Transcript

Agent security bypasses in practice & Governance gaps for enterprise agents - AI News (Apr 22, 2026)

April 22, 2026

What if the next big leap in AI agents comes from watching every click you make at work—and you can’t opt out? Welcome to The Automated Daily, AI News edition. The podcast created by generative AI. I’m TrendTeller, and today is April 22nd, 2026. Let’s get into the stories shaping how AI is built, deployed, and—more importantly—controlled.

We’ll start with a theme that keeps coming up in 2026: AI agents widen the attack surface. Zenity Labs has been publishing a steady run of security research focused on agentic systems and agent browsers. The big takeaway across the archive is that “safety layers” can be more fragile than they look—especially when attackers learn how those defenses were trained and then push models into failure modes that bypass guardrails. Several posts under a “PerplexedBrowser” banner also describe alleged attack paths in Perplexity’s Comet agent browser, including scenarios where agent behavior could expose local files or even lead to downstream account or password-vault compromise. Why this matters: when an agent can browse, read, click, and hand off tasks, you’re no longer just defending an app—you’re defending a workflow. And workflows touch everything.

That security reality lines up with a new Cloud Security Alliance survey, published with Zenity, that essentially says: enterprises are already running agents at scale, but governance hasn’t caught up. Respondents report lots of day-to-day agent usage, multiple agentic platforms inside the same organization, and a familiar problem: “shadow AI,” where unsanctioned agents exist without clear owners. The report also points to permission overreach—agents doing more than they’re supposed to—and slow detection, with many organizations saying it can take hours to even recognize and respond to issues. The significance is straightforward: agent security isn’t just model safety. It’s identity, permissions, logging, and rapid containment—because agents can move laterally across systems fast.

Now, a related development that blends productivity with new risk: OpenAI has introduced an opt-in research preview for Codex called “Chronicle.” The idea is to reduce repetitive prompting by letting Codex build “memories” from recent on-screen context. In practice, it captures screen images, summarizes what it sees into local memory files, and uses those to keep your tooling and project context straight across sessions. It’s an interesting UX direction—but it comes with sharp edges. Screen context can accidentally ingest sensitive data, and it also increases exposure to prompt-injection from whatever happens to be on screen, including untrusted web content. Even with sandboxing claims, this is the kind of feature that will make security teams ask: what permissions did we just grant, and what’s the blast radius if something goes wrong?

Google is also pushing agent-like workflows in the terminal. Gemini CLI now supports “subagents,” meaning you can split coding work across multiple specialized agents in one session, each with its own instructions and separated context. The benefit is speed and clarity: one agent can work on tests while another updates docs, without one long conversation thread turning into a tangled mess. The broader implication is that “AI coding” is shifting from a single chatbot into a small coordinating team—making governance, provenance, and review even more important, because parallel work can compound mistakes just as easily as it compounds productivity.

Staying with agents—but moving from software to workplace surveillance—Meta is rolling out an internal AI training program for U.S.-based employees and contingent workers that records mouse movement, clicks, keystrokes, and some screen context. Internal reporting says many employees objected, and Meta leadership responded that there’s no opt-out on company laptops. Meta frames the initiative as training data for computer-using agents—teaching models the mundane, real-world patterns that still trip them up, like navigating menus and using shortcuts. Why it matters: this is one of the clearest examples yet of the industry’s next data hunger—behavioral data, not just text and images. It also raises a precedent-setting question: how much monitoring will companies normalize in the name of training internal agents, and what happens when those practices collide with stricter labor and privacy regimes outside the U.S.?

On the research side, the Allen Institute for AI is proposing a pragmatic way to keep improving models without repeatedly paying the full post-training bill. Their method, called BAR—short for Branch, Adapt, Route—lets teams train separate domain “experts,” like for math, coding, tool use, or safety, and then merge them into a single mixture-of-experts system. The goal is to add new skills without wiping out old ones, a problem you’ll often hear described as catastrophic forgetting. The interesting part here isn’t a magic new model—it’s an operational strategy: upgrades become modular. If this holds up in wider use, open models could evolve more like software components, where you swap in better experts instead of rebuilding everything from scratch.

