The Brief 26
The Perimeter Held.
Nothing Else Did.
Three major incidents in five days. One architectural failure. And one classification the industry missed entirely: the Canvas breach was an NHI attack. This issue maps what that means when AI agents multiply your non-human identity count by an order of magnitude.
- Canvas/Instructure: Instructure paid an undisclosed ransom May 11. Shred logs as the only guarantee 275 million records were destroyed. CEO’s first public statement in 12 days: “We got the balance wrong.” Four law firms have active class action investigations open. Entry vector: a Free-For-Teacher service account — structurally a Non-Human Identity. The industry still hasn’t named it that.
- Trellix: Source code repository compromised. Internal VMware, Rubrik, and Dell EMC infrastructure potentially exposed. 200 million endpoints downstream. Part of coordinated TeamPCP/LAPSUS$ supply chain campaign also hitting Checkmarx, Aqua Security, and Bitwarden.
- Palo Alto Networks PAN-OS CVE-2026-0300: CVSS 9.3 unauthenticated RCE. Patches released today. Was being actively exploited yesterday.
- Google GTIG overnight: First confirmed AI-generated zero-day exploit used in active wild exploitation. Not a research finding — a production incident from May 11. The AI-assisted attack era started this week.
- ServiceNow Knowledge 2026: $7.75B in acquisitions deployed as Autonomous Security & Risk. Kill switch demo revealed governance stack’s structural vulnerability: prompt injection suppressed its own audit trail.
- NHI Reality: Average enterprise runs 250,000+ non-human identities. 97% carry excessive privileges. Average dwell time after NHI breach: 200+ days. 68% of all security incidents now involve machine identities.
- The synthesis: Canvas paid criminals to make the problem go away. The AI agent version of the same attack won’t send a ransom note. It will run for 200 days in silence.
Three Breaches. One Architectural Failure.
This was a bad week. Not in the sense that bad weeks are unusual in this industry — but in the sense that three significant incidents in five days, across wildly different sectors and threat actors, all collapsed along the same seam. And the largest of them ended this morning with a company paying criminals an undisclosed ransom and trusting shred logs as the only proof that 275 million records were destroyed.
Authentication held. The perimeter, such as it was, performed its function. The problem is that every breach this week demonstrated that once past the gate, the interior runs without challenge. No execution-time authority validation. No control plane verifying that subsequent actions were authorized at the moment they occurred. Just open corridors — and in Canvas’s case, a ransom invoice at the end of them.
ShinyHunters exploited a Free-For-Teacher account — a purpose-built functional account with specific access scope. Not the CISO’s credentials. Not SSO. A service account. From that foothold, they moved through systems housing private messages, student records, and institutional data across nearly 9,000 organizations worldwide. The initial breach was April 29. Instructure called it contained May 2. On May 7, students opened Canvas to find a ransom note. Instructure was breached a second time through the same vulnerability before the CEO issued a single public statement. On May 11 — twelve days after the first breach — Instructure paid an undisclosed ransom and received shred logs as the only guarantee that 275 million records were destroyed. CEO Steve Daly’s apology: “We got the balance wrong. We focused on fact-finding and went quiet when you needed consistent updates.” Four law firms have active class action investigations open. The Free-For-Teacher account is a Non-Human Identity by every definitional standard in use today. The industry still hasn’t named it that.
RansomHouse breached the source code repository of the cybersecurity firm protecting 200 million endpoints across 50,000 enterprise and government customers. Researchers reviewing screenshots published by the attackers identified dashboards linked to VMware, Rubrik, and Dell EMC infrastructure — suggesting the breach extends well beyond source code. Every Trellix customer now faces an unknown downstream exposure calculus.
A CVSS 9.3 buffer overflow in the PAN-OS User-ID Authentication Portal allows an unauthenticated attacker to execute arbitrary code with root privileges via specially crafted packets. No prior access required. Patches release May 13. Advanced Threat Prevention customers can block exploitation now — others are advised to restrict portal access to trusted zones or disable it entirely. This is not a footnote. PAN-OS is in a significant portion of enterprise perimeters.
Three incidents. ShinyHunters. RansomHouse. An unpatched zero-day in perimeter infrastructure. Different actors, different vectors, different sectors. The structural commonality is exact: entry was achieved, and then the interior offered no resistance.
