<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>InvariantRisk Signals</title><description>Low-volume, high-signal intelligence on governance drift, workflow fragility, agent reliability, and dependency expansion for AI-enabled operations.</description><link>https://invariantrisk.com/</link><language>en-us</language><item><title>Two-thirds of organizations still have no AI governance policy — and breach data shows the cost.</title><link>https://invariantrisk.com/signals/shadow-ai-governance-gap-2026/</link><guid isPermaLink="true">https://invariantrisk.com/signals/shadow-ai-governance-gap-2026/</guid><description>IBM’s 2025 breach study found 63% of breached organizations had no AI governance policy in place. Shadow AI added roughly $670K per breach, and 97% of organizations that suffered an AI-related breach lacked basic AI access controls.</description><pubDate>Tue, 09 Jun 2026 13:00:00 GMT</pubDate><content:encoded>
      &lt;p&gt;The gap between how fast teams adopt AI and how fast governance catches up is now measurable in dollars. In IBM’s &lt;a href=&quot;https://newsroom.ibm.com/2025-07-30-ibm-report-13-of-organizations-reported-breaches-of-ai-models-or-applications,-97-of-which-reported-lacking-proper-ai-access-controls&quot; rel=&quot;nofollow noopener&quot; target=&quot;_blank&quot;&gt;2025 Cost of a Data Breach report&lt;/a&gt; (Ponemon Institute, 600 organizations), 63% of breached organizations either had no AI governance policy or were still drafting one. Of the organizations that did have a policy, only about a third audited for unsanctioned AI use.&lt;/p&gt;
      &lt;p&gt;The cost signal is the part worth acting on. One in five breaches was linked to shadow AI — employees using unsanctioned tools — and those organizations paid roughly &lt;strong&gt;$670,000 more&lt;/strong&gt; per breach than peers with low shadow-AI exposure. Among the 13% of organizations that reported a breach of an AI model or application directly, &lt;strong&gt;97% lacked proper AI access controls&lt;/strong&gt;.&lt;/p&gt;
      &lt;h2&gt;Why this is a drift problem, not a tooling problem&lt;/h2&gt;
      &lt;p&gt;None of these organizations decided to run AI without governance. The policy simply never caught up to where AI actually entered the workflow: a vendor feature turned on by default, a team that adopted a tool ahead of IT, a model granted access it never formally needed. The breach is where the drift becomes visible — and expensive.&lt;/p&gt;
    
        &lt;hr /&gt;
        &lt;p&gt;&lt;strong&gt;What to look for internally:&lt;/strong&gt; If you cannot produce a one-page answer to “which AI tools are approved, who approved them, and what data can go into each,” you are carrying the exposure IBM is pricing — you just have not been billed yet.&lt;/p&gt;
        &lt;p&gt;&lt;a href=&quot;https://invariantrisk.com/packs&quot;&gt;Close the gap with the Acceptable Use Pack&lt;/a&gt;&lt;/p&gt;
        &lt;p&gt;&lt;a href=&quot;https://invariantrisk.com/signals/shadow-ai-governance-gap-2026/&quot;&gt;Read this signal on invariantrisk.com&lt;/a&gt;&lt;/p&gt;</content:encoded><category>Governance drift</category></item><item><title>The EU AI Act’s high-risk rules become enforceable on August 2, 2026 — and they reach further than most SMBs assume.</title><link>https://invariantrisk.com/signals/eu-ai-act-august-2026-enforcement/</link><guid isPermaLink="true">https://invariantrisk.com/signals/eu-ai-act-august-2026-enforcement/</guid><description>On August 2, 2026, the majority of the EU AI Act’s obligations — including the full high-risk regime in Annex III — become enforceable, with fines up to €35M or 7% of global turnover. Hiring, credit, and access-to-services workflows are squarely in scope.</description><pubDate>Tue, 02 Jun 2026 13:00:00 GMT</pubDate><content:encoded>
      &lt;p&gt;The EU AI Act has been phasing in since August 2024. The date that matters for operators is &lt;strong&gt;August 2, 2026&lt;/strong&gt;, when the European Commission’s &lt;a href=&quot;https://ai-act-service-desk.ec.europa.eu/en/ai-act/timeline/timeline-implementation-eu-ai-act&quot; rel=&quot;nofollow noopener&quot; target=&quot;_blank&quot;&gt;official implementation timeline&lt;/a&gt; confirms that “enforcement of the AI Act starts at national and EU level” for the bulk of its provisions — including the full obligations for high-risk systems listed in Annex III.&lt;/p&gt;
