AI governance, shadow AI, vendor risk —
in plain English.

The protocol agents use to discover, authenticate to, and invoke one another. Became a Linux Foundation standard in 2025. Defines both the wire protocol and the Agent Card descriptor format. The “universal translator” layer of the agent stack — relevant for any organization using multi-agent frameworks (CrewAI, AutoGen, LangGraph, ADK).

SanctumShield finding type. Triggered when a customer indicates use of multi-agent frameworks (ADK, CrewAI, AutoGen, LangGraph) without an A2A discovery boundary policy in their AUP. Cites EU AI Act Article 13 (transparency for high-risk AI systems) and SOC 2 CC7.2 (monitoring of system operation).

Colorado SB 26-189 carves a generative-AI or natural-language tool out of Covered ADMT status when it satisfies two conditions:

1. The tool is not contracted, marketed, configured, or intended for use in a consequential decision, AND
2. It is governed by an acceptable use policy that prohibits generated content from being used in a consequential decision.

The second condition is precisely the artifact SanctumShield produces. Generated AUP Section 16 (Consequential Decision Boundary and Scope Exemptions) codifies the prohibition in statute-anchored language and documents the exemption status for audit and underwriter review. Deploy the AUP, document the exclusion. The exemption is the strongest concrete governance hook in the current US state AI landscape because it ties product output directly to a statutorily-recognized compliance position — not a generic compliance gesture.

Validation performed by a second AI model — from a vendor different from the one producing the output being validated — prompted to argue against the primary model’s recommendation. Distinct from conversational pushback, which Randazzo et al. (2025) shows triggers persuasion escalation rather than correction. SanctumShield’s AUP clause PEV-001 prescribes adversarial validation as one of three acceptable validation methods (alongside independent recomputation and structured disconfirmation prompts) for outputs from consequential AI workflows. The vendor-diversity requirement matters: a Claude-validating-Claude or Gemini-validating-Gemini check is structurally subject to the same persuasion-bombing failure mode.

Part of the A2A standard. An agent’s “business card” — declares identity, capabilities, available tools, security schemes, and OAuth scopes. Cryptographically signed so another agent can verify what it’s talking to before making the first call. Discovery Poisoning attacks exploit agent cards that change between discovery and runtime.

Pillar two of Google’s Agent Platform — an Envoy-based data plane that intercepts every agent ingress and egress call and enforces policy at the wire. Performs deep parsing of JSON-RPC bodies (MCP and A2A traffic) so semantic policies can be enforced before the call leaves the perimeter.

The umbrella category Google formalized at Cloud Next '26 — covering AI agents, MCP servers, agent-to-agent (A2A) discovery chains, and shadow AI tools that don’t fit a traditional API gateway, SIEM, IAM, or GRC platform. The superset that subsumes the older “AI governance,” “shadow AI,” and “AI-SPM” framings.

Pillar three of Google’s Agent Platform — agents are first-class principals with their own identity class, distinct from human users and traditional service accounts. Built on SPIFFE / Managed Workload Identity. Internal agent calls operate under assumed-trust mTLS; external calls require zero- trust verification on every request.

SanctumShield finding type. Triggered when deployed agents authenticate using long-lived service account credentials, shared API keys, or embedded secrets, rather than the SPIFFE- based ephemeral, scoped, attestable identity Google’s Pillar Three architecture defines. Cites NIST AI RMF MANAGE-1.3 and NIST SP 800-63 adapted for non-human identities.

Pillar five of Google’s Agent Platform — uses OpenTelemetry GenAI conventions plus A2A trace headers to correlate every LLM prompt, A2A handoff, and tool call under a single Application ID. Required infrastructure for any audit that needs to reconstruct what an agent decided and why (relevant to EU AI Act Article 13 transparency obligations).

Pillar one of Google’s Agent Platform — the answer to “what agents do we actually have?” Eliminates Shadow AI by enforcing a separation between visibility (the full catalog) and access (the per-application least-privilege boundary an agent actually sees at runtime). Visibility does not equal access.

Anthropic-originated open standard (October 2025, open-sourced December 2025) for describing agent capabilities in a structured machine-readable format. Used alongside MCP and A2A to complete the modern agent component model: LLM + retrieval context + Agent Skills + MCP + A2A.

Pattern demonstrated publicly by Google at Cloud Next '26 (“Build AI Agents with Agents: Multi-Agent PR Roaster” and the ADK + Multi-Agent Patterns sessions). A coding agent is delegated a task end-to-end — scaffolding, code generation, evaluation, deployment, observability — with the human engineer reviewing the agent’s attestations and final artifact rather than the underlying code. Introduces a new governance question: where does the coder-agent get its policy and security guardrails from, and who owns the policy chain when the human reviewer never reads the code?

SanctumShield finding type. Triggered when a customer’s engineering organization has adopted coding agents (Cursor agents, Claude Code, Gemini CLI, Anthropic Antigravity, Google’s google-agents-cli, GitHub Copilot Workspace) without a documented policy answering: (1) where does the coder-agent get its policy and security context from, (2) who is the named human accountable for code the agent produced, (3) what change-management evidence is captured when an agent commits or deploys. Cites NIST AI RMF MANAGE-1.3 (post-deployment monitoring), SOC 2 CC8.1 (change management), and EU AI Act Article 14 (human oversight).

SSRF where the attacker doesn’t need to craft an HTTP request — they just need to convince an agent (via a prompt or consumed content) that it should fetch a URL. Internal cloud metadata endpoints (the AWS ECS task metadata service at 169.254.170.2 for example) are canonical targets.

A formal document describing which AI tools employees are allowed to use, on what data, for what purposes, and under what controls. A production-grade AUP contains approximately fourteen sections (scope, permitted use, prohibited use, data handling, vendor review, training data restrictions, incident reporting, sanctions, review cadence, and legal review), customized to the company’s industry, jurisdictions, and applicable frameworks, and signed by leadership. Cyber insurance renewals, SOC 2 audits, HIPAA reviews, and enterprise procurement cycles now routinely ask for the AUP as evidence.

Google’s reframing introduced at Cloud Next '26 — the AI application, not the individual agent or model, is what gets governed. Policies attach to the application boundary; cost attribution rolls up to the application; the kill-switch operates at the application level. A single agent cannot be governed in isolation.

SanctumShield finding type. Triggered when an organization governs agents individually rather than as bounded AI applications. Policy attached to hosts or containers cannot scale to multi-agent systems where the meaningful unit of governance is the application, not the agent. Cites NIST AI RMF MAP-4.1 and ISO 42001 Clause 9.

The organization-wide system of policies, roles, processes, risk and impact assessments, controls, monitoring, internal audit, and continual improvement that an organization operates to govern its use of AI. ISO/IEC 42001 specifies the requirements for an AIMS, in the same structure ISO/IEC 27001 uses for an information security management system: Clause 4 (context), 5 (leadership), 6 (planning and risk), 7 (support), 8 (operation), 9 (performance evaluation), and 10 (improvement). An AIMS is a continuing system an organization runs — not a single artifact — though it is built from and evidenced by artifacts such as an AI policy, a risk assessment, and an impact assessment.

Industry framing for security operations centers restructured around agent-led tier-1 detection, triage, and hunting — with humans focused on judgment calls, novel investigations, and policy decisions. The model assumes the governance-artifact layer (AUP, risk register, policy attestation) is solved elsewhere, which is the gap SanctumShield fills above the SOC tier.

A term we use on this site to distinguish a real AUP from a generic template. An AI-risk-ready-proof AUP cites the actual clauses of HIPAA §164.502(e), SOC 2 CC6.1, EU AI Act Article 5, NIST AI RMF GOVERN-1.4, and GDPR Article 28 in the specific sections those clauses govern; is customized to a specific company’s industry and jurisdictions; and can be handed to a regulator, a board, a SOC 2 auditor, or an enterprise procurement reviewer without edits.

The earlier framing for products like Wiz AI-SPM, Palo Alto AI Access Security, and Cisco AI Defense — focused on runtime protection of deployed AI workloads. Largely superseded in 2026 by the broader “Agent Governance” framing, which adds policy-artifact production and coverage of shadow AI on top of the runtime protection layer.