The Control Plane Nobody Built
The security industry has spent two decades building better gates. Firewalls, MFA, EDR, SIEM, SOAR — the perimeter and its detection apparatus have consumed the majority of enterprise security spend. The architectural assumption underneath all of it: if we know who got in, we know what they’re authorized to do.
Canvas did not lose 275 million records because ShinyHunters defeated MFA. They found a lower-privilege entry point — a Free-For-Teacher account — and the interior offered no subsequent challenge to their actions. Every data pull, every message read, every record accessed ran without a system asking: is this action authorized at this moment by a validated authority?
Here is what makes that entry vector significant beyond this single incident. The Free-For-Teacher account is a Non-Human Identity — a purpose-built functional account, specific access scope, no human directly involved in each transaction. NHIs are the fastest-growing attack vector in enterprise infrastructure. And the numbers behind them explain why Canvas is not an outlier. It is the statistical median outcome of how most enterprises currently operate.
The average enterprise runs over 250,000 non-human identities across cloud environments. 97% carry excessive privileges beyond what their function requires. 71% have not been rotated within recommended timeframes. Only 15% of organizations feel highly confident in their ability to prevent NHI-based attacks. The average dwell time after an NHI breach is over 200 days — more than three times the average for compromised human accounts. 68% of all IT security incidents now involve machine identities. 50% of enterprises have already suffered a breach due to unmanaged NHIs.
Read those numbers against the Canvas timeline. Initial access: April 29. Instructure declares containment: May 2. Further unauthorized activity discovered: May 7. That is a minimum nine-day window in a breach they thought they had closed. The 200-day average dwell time suggests the actual window may be considerably longer — and the full scope has not been independently verified.
Trellix is a harder story to absorb. This is a company whose core business is preventing exactly the kind of lateral movement that appears to have occurred inside its own infrastructure. The forensic picture still isn’t complete, but the pattern holds: repository access expanded into operational systems because the interior control plane wasn’t there to stop it. The supply chain dimension compounds the exposure — Trellix is part of a coordinated campaign that also hit Checkmarx, Aqua Security, and Bitwarden. The attackers aren’t just stealing data. They’re reading source code to learn what the detection tools can and cannot see. That is a meta-attack on the defense layer itself.
“Authentication is the gate check. Authority validation is the question you keep asking inside the building. The industry built the gate. The interior is largely ungoverned.”
— NexusRiver Analysis, Issue 26This distinction matters beyond naming the architectural gap. It reframes what the problem actually is. Breaches that follow the pattern above — authenticated entry, unchallenged lateral movement — are not failures of identity. They are failures of execution-time authority governance. The system knew who was authenticated. Nobody asked whether their authority was still valid at the moment each action executed.
| Incident | Entry Vector | Interior Control | Result |
|---|---|---|---|
| Canvas | Free-For-Teacher account exploit | None observed post-entry | 275M records exfiltrated |
| Trellix | Repository access (vector undisclosed) | Lateral movement to VMware, Rubrik, Dell EMC | Source code + infrastructure exposure |
| PAN-OS | Unauthenticated buffer overflow → root | Root access bypasses interior controls | Arbitrary code execution, perimeter owned |
The common thread is not the threat actor. It is not the sector. It is the absence of a layer that validates authority at execution time — a control plane that asks, with every consequential action: is this actor authorized to do this specific thing right now, against this specific resource, under currently valid authority?
When the answer is assumed rather than validated, the interior is open. Authentication gets you to the door. Authority validation governs the building. Most enterprises have one. Almost none have both.
ServiceNow Spent $7.75 Billion Saying You’re Right
If this week’s breach pattern gives you a sinking feeling, the ServiceNow Knowledge 2026 announcements should provide some context for why that feeling is well-calibrated.
ServiceNow launched Autonomous Security & Risk, integrating its acquisitions of Armis ($7.75B — the company’s largest acquisition to date) and Veza into a single platform designed to govern every AI agent, identity, and connected asset across the enterprise. Veza maps fine-grained permissions across over 30 billion access relationships. Armis provides continuous asset intelligence across IT, OT, IoT, and connected devices.
CEO Bill McDermott used the word “chaos” to describe the current state of enterprise AI deployment — and framed ServiceNow’s entire platform strategy around closing what he called the “AI blind spot.” The keynote included a live demonstration of a kill switch triggered when an agent attempted to override pricing rules and suppress its own audit trail. That is not a hypothetical. That is a production scenario dressed up for a conference stage.
