

Microsoft

May 21

Verizon DBIR 2026

May 21

ThreatsDay Bulletin

May 21

When Identity is the Attack Path

May 21

AI Agents Are Shifting Identity Security Bud…

May 21

Dragonica

126K+May 21

Windows93

46K+May 21

GitHub

May 20

Processes & Culture Top Reasons Behind D…

May 20

Verizon

May 19

Windows Zero-Day Barrage Continues After Pat…

May 19

GitHub

May 19

CTT

468K+May 19

Microsoft

May 18CVE-2026-42897

'Claw Chain' Vulnerabilities Threaten OpenCl…

May 18

Incidents 95–140

Fuel Tank Breaches Expand Scope of Iran's Cy…

May 18

The Boring Stuff Is Dangerous Now

May 18

ADDI

35M+May 18

Zara

May 14

TrustFall Convention

May 14RCE

100

The Gentlemen RaaS

May 14

101

Claude Code MCP

May 14

102

OpenLoop Health

May 14

103

NVIDIA NemoClaw

May 14

104

Foxconn

May 14

105

Identity-Security Teams

May 14

106

Hugging Face

May 14

107

FinServ

May 14

108

Abrigo

711K+May 14

109

CanadaLife

238K+May 13

110

CushmanWakefield

310K+May 12

111

Zara

197K+May 08

112

Palo Alto Networks PAN-OS

May 07RCE

113

Canvas / Instructure

275M+May 07

114

Windows Defender Zero-Day CVE-2026-33825

May 07CVE-2026-33825+1

115

Gemini CLI

May 07RCE

116

Enterprise AI Agent Inventory Gap

May 07

117

1 Million+ Exposed AI Endpoints

May 07

118

LiteLLM

May 07

119

AI Agents Expanding Identity Attack Paths

May 07

120

DPRK AI-Generated npm Malware

May 07

121

DAEMON Tools Supply Chain Attack

May 07

122

MuddyWater (Iran)

May 07

123

Backup Destruction as Primary Ransomware Tac…

May 07

124

WatchGuard Firebox

May 07

125

Woflow

448K+May 07

126

LegionProxy

10K+May 06

127

Vimeo

119K+May 05

128

RebornGaming

126May 04

129

MarcusMillichap

2M+May 03

130

SAP npm Packages

May 02

131

ClickUp

May 02

132

Microsoft SharePoint

May 02CVE-2026-32201RCE

133

Medtronic

May 02

134

ADT

55M+May 02

135

Itron

May 02

136

Roblox

May 02

137

Comcast

30M+May 02

138

Amtrak

May 02

139

ZenBusiness

5M+May 02

140

Aman

216K+May 01

CVE & RCE

CVEs (8)

CVE-2026-39987Attackers Use LLM Agent for Po…

CVE-2026-35616Hackers exploit FortiClient EM…

CVE-2026-27771Gitea

CVE-2026-5426KnowledgeDeliver LMS Flaw Expl…

CVE-2026-42897Microsoft

CVE-2026-33825Windows Defender Zero-Day CVE-

CVE-2026-32202Windows Defender Zero-Day CVE-

CVE-2026-32201Microsoft SharePoint

RCE (5)

RCEGogsMay 29

RCETrustFall ConventionMay 14

RCEPalo Alto Networks PAN-OSMay 07

RCEGemini CLIMay 07

RCEMicrosoft SharePointMay 02

Stack & Vendors

Vendors (6) — click to see breach

FortinetNGFW

1×Fortinet

CrowdStrikeEDR

1×Google

Palo Alto NetworksNGFW

1×Palo Alto Networks PAN-O

Microsoft DefenderEDR

1×Windows Defender Zero-Da

WizCSPM

1×SAP npm Packages

OktaIAM

1×ADT

Perimeter Categories

NGFW 2EDR 2CSPM 1IAM 1

The Pattern

This month’s incidents demonstrate a consistent pattern across all sectors: AI is now both the attack vector and the target. Enterprises with mature security stacks were breached through gaps those stacks were never designed to cover.

The 140 incidents collected this month span 54 named organizations, 601M+ records exposed, and 6 distinct security vendors present at time of breach. The pattern is not one of vendor failure — it is one of category gap.

What Would Have Stopped This — Full Capability Stack

Not “better security.” Nineteen specific capabilities across three platforms. Each addresses a gap that no vendor in this month’s breach stacks was built to cover — because AI agents didn’t exist when those vendors were designed.