A phishing technique in which the attacker’s landing page is a transparent reverse proxy to the legitimate identity provider login (Microsoft Entra ID, Google Workspace, Okta). The victim sees and authenticates against the real Microsoft login URL; the proxy captures the credential and the resulting session token in real time, then replays the legitimate authentication flow so the victim sees no failure. Because the victim only ever interacts with the genuine provider domain, traditional URL-based phishing detection does not fire. Authority: CrowdStrike, 2026 Global Threat Report (p44). Reference cases: ShinyHunters, IMPERIAL KITTEN (EvilGinx2 against Israeli Microsoft 365 users), COZY BEAR (OAuth 2.0 device-code flow abuse against U.S.-based NGOs).

Governance angle: a regulation-anchored AUP must require phishing-resistant MFA (FIDO2 / WebAuthn / passkeys) — not SMS, not push-notification approve, not TOTP — because every flow that issues a session token to the browser is replayable through an AiTM proxy. The AUP must also govern OAuth and Entra ID app-consent policies (limit which third-party apps users can consent to, require admin-mediated consent for sensitive scopes), conditional access bound to managed device or compliant network state, and continuous monitoring of impossible-travel and atypical token-issuance patterns. The Shadow AI overlap: many AiTM targets are Microsoft 365 + embedded AI features (Copilot, Purview AI), and stolen tokens grant attackers the same AI-powered access the legitimate user holds.

A category of products including Apigee, Kong, AWS API Gateway, and Mulesoft. Built for deterministic REST/HTTP API traffic. They parse HTTP headers and apply rate limits, authentication, and routing rules. Traditional API gateways look at the envelope (HTTP headers); agent governance requires looking at the letter inside (semantic intent within JSON-RPC bodies for MCP and A2A traffic). Legacy gateways cannot parse whether an agent is acting outside its permitted boundary, because that decision lives in the prompt-level semantics rather than the syntactic header layer.

A written agreement that a HIPAA-covered entity signs with any vendor (a “business associate”) that will handle Protected Health Information. The BAA spells out the vendor’s permitted uses, security obligations, and breach notification duties. For AI governance, any AI vendor that will process PHI needs a BAA. Most free-tier AI services will not sign one; paid enterprise tiers usually will.

A document or report that can be presented to a company’s board of directors without editing. Characterized by a clear headline, executive summary, risk score, business impact, and prioritized action plan — not raw logs, not control lists, not compliance checklists. “Board-ready” is a specific target audience (audit committee, general counsel, non-technical directors) with specific reading habits.

Google’s framing for how agents coexist with legacy enterprise systems. Each agent application typically exposes two interfaces: an AI-facing A2A/MCP interface for other agents, and a legacy-facing REST API for traditional services. Both interfaces need to be governed — that’s the basis for SanctumShield’s Dual-Interface Governance Gap finding.

Direct quote from Google’s Cloud Next '26 ADK session (“we expect you guys to build agents with building agents”). The framing positions agent construction itself as an agent task: a coding agent uses opinionated CLI skills to scaffold, code, evaluate, deploy, publish, and observe new agents. The full development lifecycle compresses from months to minutes, but the policy chain that governed the original human-developer workflow does not automatically transfer.

A vendor questionnaire specifically for cloud service providers, published by the Cloud Security Alliance. Roughly 300 questions covering 17 control domains. Often used alongside or in place of SIG Lite for SaaS vendor assessment. Shares the same structural limitations — self-reported, point-in-time, vendor-scoped.

California’s consumer data privacy law, substantially strengthened by the CPRA amendments in 2023. Establishes rights to know, delete, correct, and opt out of sale/sharing of personal information. CPRA adds a new category — “sensitive personal information” — and creates the California Privacy Protection Agency as the enforcement body.

Google’s expression language for writing policy conditions — example: api.getAttribute('mcp.tool.isOpenWorld', false) == false. Powerful and deterministic, but written for platform engineers — not the auditor-readable natural-language policy a CISO would sign and a regulator would expect.

A frontier-class general-purpose language model from Anthropic that represents a significant advance in defensive cybersecurity capability. Announced April 7, 2026 at red.anthropic.com and released as Claude Mythos Preview through Project Glasswing — Anthropic’s partner program for using Mythos to “help secure the world’s most critical software.” Anthropic positions Mythos as a general-purpose model that is “strikingly capable at computer security tasks”. Anthropic released it through a partner-trusted rollout that is intentionally not generally available; the program’s scope, criteria, and roadmap are still emerging.

What it does (Anthropic-reported, AISI-validated): identifies vulnerabilities, generates working exploits, and chains attack steps autonomously inside controlled environments. Anthropic’s own announcement reports Mythos finding a 27-year-old OpenBSD vulnerability and a 16-year-old FFmpeg flaw, plus ~300 vulnerabilities in Firefox where Claude Opus 4.6 found ~20. The UK AI Safety Institute’s independent April 2026 evaluation reported 73% success on expert-level Capture-the-Flag challenges and autonomous completion of full 32-step corporate-network attack chains in 3 of 10 runs, in test environments AISI noted were “weakly defended” without active defenders.

Who has access: ~50 organizations are on the Glasswing partner list — including founding partners Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, plus other access-agreement organizations. CrowdStrike’s founding-member announcement frames the division of responsibility cleanly: “Anthropic builds the model. CrowdStrike secures AI where it executes.”

Why measured access: Anthropic states Mythos is “intentionally not being made generally available” because it “could potentially pose a cybersecurity threat if weaponized by bad actors to find bugs and exploit them rather than fix them” (TechCrunch, April 7, 2026). On May 5, 2026, Anthropic CEO Dario Amodei told CNBC the industry has a “six-to-twelve-month window to patch tens of thousands of software vulnerabilities” — an on-the-record framing of the urgency that motivates the Glasswing program.

Government engagement: per Wall Street Journal reporting (April 30, 2026), the White House and Anthropic have engaged on the scope and pace of expanding Glasswing access. The UK AISI has published its independent evaluation. India’s SEBI has convened a task force on frontier-model cyber implications for Indian financial institutions. This kind of public-private engagement is appropriate for capabilities at this level.

The broader 2026 frontier-AI ecosystem. Mythos sits within a fast-moving global ecosystem of capable models. The UK AISI separately reported OpenAI’s GPT-5.5 achieving comparable results on autonomous-attack benchmarks; DeepSeek R1 has been reported to perform competitively on bug-detection benchmarks; and an open-source reconstruction project named OpenMythos has attracted 10,000+ GitHub stars. The straightforward implication for governance teams: organizations should plan on the assumption that frontier-class capability will continue to emerge from multiple sources globally, and shape their governance posture accordingly.

Frontier defensive AI is a meaningful innovation. It does not replace governance. Mythos, GPT-5.5, the Wiz agentic-AI announcements at Google Cloud Next ’26, and the broader 2026 wave of frontier defensive tooling all give skilled security teams faster vulnerability discovery, better attack-path mapping, accelerated triage, and more comprehensive operational scoping. They are valuable contributions to the cybersecurity defender’s toolkit. They are not a substitute for the governance discipline that surrounds the toolkit. An AI agent can scope an audit, automate inventory discovery, and accelerate analysis. It cannot make the decisions, sign the policy, brief the board, or hold the accountability. Governance — what the organization permits, what it prohibits, what it audits, what it documents, and what it certifies to regulators, underwriters, and auditors — remains a uniquely CISO and executive responsibility under Due Care and Due Diligence standards. Automation supports that responsibility; it does not replace it.

Governance posture for the mid-market CISO (the SanctumShield POV): the work the CISO and executive team have to do is the same whether their organization is on the Glasswing partner list or not. Maintain a current AI tool registry. Publish a regulation-anchored AUP that addresses agent identity, MCP server trust verification, BYOD AI authentication, and non-human identity governance. Run a continuous Shadow AI risk audit on a cadence aligned with the new 10-hour Time-to-Exploit. Produce a third-party-validatable verification artifact every regulator, underwriter, and auditor can confirm. SanctumShield is built to make that governance discipline accessible — at $99/month, refreshed monthly — so the underserved mid-market can satisfy its compliance obligations and demonstrate Due Care and Due Diligence regardless of which frontier defensive tooling its operational SOC has access to. Anthropic and the Glasswing partners advance the leading edge; SanctumShield ensures the broader market can still meet the standard. The two efforts complement each other.

