Cloud Security Alliance

New research shows rapid AI adoption is outpacing governance, with unintended AI agent behavior becoming common across enterprises    SEATTLE – April 16, 2026 – A new study conducted by the Cloud Security Alliance (CSA), the world’s leading not-for-profit organization committed to AI, cloud, and Zero Trust cybersecurity education, found that the risk posed by AI agent scope violations is no longer theoretical but increasingly common. Commissioned by Zenity, the leading security…

“The AI Vulnerability Storm: Building a Mythos-Ready Security Program” delivers a risk register, 11 priority actions, and board briefing framework built by 60+ contributors and reviewed by 250+ CISOs in a single weekend April 14, 2026. SANS Institute and the Cloud Security Alliance (CSA), alongside [un]prompted and the OWASP GenAI Security Project, today released “The AI Vulnerability Storm: Building a Mythos-Ready Security Program,” a free strategy briefing that gives CISOs and security…

If you ask most security teams who has access to their customer data, they can usually give you a clear answer. They can point to OAuth scopes, user permissions, API keys, and audit logs to back it up. However, if you ask which AI agents are exchanging that same data across tools like Salesforce, Slack, Google Drive, and Microsoft Teams, the answer is far less clear. These agent-to-agent trust relationships form when a chain executes and disappear when it completes. Individual API calls …

This is the sixth blog in a seven-part series on identity security as AI security. TL;DR: AI agents retrieve data using the permissions of whoever they authenticate as (checked), but output to shared workspaces where recipients have mixed permissions (not checked). For example, a CFO’s agent in a Slack channel can expose executive compensation to junior analysts. Four critical vulnerabilities (CVSS 9.3-9.4) hit Anthropic, Microsoft, ServiceNow, and Salesfo…

  The Importance of Securing Cloud Architecture: Safeguarding Data and Ensuring Business Continuity You may think migrating to cloud computing is just a trend, but this isn’t the case. It’s actually a necessity for organizations who want to stay competitive (and who wouldn’t?) As businesses embrace cloud services, it’s Chief Information Security Officers (CISOs) job to ensure that this transition doesn’t impact security. It’s undeniable that the cloud offers sig…

I don’t really know who coined it, but for the past six months or so we’ve been tossing around the term “Vulnpocalypse.” We use it to describe the inflection point where LLMs are able to discover zero day vulnerabilities, and create zero day exploits, faster than we can patch. It’s the core asymmetry that drove me to write my Core Collapse blog post. Our very own CISO in Residence (and CEO of Knostic), Gadi Evron, was one of the first to change my thinking about this based on a LinkedIn …

The rapid proliferation of SaaS platforms, compounded by the emergence of Agentic AI, has created a critical visibility and control gap within the enterprise for SaaS. While the Cloud Controls Matrix (CCM) effectively addresses vendor-side security, a definitive void remains regarding the customer’s responsibility in SaaS security configurations. To bridge this gap, the industry must move toward a unified standard. The SaaS Security Configuration Framework (SSCF), established through CSA…

For a lot of organizations, AI has become the answer to almost every security question. Need faster detection? Add AI. Need better prioritization? Add AI. Need help managing an exploding volume of files, messages, logs, and documents? Definitely add AI. But CSA’s new survey report, commissioned by Thales, offers a more grounded takeaway. AI can help improve security, but only if the fundamentals are already in place. For unstructured data security, the real story is not simply that A…

You can do a lot of honest work in CCM and CAIQ and still end up with one frustrating outcome: nobody outside your audit circle ever sees it. Meanwhile, a competitor with thinner controls looks “more credible” because their proof is easier to find, easier to understand, and easier to reference in a slide deck, a questionnaire, or a procurement email. Credibility isn’t only what you’ve built. It’s what you can show – in a format that someone else can cite without doing extra work. If yo…

  TL; DR Unify AI and cloud exposures into a clear and manageable security view — before your board asks why your organization is moving so fast without AI and cloud security guardrails. Key takeaways Protect business value by prioritizing attack paths over vulnerability lists. Use governance frameworks as guardrails that enable AI and cloud adoption. Consolidate your cybersecurity tool stack to eliminate blind spots between siloed security tools and teams.   Manual s…