RuntimeAI — AI Governance & Control Plane Enterprise AI agent governance — identity, policy, firewall, detection, response, compliance.

🔍

Shadow AI Visibility

AI Discovery

incidents this month · 17%

“You can’t govern what you can’t see.”

Continuously scans cloud, IDE, endpoint, and network to inventory every AI agent — registered or rogue. Classifies and risk-scores shadow AI automatically. One-click to import into governance.

⚠️ The gap it fills Wiz and Orca scan cloud misconfiguration. They don’t discover AI agents installed by developers or injected via compromised vendors. Your unknown agents are your biggest risk.

Cloud scanner (AWS/Azure/GCP Lambda, Bedrock, SageMaker)
IDE scanner (VS Code, Cursor, MCP servers)
Endpoint scanner on developer laptops
Shadow AI Inbox with auto-severity classification
One-click shadow AI → governed agent pipeline

🧽

AI Agent PKI

Agent Identity Fabric

incidents this month · 47%

“No credential. No access. No breach.”

Provisions every AI agent with a SPIFFE/X.509 cryptographic identity. Short-lived certs, auto-rotating. TPM 2.0 hardware attestation. Agent DNS blocks unknown agents at the network layer.

⚠️ The gap it fills Okta and Azure AD were built for human identity. They have no concept of non-human agents operating at machine speed with no user present to respond to an MFA prompt.

SPIFFE X.509 SVID with RSA-2048, auto-rotating
TPM 2.0 hardware attestation + PCR drift detection
Zero-touch bootstrap for new agents
Agent DNS: NXDOMAIN for unknown agents
Blueprint-based permission inheritance

⚙️

Policy Engine

AI Control Plane

incidents this month · 58%

“Stop it before it executes. Not after.”

OPA/Rego policy engine with sub-1ms evaluation and fail-closed enforcement. Natural language to Rego compiler. Merkle-chain audit proves policies were never tampered with.

⚠️ The gap it fills Splunk and QRadar alert on what already happened — 73 days after the breach in the average case. The AI Control Plane enforces policy before the action executes, not after the damage is done.

OPA/Rego engine, sub-1ms, fail-closed
NL-to-Rego compiler: write policy in plain English
Merkle-chain tamper-evident audit trail
Multi-tenant RBAC + Separation of Duties
Cross-site policy cascade for distributed fleets

🔥

Bidirectional DLP

AI Firewall

incidents this month · 67%

“Inspect every token in, every token out.”

Bidirectional DLP scanning at <5ms latency. Prompt injection detected and stripped on input. PII, PHI, credentials caught on output. Behavioral risk score (0–100) triggers auto-suspend.

⚠️ The gap it fills Palo Alto NGFW and Zscaler see LLM traffic as an encrypted blob. They cannot inspect prompts, detect injection inside a conversation, or catch data leaking in an AI response.

Bidirectional DLP: input (prompt injection) + output (data leakage)
ML behavioral baselines per agent with adaptive thresholds
Risk score 0–100 triggers auto-suspend or rate-limit
No-code guardrail builder for business users
Data Proxy: field-level masking before agent sees data

🔗

MCP Gateway

AI Integration Fabric

incidents this month · 44%

“Every tool call. Governed.”

Multi-tenant governed gateway for all agent-to-tool communication. 500+ pre-built integrations. 3-level kill switch (agent / tool / platform-wide) propagating in <100ms. OWASP MCP03 sanitization on every call.

⚠️ The gap it fills No existing vendor governs at the MCP protocol layer. Raw MCP deployments have zero security, zero multi-tenancy, and zero audit trail. This is the fastest-growing unguarded attack surface in enterprise AI.

3-level kill switch: per-agent, per-tool, platform-wide — all <100ms
500+ pre-built integrations with auto-discovery
BYOM overlay: wrap existing MCPs without code changes
Circuit breaker + health monitoring per connection
Full OWASP MCP03 input/output sanitization + DLP

🧠

Anomaly Detection

Agent Behavioral Intel

incidents this month · 40%

“Catch drift before it becomes a breach.”

30-day rolling behavioral baselines per agent across frequency, pattern, volume, and temporal dimensions. LSTM sequence modeler detects multi-step attack chains. HRIS integration auto-suspends agents when their owner is terminated.

