AI agent threat model: 7 attack surfaces to map before go-live
An agent that acts in your system has an attack surface no classic pentest covers. The 7 surfaces to map before shipping to production.
Articles on AI security, DevSecOps, ISO 27001 certification and EU regulation (CRA, AI Act, NIS2, DORA). Continuously updated, written from the field.
Tool outputs that an agent consumes can carry hidden instructions. The risk goes beyond RAG documents. Anatomy and working defenses.
Three technical layers to limit what an agent can do when it goes off the rails. Concrete architecture, not theory.
Multi-agent systems introduce a risk absent from single-agent ones: malicious-instruction propagation between agents. Defensive architecture.
Claude Code, Cursor agents, Devin and friends touch your repo, your CI, your tokens. How to scope before an agent ships a catastrophic push.
MCP became the de facto standard in 2026 for wiring tools to LLMs. Each MCP server is foreign code in your chain. Practical audit checklist.
Giving an agent access to 12 tools means creating 12 error vectors. The matrix that separates acceptable from prohibited.
An agent with access to a plaintext secrets file is one more secret in the wild. Right posture: runtime injection via broker.
An agent's persistent memory is reloaded every session. Compromise it once and every future conversation is compromised.
Without a structured audit log, an agent incident can't be investigated. The 12 fields to record per tool call.
An agent not adversarially tested before prod will be tested by an attacker after. Five concrete scenarios.
An autonomous agent acting in the information system often falls under the AI Act, ISO 42001 and NIS2. What to document now to avoid finding out in audit.
A hallucination in a chatbot is annoying. A hallucination in an agent that acts is an incident. How to reduce impact.
An agent orchestrating others multiplies attack paths. Four delegation patterns and their defensive properties.
Agents driving a browser open a wide attack surface. Concrete defensive posture in 6 points.
An agent that calls another inherits the second's jailbreak vulnerabilities. Mechanics and isolation patterns between LLMs.
A looping agent, a hallucinated retry, or a manipulated agent can consume 1000x more than expected. Mechanics and guardrails.
Fine-tuning on a contaminated dataset can plant a trigger backdoor invisible to classic testing. Mechanics and defenses.
An agent invoking Lambdas, Cloud Run, Azure Functions inherits attached IAM. The minimum scoping to apply.
When an agent drifts, the 0-72h response determines final impact. The concrete runbook in 4 phases.
SOC 2 Type II is the de facto standard for B2B SaaS selling to enterprise clients in the United States. Here is what it really is, what it covers (and doesn't), and how to obtain it in 9-12 months — alone or paired with ISO 27001.
A RAG (Retrieval Augmented Generation) in production combines an LLM with an external knowledge base. Three specific attack families: index poisoning, cross-tenant leakage, indirect prompt injection via retrieved documents. Here is the defensive pipeline.
The Cyber Resilience Act is probably the most impactful European regulation for software publishers in 2026-2027. Its scope is broad: any product with digital elements placed on the European market. The sanctions are severe: no CE marking means no market placement, including updates of products already deployed.
On August 2, 2026, the EU AI Act enters its most structuring phase: high-risk system obligations defined in Annex III. Here is the operational roadmap for providers and deployers, with the 7 mandatory technical pillars in production.
The NIS2 Directive (EU 2022/2555) was transposed into French law in 2025. Companies in 18 strategic sectors must achieve compliance before October 2026. Here is the operational guide for European SMBs and scale-ups.
For a B2B SaaS targeting enterprise clients in Europe, ISO 27001 has become a de facto entry requirement. Here is the realistic 12-month roadmap, the budget envelope, and the articulation with SOC 2 Type II for those who also want to address the US market.
When does a fractional CISO make economic and operational sense vs hiring an in-house CISO full-time? The decision is rarely obvious — and the wrong choice costs more than the salary differential.
DevSecOps in CI/CD = automated security at every commit/build/release, without blocking the product roadmap. Here is the operational stack and the four blocking quality gates that should never be optional in 2026.
An LLM in production faces 5 attack families absent from traditional pentesting. Here is the structured methodology to identify, prioritize and mitigate them, aligned with the OWASP LLM Top 10 and the NIST AI RMF Generative AI Profile.