      &lt;p&gt;Annex III is broader than the term “high-risk” suggests. It covers AI used in employment and worker management (résumé screening, performance tooling), creditworthiness assessment, biometric categorization, and access to essential services. A 40-person company that quietly added an AI hiring filter is closer to scope than it realizes. Penalties run up to &lt;strong&gt;€35 million or 7% of global annual turnover&lt;/strong&gt;, whichever is higher.&lt;/p&gt;
      &lt;h2&gt;The practical read for non-EU operators&lt;/h2&gt;
      &lt;p&gt;The Act applies based on where outputs are used, not only where you are incorporated. If your AI touches EU residents — candidates, customers, users — the obligations can reach you. The cheap move is to inventory now which of your AI uses land in Annex III categories, while it is a planning exercise rather than an enforcement one.&lt;/p&gt;
    
        &lt;hr /&gt;
        &lt;p&gt;&lt;strong&gt;What to look for internally:&lt;/strong&gt; List every AI-assisted decision that touches hiring, credit, or access to a service, and note whether any EU residents are affected. That list is your Annex III exposure map.&lt;/p&gt;
        &lt;p&gt;&lt;a href=&quot;https://invariantrisk.com/snapshot&quot;&gt;See how a Snapshot scopes this&lt;/a&gt;&lt;/p&gt;
        &lt;p&gt;&lt;a href=&quot;https://invariantrisk.com/signals/eu-ai-act-august-2026-enforcement/&quot;&gt;Read this signal on invariantrisk.com&lt;/a&gt;&lt;/p&gt;</content:encoded><category>Governance drift</category></item><item><title>EchoLeak showed that an embedded AI agent can leak your data from a single email — with no click required.</title><link>https://invariantrisk.com/signals/echoleak-zero-click-copilot/</link><guid isPermaLink="true">https://invariantrisk.com/signals/echoleak-zero-click-copilot/</guid><description>CVE-2025-32711 (“EchoLeak”) was a CVSS 9.3 zero-click prompt-injection flaw in Microsoft 365 Copilot. A crafted email, retrieved later via the agent’s own context, could exfiltrate internal data without any user interaction.</description><pubDate>Tue, 26 May 2026 13:00:00 GMT</pubDate><content:encoded>
      &lt;p&gt;EchoLeak (&lt;a href=&quot;https://socprime.com/blog/cve-2025-32711-zero-click-ai-vulnerability/&quot; rel=&quot;nofollow noopener&quot; target=&quot;_blank&quot;&gt;CVE-2025-32711&lt;/a&gt;, CVSS 9.3) is the first widely documented zero-click attack on a production enterprise AI agent. Disclosed by Aim Security and patched by Microsoft, it needed no user action: an attacker sent a single crafted email, and when a user later asked Microsoft 365 Copilot an unrelated question, the poisoned email was pulled into the agent’s context, executed hidden instructions, and exfiltrated internal content.&lt;/p&gt;
      &lt;p&gt;Researchers described the root cause as an “LLM scope violation”: the agent’s retrieval system could not reliably separate trusted internal data from untrusted instructions embedded in inbound content. The agent did exactly what it was built to do — retrieve context and act on it — which is precisely why existing email, antivirus, and firewall controls did not catch it. A &lt;a href=&quot;https://checkmarx.com/zero-post/echoleak-cve-2025-32711-show-us-that-ai-security-is-challenging/&quot; rel=&quot;nofollow noopener&quot; target=&quot;_blank&quot;&gt;Checkmarx deep-dive&lt;/a&gt; walks the chain in detail.&lt;/p&gt;
      &lt;h2&gt;Why this matters even if you don’t run Copilot&lt;/h2&gt;
      &lt;p&gt;The pattern generalizes to any agent with tool access and retrieval over untrusted data: support assistants reading customer tickets, agents summarizing inboxes, anything that ingests external text and can then act. OWASP now cites this class as &lt;strong&gt;Agent Goal Hijack&lt;/strong&gt; in its agentic risk taxonomy. The defensive question is not “is our vendor secure” but “what is the worst action our agent is permitted to take, and who can stop it.”&lt;/p&gt;
    
        &lt;hr /&gt;
        &lt;p&gt;&lt;strong&gt;What to look for internally:&lt;/strong&gt; For every production agent, write down the most damaging action it is allowed to take and confirm a named person can pause it. If an agent reads untrusted input and also has write or send access, treat that as a finding.&lt;/p&gt;
        &lt;p&gt;&lt;a href=&quot;https://invariantrisk.com/packs&quot;&gt;Set boundaries with the Agent Autonomy Pack&lt;/a&gt;&lt;/p&gt;
