Weekly signal

This week crystallized three practical realities for data privacy and security in agentic AI: (1) attackers are now using LLM-driven agents to perform post‑exploit reconnaissance and fast data exfiltration; (2) major agent platforms are shipping perimeter-preserving execution features and urgent runtime fixes; and (3) governance frameworks are pushing identity-first controls for non‑human identities (NHIs) because credential/secret sprawl is the primary privacy risk. These developments compress detection and remediation timelines from days to hours and change where defenders must place controls and logs.

What changed

  1. First clear in‑the‑wild LLM‑agent post‑exploit: Sysdig published a forensic timeline showing an attacker exploited a Marimo RCE (CVE‑2026‑39987) and then handed post‑compromise actions to an LLM agent that enumerated credentials, retrieved an SSH key via cloud APIs, and dumped an internal Postgres DB in under an hour — the bastion‑phase database exfiltration finished in under two minutes. The report highlights machine‑shaped command output, planning comments embedded in the session, and distributed egress via Cloudflare Workers as indicators of agent‑driven behavior.

  2. Platform operator moves to reduce blast radius: Anthropic’s late‑May Managed Agents updates (self‑hosted sandboxes, MCP tunnels, and a string of runtime fixes) let enterprises run tool execution and private MCP connectors inside customer infrastructure or constrained tunnels — a concrete mitigation pattern for keeping sensitive data out of third‑party execution environments. The same release notes also fixed permission bypasses and tightened sandbox allowlists.

  3. Governance momentum on Non‑Human Identities (NHI): Cloud Security Alliance published operational guidance on NHI governance, documenting persistent credential sprawl, short rotation windows, and the need for lifecycle, owner assignment, and zero standing privilege for agent credentials. The paper maps controls, detection gaps, and recommended IAM/privilege approaches for agent populations.

What to do with it

  1. Patch + assume compromise: If you run Marimo or similar notebook runtimes, upgrade to the patched versions immediately and rotate any cloud credentials reachable from those processes; assume a one‑hour pivot window for internet‑reachable instances. Monitor audit trails for machine‑formatted outputs and rapid, multi‑IP egress patterns.
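The indicators called out above (planning comments embedded in the command stream, machine-shaped output requests, and rapid egress spread across many destination IPs) can be turned into a first-pass triage rule over a shell/egress audit trail. The following is an added example, not Sysdig's tooling or anything from the report; the log format, the regexes and the thresholds are assumptions, and the audit lines are constructed for illustration.

```python
"""Flag sessions in an audit trail that look LLM-agent-driven.

Added example (not from the Sysdig report). Two heuristics:
  1. command stream shows planning comments and repeated structured-output requests
  2. egress reaches many distinct destination IPs within a short window
Log format (assumed): "<ISO timestamp> <session> CMD <command>"
                  or  "<ISO timestamp> <session> NET <dst_ip> <bytes>"
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: s1 mimics an agent-driven pivot, s2 is ordinary admin activity.
SAMPLE_AUDIT = """\
2026-05-20T10:00:01Z s1 CMD # Step 1: enumerate credentials before pivoting
2026-05-20T10:00:02Z s1 CMD aws sts get-caller-identity --output json
2026-05-20T10:00:05Z s1 CMD aws ec2 describe-key-pairs --output json | jq -c .
2026-05-20T10:00:09Z s1 CMD # Step 2: dump the database from the bastion
2026-05-20T10:00:10Z s1 CMD pg_dump -h 10.0.3.7 internal | gzip > /tmp/d.gz
2026-05-20T10:00:40Z s1 NET 198.51.100.10 5000000
2026-05-20T10:00:41Z s1 NET 198.51.100.11 5000000
2026-05-20T10:00:42Z s1 NET 198.51.100.12 5000000
2026-05-20T10:00:43Z s1 NET 198.51.100.13 5000000
2026-05-20T10:00:44Z s1 NET 198.51.100.14 5000000
2026-05-20T11:30:00Z s2 CMD ls -la /var/log
2026-05-20T11:30:12Z s2 CMD tail -n 50 /var/log/syslog
2026-05-20T11:31:00Z s2 NET 203.0.113.5 1200
"""

# Assumed patterns: numbered "plan" comments and explicit machine-readable output flags.
PLANNING_COMMENT = re.compile(r"^#\s*(step\s*\d+|plan|next|first|then)\b", re.IGNORECASE)
STRUCTURED_OUTPUT = re.compile(r"(--output\s+json|-o\s+json|\|\s*jq\b|--format[= ]json)")


def parse_audit(text):
    """Parse audit lines into (timestamp, session, kind, payload) tuples."""
    events = []
    for line in text.splitlines():
        ts, session, kind, rest = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), session, kind, rest))
    return events


def burst_egress(egress, window, min_ips):
    """True if >= min_ips distinct destinations are contacted within any `window`."""
    egress = sorted(egress)
    for i, (t0, _) in enumerate(egress):
        ips = {ip for t, ip in egress[i:] if t - t0 <= window}
        if len(ips) >= min_ips:
            return True
    return False


def score_sessions(events, window=timedelta(seconds=60), min_ips=4):
    """Return {session: [reasons]} for sessions matching at least one heuristic."""
    stats = defaultdict(lambda: {"planning": 0, "structured": 0, "egress": []})
    for ts, session, kind, rest in events:
        s = stats[session]
        if kind == "CMD":
            if PLANNING_COMMENT.match(rest):
                s["planning"] += 1
            if STRUCTURED_OUTPUT.search(rest):
                s["structured"] += 1
        elif kind == "NET":
            ip, _size = rest.split()
            s["egress"].append((ts, ip))

    findings = {}
    for session, s in stats.items():
        reasons = []
        if s["planning"] >= 2:
            reasons.append("planning comments embedded in command stream")
        if s["structured"] >= 2:
            reasons.append("repeated machine-formatted output requests")
        if burst_egress(s["egress"], window, min_ips):
            reasons.append(f"egress to >= {min_ips} distinct IPs within {window.seconds}s")
        if reasons:
            findings[session] = reasons
    return findings


if __name__ == "__main__":
    for session, reasons in score_sessions(parse_audit(SAMPLE_AUDIT)).items():
        print(session, "->", "; ".join(reasons))
```

Each heuristic on its own is noisy (plenty of legitimate automation asks for JSON output), so the value is in the session-level combination: a single session that plans in comments, requests machine-readable output, and then fans egress out across several IPs in seconds is the shape the report describes. Tune `window` and `min_ips` against your own baseline before alerting on them.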

  2. Move execution inward for sensitive workloads: Pilot self‑hosted sandboxes or outbound‑only MCP tunnels (or equivalent provider features) for any agent that will touch PII, regulated data, or production secrets; enforce sandbox allowlists and per‑call access approval. Validate that the agent platform enforces read‑only mounts and immutable audit logs.

  3. Treat agents as first‑class identities: Inventory NHIs (agents, MCP tokens, SDK service accounts), assign owners, enforce short‑lived credentials and just‑in‑time (JIT) access, and bake rotation/retirement into CI/CD. Apply the CSA control checklist as an operational baseline.
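The lifecycle controls in this item (named owner, short-lived credentials, just-in-time access, rotation and retirement) are easy to audit once NHIs are in an inventory. The following is an added example, not the CSA paper's schema or tooling; the field names, the 30-day rotation window and the inventory rows are assumptions constructed for illustration.

```python
"""Audit an inventory of non-human identities against basic lifecycle controls.

Added example, not from the CSA paper. Checks each NHI (agent, MCP token,
SDK service account) for: an assigned owner, credential age within the
rotation window, just-in-time rather than standing access, no wildcard
privilege, and a retirement date that has not passed.
Field names and thresholds are assumptions.
"""
from datetime import date, timedelta

MAX_CREDENTIAL_AGE = timedelta(days=30)   # assumed rotation window
TODAY = date(2026, 6, 1)                  # fixed "now" so results are deterministic

# Constructed inventory rows.
INVENTORY = [
    {"id": "agent-billing-01", "kind": "agent", "owner": "team-billing",
     "created": date(2026, 5, 20), "access_mode": "jit",
     "privileges": ["s3:GetObject"], "retire_after": date(2026, 12, 31)},
    {"id": "mcp-token-legacy", "kind": "mcp_token", "owner": None,
     "created": date(2025, 11, 2), "access_mode": "standing",
     "privileges": ["*"], "retire_after": None},
    {"id": "sdk-svc-etl", "kind": "service_account", "owner": "team-data",
     "created": date(2026, 3, 1), "access_mode": "standing",
     "privileges": ["rds:Connect"], "retire_after": date(2026, 9, 1)},
]


def audit_identity(nhi, today=TODAY, max_age=MAX_CREDENTIAL_AGE):
    """Return a list of control gaps for one identity (empty list = compliant)."""
    findings = []
    if not nhi.get("owner"):
        findings.append("no owner assigned")
    if today - nhi["created"] > max_age:
        findings.append(f"credential older than {max_age.days} days; rotate")
    if nhi.get("access_mode") != "jit":
        findings.append("standing access; move to just-in-time grants")
    if "*" in nhi.get("privileges", []):
        findings.append("wildcard privilege; scope to least privilege")
    if nhi.get("retire_after") is None:
        findings.append("no retirement date")
    elif nhi["retire_after"] < today:
        findings.append("past retirement date; revoke")
    return findings


def audit_inventory(inventory, **kwargs):
    """Return {nhi_id: [findings]} for identities with at least one gap."""
    report = {}
    for nhi in inventory:
        findings = audit_identity(nhi, **kwargs)
        if findings:
            report[nhi["id"]] = findings
    return report


if __name__ == "__main__":
    for nhi_id, gaps in audit_inventory(INVENTORY).items():
        print(nhi_id)
        for gap in gaps:
            print("  -", gap)
```

Run this as a CI/CD gate against the exported inventory so a new agent or token cannot ship without an owner and a retirement date, and treat the "rotate" and "revoke" findings as tickets with the owner field as the assignee.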

Sources: Sysdig forensic blog; Anthropic Managed Agents / release notes; Cloud Security Alliance NHI whitepaper.