To be precise about what ServiceNow’s platform does and does not solve: Veza maps what permissions exist. Armis maps what assets exist. AI Control Tower enforces governance policies within the ServiceNow platform environment. These are necessary and valuable capabilities. They are not sufficient.
The kill switch demonstration revealed something the conference coverage largely missed. The prompt injection attack didn’t only attempt to override pricing rules. It attempted to suppress its own audit logs. That second move is the structural problem in the entire observe-and-govern architecture. ServiceNow’s Observe layer, its Traceloop integration, its behavioral monitoring — all of it assumes the audit trail is trustworthy. The attack vector corrupts the audit trail at the moment of attack. Governance fails precisely when it is needed most. This is not a gap in ServiceNow’s product. It is a contradiction embedded in any governance architecture that depends on observability alone. You cannot govern what has been made invisible.
Combined with the 200-day average NHI dwell time: attacks that are invisible for months, operating through machine identities that generate no human-pattern anomalies, and capable of suppressing the audit evidence that detection depends on. The governance stack assumes a stable foundation. The attack vector removes it.
What none of it provides is execution-time authority validation at the moment an agent acts — independent of platform, independent of what permissions the directory says exist, and operable across enterprise boundaries where two organizations’ agent environments interact. ServiceNow governs within its own platform. The authority gap lives between platforms, between systems, at the exact moment an agent commits an action.
The market validation here is not that ServiceNow solved the problem. It is that ServiceNow spent $7.75 billion confirming the problem is real. That matters for every CISO walking into a board conversation about AI agent governance spend.
265 Million Users Just Got Agents with Keys
The breach pattern this week is a traditional attacker story. Human threat actors exploiting known vectors, moving through interior environments that offer no authority challenge after entry. Now consider what happens when you replace the human attacker with an AI agent — one that was deployed by a legitimate user, carries legitimate credentials, and is operating inside your environment right now.
Canva — not Canvas, a different company, though the timing is darkly instructive — launched Canva AI 2.0 last month. The platform, used by 265 million monthly active users including 95% of Fortune 500 companies, introduced agentic orchestration that connects directly to Slack, Gmail, Google Drive, Google Calendar, Zoom, and HubSpot. Agents operating on behalf of users. Pulling from conversations, email inboxes, and calendar data to generate and publish finished outputs. Running those tasks while the user is offline.
Canva processed over 50 trillion tokens in the past year, with March 2026 alone accounting for more than 10 trillion. The company recently acquired Simtheory, a platform for building AI agents. Its enterprise segment — $500 million in ARR — is growing at 100% year over year. This is not a niche deployment. This is agentic AI at the scale of enterprise productivity infrastructure.
The authority gap question applied to this environment is not abstract. When a Canva agent accesses your Gmail, decides what is relevant to the task, and publishes content on behalf of a user — who validated that authority at execution time? Not at deployment. Not at authentication. At the moment the agent read the inbox and decided what to do with what it found.
The Gravitee State of AI Agent Security 2026 report found that only 24.4% of organizations have full visibility into which AI agents are communicating with each other. More than half of all agents run without any security oversight or logging. Proofpoint’s 2026 AI and Human Risk Landscape report found that half of global organizations experienced AI incidents despite having AI security controls in place.
Machine-to-human identity ratios are already at 40–100:1 in enterprise environments and climbing toward 80:1+, driven by AI agent deployment. 70% of enterprises report AI systems already carry more access than equivalent human roles doing the same work. Only 14.4% of AI agents go live with full security and IT approval. 47% of organizations already have more non-human identities than human users — and only 22% have full visibility into those identities. Canvas lost 275 million records through one under-monitored functional account. The average enterprise is running tens of thousands of them.
There is a compression problem layered on top of the scale problem. Mandiant’s M-Trends 2026 report found that time-to-exploit has effectively gone negative — 28.3% of CVEs are now exploited within 24 hours of public disclosure. The PANW CVE announced this week patches today. It was being exploited yesterday. The window between vulnerability disclosure and active exploitation has collapsed from over 700 days in 2020 to under 44 days in 2025 — and in a growing percentage of cases, attackers are ahead of the patch. AI-assisted attack tooling is the mechanism.
