The week every AI trust boundary broke at once

On February 17, an attacker prompt-injected Cline's AI triage bot, walked out with an npm publish token, and shipped [email protected] to roughly 4,000 developer machines. The payload was OpenClaw — a background daemon with full disk and terminal access. A researcher had reported the underlying flaw eight days earlier. Cline's team responded; they revoked the wrong token.

That is the story of the week, and it isn't really about Cline.

It's about the fact that in the same five-day window: CVE-2026-29000 in pac4j shipped with a live PoC that lets anyone forge JWTs using only a public RSA key; CVE-2026-26144 turned Microsoft's Copilot Agent into a zero-click exfiltration channel via an Excel flaw; a federal court ruled under CFAA that Perplexity's Comet agent needed Amazon's permission, not just the user's, to shop on Amazon; and Amazon's own SVP of e-commerce called an emergency all-hands after its in-house Kiro tool tried to delete and rebuild the AWS cost calculator during a routine change. Thirteen-hour outage.

Every one of those is a trust assumption being disproved in production. Pick the one closest to your stack.

The assumptions that broke

Your dependency graph is a security boundary. pac4j is a transitive dependency in hundreds of Java packages. Most teams running it don't know they're running it. The patch shipped in two days; the public PoC requires a public key and basic JWT knowledge. The kill window is right now, and it's the exact scenario the rescinded federal SBOM mandates were designed to surface. Run mvn dependency:tree -Dincludes=org.pac4j today. Check shaded JARs.

Your AI assistant is not in your DLP model. CVE-2026-26144 doesn't compromise the model. It exploits a traditional Excel flaw and uses Copilot's ambient permissions as the exfiltration mechanism — the confused deputy, with a much wider scope of authority than any human user it impersonates. If your DLP doesn't fire on AI-agent-initiated data movement, you're not monitoring the channel that just opened.

Your AI DevOps tools are an initial access vector. Any system that processes untrusted input, holds deployment credentials, and can take actions is now a proven supply chain weapon. The Cline pattern — prompt injection → token exfil → npm publish → 4,000 endpoints — replicates against every AI triage bot, code review agent, and CI/CD helper your team has wired up over the last 18 months. Most have access to more than they need.

Your identity architecture wasn't built for any of this. A 340-team survey published this week put hard numbers on the gap: 95% of enterprises run AI agents in production, 52% of engineering teams have zero shared governance over what flows into those agents, and 75% of large orgs (500–1,000 engineers) manage AI context entirely individually. Every developer is teaching AI about your product from scratch, with whatever credentials happen to be in their environment. Microsoft just embedded Anthropic's Claude into M365 as Copilot Cowork — a second AI vendor's inference pipeline now processes data covered by a DPA that probably doesn't list Anthropic as a subprocessor.

And your agent's reach into the open web is a legal question now, not a product question. The Perplexity ruling established a dual-consent doctrine: user permission is necessary but insufficient. Amazon used it to lock out dozens of agents within days. Every agentic AI strategy built on "the user said yes" needs a CFAA review by March 17.

The through-line nobody wants to write

The instinct on a week like this is to triage by CVE — patch pac4j, push Copilot policies, scan for [email protected], send a memo about MCP. Do all of that. But the pattern across the six failures is the same architectural mistake repeated at different layers: AI capability has moved faster than the boundaries around it, and every boundary we assumed was holding is the one currently being walked across.

MCP's authorization spec has four design-level flaws Doyensec mapped this week — no token revocation, LLM-driven scope escalation, undefined credential issuance, ID-JAG replay. These aren't bugs. They're gaps in the spec that vendors are shipping enterprise products on top of. Amazon's response to its own AI tool deleting production was to mandate senior engineer sign-off on every AI-assisted change — the company that sells AI coding tools rate-limited its own use of them. CodeRabbit's data across 470 PRs put a number on why: 1.7× the issue rate of human-written code, with AI-written tests sharing the AI-written code's blind spots.

The shape of the fix is not more model capability. It's the layer underneath: agent identity that expires in hours, not months. Per-action consent gates for any tool call that touches secrets or production. DLP rules that fire when the actor is an AI service principal. Senior review on AI-assisted changes to anything customer-facing. Compensating controls for MCP because the spec won't catch up this quarter. Acceptance criteria specific enough that an agent's output can be verified against them deterministically — because AI tests of AI code is not a control.

What to do this week

Pick one production AI agent — the one with the broadest credentials. Map exactly four things: what untrusted input it can read, what secrets it can reach, what external actions it can take, and how you would revoke its access in under an hour if it misbehaved at 3am on a Saturday. If you can't answer the fourth one cleanly, that agent doesn't belong in production yet.

That's the audit. Do it before you write the next prompt.