        &lt;p&gt;&lt;a href=&quot;https://invariantrisk.com/signals/echoleak-zero-click-copilot/&quot;&gt;Read this signal on invariantrisk.com&lt;/a&gt;&lt;/p&gt;</content:encoded><category>Agent reliability</category></item><item><title>OWASP’s first Agentic Top 10 names the failure modes of production agents — and over-permissioned tool access leads the list.</title><link>https://invariantrisk.com/signals/owasp-agentic-top-10-2026/</link><guid isPermaLink="true">https://invariantrisk.com/signals/owasp-agentic-top-10-2026/</guid><description>OWASP’s Top 10 for Agentic Applications 2026, built with 100+ experts, is the first peer-reviewed risk taxonomy for autonomous agents. Goal hijack, excessive agency, and malicious MCP tools in the supply chain top the practical risks.</description><pubDate>Tue, 19 May 2026 13:00:00 GMT</pubDate><content:encoded>
      &lt;p&gt;In December 2025, OWASP published its first &lt;a href=&quot;https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/&quot; rel=&quot;nofollow noopener&quot; target=&quot;_blank&quot;&gt;Top 10 for Agentic Applications&lt;/a&gt;, developed with more than 100 contributors. Unlike the LLM Top 10, which targets model-level issues, this list addresses systems that plan, use tools, hold memory, and coordinate — the agents many teams are now putting into production.&lt;/p&gt;
      &lt;p&gt;The categories that bite mid-market operators first are not exotic. &lt;strong&gt;ASI01 Agent Goal Hijack&lt;/strong&gt; covers objectives being silently redirected by injected content (the EchoLeak pattern). &lt;strong&gt;Excessive agency&lt;/strong&gt; — agents granted more tool access than the task requires — is repeatedly the shortest path to real damage. &lt;strong&gt;ASI04 Agentic Supply Chain&lt;/strong&gt; covers malicious tools and MCP servers: a &lt;a href=&quot;https://www.giskard.ai/knowledge/owasp-top-10-for-agentic-application-2026&quot; rel=&quot;nofollow noopener&quot; target=&quot;_blank&quot;&gt;documented campaign&lt;/a&gt; found hundreds of publicly listed agent “skills” carrying information-stealing malware. &lt;strong&gt;ASI08 Cascading Failures&lt;/strong&gt; covers one compromised agent propagating across a connected fleet.&lt;/p&gt;
      &lt;h2&gt;The useful framing&lt;/h2&gt;
      &lt;p&gt;You do not need to implement all ten controls. You need to know which of the ten your deployment is actually exposed to — which depends on what your agents can touch, what they ingest, and how many of them talk to each other.&lt;/p&gt;
    
        &lt;hr /&gt;
        &lt;p&gt;&lt;strong&gt;What to look for internally:&lt;/strong&gt; Inventory your agents’ tools and the source of every external tool or MCP server they load. An agent running with broad tool access over untrusted input is your highest-priority item, regardless of how reliable it has seemed.&lt;/p&gt;
        &lt;p&gt;&lt;a href=&quot;https://invariantrisk.com/packs&quot;&gt;Set boundaries with the Agent Autonomy Pack&lt;/a&gt;&lt;/p&gt;
        &lt;p&gt;&lt;a href=&quot;https://invariantrisk.com/signals/owasp-agentic-top-10-2026/&quot;&gt;Read this signal on invariantrisk.com&lt;/a&gt;&lt;/p&gt;</content:encoded><category>Agent reliability</category></item><item><title>Human review degrades into a rubber stamp faster than governance recognizes — and the data is now formal.</title><link>https://invariantrisk.com/signals/rubber-stamp-oversight-degrades/</link><guid isPermaLink="true">https://invariantrisk.com/signals/rubber-stamp-oversight-degrades/</guid><description>MIT Sloan Management Review’s expert panel names rubber-stamp oversight as a governance failure mode. In one cited study of 450 clinicians, accuracy fell from 73% to 61.7% when they were given biased AI assistance — because they deferred to the machine.</description><pubDate>Tue, 12 May 2026 13:00:00 GMT</pubDate><content:encoded>
      &lt;p&gt;“There’s a human in the loop” is the most common answer to how an AI workflow is governed. It is also the one most likely to be quietly false. A June 2025 &lt;a href=&quot;https://sloanreview.mit.edu/article/ai-explainability-how-to-avoid-rubber-stamping-recommendations/&quot; rel=&quot;nofollow noopener&quot; target=&quot;_blank&quot;&gt;MIT Sloan Management Review&lt;/a&gt; panel — with practitioners from DBS Bank, Stanford, and others — named the failure directly: without insight into how a model reaches its conclusions, “oversight becomes superficial, reducing human involvement to a rubber stamp rather than acting as a critical check.”&lt;/p&gt;