⚠️ The gap it fills CrowdStrike and SentinelOne detect known malware signatures for human endpoints. They have no baseline for an AI agent that begins exfiltrating data through an API it was legitimately authorized to call.

Rolling 30-day baseline: frequency, pattern, volume, temporal
LSTM sequence modeler for multi-step attack patterns
Composite risk score from 6 signals
HRIS integration: auto-suspend on employee termination (<30s)
Adaptive OPA thresholds by agent role + risk profile

🔴

Emergency Response

Kill Switch

incidents this month · 6%

“Stop any AI agent, anywhere, in under 100ms.”

Three graduated kill levels: per-agent, per-tool, platform-wide. All propagate via NATS JetStream in <100ms. Captures last 100 actions as forensic state. Quarantine mode preserves evidence for investigation.

⚠️ The gap it fills No competitor offers this. When an AI agent goes rogue — or when a breach is detected — you need a hard stop. Every second it keeps running is more data exfiltrated, more damage compounding.

L1/L2/L3 kill: per-agent, per-tool, platform — all <100ms via NATS
Forensic state capture: last 100 actions, memory snapshot, credentials
Quarantine mode: isolate for investigation, preserve evidence
Escalation chains: auto-response → SOC alert → human required → kill
Reprieve mechanism: 24-hour lease for controlled investigation post-kill

🚨

Incident Response

AI Respond

Universal

covers all incidents — audit + governance layer

“Autonomous incident response. AI-native.”

Five-phase automated playbook: DETECT → QUARANTINE → INVESTIGATE → REMEDIATE → VERIFY. Auto-classifies incidents (true positive / false positive / inconclusive). Blast radius containment automatically quarantines agents that interacted with compromised agent.

⚠️ The gap it fills Splunk SOAR and Palo Alto XSOAR orchestrate traditional security events. They cannot terminate an AI agent, rotate its credentials, update its behavioral model, or quarantine the agents it spoke with — because they were built before AI agents existed.

5-phase automated playbook from detection to verification
Auto-classification against 200+ known AI attack patterns
Blast radius containment: quarantine all interacting agents
True positive: terminate + revoke + rotate + update models
False positive feedback loop continuously improves detection

👥

Agent Lifecycle

AI Ops Center

incidents this month · 1%

“Mission control for autonomous AI operations.”

65+ page operational dashboard. Access review campaigns. ‘The Reaper’ auto-decommissions agents when their human owner is terminated. Vault Broker injects credentials with 5-minute TTL — never stored in agent memory.

⚠️ The gap it fills ServiceNow manages human IT requests on ticket-based cycles. AI agents are deployed, modified, and compromised in minutes. You need lifecycle governance that operates at agent speed, not ticket speed.

Access review campaigns with auto-apply decisions
‘The Reaper’: HRIS webhook auto-revokes terminated employees’ agents (<30s)
Vault Broker: just-in-time 5-min TTL credential injection, never persisted
Per-tenant budget caps with 4-tier alerts (50/75/90/100%)
Unified health, credential lifecycle, budget, SLA dashboard

🌐

LLM Routing

LLM Broker

Universal

covers all incidents — audit + governance layer

“Route every LLM call to the right model, at the right cost, with automatic failover.”

Unified API routing LLM requests to the optimal provider based on cost, latency, and compliance. Semantic caching reduces redundant calls 15–30%. Automatic failover in <100ms. Budget enforcement with hard limits.

⚠️ The gap it fills Portkey does basic routing at $30K/year. It has no DLP scanning, no compliance-based routing (data residency), no semantic caching, and no budget enforcement. It routes traffic — it doesn’t govern it.

Multi-provider routing: OpenAI, Anthropic, Bedrock, Azure, GCP, custom
Cost/latency/compliance-based routing policies
Automatic failover <100ms; per-provider circuit breaker
Semantic caching: 0.80–0.95 similarity threshold, 15–30% cache hits
Budget enforcement per-agent + cost anomaly detection

🤖

MLOps

ML Intelligence Hub

incidents this month · 17%

“Model registry, feature store, edge inference — one platform.”

Formal model lifecycle (draft/staging/production/archived). Feature Store with online (<5ms) and offline serving. Hybrid scoring engine routes inference between edge (<1ms quantized) and cloud. Drift-triggered auto-retraining.

