Wiki / Blog / Attacks and defence

AI Security in the First Half of 2026: The Breaches That Ended the Debate

H1 2026 AI security review: the breaches that turned theory into incident queues, why posture management is now essential, and the H2 outlook.

Tolga SEZER · Founder, Penaxtra 11 min read

ai-security-2026agentic-aimcp-securityprompt-injectionai-spm

AI Security in the First Half of 2026: The Breaches That Ended the Debate

For about two years I argued with peers about whether AI security was a real budget line or a slide we put in board decks to look current. That argument is over. It ended sometime this spring, and it did not end because of a research paper. It ended because the incident write-ups stopped reading like lab demos and started reading like the post-mortems we have all written at 3am.

OWASP's GenAI project put it plainly in their Q1 2026 round-up: the period from January through early April marked "a clear transition from theoretical risks to real-world exploitation." I have read that sentence a dozen times and it still understates it. The shift was not gradual. The model providers shipped agents that can act, companies wired those agents into email, cloud consoles, and customer data, and attackers did exactly what attackers always do when you hand them a new execution surface.

This is our read on the first six months, written for the people who have to decide where the next security dollar goes. No vendor names where we are not certain, sources at the bottom, and one bias declared up front: we build an AI security posture management platform, so when I tell you posture management stopped being optional, weigh it accordingly. I think the incidents make the case on their own.

The pattern moved up the stack

If you watched only the headlines, 2026 looked like a flood of unrelated AI breaches. Sit with the details and a single line shows up in almost all of them: the attack moved one layer higher than the defense.

Early prompt injection was a parlor trick. You typed something clever into a chatbot and it forgot its instructions. By Q1 the same idea had grown teeth through retrieval. Attackers stopped typing at the model and started planting instructions in the documents the model would later read, which is the difference between heckling a speaker and editing their notes the night before. By Q2 the center of gravity moved again, to the agents and the Model Context Protocol servers wiring those agents to real tools. And the most uncomfortable write-ups of the spring were the ones where a model drove most of the post-exploitation itself.

How the dominant AI attack pattern moved up the stack through the first half of 2026, from direct prompt injection to autonomous attack chains.
How the dominant AI attack pattern moved up the stack through the first half of 2026, from direct prompt injection to autonomous attack chains.

Simon Willison named the underlying shape of this back in June 2025 and the phrase stuck because it is exactly right: the lethal trifecta. Give an agent access to private data, expose it to untrusted content, and let it talk to the outside world, and you have built an exfiltration machine that needs no software exploit at all. Between January 7th and 15th this year, researchers disclosed the same trifecta pattern in four separate productivity tools inside nine days. When the same failure shows up in four products in one week, it is not four bugs. It is an architecture that everyone copied before anyone tested it.

The incidents that actually mattered

A few stand out, and they cluster into the three failure modes that defined the half. Everything below is as reported by the sources at the foot of this piece, chiefly OWASP's Q1 2026 round-up. Read each as a disclosed incident or a researcher demonstration, not as an adjudicated finding against any company.

Agents acting with too much authority. The case OWASP's round-up labels the Vertex AI "Double Agent" is the one I keep bringing up in meetings. As reported, an overprivileged agent abused default service-account permissions in a managed cloud platform to reach credentials and restricted internal artifacts. No exotic exploit in the telling, just an agent trusted with more than it should have been and talked into using it. Separately, researchers demonstrated an LLM-driven attack chain that reached full administrator rights in a test cloud account in roughly eight minutes by enumerating IAM and assuming a privileged role. That one was a demonstration rather than a customer breach, and the number still sticks: eight minutes is shorter than most on-call acknowledgement windows.

Supply chain, now with model-shaped holes. The same round-up describes the Mercor breach at the end of March as hitting through a compromised LiteLLM dependency at an AI data vendor, exposing proprietary training-data workflows and contractor information, reportedly serious enough that at least one major customer paused vendor work over it. Around the same window, a remote code execution flaw in Flowise (CVE-2025-59528) was reported as actively exploited across an estimated twelve to fifteen thousand exposed instances. The lesson is old and the surface is new: your AI stack is a dependency graph, and the graph is mostly other people's code now.

Prompt injection grown into real exfiltration. Researchers disclosed a technique in April, tracked as GrafanaGhost, that hid instructions in external content and coerced AI systems into shipping enterprise data out as URL parameters through legitimate rendering flows. And the one that should worry anyone running a CI pipeline is a matter of public record: CVE-2025-53773, a prompt injection in GitHub Copilot delivered through pull-request descriptions that was disclosed as reaching remote code execution, with a CVSS of 9.6. Hidden text in a PR, code execution on the other end.

Traditional penetration testing and cloud posture tools cover the infrastructure layer; the AI layer where 2026's incidents landed sits outside their scope.
Traditional penetration testing and cloud posture tools cover the infrastructure layer; the AI layer where 2026's incidents landed sits outside their scope.

I want to be careful not to blur separate events into one villain. These were different actors, different companies, different root causes, and I have kept them apart on purpose. What ties them together is not a campaign. It is a category of system that we all deployed faster than we secured.

Then there is MCP

The Model Context Protocol deserves its own paragraph because it became, very quickly, the most exposed new surface in enterprise software. In May, researchers reported an architectural flaw affecting on the order of 200,000 MCP servers that allowed arbitrary command execution, sitting under a supply chain with well over a hundred million package downloads. The Cloud Security Alliance and others tracked something like 30 MCP-related CVEs filed in 60 days. The default STDIO transport, the one most local setups use, runs operating-system commands without much in the way of validation.