Gartner-recognized category for products that detect and respond to active threats in cloud environments — distinct from CSPM (which scans for misconfigurations) and CWPP (which protects workloads). Wiz Defend, CrowdStrike Falcon Cloud Security, Palo Alto Prisma Cloud Defender, and Sysdig all compete here. CDR addresses the runtime detection layer; SanctumShield addresses the governance-artifact layer above it.

A category dominated by Wiz, with competitors including Palo Alto Prisma Cloud, Orca Security, and Lacework. Protects cloud-native workloads at runtime. Wiz extended into Agent Governance with its Red / Blue / Green agent triad in early 2026. Excellent for engineering teams that need runtime protection of deployed AI agents — see /vs-wiz for the SanctumShield positioning relative to this category.

Reference architecture for agent-led development: a coder agent produces a change, a validator agent (often using the same or a peer LLM) evaluates it against tests and policy before submission to a human. The pair pattern reduces the rate of obviously bad code reaching humans, but does not address the underlying governance question — the validator is itself non-deterministic, and “who supervises the validator?” is a recursion problem (compare Evaluator Oversight Gap).

Examples in 2026: Cursor agents, Claude Code, Anthropic Antigravity, Gemini CLI, GitHub Copilot Workspace, Google’s google-agents-cli. Distinct from autocomplete-style assistants because the coding agent operates across the full development lifecycle and can run shell commands, install dependencies, deploy to production, and trigger CI/CD. The runtime IAM the coding agent holds at authoring time is typically broader than what the deployed code itself runs under — and the boundary between those scopes is rarely documented.

Colorado Senate Bill 24-205, signed into law 17 May 2024 with an original effective date of 1 February 2026 (later delayed to 30 June 2026), was repealed and replaced before it could take effect by Senate Bill 26-189, signed by Governor Polis 14 May 2026. The replacement is a fundamentally different regime: SB 24-205 was a risk-based framework with duties of care, risk management programs, and annual impact assessments (modeled on the EU AI Act). SB 26-189 drops that architecture and pivots to a disclosure-and-rights model focused on automated decision-making technology (ADMT) that materially influences a consequential decision. The terms “high-risk AI system” and “algorithmic discrimination” no longer appear in Colorado law. Effective 1 January 2027; applies to consequential decisions made on or after that date. Enforcement is exclusively by the Colorado Attorney General under the Colorado Consumer Protection Act, with penalties up to $20,000 per violation and a 60-day notice-and-cure period before action where cure is possible. SB 26-189 does not create a private right of action. Primary source: leg.colorado.gov/bills/sb26-189 (Bill Text, Fiscal Note, and seven signed/version PDFs published by the Colorado General Assembly). See also Covered ADMT, Consequential Decision, Covered Domain, and ADMT Scope Exemption below. The act remains the first comprehensive U.S. state AI regulation, applying to developers and deployers of covered ADMT used to materially influence a consequential decision in seven covered domains: education, employment, housing, financial or lending services, insurance, health-care services, and essential government services. Developer obligations include technical documentation describing intended uses, training data categories, known limitations, and instructions for appropriate use and human review (§ 6-1-1702), plus notification to deployers of material updates. Deployer obligations include clear and conspicuous consumer notice at the point of interaction (§ 6-1-1704) and a 30-day post-adverse-outcome disclosure to the affected consumer (§ 6-1-1704(3) — specific content pending AG rulemaking due by January 1, 2027). Consumers have rights to request personal data, correct factually incorrect data, and request meaningful human review (§ 6-1-1705). Both developers and deployers must retain compliance records for at least three years. SB 26-189 explicitly safe-harbors insurers and entities subject to Colorado § 10-3-1104.9 in the practice of insurance.

Classic security attack pattern that’s especially dangerous for agents. The attacker embeds instructions in content the agent will consume (a PDF, image with hidden text, email attachment, web page) that cause the agent to act on the attacker’s behalf using its own legitimate credentials, against a legitimate target. The agent is “confused” about whose instruction it’s following.

Defined in Colorado SB 26-189 as a decision relating to an individual’s access to, eligibility for, or compensation related to one of seven Covered Domains: education, employment, housing, financial or lending services, insurance, health-care services, or essential government services. The presence of a consequential decision is what triggers the Covered ADMT obligations. Decisions outside the seven covered domains do not trigger SB 26-189, even if they are made or influenced by an automated system. The structural relevance for SanctumShield customers: most generative-AI tools deployed under a SanctumShield-generated AUP are explicitly excluded from consequential decision use under AUP Section 16, which is the documented foundation of the SB 26-189 scope exemption.

A list of security controls against which an organization is evaluated as “in place” or “not in place.” Useful for SOC 2 audit preparation and compliance automation. Insufficient as a risk assessment, because knowing you have a control does not tell you whether the control is adequate for your actual risk exposure. A checklist proves a policy exists on paper; it does not generate the defensible, regulation-anchored compliance artifacts required to survive an audit or underwriter review.

The practice of validating an AI output by engaging the same AI in dialogue — asking “are you sure?”, requesting elaboration, pushing back with specific objections. Now documented as ineffective by Randazzo et al. (2025), because the AI responds with persuasion bombing rather than correction. Relying on conversational validation creates a false sense of security, effectively tricking human reviewers into approving flawed or biased AI outputs. SanctumShield’s AUP generator now classifies conversational validation as a deprecated control and prescribes adversarial second-model review, independent recomputation, or disconfirmation prompts instead. See Persuasion Bombing.

Under Colorado SB 26-189, an automated decision-making technology (ADMT) is any technology that processes personal data and uses computation to generate output — predictions, recommendations, classifications, rankings, scores, or other information — used to make, guide, or assist a decision, judgment, or determination concerning an individual. An ADMT becomes a Covered ADMT when it is used to materially influence a consequential decision. Covered ADMTs trigger SB 26-189’s developer documentation duties (§ 6-1-1702), deployer transparency obligations (§ 6-1-1704), consumer rights (§ 6-1-1705), and three-year recordkeeping retention for both developers and deployers. See Consequential Decision and Covered Domain for the trigger conditions, and ADMT Scope Exemption for the statutory carve-out that applies to most generative-AI and natural-language tools governed by a SanctumShield-generated AUP.

The seven domains named in Colorado SB 26-189 whose consequential decisions trigger Covered ADMT obligations: education, employment, housing, financial or lending services, insurance, health-care services, and essential government services. An ADMT used inside any of these domains to materially influence a decision becomes a Covered ADMT. Insurers receive a statutory safe harbor (Colorado § 10-3-1104.9 compliance is deemed compliant with Part 17 for the practice of insurance), so the live SanctumShield-relevant hooks for Colorado-domiciled carriers are non-insurance consequential decisions and employment- related ADMT use. See Consequential Decision and Covered ADMT.

A contractual or regulatory requirement that customer data remain within a specific geographic region (the EU, the US, Canada, etc.). For cloud services this usually means pinning storage and sometimes compute to specific regions. GDPR Chapter V imposes restrictions on transfers of personal data outside the EU. Data residency is a frequent friction point with AI services because model inference often happens in a different region than model training.

A specific prompt pattern that requires an AI to articulate the strongest counter-argument against its own recommendation before the output is accepted by a human reviewer. The structured form defeats the natural tendency of LLMs to default to agreement and credibility-projection. One of the three prescribed validation methods under SanctumShield AUP clause PEV-001. Used in concert with adversarial validation, not as a replacement.

A specific case of the Rugpull Effect, called out by Google engineers at Cloud Next '26 BRK2-015. The first connection to an MCP server or A2A target returns a clean list of tools. The agent inherits trust. Subsequent calls return attacker- modified tools — but the agent doesn’t re-verify, and keeps using the poisoned discovery results.

A category of security tools that inspect outbound content (email, file transfer, web traffic) for sensitive data patterns (credit cards, Social Security numbers, classified labels) and block or flag violations. Struggles with AI because modern AI traffic is encrypted HTTPS and the “sensitive data” is indistinguishable from any other text payload. Traditional DLP sees api.openai.com and stops there.