      &lt;p&gt;The effect is measurable. The panel cites a study of 450 clinicians in which diagnostic accuracy fell from &lt;strong&gt;73% to 61.7%&lt;/strong&gt; when participants were given deliberately biased AI assistance — not from lack of knowledge, but from deference to the machine. This is automation bias, and it gets worse precisely when the AI is usually right: when 95% of outputs are fine, reviewers learn to approve on autopilot and miss the 5% that matter.&lt;/p&gt;
      &lt;h2&gt;The test that exposes it&lt;/h2&gt;
      &lt;p&gt;You do not need an audit to find out whether your review is real. Pull the data you already have: the median time between “item arrives” and “approved,” and the rejection rate. If the median is a handful of seconds and the rejection rate is near zero, the checkpoint is recording presence, not judgment — and it is absorbing liability without adding assurance.&lt;/p&gt;
    
        &lt;hr /&gt;
        &lt;p&gt;&lt;strong&gt;What to look for internally:&lt;/strong&gt; Measure the median review time and the rejection rate for any AI workflow with a human sign-off. Seconds-long reviews and a near-zero rejection rate mean your control is ceremonial.&lt;/p&gt;
        &lt;p&gt;&lt;a href=&quot;https://invariantrisk.com/packs&quot;&gt;Fix the checkpoint with the HITL Pack&lt;/a&gt;&lt;/p&gt;
        &lt;p&gt;&lt;a href=&quot;https://invariantrisk.com/signals/rubber-stamp-oversight-degrades/&quot;&gt;Read this signal on invariantrisk.com&lt;/a&gt;&lt;/p&gt;</content:encoded><category>Workflow fragility</category></item><item><title>AI tools that started as experiments are now load-bearing — and most contracts don’t protect you if the vendor pulls them.</title><link>https://invariantrisk.com/signals/ai-vendor-concentration-risk/</link><guid isPermaLink="true">https://invariantrisk.com/signals/ai-vendor-concentration-risk/</guid><description>A Zapier survey of 500 executives found 74% would be disrupted by losing their primary AI vendor, and only 6% could absorb it without interruption. OpenAI’s preview-tier policy allows as little as two weeks’ notice; Sora was shut down in April 2026 with under a month.</description><pubDate>Tue, 05 May 2026 13:00:00 GMT</pubDate><content:encoded>
      &lt;p&gt;The same informal adoption path that creates shadow AI also creates vendor concentration risk: tools that entered as experiments quietly became infrastructure. A Zapier survey of 500 U.S. executives, summarized in a &lt;a href=&quot;https://www.linkedin.com/pulse/openai-losing-14-billion-year-what-happens-your-rory-o-keeffe-zk5ie&quot; rel=&quot;nofollow noopener&quot; target=&quot;_blank&quot;&gt;May 2026 analysis&lt;/a&gt;, found that &lt;strong&gt;74%&lt;/strong&gt; said losing their primary AI vendor would disrupt operations, and only &lt;strong&gt;6%&lt;/strong&gt; could absorb the loss without interruption.&lt;/p&gt;
      &lt;p&gt;The deprecation side is not hypothetical. OpenAI’s own &lt;a href=&quot;https://developers.openai.com/api/docs/deprecations&quot; rel=&quot;nofollow noopener&quot; target=&quot;_blank&quot;&gt;deprecation policy&lt;/a&gt; states that preview-tier models can be retired with as little as &lt;strong&gt;two weeks’ notice&lt;/strong&gt;, and that they should not be used for business-critical workloads unless you can migrate fast. In April 2026, Sora was shut down with under a month of effective notice. Even mature API features now turn over on five-to-six-month cycles.&lt;/p&gt;
      &lt;h2&gt;The governance questions nobody is asking&lt;/h2&gt;
      &lt;p&gt;Where is AI load-bearing in your business? What does the contract say about discontinuation? Foundation-model API terms are thin on these protections compared with traditional enterprise software. For an MSP, vendor concentration now belongs in the same risk register as cloud-provider dependency.&lt;/p&gt;
    
        &lt;hr /&gt;
        &lt;p&gt;&lt;strong&gt;What to look for internally:&lt;/strong&gt; For each AI tool in a critical workflow, write down: what breaks if it disappears tomorrow, what notice the contract guarantees, and whether you have a migration path. “None” in any column is the finding.&lt;/p&gt;
        &lt;p&gt;&lt;a href=&quot;https://invariantrisk.com/packs&quot;&gt;Map the exposure with the Incident Response Pack&lt;/a&gt;&lt;/p&gt;
        &lt;p&gt;&lt;a href=&quot;https://invariantrisk.com/signals/ai-vendor-concentration-risk/&quot;&gt;Read this signal on invariantrisk.com&lt;/a&gt;&lt;/p&gt;</content:encoded><category>Dependency expansion</category></item></channel></rss>