If you read one thing into that, read this: MCP did to agent tooling what early web frameworks did to SQL. It made a powerful capability trivially easy to wire up and trivially easy to wire up wrong, and the defaults were unsafe. We are going to be cleaning this up for years.

Why posture management stopped being optional

Here is the part that should change how you budget. Almost every incident above landed on a layer your current tools do not inspect.

Your penetration test looks at the network, the web app, and the auth flows. Your cloud posture tool checks IAM, encryption, and exposed storage. Both can come back clean while an agent quietly hands one customer's data to another, because the model's behavior is not in either tool's field of view. A green dashboard on the infrastructure tells you nothing about whether the assistant in front of it can be talked out of its guardrails.

That gap is the entire argument for AI security posture management. Not as a product category to chase, but as a practical answer to a practical question: who is testing the model layer, on a schedule, the way we already test everything else? Gartner expects something like 40 percent of enterprise applications to lean on task-optimizing AI agents by the end of this year. You cannot secure that surface with an annual engagement and a hope that the foundation model did not change behavior in last week's update. It did change. They always do.

What posture management buys you is continuity and evidence. Continuous adversarial testing against your live endpoints catches the regression the week it appears instead of at the next audit. Control-mapped findings give your auditor and your board the same artifact instead of a screenshot and a verbal assurance. This is the work Penaxtra was built to do, and it is the work I would want done whether or not we were the ones doing it. The honest pitch is not "buy our thing." It is "stop leaving the model layer untested, because the people attacking it have clearly stopped waiting."

What we are watching in the second half

Forecasting is where security writing usually goes to embarrass itself, so treat this as a planning aid, not a prophecy. Based on how the first half moved, here is where we are pointing our own research for H2.

Six attack classes the Penaxtra Research Team expects to define the second half of 2026, from autonomous attack chains to multi-agent confused-deputy abuse.
Six attack classes the Penaxtra Research Team expects to define the second half of 2026, from autonomous attack chains to multi-agent confused-deputy abuse.

The autonomous attack chain is the headline risk. The spring gave us the first credible cases of a model running most of the kill chain on its own, and the economics of that are brutal for defenders, because the marginal cost of the next attack approaches zero. Expect more of it, and expect it faster than eight minutes.

MCP supply chain weaponization is the slow-motion one. With hundreds of thousands of exposed servers and a registry culture that copies first and audits never, someone is going to publish a poisoned tool that looks helpful and ships quietly inside a popular agent. Tool descriptions are executable instructions to a model, and almost nobody reviews them like code.

Agent identity abuse will keep climbing, because the service accounts behind agents are turning into the most powerful and least watched credentials in the building. Memory and context poisoning will mature from session-scoped tricks into persistent injection that survives a restart. Deepfake-assisted social engineering will start targeting the human approval steps inside AI workflows, the "are you sure" that a tired engineer clicks through. And in multi-agent setups, expect confused-deputy attacks, where one agent is tricked into spending another agent's trust.

None of these need a new science. They are the first-half patterns with more automation and less friction.

Where this leaves a security leader

If I had to compress the half into advice a peer could act on Monday: inventory your AI surface honestly, because you have more of it than your CMDB thinks. Test the model and agent layer on a schedule, not once a year. Treat MCP tools and model dependencies as code that runs with your privileges, because they do. And get the evidence into a form your auditor accepts before the regulation forces you to, because that is coming too.

The debate about whether AI security is real ended this spring. The only open question now is whether your posture catches up before your incident does.

---

*Researched and written by Tolga SEZER, Founder of Penaxtra, with the Penaxtra Research Team. We track AI security incidents to inform our probe library and our customers' threat models. This piece is a pattern analysis built from public reporting, not a vendor incident log; we have kept distinct incidents distinct and linked our sources below so you can read the primary material yourself.*

Sources

  • OWASP GenAI Security Project, Exploit Round-up Report Q1 2026: https://genai.owasp.org/2026/04/14/owasp-genai-exploit-round-up-report-q1-2026/
  • Simon Willison, "The lethal trifecta for AI agents" (June 2025): https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/
  • Cloud Security Alliance, research note on the MCP security crisis (May 2026): https://labs.cloudsecurityalliance.org/research/csa-research-note-mcp-security-crisis-20260504-csa-styled/
  • Cycode, "Top AI Security Vulnerabilities to Watch out for in 2026": https://cycode.com/blog/ai-security-vulnerabilities/
  • TechRepublic, "Indirect Prompt Injection Is Now a Real-World AI Security Threat": https://www.techrepublic.com/article/news-ai-agents-prompt-injection-data-security/

Continue in the wiki

Attacks and defence · 8 min The Q1 2026 GenAI Exploit Round-up: Eight Incidents, One CVE A read-through of the quarter's eight notable GenAI security incidents, why only one of them carried a CVE, and what that gap means for how you track AI risk. Attacks and defence · 10 min Frontier Agents Cut Both Ways - Opus 4.8, Dynamic Workflows, and the First In-the-Wild LLM-Agent Intrusion The week frontier models learned to run a thousand parallel subagents is the same week someone pointed one at a network and dumped a database in under an hour. Notes for anyone shipping agents to production. Attacks and defence · 13 min MCP Tool Poisoning - How the Attack Works and How to Stop It MCP tool poisoning explained: line jumping, rug pulls, and the malicious tool descriptions that hijack AI agents, with byte-level payloads and the seven runtime controls that actually held.

All articles Request architecture review