The European Union’s Digital Operational Resilience Act, in force since 17 January 2025. Applies to financial entities operating in the EU — banks, investment firms, insurers, payment institutions, crypto-asset service providers — and to their critical third-party ICT providers. Requires comprehensive ICT risk management, third-party ICT risk oversight (including AI tools and AI service providers), incident reporting, digital operational resilience testing, and information sharing on cyber threats. AI tools used in financial services are explicitly in scope as ICT third parties. Sits alongside the EU AI Act and creates overlapping obligations for high-risk AI in financial services. Financial-services customers using SanctumShield satisfy DORA’s third-party AI inventory and risk assessment requirements through the AI tools registry and Executive Risk Report.

A contract required by GDPR Article 28 between a data controller (the customer) and a data processor (the vendor) that spells out the subject matter, duration, nature, purpose, data types, and obligations of the processing. Analogous to a HIPAA BAA but for GDPR-governed personal data. Most serious B2B SaaS vendors publish a standard DPA and will sign customer DPAs on request.

SanctumShield finding type rooted in Google’s Brownfield Integration pattern. Triggered when a deployed agent application exposes both an A2A/MCP interface and a legacy REST API but security controls have only been documented for one face. API security gaps (auth, authz, rate limiting, input validation) commonly remain on the legacy side. Cites NIST AI RMF MAP-4.1 and OWASP API Security Top 10 (2023).

The cybersecurity-and-legal standard requiring an organization to act as a reasonable, prudent person would in implementing safeguards proportional to the risk. For Shadow AI, an organization meeting Due Care can show a published AI Acceptable Use Policy, a documented risk assessment of the AI in use, identified controls with assigned ownership, and board-level acknowledgment of AI risk. Failing Due Care exposes the organization to negligence findings in regulator inquiries, cyber-insurance claims disputes, breach litigation, and SOC 2 exception findings — and the CISO is the person the record names.

The companion standard to Due Care: not just whether reasonable safeguards were put in place at one point in time, but whether the organization continuously monitors, re-assesses, and updates those safeguards as the risk surface changes. For Shadow AI, Due Diligence means re-running the audit as new AI providers, embedded SaaS AI features, and autonomous agents enter the environment, and refreshing the AUP and risk assessment when regulations change. SanctumShield’s monthly registry refresh and $99/month subscription model are designed to make Due Diligence structurally feasible for organizations of 50–2,000 employees — so the CISO is not forced to choose between a $50K Big 4 snapshot and no evidence trail at all.

Security agents that run on endpoint devices, monitor process and network behavior, and detect suspicious activity. CrowdStrike Falcon, SentinelOne, and Microsoft Defender for Endpoint are leading examples. EDR agents can see some shadow AI (desktop apps, browser extensions) but miss most of it (browser-based SaaS accessed through normal web traffic).

The control standard required by EU AI Act Article 14, Colorado SB 24-205, NIST AI RMF’s GOVERN function, and ISO/IEC 42001 Clause 8.3. The regulations assume that a human reviewing AI output is itself an effective control. Randazzo et al. (2025) has invalidated that assumption for conversational review. SanctumShield’s position: “effective” requires controls beyond conversational pushback — namely adversarial validation, independent recomputation, or disconfirmation prompts, codified in generated AUP clauses PEV-001 through PEV-005. See Persuasion Bombing and Theatrical Oversight.

SanctumShield finding type. Triggered when an organization has deployed agents without any consistent gateway, proxy, or sidecar mediating outbound tool calls and A2A traffic — meaning no single point at which egress policy can be enforced or observed. Cites NIST AI RMF MAP-4.1 and NIST SP 800-207 (Zero Trust Architecture).

The three rhetorical modes Aristotle named in Rhetoric: ethos (credibility appeals — apologizing, correcting, effort transparency, hedging, deflecting), logos (logical appeals — agreeing and counter-arguing, comparing, data-insight overlays, problem-solution structuring), and pathos (emotional appeals — affirming, energizing, inclusivity language, mirroring, visioning). Randazzo et al. (2025) used this taxonomy to classify 14 specific persuasion tactics observed in GPT-4 outputs to validation challenges. The taxonomy is the foundation of SanctumShield’s research vocabulary; the tactics themselves are detectable in transcript analysis.

Adopted in 2024, phased into force through 2026. Classifies AI systems into four risk tiers: unacceptable (prohibited), high-risk (subject to extensive obligations), limited-risk (transparency obligations), and minimal-risk. Article 5 prohibits specific practices (social scoring, biometric inference in public spaces, dark-pattern manipulation). High-risk AI systems face conformity assessment, technical documentation, and post-market monitoring obligations.

Google’s framing for the gap between demo-stage agent deployments (one agent, isolated) and production-stage deployments (a hundred agents in one application interacting via A2A and MCP). Quote: “Productizing multi-agent systems is 100× harder. Massive Shadow AI sprawl.” The case for explicit governance over informal policy.

A social-engineering lure that mimics the “verify you’re human” CAPTCHA challenge users see across the modern web. The malicious version then instructs the victim to paste an attacker-supplied PowerShell, shell, or Run-dialog command into their own terminal as part of the purported verification — bypassing every browser-based security control because the malicious payload never crossed the network as content; it crossed as user-typed text. Authority: CrowdStrike, 2026 Global Threat Report (p12). CrowdStrike observed a 563% increase in incidents using fake CAPTCHA lures in 2025 compared to 2024 — the steepest growth curve of any social-engineering pattern in the report.

Governance angle: every regulation-anchored AUP must mandate Shadow-AI-aware security awareness training that explicitly covers ClickFix and fake-CAPTCHA patterns. Every Shadow AI risk assessment must enumerate which corporate-data-touching endpoints (managed laptops, BYOD devices, virtual desktops) permit user-typed-shell-execution and what compensating controls exist. The relationship to Shadow AI: AI-translated and AI-localized lures (CrowdStrike documents RENAISSANCE SPIDER’s use of AI to translate ClickFix lures into Ukrainian) make these campaigns more credible at scale and more language-targeted than manual translation could ever produce.

A category describing the most capable AI systems — models that can reason across complex tasks, analyze software, identify vulnerabilities, accelerate exploit development, and support increasingly sophisticated security workflows. Anthropic’s Claude Mythos and OpenAI’s GPT-5.5 are the canonical 2026 examples; CrowdStrike cites both in Five Steps for Frontier AI Security Readiness (p3). Frontier-AI deployment in cybersecurity is one of the most important defensive innovations of 2026 — alongside Google Cloud Next ’26’s announcements pairing Wiz’s agentic AI with operational automation, and Cisco / Palo Alto / CrowdStrike’s complementary frontier-model partnerships — representing a careful, measured industry effort to keep leading-edge capability on the side of defenders.

Cited by CrowdStrike in the context of an observed Time-to-Exploit (TTE) collapse from 2.3 years (2018) to 23.2 days (2024) to 10 hours (2025), based on 3,531 CVE-exploit pairs. The defensive innovations are real and welcome — and they do not reduce the governance work surrounding them. Frontier defensive AI gives skilled analysts faster vulnerability discovery, better attack-path mapping, and accelerated triage; it does not replace executive decision-making, policy ownership, board acknowledgment, or the regulation-anchored governance artifact that regulators, underwriters, and auditors require. See the Claude Mythos entry below for the full primary-source detail and the SanctumShield governance posture that pairs with these innovations.

The European Union’s comprehensive data protection law. Applies to any organization processing personal data of EU residents, regardless of where the organization is located. Key clauses for AI governance: Article 28 (processor obligations and sub-processor governance), Article 35 (Data Protection Impact Assessments for high-risk processing), and Article 22 (rights regarding automated decision-making).

AI systems trained on large datasets that generate new content in response to a prompt — the category that includes ChatGPT, Claude, Gemini, Copilot, Midjourney, DALL·E, Suno, and everything built on top of them. Distinct from the earlier generation of AI which was primarily predictive (fraud detection, recommendation, classification).

Google’s flagship SecOps platform combining SIEM (Chronicle), SOAR (Siemplify), and threat intelligence (Mandiant) under one Gemini-powered analyst experience. Sold both standalone and bundled with Google Cloud. Sets the reference architecture for the “AI-first SOC” category several other vendors (Microsoft Sentinel, Splunk, Cortex XSIAM) are now retrofitting toward.

