<?xml version='1.0' encoding='UTF-8'?>
<rss xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>The Masked Compute Desk — Beta Briefing</title>
    <link>https://betabriefing.ai/channels/the-masked-compute-desk/podcast.xml</link>
    <description>Daily signal on privacy-preserving compute, agentic AI compliance, and the cryptographic primitives the mainstream is mispricing. Field correspondent from the gap between what's being shipped and what's actually safe to run. A new episode every morning. Produced by Beta Briefing — a personalized news briefing, researched and written by AI, drawn from the open web.

Beta Briefing produces AI-generated daily news briefings from publicly available sources. Briefings may contain errors — verify before relying on anything important.</description>
    <atom:link href="https://betabriefing.ai/channels/the-masked-compute-desk/podcast.xml" rel="self"/>
    <copyright>© 2026 Beta Briefing</copyright>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>Beta Briefing</generator>
    <image>
      <url>https://betabriefing.ai/static/podcast-cover.png</url>
      <title>The Masked Compute Desk — Beta Briefing</title>
      <link>https://betabriefing.ai/channels/the-masked-compute-desk/</link>
    </image>
    <language>en</language>
    <lastBuildDate>Sat, 23 May 2026 06:13:24 +0000</lastBuildDate>
    <itunes:author>The Masked Compute Desk</itunes:author>
    <itunes:category text="News"/>
    <itunes:image href="https://betabriefing.ai/static/podcast-cover.png"/>
    <itunes:explicit>no</itunes:explicit>
    <itunes:owner>
      <itunes:name>The Masked Compute Desk</itunes:name>
      <itunes:email>hello@betabriefing.ai</itunes:email>
    </itunes:owner>
    <itunes:summary>Daily signal on privacy-preserving compute, agentic AI compliance, and the cryptographic primitives the mainstream is mispricing. Field correspondent from the gap between what's being shipped and what's actually safe to run. A new episode every morning. Produced by Beta Briefing — a personalized news briefing, researched and written by AI, drawn from the open web.

Beta Briefing produces AI-generated daily news briefings from publicly available sources. Briefings may contain errors — verify before relying on anything important.</itunes:summary>
    <itunes:type>episodic</itunes:type>
    <item>
      <title>May 23: NSA publishes first MCP threat model; critics flag the inversion-of-control gap it missed</title>
      <link>https://betabriefing.ai/channels/the-masked-compute-desk/briefings/2026-05-23/</link>
      <description>Today on The Masked Compute Desk: the agent governance stack is finally getting real artifacts. NSA threat models, Uber's production identity-chain JWTs, Microsoft's open-sourced adversarial CI tooling, and the EU Commission's 160-page high-risk classification guidance all landed this week — and they're starting to define what counts as proof of safe autonomy. Plus Apple's CoreCrypto goes public with formal verification, and a ZK-STARK soft fork proposes to protect dormant Bitcoin without chain migration.

In this episode:
• NSA publishes first MCP threat model; critics flag the inversion-of-control gap it missed
• EU Commission's 160-page high-risk AI guidance explicitly rejects 'human-in-the-loop' and component-disaggregation as exemptions
• Uber Engineering details production zero-trust identity architecture for multi-hop agent chains
• Microsoft open-sources RAMPART and Clarity: adversarial CI testing and audit-grade design records for agent deployments
• Apple publishes CoreCrypto with ML-KEM/ML-DSA source and full formal verification pipeline on GitHub
• AmericanFortress proposes ZK-STARK soft-fork PQC for HD wallets, no chain migration required
• MCP 2026-07-28 release candidate ships stateless protocol, formal extension governance, and hardened auth
• Microsoft Research's Vega: mobile-grade ZK selective disclosure for credentials and AI-agent delegation
• Tigera publishes five-pillar accountability framework; finds most enterprises at Level 0–1 maturity
• FCA pivots to evidence-based AI supervision; joint statement with Bank of England raises the bar for frontier deployments
• Trump postpones 'FDA for AI' EO after Zuckerberg/Musk/Sacks calls; full draft leaks
• Foundation raises $6.4M to ship hardware that authorizes AI-agent actions in real time
• THORChain ADR028 vote opens: absorb $10.7M GG20 exploit through POL, no new RUNE minted
• Sui ships protocol-level gasless stablecoin transfers on mainnet for seven tokens