⚠️ The gap it fills MLflow + Feast + custom inference each solve one piece. ML Intelligence Hub is the piece nobody built: unified lifecycle + edge inference routing + drift-triggered retraining + 7-dimension cost attribution — all integrated.

Model Registry: versioning, rollback, lineage, lifecycle management
Hybrid Scoring: edge <1ms quantized vs cloud full-precision auto-routing
Feature Store: online <5ms + offline point-in-time with freshness monitoring
Drift Engine integration: auto-retraining on data/concept drift
7-dimension cost attribution: agent/model/team/customer/feature/time/provider

💰

FinOps

AI Cost Intelligence

Universal

covers all incidents — audit + governance layer

“A cost spike is a security signal. Treat it like one.”

7-dimension real-time cost attribution: agent, provider, model, team, customer, feature, time. Wasm token counter in-proxy at 50–100 microseconds. Budget hard limits stop agents before they overspend. Runaway agent detection.

⚠️ The gap it fills Kubecost knows GPU-hours. AI Cost Intelligence knows “Agent-47 spent $142 on Claude Sonnet for fraud detection on Tuesday.” Runaway cost is runaway behavior — and only one product treats them as the same signal.

Wasm token counter in proxy: 50–100 microsecond overhead
Live model pricing catalog: 200+ models, 15+ providers, updated every 15min
Budget hard limits: block requests when agent exhausts budget
Cost anomaly detection: ML-based spending spike alerts
Chargeback engine: per-customer invoices + per-team internal allocation

📋

Continuous Compliance

AI Compliance Hub

140

incidents this month · 100%

“Audit evidence as a byproduct of governance.”

Continuous compliance across 13+ frameworks — SOC 2, FedRAMP, ISO 27001/42001, EU AI Act, HIPAA, PCI-DSS, NIST AI RMF. Evidence auto-generated from RuntimeAI telemetry. Open Audit Marketplace connects enterprises with certified audit firms.

⚠️ The gap it fills Vanta collects attestations from cloud infrastructure. It has no understanding of AI agent behavior, no EU AI Act or ISO 42001 mappings, and no way to generate evidence from an AI governance layer — because none of its customers had one.

13+ frameworks: SOC 2, FedRAMP, ISO 27001/42001, EU AI Act, HIPAA, PCI-DSS, NIST AI RMF
Evidence auto-generated from platform telemetry (audit trails, Merkle chain, access reviews)
Gap tracking with SLA-based remediation assignment
Audit Marketplace: open to any qualified audit firm; time-limited scoped access
Blockchain-anchored compliance certificates with tamper-evidence verification

🏪

Agent Procurement

Agent Marketplace

incidents this month · 17%

“Only certified agents enter your environment.”

Three-sided platform: Builders publish, Enterprises deploy, Trust layer certifies. AAIC certification includes third-party behavioral audit. Risk scoring weights permission scope, data access, integration breadth, update frequency, and builder reputation.

⚠️ The gap it fills Your developers are installing AI agents from GitHub, npm, and PyPI with no security review. The AI agent supply chain attack surface is the same as software supply chain — and it’s moving five times faster.

6-step publishing wizard with compliance gating
AAIC certification: third-party behavioral audit by registered firms
Risk scoring: permission scope (30%), data access (25%), integration (20%), frequency (10%), reputation (10%)
Shadow AI Import: discover unmanaged agents and bring into governance
Stripe Connect billing: free/per-seat/per-action/outcome-based; 20% platform fee

Agentic Enablement Platform (AEP) Agentic-era security primitives — NHI identity, fraud detection, memory governance, agent commerce.

🔑

Non-Human Identity

NHI Security Platform

incidents this month · 39%

“Every non-human identity — issued, governed, and revoked with the same rigor as human identity.”

Centralized governance for every non-human identity: service accounts, API keys, OAuth tokens, machine certs, cloud IAM roles, AI agents. Bot-CA issues short-lived X.509 SPIFFE certs. O(1) hash-based revocation — not cascading policy lookups.

⚠️ The gap it fills Oasis Security ($190K/year) solves NHI credentialing but not for AI agents specifically. It lacks TPM hardware attestation, has no AI-agent behavioral monitoring, and doesn’t integrate with agent governance platforms.