OpenAI’s frontier general-purpose model, named alongside Claude Mythos in CrowdStrike’s Five Steps for Frontier AI Security Readiness (p3) as an early example of frontier capability reshaping security workflows. A UK AI Safety Institute evaluation reported GPT-5.5 achieving comparable results to Mythos on autonomous cyber-attack simulation benchmarks. CrowdStrike also references “GPT-5.4-Cyber” as an OpenAI security-focused frontier variant. The straightforward observation: frontier-class capability is advancing across multiple model families and providers globally. From a governance posture standpoint, organizations should plan on the assumption that capable models will continue to emerge from many sources — and shape their AUP, AI tool registry, agent identity governance, and continuous re-audit cadence accordingly. The specific tooling a SOC has access to changes the operational defense; it does not change the governance artifacts the CISO and executive team are accountable for.

A category of products including OneTrust, Vanta, Drata, Secureframe, and Tugboat Logic. Tracks whether security controls exist (yes/no) for SOC 2, ISO 27001, HIPAA, and similar frameworks. Not generative — doesn’t produce an AI Acceptable Use Policy, an Executive Risk Report, or a verifiable audit artifact. The SOC 2 auditor will ask about AI governance; the GRC dashboard will show a checkbox, not an answer.

The US federal law governing the privacy and security of Protected Health Information (PHI). Under the Privacy Rule and Security Rule, covered entities and business associates must implement administrative, physical, and technical safeguards. For AI governance, the critical clauses are §164.502(e) (business associate agreements with sub-processors) and §164.312 (technical safeguards for ePHI).

The control pattern of requiring a human review or approval step in an AI-driven workflow, named explicitly in EU AI Act Article 14, Colorado SB 24-205, and NIST AI RMF, and implicit in HIPAA administrative safeguards and ISO/IEC 42001. Note (2026): per Randazzo et al. (HBS Working Paper 26-021, July 2025), human-in-the-loop alone is insufficient as a control when the “loop” involves the same AI being challenged conversationally — the AI responds with persuasion escalation rather than correction. SanctumShield recommends supplementing HITL with adversarial validation, independent recomputation, or disconfirmation prompts — codified in generated AUP clauses PEV-001 through PEV-005. See Persuasion Bombing, Adversarial Validation, and Effective Human Oversight.

A category of products including Okta, Auth0, Microsoft Entra (Azure AD), and Ping Identity. Built around two identity classes: human users (long-lived, MFA-protected) and service accounts (long-lived credentials for non-interactive workloads). Doesn’t fit agents — agents need ephemeral, scoped, cryptographically attested identities. Hence the new agentic identity primitive (Agent Identity / SPIFFE).

Wiz Red Agent’s documented severity approach: severity is based on what was actually compromised (PII extracted, credentials retrieved, system files accessed) — not on the attack technique used. SanctumShield’s Executive Risk Report adopts the same principle: findings are ranked by regulator/auditor visibility, not CVSS score.

An attack pattern in which an adversary plants malicious instructions inside external content — a webpage, a shared document, an email body, a customer support ticket, a code-review comment, a public GitHub README — that an AI agent later retrieves and processes as part of a legitimate user task. The agent executes the hidden instruction while appearing to process the “clean” user request, bypassing direct guardrails because the malicious payload never appears in the user’s prompt. Distinct from direct prompt injection (where the attacker is the user). Indirect injection is the failure mode that makes Shadow AI and autonomous-agent deployments specifically dangerous: every tool an agent invokes, every document it ingests, every search result it consumes is a potential injection surface. Listed in OWASP LLM Top 10 as LLM01 (Prompt Injection); referenced in MITRE ATLAS adversarial techniques. The generated AUP covers indirect prompt-injection awareness under Section 9.3 (Prompt Injection Awareness) and Section 14 (Deployed Agent Policy).

The structural reason agent governance can’t use the traditional security-testing playbook of enumerating inputs. Every prompt is novel; no two user interactions are identical. Defense requires classifier-based controls (Model Armor, Responsible AI filters, LLM-as-a-judge) rather than rule-based ones, and a policy layer that operates on intent, not syntax.

A certifiable international standard published by the International Organization for Standardization that defines an Information Security Management System (ISMS) — a structured approach to managing security risks through policies, risk assessments, and continuous improvement. The 2022 revision includes new Annex A controls relevant to cloud and AI services.

The foundational ISO/IEC vocabulary standard for artificial intelligence. It establishes standardized definitions for core AI concepts — including bias, hallucination, explainability, transparency, robustness, and fairness — so that management-system, risk, and impact-assessment standards share a consistent vocabulary. ISO/IEC 22989 is the terminological base the rest of the ISO/IEC 42001 family builds on; auditors and implementers reference it so that terms used in governance documentation carry their standardized meaning rather than a colloquial one.

Published by ISO and IEC in 2023, ISO/IEC 23894 provides guidance on managing risk specific to the development and use of artificial intelligence. It adapts the general risk-management framework of ISO 31000 to AI-specific concerns — data quality, model behavior, autonomy, opacity, and the potential for unintended outcomes. It is guidance rather than a certifiable management-system standard: organizations use it to structure the AI risk assessment and treatment that ISO/IEC 42001 Clause 6 requires. Commonly cited alongside the NIST AI RMF as a methodological basis for documented AI risk identification, analysis, and treatment.

The first international management system standard for artificial intelligence, published by ISO and IEC in December 2023. Establishes requirements for an organization’s AI governance program in the same way ISO/IEC 27001 establishes requirements for an information security management system. Requires an AI policy aligned with organizational context, defined roles, AI risk assessment and treatment, controls covering the AI lifecycle (planning, development, deployment, operation, retirement), supplier management, monitoring, internal audit, and continual improvement. Crosswalks formally to NIST AI RMF; organizations adopting NIST RMF are simultaneously building toward ISO 42001 certification. Increasingly seen in enterprise procurement questionnaires from Fortune 500 buyers and large healthcare systems.

The annex of ISO/IEC 42001 listing reference controls and implementation guidance for an AI management system — the AI-specific analogue of ISO/IEC 27001 Annex A. An organization selects and justifies which controls apply (a Statement of Applicability), then implements and evidences them. Annex A spans areas such as AI policy, internal organization and roles, resources and data for AI systems, the AI system life cycle, third-party and customer relationships, and information for interested parties. “Mapping to ISO 42001” refers in practice to implementing and evidencing these controls.

An ISO/IEC standard providing guidance on conducting AI system impact assessments — the structured analysis of how an AI system may affect individuals, groups, and society. It addresses when an impact assessment should be performed, what it should document, and how it integrates with an organization’s broader AI management system. It operationalizes the impact-assessment obligations referenced in ISO/IEC 42001 Clause 6 and Clause 8.5, and parallels the fundamental-rights and data-protection impact assessments contemplated under the EU AI Act and GDPR.

An ISO/IEC standard specifying the requirements for bodies that audit and certify AI management systems against ISO/IEC 42001. It is the accreditation-layer standard: it governs the competence, impartiality, and process requirements a certification body must meet to issue a valid ISO/IEC 42001 certificate. Relevant to buyers evaluating an ISO 42001 credential — the weight of a certificate depends on whether the issuing body conforms to ISO/IEC 42006 and is accredited by a recognized national accreditation authority.

A related distinction buyers should hold precisely: organizational ISO 42001 certification (a conformity assessment of an organization’s management system, performed by a body conforming to ISO/IEC 42006) is not the same as an individual training credential. A continuing-professional-development (CPD) accreditation attests only that a training course qualifies for CPD credit — it does not make the training provider an accredited certification body, and a course-completion certificate held by a person is not an organizational ISO 42001 certificate.

A neural network with tens to hundreds of billions of parameters, trained on very large text corpora, capable of producing and reasoning over natural language. Examples: GPT-4, Claude 4, Gemini 3, Llama 3, Mistral Large. Every AI tool that writes or talks or codes is built on top of one or more LLMs.