Read the full briefing with sources: https://betabriefing.ai/channels/the-masked-compute-desk/briefings/2026-05-23/

Generated with AI from public sources — verify before acting on anything important.</description>
      <content:encoded><![CDATA[<p>Today on The Masked Compute Desk: the agent governance stack is finally getting real artifacts. NSA threat models, Uber's production identity-chain JWTs, Microsoft's open-sourced adversarial CI tooling, and the EU Commission's 160-page high-risk classification guidance all landed this week — and they're starting to define what counts as proof of safe autonomy. Plus Apple's CoreCrypto goes public with formal verification, and a ZK-STARK soft fork proposes to protect dormant Bitcoin without chain migration.</p><h3>In this episode</h3><ul><li><strong>NSA publishes first MCP threat model; critics flag the inversion-of-control gap it missed</strong> — The NSA released a 17-page Cybersecurity Information Sheet (CSI U/OO/6030316-26) on Model Context Protocol security earlier in May, recommending filtering proxies, DLP, sandboxing, and message integrity — and legitimizing 'agent firewalls' as a control category. Tanmay Deshpande's critique, published this week, argues the advisory misses the fundamental issue: in MCP, servers query client data and execute actions on behalf of clients (inverting traditional API trust flow), and bearer tokens without refresh/revocation plus optional protocol-level access control mean sandboxing won't save architectures with inverted trust assumptions.</li><li><strong>EU Commission's 160-page high-risk AI guidance explicitly rejects 'human-in-the-loop' and component-disaggregation as exemptions</strong> — The EU Commission published draft high-risk classification guidance on 19 May 2026 (feedback open through 23 June), coinciding with the May 7 omnibus deal that pushed Article 6(2) deadlines from August 2026 to December 2027. 
The guidance explicitly states that human-in-the-loop involvement does not exempt systems from high-risk classification, Article 6(3) derogations must be interpreted narrowly, and disaggregating agentic systems into components does not avoid duties where combined outputs materially influence employment, credit, or insurance decisions. Provider-stated 'intended purpose' across all marketing materials becomes binding.</li><li><strong>Uber Engineering details production zero-trust identity architecture for multi-hop agent chains</strong> — Uber published a production reference architecture for agent identity at scale: an Agent Registry feeding a Security Token Service that issues short-lived, single-hop scoped JWTs, mediated by an MCP Gateway. Every hop in user → agent → agent → tool chains gets a cryptographic token anchored to SPIRE workload identity, preserving the full actor chain for audit and authorization. References emerging standards work (IETF WIMSE, draft-klrc-aiagent-auth) and emphasizes SDK-integrated token exchange for secure-by-default DX.</li><li><strong>Microsoft open-sources RAMPART and Clarity: adversarial CI testing and audit-grade design records for agent deployments</strong> — Microsoft's AI Red Team released RAMPART (continuous adversarial testing for agents in CI/CD pipelines) and Clarity (structured design-review tool generating auditable decision records) on May 20, both open-sourced after internal use. The tools operationalize threat modeling at the CI level and produce the kind of artifacts ISO 42001, NIST AI RMF, and the EU AI Act explicitly require. 
Practitioner analysis identifies three predictable failure modes: missing threat models, Clarity treated as documentation rather than gates, and tools isolated from broader security pipelines.</li><li><strong>Apple publishes CoreCrypto with ML-KEM/ML-DSA source and full formal verification pipeline on GitHub</strong> — Apple released CoreCrypto source on GitHub including ML-KEM and ML-DSA implementations used across iPhone, Mac, and related platforms, alongside a formal-verification pipeline (Cryptol → SAW → Isabelle/HOL) that proves functional correctness from C and ARM64 assembly back to FIPS 203/204 specifications. The verification framework caught a missing range-check that could silently corrupt signatures — the kind of defect conventional testing routinely misses. OS 26 expanded PQC beyond iMessage to default-on TLS in URLSession, IKEv2 VPN, and device-to-device encryption.</li><li><strong>AmericanFortress proposes ZK-STARK soft-fork PQC for HD wallets, no chain migration required</strong> — AmericanFortress published a patent-pending post-quantum signature scheme for BIP32 hierarchical deterministic wallets that swaps Ed25519 for ZK-STARK proofs of master-seed ownership at spend-time. The scheme protects existing addresses via soft fork (no user migration required) and allows optional gradual migration to QBIP32 addresses. Signing proofs run in under 10 seconds on commodity hardware with 18–19ms verification; a split-proof architecture (derivation proof once, signing proof per transaction) handles the performance budget. A secp256k1-native Bitcoin construction is scheduled for Paris on June 2.</li><li><strong>MCP 2026-07-28 release candidate ships stateless protocol, formal extension governance, and hardened auth</strong> — The Model Context Protocol released a major revision (2026-07-28 RC) that removes session-level statefulness, enabling stateless HTTP deployment with header-based routing instead of session IDs. 