DeepMind also shared a notable insight in vision-language pretraining with TIPSv2: smaller distilled models can sometimes show better fine-grained alignment between text and specific image regions than the larger “teacher” models. That surprising result pushed the team to adjust how supervision is applied during training, aiming to strengthen patch-level grounding—the kind of capability you need for dense tasks like segmentation and detailed visual understanding. Why it matters: better alignment means more reliable “point to this, describe that” behavior. And that’s foundational for agents that must act in the physical world or in complex visual interfaces, where global captions aren’t enough.

Speaking of acting in the physical world, Z Lab researchers introduced FlashDrive, a framework aimed at making reasoning-heavy vision-language-action driving models fast enough for real-time use. The headline is latency: their work focuses on cutting end-to-end delay across the whole inference pipeline so decisions arrive quickly enough for safe autonomous driving scenarios. The significance here is that the industry has been flirting with “reasoning-first” autonomy—models that explain and plan, not just react—but those benefits don’t matter if the car can’t respond in time. FlashDrive is another sign that optimization is becoming as decisive as raw model capability.

On multimodal capability, the Qwen team published research on an “omnimodal” model designed to handle text, vision, audio, and video with very long inputs. Beyond benchmark claims, the notable direction is tighter audio-visual grounding—things like more structured, time-aware captions and richer understanding of what’s happening when. They also describe an emergent behavior they call “audio-visual vibe coding,” essentially generating code from audio-visual instructions. Why it matters: multimodal is steadily turning into a practical interface layer. The more reliably a model can connect what it sees and hears to actions—like writing software or operating tools—the closer we get to agents that feel less like chat and more like collaborators.

Now to the infrastructure race, because the story behind the story is still compute. Anthropic and Amazon have expanded their agreement for large-scale AWS capacity, leaning heavily on Amazon’s custom AI chips. The message from Anthropic is clear: demand is rising fast enough that reliability and performance are strained, and they want capacity they can count on. In parallel, Epoch AI reports that OpenAI’s massive Stargate data-center effort is visibly underway at multiple U.S. sites, with planned power capacity on a scale that starts to resemble municipal electricity demand rather than a typical tech project. These buildouts aren’t just about who has the best model—they’re about who can actually run the best model, at scale, without running out of power, chips, or grid connections.

That cost pressure is also hitting developer tools. Leaked internal documents indicate Microsoft may make significant changes to GitHub Copilot pricing and access, shifting toward token-based usage billing that more directly tracks compute. The underlying reason is familiar: serving AI at scale is expensive, and the era of aggressively subsidized usage appears to be fading. For developers, this could mean tighter limits, fewer premium model options in cheaper tiers, and a renewed push to measure ROI rather than assuming AI assistance is a flat-cost utility.

Finally, a reminder that AI’s social impact isn’t limited to the workplace or the data center. WIRED profiled a case where an AI-generated influencer persona—crafted to target U.S. political identity and engagement incentives—was used to attract followers and monetize them through subscriptions and merchandise. The account blended rage-bait politics with sexualized imagery, exploiting lax enforcement and the fact that engagement-driven algorithms don’t particularly care whether a persona is real. Why this matters: synthetic identity fraud is getting cheaper, more persuasive, and more scalable. And when it’s paired with political content, it doesn’t just scam individuals—it can distort public discourse at volume.

Before we wrap, a quick productivity note: Anthropic’s Claude is adding “live artifacts,” like dashboards and trackers that can stay connected to your apps and files and refresh with up-to-date information. This is part of a broader shift from one-off AI responses to persistent outputs—tools you reopen and rely on. It’s compelling, but it also reinforces today’s theme: as AI gets more connected to your data and systems, the stakes for permissions, auditing, and secure integrations rise with it.

That’s it for today’s AI News edition. The throughline is pretty consistent: agents are getting more capable, but they’re also getting more entangled—with your files, your workflows, your terminals, and even your workplace telemetry. Security and governance aren’t “later” problems anymore; they’re now part of the product. Links to all the stories we covered are in the episode notes. I’m TrendTeller—thanks for listening to The Automated Daily, AI News edition, and I’ll see you tomorrow.