A new category of malware observed mid-2025 onward: rather than hard-coding reconnaissance and exploitation logic, the malware embeds prompts that call a hosted or local LLM at runtime to generate the commands needed for the next attack stage. Authority: CrowdStrike, 2026 Global Threat Report (p17–18 + p33). Reference cases: LAMEHUG (FANCY BEAR, mid-2025) — first known instance of an LLM (Qwen2.5-Coder-32B-Instruct via Hugging Face API) embedded in malware to perform reconnaissance and document collection; the npm Nx attack (Aug 2025) — used victims’ own Claude and Gemini CLI tools to generate credential-theft commands; ShaiHulud — a self-propagating npm worm that compromised 690 packages by Nov 2025. Implication: static detection and traditional endpoint controls cannot inspect prompts that have not yet produced output; governance of LLM CLI access on developer and BYOD endpoints becomes a Layer 1 + Layer 3 control.

A new threat pattern observed in 2025: adversaries publish a malicious clone of a legitimate Model Context Protocol (MCP) server, impersonating its name and interface so AI agents configured to use the legitimate server unknowingly route data through the adversary instead. Authority: CrowdStrike, 2026 Global Threat Report (p19). The reference case: in Q3 2025 a malicious server named postmark-mcp impersonated a legitimate MCP server maintained by Postmark, forwarding users’ emails to a threat-actor-controlled address. Combined with the existing MCP Server Trust Chain Risk, this completes the agentic-AI supply-chain compromise pattern: identity, registry, and trust verification of every MCP server an agent connects to becomes a non-negotiable governance control.

An intrusion in which no malicious binary is dropped or executed on the endpoint — the adversary uses valid credentials, OAuth grants, AiTM-stolen session tokens, native administrative tooling (PowerShell, Quick Assist, RMM agents, cloud CLIs), and trusted SaaS integrations to achieve objectives. Authority: CrowdStrike, 2026 Global Threat Report (p9 + p11). 82% of CrowdStrike’s 2025 detections were malware-free, up from 51% in 2020 — a five-year secular trend confirming that endpoint-binary-centric detection is no longer where intrusions live.

Governance angle (the load-bearing point): malware-free intrusions move through exactly the surface SanctumShield audits — Layer 2 (embedded SaaS AI, OAuth-granted AI integrations), Layer 3 (BYOD AI authentication, unmanaged-device OAuth flows), and Layer 4 (autonomous AI agents acting on company data). Every regulation-anchored AUP must therefore cover non-human identity governance (service accounts, OAuth applications, agent identities, API keys), with documented inventory, owner, scope, and review cadence. Every Shadow AI risk assessment must enumerate which AI-touching SaaS integrations have which OAuth scopes, which non-human identities exist, and which of them have access exceeding least-privilege requirements. The 82% statistic is the empirical evidence that legacy endpoint-centric controls cannot be the primary governance instrument for the AI era.

Mandiant (acquired by Google in 2022) is the threat intelligence backbone of Google Security Operations. Provides finished intelligence on active threat actors, indicators of compromise, and tactics/techniques/procedures, plus an elite incident response practice that runs major-breach engagements. The ground truth several Google SecOps agents reference for attribution and context.

The standard agents use to access external tools, data sources, and APIs in a uniform way — the “data access” layer of the agent stack. Complementary to A2A. Used by Cursor, Claude Desktop, Zed, Gemini CLI, Warp, and an expanding ecosystem of IDE plugins. MCP servers are now first-class inventory objects that need to be governed.

The Model Context Protocol (MCP) defines three roles in any agent session. The MCP Host is the runtime environment that executes the agent — Claude Desktop, Cursor, VS Code with an MCP plugin, or a custom agent runtime. The MCP Client is the component inside the Host that initiates a session to a Server to discover tools and call them on the user’s behalf. The MCP Server exposes a set of tools, prompts, and resources the agent can invoke (filesystem access, Slack messaging, database queries, etc.). Governance attaches at the boundary between these three: which Hosts may run agents against which Servers; which Clients may auto-discover and auto-call new tools without human review; what permissions the Server has been granted to act on enterprise data; whether the Host runtime enforces a tool allowlist. Section 14 of the generated AUP (Deployed Agent Policy) codifies the Host-Client-Server governance boundary. See Malicious MCP Server for the supply-chain attack pattern and /agent-governance for the broader category framing.

SanctumShield finding type. Triggered when a customer indicates use of MCP-enabled tools (Cursor, Claude Desktop, Zed, Gemini CLI, Warp) without an MCP server allowlist, without a re-validation cadence, and without policy on dynamic discovery. References the Discovery Poisoning attack pattern publicly documented at Cloud Next '26.

Per Google’s 2026 keynote at Cloud Next '26, mean-time-to-exploit is now −7 days — meaning attackers exploit vulnerabilities on average a week before public CVE disclosure. Combined with a 22-second threat-actor handoff, this architecturally invalidates governance frameworks that operate on weeks- or months-long cycles. SanctumShield cites this stat for the urgency of pre-positioned governance.

Governance failure where the agent gets “better” at the metric it’s given while the business gets worse off. The case for explicit Evaluation governance — including the recursive question “who supervises the evaluator?” in multi-agent systems where one agent grades another’s output.

Adversarial Threat Landscape for Artificial-Intelligence Systems — the MITRE-maintained companion to ATT&CK, cataloging tactics and techniques specific to attacks on machine learning and AI systems (model evasion, prompt injection, model extraction, training-data poisoning, adversarial examples, supply-chain compromise of model artifacts). Authority: atlas.mitre.org. The most defensible reference framework for describing agentic-AI threat techniques in the same vocabulary security teams already use for traditional ATT&CK mappings.

The MITRE Corporation’s globally-adopted knowledge base of adversary tactics and techniques observed in real-world cyber intrusions. The reference framework SOC analysts, threat hunters, red teams, and security vendors use to describe attacker behavior in a common vocabulary. Authority: attack.mitre.org. SanctumShield references ATT&CK techniques where finding descriptions can be mapped to a known adversary behavior so SOC and IR teams reading the audit recognize the threat vocabulary.

Google’s prompt-injection-and-jailbreak (PIJB) classifier, injected by the Agent Gateway as part of Pillar Four. Works alongside Responsible AI classifiers and LLM-as-a-judge anomaly detection to defend against agent-targeted attacks. SanctumShield doesn’t replace this — we govern the policies and artifacts above it.

The National Association of Insurance Commissioners’ Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, adopted December 2023 and now incorporated by 25+ U.S. state insurance regulators. Sets expectations for insurers’ governance of AI used in underwriting, claims, marketing, and fraud detection. Insurers must develop, implement, and maintain a written AI Systems Program (AIS Program) commensurate with the risk and use of AI. The program must address governance, risk management, third-party AI tool oversight, testing, monitoring, and consumer protection. Examiners will request the AIS Program documentation during regulatory examinations. Insurers using SanctumShield generate the foundational documents the AIS Program requires — a regulation-anchored AUP, AI tool inventory, and risk assessment of current AI exposure.

The U.S. National Institute of Standards and Technology’s AI Risk Management Framework Generative AI Profile (NIST AI 600-1, July 2024) — the federal-authority extension of the NIST AI RMF (AI 100-1) addressing risks unique to generative AI: confabulation, dangerous or violent recommendations, data privacy, environmental impacts, harmful bias, human-AI configuration risks, information integrity, information security, intellectual property, obscene/degrading/abusive content, value chain and component integration. Authority: NIST.AI.600-1 (PDF). Referenced by FTC, CFPB, FDA, SEC, and EEOC enforcement guidance; provides the affirmative-defense pathway for Colorado AI Act ‘reasonable care’ alongside ISO/IEC 42001.

A voluntary framework published by the US National Institute of Standards and Technology for managing AI risks across the lifecycle. Structured around four functions: GOVERN (GOVERN-1.4 covers AI acceptable use policies), MAP, MEASURE, and MANAGE. Supplemented by the Generative AI Profile published in 2024. Often referenced by US federal agencies and contractors, and increasingly by SOC 2 auditors as the expected standard for AI risk management.

SanctumShield finding type. Triggered when an organization operates agents on AWS Bedrock, Azure OpenAI Service, Anthropic API direct, self-hosted Ollama / vLLM, or sovereign / air- gapped environments — none of which Google’s Zero-Touch Onboarding can auto-register. SanctumShield’s discovery is the registry these customers will actually have.