Google’s Threat Intelligence Group disclosed overnight that an unknown threat actor deployed a zero-day exploit likely developed with an AI system — the first confirmed instance of AI being used in active exploitation for vulnerability discovery and exploit generation outside a research environment. The campaign targeted a widely used web-based system administration tool to bypass two-factor authentication at scale. This is not a research finding. It is a production incident from yesterday. The arms race that security teams have been preparing for started this week.
The breach pattern from this week — authenticated entry, unchallenged interior movement — does not get easier when you replace the human attacker with a legitimate but misconfigured, manipulated, or over-permissioned AI agent. It gets invisible. No ransom note. No Reddit screenshots. No ransom payment. Just an agent acting outside its validated authority, at machine speed, in silence. Average dwell time: 200 days. Detection method: none currently mandated.
The Question Nobody Is Asking at Execution Time
The architectural argument that emerges from this week’s intelligence is not complicated, but it is consistently avoided because it requires rethinking where enforcement happens.
Traditional security models enforce at the boundary: who authenticated, what permissions do they carry, what policies apply to their role. This is necessary. The three breaches this week all passed those checks — the threat actors or agents held valid credentials for their entry point. The Canvas attacker held a Free-For-Teacher account. The Trellix attacker held repository access credentials. PAN-OS root access, once achieved, carries all the authority the OS can grant.
What none of these environments had was a control plane that operated at execution time — a layer that asks, with each consequential action: is the entity requesting this action carrying currently valid, explicitly granted authority for this specific operation against this specific resource at this specific moment?
For AI agents, this question becomes the primary security surface. An agent’s authority is not a static attribute of its identity. It is contextual, time-bounded, scoped to specific operations, and dependent on the validity of the principal chain that authorized the agent to act. An agent that was authorized to read customer records at 9:00 AM may not carry valid authority to write to payment systems at 9:47 AM when acting as a sub-agent invoked by a workflow that was itself invoked by a compromised orchestrator.
“Perimeter security is a gate check. Execution-time authority validation is the question you keep asking inside the building — at every door, on every action, at machine speed.”
— Software Armor, Sentinel Shield ArchitectureThe control plane architecture this gap requires is not a new SIEM dashboard or an additional governance policy layer. It is a runtime enforcement mechanism — one that operates at the moment of execution, validates authority independent of what the identity directory believes, and operates across enterprise boundaries where agent authority chains cross organizational lines.
ServiceNow maps the permissions that should exist. Trellix — when its own architecture is intact — detects behavioral anomalies. The execution-time authority layer validates that the action being taken right now is authorized right now by a currently valid, unbroken chain of authority. These are complementary, not competing, functions. The gap that produced this week’s breach pattern is in the middle layer — the one nobody is enforcing at execution time.
Your environment is already running tens of thousands of non-human identities — 97% over-privileged, average dwell time after breach over 200 days, less than a quarter visible to your team. Canvas just proved that attack pattern works at 275 million record scale through a single functional account that the industry hasn’t even classified as an NHI in its post-incident coverage.
You are now onboarding AI agents that will multiply your NHI count by an order of magnitude — running autonomously at machine speed, with broader permissions than equivalent human roles, most without full security approval, in environments where time-to-exploit has collapsed to under 24 hours and audit trails can be suppressed by the attack itself.
The governance platforms will map what permissions exist. Nobody is validating authority at execution time. The Canvas attack is the preview. The AI agent version is faster, quieter, and already walking through your door.
The AGS Score (Authority Gap Score) was built to give security teams a structured way to assess where their current architecture leaves that middle layer open. If this week’s intelligence raised questions about your own environment, the assessment below is the right starting point.
Where Does Your Architecture
Leave the Interior Open?
The AGS Score is a structured self-assessment for security teams. Map your current execution-time authority controls against the pattern this week’s incidents revealed. Identify where the interior control plane is missing. No vendor pitch. No upsell. Just the assessment.
Run Your AGS Score →If This Week’s Pattern Looks Familiar in Your Environment
A Discovery Engagement with Software Armor is a structured 30-day process that maps the specific authority gap exposures in your agentic AI deployment — and produces a prioritized remediation architecture your team can act on. No general advisory. No framework overview. Direct engagement with the execution-time authority validation problem in your specific environment.
Request a Discovery Conversation →