Something unusual happened at RSAC 2026. Not unusual in the “new product launch” sense. Unusual in the “everyone independently said the same thing without coordinating” sense. Microsoft’s Vasu Jakkal: “Zero Trust must extend to AI.” Cisco’s Jeetu Patel: “Move from access control to action control. Authorize every single action.” CrowdStrike’s George Kurtz: the biggest governance gap in enterprise technology is around AI. Splunk’s John Morgan called for “an agentic trust and governance …

Enterprise organizations are dealing with an unprecedented volume of increasingly dense and complex data. SecOps teams must determine the best way to collect, organize, and use that data so they can identify, prioritize, and respond to threats efficiently and effectively. The lack of data management solutions that are both scalable and cost-effective often leads to a trade-off between visibility, latency, and costs. To optimize data architecture for SecOps, organizations need to re-think…

The Cloud Security Alliance (CSA) created the Security, Trust, Assurance, and Risk (STAR) program in August of 2011 to improve transparency and security within cloud computing. This program was built upon the Cloud Controls Matrix (CCM), a selection of cloud controls designed to secure cloud service providers and customers, and is mapped to major standards like ISO 27001. Furthering their mission, CSA STAR became a public registry for cloud providers to submit self-assessments and has co…

  AI Alone Is Not Enough The market is flooded with AI-powered security tools. Most share the same limitation: they were trained on public datasets, known attacks, and textbook patterns. They detect what they have seen before. But modern malware does not repeat itself. APT groups like APT36, Seedworm, and Lazarus do not reuse old payloads. They generate new variants for each target. An AI trained only on yesterday’s attacks will always be one step behind. During the developmen…

Despite growing awareness of unstructured data risks, many organizations lag in scalable security as cloud, AI, and automation deployments accelerate SEATTLE – March 31, 2026 – The Rise in Unstructured Data and AI Security Risks, a new survey report from the Cloud Security Alliance (CSA), the world’s leading not-for-profit organization committed to AI, cloud, and Zero Trust cybersecurity education, has revealed that traditional security and governance practices are straining to keep pace…

Recognition underscores the growing need for trusted AI security expertise as organizations accelerate adoption and seek to responsibly secure AI at scale SEATTLE — March 30, 2026 — The Cloud Security Alliance (CSA), the world’s leading not-for-profit organization committed to AI, cloud, and Zero Trust cybersecurity education, today announced that its Trusted AI Safety Expert (TAISE)—the world’s first comprehensive, research-backed AI safety certification program—has been named Best Profe…

Cloud breaches rarely begin with advanced exploits or unknown vulnerabilities. Most start with something far more ordinary: a misconfiguration. A recent real-world incident illustrates how quickly a single exposed credential can compromise an entire cloud environment. Attackers discovered AWS access keys stored in a publicly accessible S3 bucket and escalated their way to full administrative control of an AWS account in under ten minutes. The takeaway is uncomfortable but clear: in clou…

Written by Sunil Gentyala, Lead Cybersecurity and AI Security Consultant at HCLTech.   Cloud PQC Migration Priority Matrix: Urgency vs Implementation Complexity for 11 cloud security components. Upper-left quadrant (DO FIRST) items are actionable within current quarter using available tooling. Cloud PQC Migration Priority Matrix: Urgency vs Implementation Complexity for 11 cloud security migration components. Upper-left quadrant items (TLS at ALB/NLB, Cloud KMS key wrappi…

Agentic AI is redefining identity security. While 91% of organizations are deploying autonomous agents, nearly half lack formal oversight. To bridge this gap, enterprises must integrate agents into existing identity frameworks, applying the same rigorous standards used for humans. This checklist provides a unified strategy to move from shadow AI to a secure, enterprise-scale architecture by focusing on two pillars: 1. Secure production-ready AI agents: Move from AI pilot to secure produ…

We find ourselves staring into an abyss of our own construction, and the vertiginous depth of our collective negligence ought to give every security practitioner pause. Fourteen months ago, Anthropic unveiled the Model Context Protocol as the connective tissue between large language models and external systems. Nobody anticipated the celerity with which MCP would insinuate itself into enterprise infrastructure. Today it functions as the circulatory apparatus for agentic AI, concatenating …