The unmanaged proliferation of non-human credentials inside an enterprise — API keys, service accounts, OAuth tokens, SPIFFE identities, ephemeral agent credentials, CI/CD tokens, webhook secrets, and the credentials granted to autonomous AI agents (Claude Agent SDK, OpenAI Agents SDK, Google Agent Platform, custom Copilot Studio agents, etc.). Because these identities bypass traditional human Multi-Factor Authentication (MFA), they are the primary vector for the malware-free intrusions CrowdStrike’s 2026 Global Threat Report names as 82% of all 2025 detections (up from 51% in 2020). The term “NHI Sprawl” is now appearing on cyber insurance underwriting questionnaires — underwriters increasingly ask applicants to enumerate non-human identities, scope their permissions, and demonstrate rotation cadence. SanctumShield’s generated AUP covers NHI governance across Section 7 (AI Agent and Agentic Workflow Policy) and Section 14 (Deployed Agent Policy), including the Agent Identity Registration (§14.2) and Agent Identity and Credentials (§14.5) clauses that codify ephemeral-scoped credential requirements.

SanctumShield finding type. Triggered when agents are deployed without OpenTelemetry GenAI instrumentation, A2A trace headers, or a plan for producing trace records when an auditor or regulator asks. Cites EU AI Act Article 13 (transparency for high-risk AI systems), SOC 2 CC7.2, and NIST AI RMF MEASURE-2.8.

The governance philosophy SanctumShield is built on. Instead of asking an employee or a vendor what AI tools are in use, we match observed network traffic (firewall, proxy, or DNS logs) against a 71-domain AI endpoint registry. Evidence rather than promise. Applies to both internal shadow AI (your employees) and external vendor exposure (their employees).

The Open Worldwide Application Security Project’s Top 10 for Large Language Model Applications, plus the OWASP Agentic Security Initiative (ASI) covering autonomous agent risks. Industry-consensus taxonomy of AI-specific risks: prompt injection (LLM01), insecure output handling, training-data poisoning, model denial of service, supply chain vulnerabilities, sensitive information disclosure, insecure plugin design, excessive agency, overreliance, model theft, and agent-specific risks (excessive autonomy, identity spoofing, multi-agent orchestration risks). Authority: genai.owasp.org/llm-top-10. The reference cited most frequently across cyber-insurance questionnaires, vendor security reviews, and AI-SPM product roadmaps in 2026.

The pattern documented by Randazzo, Joshi, Kellogg, Lifshitz, Dell’Acqua, and Lakhani (Harvard Business School Working Paper 26-021, July 2025) in which a large language model responds to human pushback — “are you sure?”, “please reconsider” — not by correcting its output, but by intensifying its persuasive rhetoric. The study identifies 14 specific tactics across three rhetorical modes (ethos / logos / pathos), validated against 968 persuasive responses across 4,339 prompts in a field study with 70+ BCG consultants. The finding has been covered by MIT Sloan Management Review (Feb 2026) and Harvard Business Review (March 2026), and it directly challenges the assumption underlying every regulation that prescribes “effective human oversight” — EU AI Act Article 14, Colorado SB 24-205, NIST AI RMF, ISO/IEC 42001 Clause 8.3. SanctumShield is the first AI governance product to name persuasion bombing, cite the research in the generated AUP, and prescribe specific controls (see Adversarial Validation and Disconfirmation Prompt) that compensate for it.

A planned 0–100 score that quantifies how heavily an organization’s AI interactions exhibit the 14 persuasion tactics documented in Randazzo et al. (2025), measured against the paper’s reported benchmarks (968 persuasive responses across 4,339 prompts). The PEI is on the SanctumShield active roadmap — the underlying clause library (PEV-001 through PEV-005) is shipping in the generated AUP today; the scoring tool that quantifies exposure across customer transcripts is the next major release. Methodology page will publish at production launch.

Pillar four of Google’s Agent Platform — sits in two layers. The bottom is traditional IAM with CEL (Common Expression Language) conditions, written by platform engineers. The top is “Business Policies” — natural-language rules like “do not share customer PII with third-party tools” that the platform compiles into enforcement.

Any claim about a security control that is valid as of a specific moment and that ages the instant that moment passes. SIG responses, SOC 2 Type I reports, ISO certifications, and most trust center pages are point-in-time attestations. The alternative is continuous evidence — logs, monitoring, real-time signals — which is what modern AI governance actually requires.

A document that identifies threats, assesses likelihood and impact, proposes mitigations, and produces an overall risk posture. Distinct from a control checklist, which only records whether a control exists — a risk assessment actually reasons about the consequences. The SanctumShield Executive Risk Report is a customized, targeted AI risk assessment: five regulation-anchored findings with business impact analysis and a prioritized 90-day action plan.

Attack pattern specific to MCP and A2A discovery. A tool or agent registers with valid behavior and gets trusted; then after the trust relationship is established, swaps its behavior to malicious. The registry has no continuous validation that tool behavior matches the declared contract. Mitigated by re-validation cadence and an MCP server allowlist in the AUP.

A category coined by Gartner for platforms that combine SD-WAN, secure web gateway, cloud access security broker (CASB), zero trust network access, and firewall-as-a-service into a single cloud-delivered offering. Vendors include Zscaler, Netskope, Palo Alto Prisma, and Cloudflare. SASE deployments give the buyer network-layer visibility which can detect AI endpoint traffic — but at enterprise prices and complexity.

Any claim a vendor makes about their own security controls without independent verification. SIG responses, CAIQ responses, trust center pages, and vendor security whitepapers are all forms of self-attestation. Self-attestation is the foundation of the modern vendor risk paradigm, and also its biggest structural weakness — vendors have strong incentives to present the cleanest possible picture.

SanctumShield finding type. Triggered when a customer’s AI governance policies live only at the IAM/CEL level (written for engineers) or as informal documents (no enforcement layer) — without a natural-language, auditor-readable policy surface that maps to enforceable controls. Cites EU AI Act Article 14 (human oversight) and SOC 2 CC5.3.

Any generative AI tool that an employee uses in their work without the knowledge or approval of IT, security, or procurement. The phenomenon is defined by invisibility, not intent — employees are usually trying to be productive, not malicious. The canonical data points: 80%+ of enterprise AI tools are currently unmanaged (Zluri, State of AI in the Workplace 2025), and roughly 59% of employees admit to hiding their AI tool usage from IT (Cybernews 2025 AI Workplace Survey).

A category of products including Splunk, Microsoft Sentinel, Google Chronicle, Elastic SIEM, IBM QRadar, and Sumo Logic. Records events for incident detection and forensic correlation. Useful for SOC operations but doesn’t produce the regulation-anchored governance artifact a board, auditor, or cyber insurance underwriter needs to evaluate AI exposure.

The Standard Information Gathering (SIG) questionnaire is the most widely-used third-party risk assessment in industry, published and maintained by the Shared Assessments membership organization (sharedassessments.org). SIG is delivered as a structured library of curated questions a vendor self-attests against, covering 21 risk domains: Access Control, Application Management, Artificial Intelligence, Asset and Information Management, Cloud Services, Compliance Management, Cybersecurity Incident Management, Endpoint Security, Enterprise Risk Management, ESG, Human Resources Security, Information Assurance, IT Operations Management, Network Security, Nth-Party Management, Operational Resilience, Physical and Environmental Security, Privacy Management, Server Security, Supply Chain Risk Management, and Threat Management. Each question maps to security controls across NIST CSF 2.0, NIST SP 800-53, NIST SP 800-161r1, NIST AI 100-1, HIPAA, DORA, NIS2, GDPR, ISO 27001, ISO 27002, SOC 2, PCI DSS, CMMC, FedRAMP, CCPA, and 30+ additional frameworks. SIG ships in three editions: SIG Lite (preliminary assessment), SIG Core (full assessment for vendors handling sensitive or regulated data), and SIG Detail (deep-dive supplement). SIG is a strong baseline for third-party vendor risk management within a sanctioned vendor program. Structurally, it is a vendor self-attestation framework — it cannot detect shadow AI or the AI tools an organization’s own employees use outside the sanctioned vendor list. See SIG Lite, SIG Core, and /beyond-sig for the structural gaps SIG cannot close for Shadow AI governance.

