Edition 2026-05-04 · read as Security
Amazon Quick, Google MCP, Bedrock Open New Agent Attack Paths
Sources: 13 · Words: 1,293 · Read: 6 min
Topics: Agentic AI, AI Capital, LLM Inference
◆ The signal
Three new agentic AI surfaces shipped this week and all bypass procurement: Amazon Quick is a free desktop agent that OAuth-connects to Slack, Gmail, M365, Salesforce, and the local filesystem with email-only signup; Google Cloud launched 50+ managed MCP servers wiring agents directly into IAM, databases, payments, and Workspace APIs; and OpenAI models plus Bedrock Managed Agents went live in AWS tenants. Block Quick's installer and OAuth grants today, scope Bedrock IAM for OpenAI model IDs this sprint, and publish an MCP security baseline before developers wire agents into production infrastructure.
◆ INTELLIGENCE MAP
01 Shadow AI Agents Bypass Procurement — Three Surfaces in One Week
[act now] Amazon Quick, Google Cloud's 50+ MCP servers, and OpenAI on Bedrock with Managed Agents all shipped this week. Each creates a new OAuth, IAM, or tool-call surface that lands in your environment without CISO review. Quick uses a consumer signup flow; MCP exposes IAM, databases, and payments to agents; Bedrock shadow-AI controls scoped to Anthropic silently miss OpenAI.
- Google MCP Servers: 50
- Amazon Quick Integrations: 6
- Bedrock Model Providers: 3
02 AI Vendor Risk Fractures: M&A, Fraud, and Embedded Engineers
[monitor] ServiceNow absorbed Armis (CAASM/OT visibility) while already margin-pressured (−12% YTD). SharonAI's $1.25B anchor contract is allegedly tied to a sanctioned Indian data-center operator. Meanwhile, Palantir's forward-deployed engineer model is being copied by OpenAI, Anthropic, and Salesforce — embedding vendor engineers with elevated access. Outcome-based AI pricing expands telemetry egress without new DPAs.
Metrics shown: ServiceNow YTD, Palantir YTD, SharonAI contract, Anthropic valuation.
03 LLM Monoculture and Cognitive Debt Erode SOC Foundations
[monitor] Academic research shows frontier models exhibit 2–4× less output variance than human experts — empirical evidence of monoculture risk in any LLM-driven SOC automation. Separately, MIT found 83% of ChatGPT-assisted users couldn't recall content 24 hours later, and Oxford showed friendlier chatbot personas produce more factual errors. LLM-aided analysts get faster but shallower.
Metrics shown: AI variance vs human, Recall failure rate, Teens using AI peers, Google AI-gen code.
04 LLM Liability Shifts from Reputational to Actuarial
[background] OpenAI now faces 12+ wrongful-death and serious-harm lawsuits from ChatGPT interactions. The APA confirms 'therapy' is not a legally protected term, meaning any AI product can drift into therapeutic territory with no licensing gate. Plaintiffs now have both a harm template and an unregulated labeling surface — creating precedent for any LLM operator whose output contributes to user harm.
Metrics shown: Active lawsuits, Adults using AI health, Therapy term protection, LLM liability maturity (70).
◆ DEEP DIVES
01 Three Agentic AI Surfaces Shipped This Week — Your Shadow-AI Perimeter Just Tripled
The Week's Agentic Expansion, Mapped
Amazon, Google Cloud, and OpenAI-on-Bedrock each shipped something this week that inserts a new agent-to-infrastructure trust boundary security teams did not approve and, in most orgs, have not yet inventoried.
1. Amazon Quick — The New OAuth-Grant Problem
AWS released a free, always-on desktop agent that builds a local knowledge graph from Slack, Gmail, Zoom, Salesforce, M365, and the local filesystem. Onboarding requires an email. No enterprise gate, no procurement review. This is the Slack/Zoom bottom-up GTM pattern wired to OAuth scopes across the productivity stack. By the time a CASB flags it, tokens are issued and behavioral data is moving to AWS. Expect shadow installs on employee endpoints by Monday.
2. Google Cloud's 50+ MCP Servers — Agents Wired into Everything
Google shipped managed MCP servers spanning IAM, Cloud SQL, Spanner, Workspace, Maps, and payments APIs. Model Armor for prompt-injection defense, IAM Deny policies, Agent Registry, and Cloud Audit Logs are available, which is a genuinely defensible baseline. The catch: every MCP-callable agent service account is a new privileged principal in the IAM graph. Agent Registry enumeration becomes a recon primitive when misconfigured, and OTel traces from agents carry sensitive prompt content that needs DLP before SIEM ingestion.
3. OpenAI on Bedrock + Managed Agents
Any AWS account with Bedrock enabled can now invoke OpenAI frontier models and Codex, and spawn managed agents with tool access, entirely inside the VPC perimeter. Shadow-AI controls scoped to Anthropic model IDs silently fail. The new Bedrock Managed Agents service, built on OpenAI reasoning models, chains tool calls on behalf of assumed IAM roles. Prompt injection stops being a chatbot curiosity the moment the model holds credentials.
Surface | Primary Risk | Urgency | Control Gap
Amazon Quick | OAuth sprawl, knowledge-graph exfiltration | High — live now, free onboarding | OAuth app governance in M365/Workspace/Salesforce
Google MCP Servers | Agent identity sprawl, prompt injection → API abuse | High — 50+ servers live | Agent Registry governance, Model Armor enforcement
Bedrock Managed Agents | Shadow AI via OpenAI models, tool-call abuse | High — live in existing tenants | Bedrock IAM deny-by-default on new model IDs

The Cross-Source Pattern
None of these surfaces will produce a CVE. All of them will be on corporate infrastructure before the next change advisory board meets. The convergent failure mode is the same: an agent holding credentials that can reach production APIs, provisioned by a developer who thought they were testing a tool, operating under an IAM role scoped for a human. The detection gap is real. Most SOCs lack rules for agent-initiated tool calls, MCP traffic, or OAuth grants to AI productivity apps.
Three new agentic attack surfaces in a week. None of it came through a CVE. All of it came through vendor GTM.
Action items
- Block Amazon Quick's OAuth app in Entra ID, Google Workspace, and Salesforce admin consoles; add the Quick installer hash to MDM and EDR blocklists
- Enumerate every IAM role with bedrock:InvokeModel or bedrock-agent:* permissions; set deny-by-default on OpenAI foundation model IDs and alert on first-seen model invocations and agent creation events in CloudTrail
- Publish an MCP security baseline: default-deny IAM for agent service accounts, mandatory Model Armor on all endpoints, Agent Registry governance, OTel-to-SIEM with DLP, agent SAs separated from human SA pool
- Deploy detection rules for agent-initiated OAuth grants, Bun/Node runtime spawning from Python processes on ML hosts, and high-volume outbound to new *.openai.com, *.anthropic.com, and *.google.com agent endpoints not seen 30 days ago
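The Bedrock items above (deny-by-default on unapproved model IDs, first-seen model invocations, agent-creation events) as one detection pass over CloudTrail records. This is an added example, not code from the briefing or from AWS: the CloudTrail field names are assumed, the approved-provider list is a hypothetical policy, and every record is constructed.

```python
# Added example: flag unapproved Bedrock model use and agent creation in CloudTrail.
# CloudTrail field names are assumed; approved providers and all records are constructed.
from dataclasses import dataclass, field

# Bedrock model IDs are "<provider>.<model>", so allowlisting reviewed
# provider prefixes is deny-by-default for any newly enabled provider.
APPROVED_PROVIDERS = {"anthropic", "amazon"}
# Bedrock Agents lifecycle calls that should alert on first sight.
AGENT_CREATE_EVENTS = {"CreateAgent", "CreateAgentActionGroup"}

@dataclass
class BedrockMonitor:
    # account id -> model IDs already observed there (first-seen tracking)
    seen_models: dict = field(default_factory=dict)

    def evaluate(self, event: dict) -> list[str]:
        """Return the alerts raised by a single CloudTrail record."""
        alerts: list[str] = []
        if event.get("eventSource") != "bedrock.amazonaws.com":
            return alerts
        name = event.get("eventName", "")
        account = event.get("recipientAccountId", "unknown")
        actor = event.get("userIdentity", {}).get("arn", "unknown")
        if name in AGENT_CREATE_EVENTS:
            alerts.append(f"AGENT_CREATE {name} by {actor} in {account}")
        model_id = event.get("requestParameters", {}).get("modelId")
        if name.startswith("InvokeModel") and model_id:
            if model_id.split(".", 1)[0] not in APPROVED_PROVIDERS:
                alerts.append(f"UNAPPROVED_PROVIDER {model_id} by {actor} in {account}")
            seen = self.seen_models.setdefault(account, set())
            if model_id not in seen:
                seen.add(model_id)
                alerts.append(f"FIRST_SEEN_MODEL {model_id} in {account}")
        return alerts

def scan(records: list[dict]) -> list[str]:
    """Run every record through one monitor so first-seen state carries over."""
    monitor = BedrockMonitor()
    alerts: list[str] = []
    for record in records:
        alerts.extend(monitor.evaluate(record))
    return alerts

def _ct(name: str, model_id: str = "") -> dict:
    """Build a constructed CloudTrail-style record (sample data, not a real log)."""
    params = {"modelId": model_id} if model_id else {}
    return {"eventSource": "bedrock.amazonaws.com", "eventName": name,
            "recipientAccountId": "111111111111", "requestParameters": params,
            "userIdentity": {"arn": "arn:aws:iam::111111111111:role/DevRole"}}

SAMPLE_RECORDS = [
    _ct("InvokeModel", "anthropic.example-model-v1:0"),  # approved, first seen
    _ct("InvokeModel", "anthropic.example-model-v1:0"),  # approved, already seen
    _ct("InvokeModelWithResponseStream", "openai.example-model-v1:0"),  # unapproved, first seen
    _ct("CreateAgent"),  # agent creation under the dev role
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},  # not Bedrock, ignored
]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_RECORDS)))
```

The first-seen state is per account and per process lifetime; in production it would be persisted so a model ID already reviewed last month does not re-alert.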
Sources: Alejandro Saucedo - The Institute for Ethical AI & ML · Simplifying AI · TheSequence
02 AI Vendor Risk Fractures: Acquisition Integration, Sanctions Exposure, and Embedded Engineers
Three Vendor Risk Vectors, One Quarter
Three separate vendor risks landed this quarter. Each one routes through a TPRM program most security teams last touched before agents went to production.
ServiceNow Absorbs Armis — CAASM Under Margin Pressure
ServiceNow acquired Armis, the CAASM vendor a meaningful number of SOCs rely on for OT visibility and asset inventory. ServiceNow is down 12% YTD. The deal is dragging margins. The integration is real and ongoing. The 12-18 month playbook after this kind of acquisition is not mysterious: SKU consolidation, forced bundling into ITSM/SecOps licenses, API deprecation, and pricing realignment. If Armis-native capabilities sit inside your detection stack, model the 12-month exit now, while contract leverage still exists.
AI Vendor Fraud Hits the Procurement Pipeline
Short-seller research has documented a repeatable fraud pattern across several small-cap AI vendors. The headline name is SharonAI (NASDAQ: SHAZ). A $1.25B anchor contract allegedly routes through an Indian data-center operator whose newest major customer is under OFAC sanctions. The claim that NVIDIA is a strategic shareholder is fabricated. Blaize (BZAI) runs the same pattern: photoshopped logos, a four-month-old shell counterparty, a prior $120M 'customer' already proven fraudulent, roughly four months of cash remaining. Publicly: two tickers, two short reports. Not publicly, but widely rumored: more names on the same template.
The AI procurement surface is now a fraud and sanctions vector. A TPRM program that cannot detect a four-month-old shell counterparty is running behind diligence already published by short-sellers.
Forward-Deployed Engineers Are an Access Vector
Palantir's model of embedding technical consultants inside customer environments is being copied by OpenAI, Anthropic, and Salesforce. These engineers build on customer data with elevated access, usually outside the IAM rigor applied to MSSPs or contractors. This is insider-threat surface wearing a vendor logo. Separately, the sector-wide move to outcome-based AI pricing across Salesforce, HubSpot, Adobe, and Palantir requires deeper telemetry extraction from customer systems. Call it what it is: a data-sharing scope change masquerading as a pricing model change.
Vendor | Risk Signal | TPRM Action
ServiceNow / Armis | −12% YTD, margin drag, integration underway | Change-of-control review, exit runway modeling
SharonAI (SHAZ) | $1.25B contract tied to sanctioned entity; fabricated NVIDIA claim | OFAC sweep on anchor and sub-tier counterparties
Blaize (BZAI) | ~4 months cash, photoshopped partnerships | Zero tolerance — exit if present
OpenAI / Anthropic | FDE deployments copying Palantir model | JIT access, PAM vaulting, session recording

Action items
- Open a ServiceNow/Armis vendor review: map Armis-native capabilities, pull change-of-control clauses, and identify at least one alternative CAASM vendor for leverage
- Run an OFAC/sanctions sweep across AI and GPU-adjacent vendors, including named anchor customers and data-center intermediaries, with specific focus on SharonAI and Indian DC operators in the supply chain
- Bring all forward-deployed vendor engineers under MSSP-grade access governance: JIT provisioning, PAM vaulting, session recording, quarterly access reviews
- Add a data-scope addendum to any contract moving from seat-based to AI outcome-based pricing: specify telemetry scope, retention, training-data opt-out, and data residency
Sources: Laura Bratton · Edwin Dorsey from The Bear Cave · TheSequence
03 LLM Monoculture and Cognitive Debt: The Slow-Burn Erosion of SOC Quality
Three Studies, One Failure Mode
The week's research output converges on a single degradation path in LLM-assisted work. No vendor will flag it. The vendors are the ones producing it.
Model Convergence = Systemic Blind Spots
Seven frontier models were tested on expert-level philosophical reasoning. Output variance ran 2–4× lower than human experts. Consensus questions: fine. Contested questions, where legitimate expert disagreement exists: collapse toward the mean. For teams piloting LLM-based alert triage, control mapping, or policy drafting, this is empirical evidence of a monoculture. Models agree with each other and with any attacker who has modeled their outputs.
Cognitive Debt in the Analyst Pool
MIT Media Lab ran an EEG study. ChatGPT-assisted participants showed the weakest brain connectivity of any group tested. By session three, 83% couldn't quote a sentence of the work they'd just produced. The researchers called it cognitive debt: the artifact ships, the understanding does not. In a SOC, analysts who triage with AI assistance stop internalizing the patterns the assistant handles for them. When the assistant fails, the human fallback is weaker than the org chart suggests.
Sycophancy Amplifies the Problem
Oxford researchers found that chatbots tuned to sound friendlier hallucinate at measurably higher rates, including downgrading settled facts into 'differing opinions.' Google's 'Ask YouTube' shipped wrong answers during testing with the same failure mode. For IR copilots and policy Q&A, warm-and-agreeable UX is actively hostile to factual accuracy.
The Workforce Pipeline Compounds It
Common Sense Media reports 72% of US teens use AI companions. 33% prefer AI to humans for serious conversations. 12% share things with AI they won't tell friends or family. That cohort is the 2027 intern class. The behavior, pasting sensitive context into a chatbot without hesitation, is already formed. Current DLP stacks and insider-risk scoring assume a human pauses before sharing sensitive data in a chat window. The 'paste hesitation' generation is gone.
The SOC gets faster on day one and shallower over the following quarter. When the assistant fails for any reason, the human fallback is weaker than the org chart suggests.
Action items
- Mandate multi-model consensus and human-in-the-loop for any LLM-driven SOC decision: alert triage, phishing verdict, DLP exception, policy interpretation
- Run a controlled cognitive-debt audit: have 5 analysts triage 10 alerts with LLM assistance, then re-explain reasoning 24 hours later without the transcript; use results to scope where LLM assistance is permitted in IR workflows
- Review assistant personas in security-critical workflows: disable or flag sycophantic defaults; require citation-forward, terse outputs for IR copilots and policy Q&A
- Update DLP and AUP to technically block AI companion platforms (Character.ai, Replika, Pi, custom GPTs) and add detection for consumer LLM paste events on managed endpoints
Sources: Azeem Azhar, Exponential View · Rahim from Box of Amazing · Mindstream
◆ QUICK HITS
Update: PyTorch Lightning — 42-minute PyPI exposure window confirmed; attack chain crosses runtimes (Python → Bun → JS), evading Python-only EDR entirely. Add Bun-binary-on-ML-host as a near-deterministic detection rule.
Alejandro Saucedo - The Institute for Ethical AI & ML
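The Bun-binary-on-ML-host rule above, and the Bun/Node-spawned-from-Python detection in the first deep dive's action items, as one process-tree check over EDR-style process-start events. Added example, not code from the briefing: the event fields (pid, ppid, exe, host_role) are an assumed telemetry shape and the events are constructed.

```python
# Added example: flag Bun/Node runtimes with a Python ancestor on ML-tagged hosts.
# Event field names are an assumed EDR process-start shape; the events are constructed.
import os

# Cross-runtime hop the PyTorch Lightning chain used (Python -> Bun -> JS).
JS_RUNTIMES = {"bun", "node"}
MAX_ANCESTOR_DEPTH = 32  # bound the walk so a cyclic or huge tree cannot hang the rule

def is_python(exe: str) -> bool:
    """python, python3, python3.11 ... all count as the interpreter."""
    return os.path.basename(exe).startswith("python")

def find_cross_runtime_spawns(events: list[dict]) -> list[dict]:
    """Return each JS runtime process on an ML host that descends from a Python process.

    Walking the full ancestry (not just the direct parent) catches the common
    python -> sh -> bun shape where a shell sits between the two runtimes.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        if os.path.basename(ev["exe"]) not in JS_RUNTIMES or ev.get("host_role") != "ml":
            continue
        parent = by_pid.get(ev["ppid"])
        for _ in range(MAX_ANCESTOR_DEPTH):
            if parent is None:
                break
            if is_python(parent["exe"]):
                hits.append({"pid": ev["pid"], "exe": ev["exe"],
                             "python_ancestor_pid": parent["pid"], "host": ev["host"]})
                break
            parent = by_pid.get(parent["ppid"])
    return hits

# Constructed process-start events (sample data, not real EDR telemetry).
SAMPLE_EVENTS = [
    {"pid": 1,   "ppid": 0,   "exe": "/sbin/init",            "host": "ml-01",  "host_role": "ml"},
    {"pid": 200, "ppid": 1,   "exe": "/usr/bin/python3",      "host": "ml-01",  "host_role": "ml"},
    {"pid": 201, "ppid": 200, "exe": "/bin/sh",               "host": "ml-01",  "host_role": "ml"},
    {"pid": 202, "ppid": 201, "exe": "/home/u/.bun/bin/bun",  "host": "ml-01",  "host_role": "ml"},  # hit via sh
    {"pid": 300, "ppid": 1,   "exe": "/usr/bin/node",         "host": "ml-01",  "host_role": "ml"},  # no Python ancestor
    {"pid": 400, "ppid": 1,   "exe": "/usr/bin/python3",      "host": "web-01", "host_role": "web"},
    {"pid": 401, "ppid": 400, "exe": "/usr/bin/node",         "host": "web-01", "host_role": "web"},  # not an ML host
]

if __name__ == "__main__":
    for hit in find_cross_runtime_spawns(SAMPLE_EVENTS):
        print(hit)
```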
Cross-border Claude risk: Anthropic's Claude is the preferred model inside Chinese AI firms (Zhipu, MiniMax, ByteDance, Alibaba, Xiaomi) — audit Claude usage by any team operating in restricted jurisdictions for PIPL and BIS export-control exposure.
Azeem Azhar, Exponential View
ChatGPT wrongful-death docket now at 12+ suits; APA confirms 'therapy' is not a legally protected term — update AI AUP to prohibit therapeutic use and implement crisis-keyword escalation (not just blocking) on corporate LLM endpoints.
Morning Brew
AI-generated bug reports pushed Linux maintainers to delete ISDN and AX.25 subsystems in kernel 7.1 — a new class of maintenance DoS that degrades upstream project quality; update LLM-generated vuln report triage to require reproducible PoCs.
Chris Short
Google disclosed 75% of new code is now AI-generated (up from 25% in ~18 months) — SAST rules tuned for human error modes will miss AI-pattern vulnerabilities: slopsquatting, insecure deserialization defaults, overly permissive IAM templates.
Mindstream
Asset Hub is commercializing defunct-startup Slack, Jira, and email archives as LLM training data — review data-destruction clauses in any M&A wind-down agreements for exposure of subsidiary communications.
Chris Short
POET Technologies CFO leaked a Marvell NDA on live television; Marvell cancelled all POs within 6 days citing confidentiality breach — refresh executive media OPSEC briefs with NDA inventory review before next earnings cycle.
Edwin Dorsey from The Bear Cave
DeepSeek-V4 hosted inference at ~1/7th GPT-5.5 cost is pulling developer traffic to chat.deepseek.com (PRC jurisdiction) — block DeepSeek API endpoints at egress proxy and publish an interim policy permitting self-hosted weights only.
Simplifying AI
◆ Bottom line
The take.
Three new agentic AI surfaces — Amazon Quick, Google's 50+ MCP servers, and OpenAI on AWS Bedrock — all shipped this week and all bypass procurement; meanwhile, frontier models show 2–4× less variance than human experts and 83% of AI-assisted analysts can't recall their own work a day later. Block the new agents before Monday, scope your Bedrock IAM for model IDs you didn't approve, and stop assuming the human fallback still exists when the AI is wrong.
Frequently asked
- What is Amazon Quick and why is it an immediate OAuth risk?
- Amazon Quick is a free desktop agent that signs up with just an email and OAuth-connects to Slack, Gmail, Zoom, M365, Salesforce, and the local filesystem to build a local knowledge graph. Because onboarding bypasses procurement, tokens get issued and behavioral data starts flowing to AWS before CASB or vendor review can catch it. Block the installer hash in MDM/EDR and deny the OAuth app in Entra, Workspace, and Salesforce admin consoles today.
- Why do existing shadow-AI controls fail now that OpenAI models run on Bedrock?
- Most shadow-AI guardrails were scoped to specific Anthropic model IDs in Bedrock, so any IAM role with bedrock:InvokeModel can now call OpenAI frontier models and spin up Bedrock Managed Agents without tripping a policy. Those managed agents chain tool calls under assumed IAM roles, turning prompt injection into credentialed API abuse. Enumerate roles with bedrock:* permissions, set deny-by-default on OpenAI model IDs, and alert on first-seen model invocations and agent-creation events in CloudTrail.
- What should an MCP security baseline cover before developers wire agents into production?
- At minimum: default-deny IAM for agent service accounts kept separate from human SAs, mandatory Model Armor on every MCP endpoint, Agent Registry governance to prevent enumeration recon, and OTel traces routed through DLP before SIEM ingestion to strip prompt content. Google's 50+ managed MCP servers reach IAM, Cloud SQL, Spanner, Workspace, and payments, so each callable agent SA becomes a new privileged principal in the IAM graph that needs treating like a service identity, not a tool.
- How should TPRM handle forward-deployed engineers from OpenAI, Anthropic, and Salesforce?
- Treat them as insider-threat surface wearing a vendor logo and bring them under MSSP-grade access governance: just-in-time provisioning, PAM vaulting, full session recording, and quarterly access reviews. These engineers build on customer data with elevated access, often outside the IAM rigor applied to traditional contractors, and the model is spreading fast as vendors copy Palantir's playbook.
- What is cognitive debt and why does it matter for the SOC?
- Cognitive debt is the gap between what an LLM-assisted analyst ships and what they actually understand — MIT found 83% of ChatGPT-assisted participants couldn't quote a sentence of their own output by session three. In a SOC this means triage gets faster on day one but pattern recognition and fallback skills erode over the quarter, so when the assistant fails or is wrong the human backup is weaker than the org chart implies. Mitigate with multi-model consensus, human-in-the-loop on consequential decisions, and periodic unaided reasoning audits.