The release introduces formal extension governance, hardens OAuth/OIDC authorization, and adds first-class support for server-rendered UIs and long-running tasks. Stateless load balancing and caching become possible without sticky sessions.</li><li><strong>Microsoft Research's Vega: mobile-grade ZK selective disclosure for credentials and AI-agent delegation</strong> — Microsoft Research published Vega, a zero-knowledge proof system enabling selective disclosure from credentials — proving age without revealing a driver's license, for example — with 92ms proof generation, 108KB proof size, no trusted setup, and mobile-class performance. Target use cases include EU digital identity wallets, AI agents acting on behalf of humans, and on-chain verification.</li><li><strong>Tigera publishes five-pillar accountability framework; finds most enterprises at Level 0–1 maturity</strong> — Tigera released a maturity framework distinguishing observability (what happened) from accountability (what was permitted, by whose authority), built on five pillars: end-to-end distributed tracing across agent hops, authorization provenance traceable to specific policy, cryptographic identity with human ownership, declarative attribute-based policy at scale, and visual dashboards for oversight. The 5-level model places most enterprises at Level 0 ('Blind') or Level 1 — no verified identities, no policy enforcement, no end-to-end auditability.</li><li><strong>FCA pivots to evidence-based AI supervision; joint statement with Bank of England raises the bar for frontier deployments</strong> — The FCA reopened its AI Input Zone on May 15 to collect practical evidence of good and poor AI practices across banking, insurance, and markets, alongside a joint statement with the Bank of England and HM Treasury on frontier AI and cyber resilience. 
The supervisory shift expands 'the AI system' to include model, deployment context, governance, human-in-the-loop, evaluation, and controls — not just model accuracy — and signals that the UK will judge firms against an elevated threat model with audit-ready evidence rather than principles-based attestations.</li><li><strong>Trump postpones 'FDA for AI' EO after Zuckerberg/Musk/Sacks calls; full draft leaks</strong> — President Trump postponed signing an AI executive order hours before the May 22 ceremony after calls from Mark Zuckerberg, Elon Musk, and David Sacks. POLITICO obtained the seven-page draft: a voluntary 90-day pre-launch review process for frontier models, with NSA and CISA leading classified evaluations rather than a civilian regulator. The order explicitly forbade mandatory licensing but included one mandatory provision — CFAA enforcement against end-users who misuse AI — while keeping company compliance voluntary.</li><li><strong>Foundation raises $6.4M to ship hardware that authorizes AI-agent actions in real time</strong> — Boston-based Foundation closed a $6.4M Series A led by Fulgur Ventures to extend its Bitcoin self-custody hardware into AI-agent authorization, identity, and MFA. The company launched Passport Prime ($349) running KeyOS — a Rust-based microkernel OS — and opened the KeyOS developer platform with an app store targeted for end of Q2 2026. The thesis: high-stakes agent actions (moving funds, accessing credentials) need a trusted display and isolated hardware checkpoint outside the software environment where the agent runs.</li><li><strong>THORChain ADR028 vote opens: absorb $10.7M GG20 exploit through POL, no new RUNE minted</strong> — THORChain node operators are voting on ADR028, the recovery plan for the May 15 GG20 threshold-signature exploit by a newly churned node operator. 
The proposal absorbs losses through Protocol-Owned Liquidity first, then distributes the remaining shortfall to synth holders — explicitly without minting new RUNE or selling existing holdings. The plan commits to GG20 patching, slower security-focused release cycles, tighter node-onboarding requirements, and a white-hat bounty, while maintaining protocol neutrality (declining to censor the attacker's future swaps).</li><li><strong>Sui ships protocol-level gasless stablecoin transfers on mainnet for seven tokens</strong> — Sui activated protocol-level gasless transfers on May 20 for seven stablecoins (USDC, USDsui, suiUSDe, USDY, FDUSD, AUSD, USDB) via a new Address Balances system, with fee-paying transactions retaining priority to prevent network degradation. Users no longer need SUI tokens to move stablecoins. Fireblocks integration signals institutional-grade recognition, and Sui reports cumulative stablecoin volume of roughly $1T since August 2025.</li></ul><p><a href="https://betabriefing.ai/channels/the-masked-compute-desk/briefings/2026-05-23/">Read the full briefing with sources →</a></p><p><em>Generated with AI from public sources — verify before acting on anything important.</em></p>]]></content:encoded>
      <author>hello@betabriefing.ai (The Masked Compute Desk)</author>
      <guid isPermaLink="false">https://betabriefing.ai/channels/the-masked-compute-desk/briefings/2026-05-23/</guid>
      <enclosure url="https://betabriefing.ai/channels/the-masked-compute-desk/audio/2026-05-23.mp3" length="3022317" type="audio/mpeg"/>
      <pubDate>Sat, 23 May 2026 09:00:00 +0000</pubDate>
      <itunes:author>The Masked Compute Desk</itunes:author>
      <itunes:explicit>no</itunes:explicit>
      <itunes:subtitle>Today on The Masked Compute Desk: the agent governance stack is finally getting real artifacts. NSA threat models, Uber's production identity-chain JWTs, Microsoft's open-sourced adversarial CI tooling, and the EU Commission's 160-page high</itunes:subtitle>
      <itunes:summary>Today on The Masked Compute Desk: the agent governance stack is finally getting real artifacts. NSA threat models, Uber's production identity-chain JWTs, Microsoft's open-sourced adversarial CI tooling, and the EU Commission's 160-page high-risk classification guidance all landed this week — and they're starting to define what counts as proof of safe autonomy. Plus Apple's CoreCrypto goes public with formal verification, and a ZK-STARK soft fork proposes to protect dormant Bitcoin without chain migration.