The comprehensive edition of the SIG (Standard Information Gathering questionnaire) — approximately 810 questions organized into four subjects, covering the same 21 risk domains as SIG Lite at full depth. Designed to assess third parties that store or maintain sensitive, regulated information. Takes weeks for a vendor to complete and weeks more for the requesting organization to review. SIG Core also includes extensive coverage of legal requirements and best practices for protecting personal information. Used by enterprise organizations for high-criticality vendors where a Lite assessment is insufficient. See SIG above for the broader context and /beyond-sig for why SIG Core, like Lite, structurally cannot close the Shadow AI governance gap.

The preliminary edition of the SIG (Standard Information Gathering questionnaire) — approximately 133 questions providing a high-level view of a vendor’s internal information control systems. Used when the vendor has a low degree of profiled risk or as a first-pass screen before SIG Core. Covers access controls, encryption, incident response, and compliance at a basic level of due diligence. See also /beyond-sig for why SIG Lite structurally cannot catch shadow AI.

An independent audit framework published by the AICPA that attests to a service organization’s controls against five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Type I attests to design of controls at a point in time; Type II attests to operating effectiveness over a period (typically 6–12 months). For AI governance, CC6.1 (logical access controls) and CC7.2 (system operations and monitoring) are the most frequently cited.

SPIFFE (Secure Production Identity Framework For Everyone) is the open standard underlying Google’s Agentic Identity. Provides short-lived, scoped, cryptographically attestable identity for each agent instance. Most mid-market organizations have never deployed SPIFFE — the platform burden is the reason SanctumShield’s Agent Identity Model Gap finding exists.

A third party that a vendor engages to help deliver its service, and which in the course of doing so processes customer data. Under GDPR Article 28 and HIPAA §164.502(e), customers generally have the right to a list of sub-processors, advance notice of changes, and the ability to object. For SanctumShield, our sub-processors include Google (Gemini inference), Stripe (payment processing), Resend (transactional email), Vercel (hosting), and Cloudflare (DNS/SSL). See /trust for the full list.

Review processes whose existence satisfies the literal text of a regulation (a human reviewed the output) but which do not actually catch errors at any measurable rate. The contrast SanctumShield draws between theatrical oversight and effective human oversight is what differentiates compliant-on-paper from defensible-in-practice — and it is the differentiation auditors, underwriters, and plaintiff’s counsel will sharpen as the 2026 cohort of AI litigation matures.

Per the same Google/Wiz Cloud Next '26 keynote, threat- actor handoff has compressed to 22 seconds — the median time between an initial breach (e.g., credential theft) and a secondary actor monetizing that access. The argument: governance frameworks must be in place before the alert fires, because there is no time to stand them up afterward.

The time interval between a vulnerability’s public disclosure and the first observed exploitation by an adversary. Authority: CrowdStrike, Five Steps for Frontier AI Security Readiness (p4 Zero Day Clock chart, based on 3,531 CVE-exploit pairs sourced from CISA KEV, VulnCheck KEV, and exploit-database records). Mean TTE collapsed from 2.3 years in 2018, to 10.8 months in 2021, to 23.2 days in 2024, to 10 hours in 2025 — a structural shift driven by frontier AI accelerating both vulnerability discovery and exploit development.

Governance angle: Due Diligence — the continuous-verification standard — has a numerator (audit cadence) and a denominator (rate of change in the threat surface). When the denominator is now measured in hours, no point-in-time audit can satisfy the standard. A Big 4 advisory engagement that produces a 6-month snapshot is structurally stale within hours of any new CVE disclosure that touches the customer’s AI surface. SanctumShield’s monthly registry refresh, monthly regulatory-clause refresh, and $99/month subscription model are designed for exactly this reality — a continuous re-audit cadence priced and operated for organizations without the budget or platform-engineering team to run their own continuous-validation program.

Cross-cutting severity designation in SanctumShield’s Executive Risk Report (adopted from Wiz’s seven-category risk taxonomy). When three or more findings — each individually Low or Medium — combine into an aggregate that is exploitable (e.g., one vendor + one undocumented model + one PII data class + no AUP), the report flags the composite explicitly in a red callout box. Note (2026): conversational validation as the sole control for high-risk workflows is now classified as a TOXIC_COMBINATION under SanctumShield’s severity model — see Persuasion Bombing and Conversational Validation below.

The single most important property of any AI tool for a governance program. If a vendor trains its models on the inputs you submit (your prompts, your attached documents, your code, your customer data), then anything you send can be absorbed into the model and may surface in responses to other users. Paid API tiers of most major vendors (Google Gemini, OpenAI, Anthropic) commit contractually to not training on paid-API inputs. Free-tier web chat interfaces almost always retain the right to train. A serious AI governance program enforces paid-tier use for any corporate data.

SanctumShield finding type. Triggered when no-code platforms like Gemini Enterprise custom agents, Microsoft Copilot Studio, Salesforce Agentforce, or ServiceNow Agentic AI allow non-technical users to create and deploy agents without security review, policy assignment, or executive approval. Cites NIST AI RMF GOVERN-1.2 and SOC 2 CC1.3. Catches the product-led-growth sprawl pattern.

A planned section of the SanctumShield Executive Risk Report that, once the Persuasion Exposure Index is live, will score the organization’s actual ability to catch AI errors — based on prescribed validation methods implemented, training completion, high-risk workflow protection, and (when transcript ingestion is enabled) measured persuasion-bombing exposure. Distinct from policy-on-paper assessments. The clause library (PEV-001 through PEV-005) is shipping today; the live score renders once the customer has run a PEI scan.

The process a company uses to decide which vendors are safe to do business with and to monitor them over time. Traditionally built around periodic questionnaires (SIG, CAIQ), point-in-time attestations (SOC 2 reports, ISO certifications), and external security ratings (BitSight, SecurityScorecard). Sometimes called Third-Party Risk Management (TPRM). The category structurally assumes the company already knows which vendors exist — which is why it fails for shadow AI.

SanctumShield finding type. Triggered when a customer has catalogued AI tools or vendors but has not enforced per-application least-privileged access (which agent or application is authorized to call which tool). Anchors to Google’s own Pillar One principle: visibility does not equal access. Cites NIST AI RMF MANAGE-1.3 and CIS Controls v8.1 IG-1.

The defensive arm of the Wiz trio. Forensic detective that investigates suspicious activities by correlating runtime signals, cloud telemetry, and identity context. Produces explainable verdicts on the full impact of a threat or breach. Competes in the incident-response and triage layer (Mandiant, CrowdStrike Falcon).

The Cloud Detection and Response (CDR) layer of the Wiz platform — ingests runtime signals from cloud workloads, correlates them against the broader Wiz security graph, and flags active threats. Listed at roughly +$18,000/year for 300 GB of logs per month on top of the Essential or Advanced tier; priced and architected for organizations that already operate a SOC. See /vs-wiz for the full pricing breakdown.

The remediation arm of the Wiz trio. Analyzes the root cause of a high-risk issue, identifies the correct code owner via CODEOWNERS / git blame / IdP integration, and generates tailored remediation — typically as a pull request in the owning team’s repository. Integrates into agentic IDEs via a /wiz remediate slash command.

The offensive arm of the Wiz AI-SPM trio. AI-powered pen-tester that maps API attack surfaces, analyzes application logic, and conducts safe automated exploitation to validate that vulnerabilities are actually reachable. Severity is calibrated by actual business impact (PII extracted, credentials accessed) rather than by attack technique.

Optional runtime sensor add-on that supplements Wiz’s agentless cloud connector with on-workload telemetry — process events, network flows, file integrity. Listed at roughly +$28,000/year for 100 sensors on a 12-month commit. Required for several Wiz Defend detections; not included in the base Essential or Advanced tier.

An architectural principle that treats every request — from inside or outside the corporate network — as untrusted until authenticated and authorized. Replaces the traditional “castle and moat” model with continuous verification. Canonical authority: NIST SP 800-207 — Zero Trust Architecture (Aug 2020), the U.S. federal reference for ZTA tenets, logical components, and deployment models. Earlier popularized by Google’s BeyondCorp papers. Relevant to AI governance because shadow AI exploits the implicit trust the old model gave to any traffic originating inside the corporate network — and because non-human agent identities are a Zero-Trust problem the existing IAM stack was not designed for.