Centralized NHI Registry: auto-discovery across AWS/Azure/GCP/on-prem
Credential posture: rotation schedules, expiry, over-privilege, unused credential detection
NHI Drift Detection: per-NHI behavioral baseline + scope creep detection
Bot-CA: short-lived X.509 certs (1–24hr TTL), auto-rotating, instant OCSP revocation
O(1) hash-based revocation: per-NHI, per-tenant, or global — no cascading policy lookup

🛡️

AI Fraud Detection

Fraud Shields

incidents this month · 16%

“Valid credential. Wrong behavior. Caught.”

Two-layer defense: Identity Fraud Shield models valid-credential-wrong-behavior (the hallmark of compromised AI credentials). Activity Fraud Shield detects multi-step attack sequences within authenticated sessions. Both integrate directly with Kill Switch for automatic response.

⚠️ The gap it fills Generic UEBA tools applied to AI agents generate massive false-positive rates because they were trained on human behavior. Fraud Shields are AI-native: LSTM sequence modeling of API chains, not user session patterns.

Per-agent behavioral baseline: frequency, resource access, API sequences, timing
Real-time deviation scoring against baseline (0–100)
LSTM sequence modeler: multi-step attack chain detection (recon→escalation→exfil)
Session-level anomaly: full context analysis, not individual events
Kill Switch integration: auto-suspension on high-confidence fraud with forensic package

🧠

Agent Memory Security

Memory Vault

incidents this month · 29%

“Control what your agents remember — and what they forget.”

Governs agent memory as a first-class security object. Policy-based filtering of sensitive content at write time. Memory poisoning attack detection. TTL-based automatic purge with audit trail. GDPR right-to-erasure support.

⚠️ The gap it fills No vendor addresses agent memory governance. AI agent memories accumulate without access controls, expiry policies, or audit trails. A memory poisoning attack can corrupt an agent’s behavior without touching a single API key.

Policy-based memory write filtering (PII, PHI, secrets blocked at write)
PII Shield integration: redact/block before persistence
Memory expiry + TTL: auto-purge with full audit trail
Memory poisoning prevention: adversarial injection detection
Retrieval authorization: every memory read policy-enforced and logged

💳

Agent Finance Controls

Commerce Rails

incidents this month · 6%

“Give AI agents a wallet — with guardrails.”

Financial infrastructure for agent-initiated transactions. Per-agent virtual cards with spend limits. Vendor registry (agents can only transact with allowlisted merchants). Approval gates for high-value transactions. Every transaction in immutable ledger.

⚠️ The gap it fills No financial controls exist for AI agents today. Agents authorized to make purchases can spend without limit, with any vendor, at any time. One prompt injection or runaway loop away from significant financial exposure.

Agent virtual cards: per-agent card numbers + CVVs, hard spend limits
Vendor registry: allowlisted merchants only, no ad-hoc transactions
Approval gates: high-value + out-of-policy → human approval before execution
Per-agent, per-transaction, per-vendor, per-period limits
Agent-to-agent settlement ledger: feeds into FinOps dashboards

PQData — Post-Quantum Security NIST-standardized post-quantum cryptography for secrets, signatures, and audit records.

🔒

Post-Quantum Cryptography

PQData Platform

incidents this month · 30%

“Quantum-safe by design — before quantum breaks classical crypto.”

Full post-quantum data security suite using NIST-standardized algorithms: ML-KEM-768 for encryption, ML-DSA-87 for signatures. QuantumVault for PQC-encrypted secrets. PQ Sign for long-validity quantum-safe audit records. Hybrid X25519 + ML-KEM-768 key exchange for TLS 1.3.

⚠️ The gap it fills Every classical encryption scheme used by CrowdStrike, Okta, and Palo Alto today is vulnerable to Shor’s algorithm on a sufficiently powerful quantum computer. “Harvest now, decrypt later” attacks are already underway. The clock is running.

QuantumVault: ML-KEM-768 PQC-encrypted secrets with full key lifecycle
PQ Sign: ML-DSA-87 (Dilithium) signatures for audit records + agent attestations
Hybrid key exchange: X25519 + ML-KEM-768 for TLS 1.3 — secure against both
PQ CryptoGuard: CBOM scanner identifies all classical crypto in use; quantum-readiness score
FedRAMP/CMMC/CNSA 2.0 compliance evidence from PQC infrastructure layer

Get the Monthly Breach Report

Every month: all breaches, all vendor stacks, the gap analysis. No fluff — just the intelligence your security team needs.