In this episode:
• NSA publishes first MCP threat model; critics flag the inversion-of-control gap it missed
• EU Commission's 160-page high-risk AI guidance explicitly rejects 'human-in-the-loop' and component-disaggregation as exemptions
• Uber Engineering details production zero-trust identity architecture for multi-hop agent chains
• Microsoft open-sources RAMPART and Clarity: adversarial CI testing and audit-grade design records for agent deployments
• Apple publishes CoreCrypto with ML-KEM/ML-DSA source and full formal verification pipeline on GitHub
• AmericanFortress proposes ZK-STARK soft-fork PQC for HD wallets, no chain migration required
• MCP 2026-07-28 release candidate ships stateless protocol, formal extension governance, and hardened auth
• Microsoft Research's Vega: mobile-grade ZK selective disclosure for credentials and AI-agent delegation
• Tigera publishes five-pillar accountability framework; finds most enterprises at Level 0–1 maturity
• FCA pivots to evidence-based AI supervision; joint statement with Bank of England raises the bar for frontier deployments
• Trump postpones 'FDA for AI' EO after Zuckerberg/Musk/Sacks calls; full draft leaks
• Foundation raises $6.4M to ship hardware that authorizes AI-agent actions in real time
• THORChain ADR028 vote opens: absorb $10.7M GG20 exploit through POL, no new RUNE minted
• Sui ships protocol-level gasless stablecoin transfers on mainnet for seven tokens

Read the full briefing with sources: https://betabriefing.ai/channels/the-masked-compute-desk/briefings/2026-05-23/

Generated with AI from public sources — verify before acting on anything important.</itunes:summary>
      <itunes:episode>1</itunes:episode>
      <itunes:title>May 23: NSA publishes first MCP threat model; critics flag the inversion-of-control gap it missed</itunes:title>
      <itunes:episodeType>full</itunes:episodeType>
    </item>
  </channel>
</rss>
