CIO/CISO ITsec Summary week 09, 2026

CISA replaced its acting director and announced a mission-narrowing reorganization just as the OWASP Top 10 for Agentic Applications formalized the security taxonomy for autonomous AI systems, NSA published the most actionable zero trust implementation guidelines to date, and ETH Zurich researchers dismantled the ‘zero-knowledge’ marketing claims of three major password managers serving 60 million users — while 80% of enterprise employees now use unsanctioned AI tools and Okta launched Agent Discovery to map shadow AI blast radius.
Published February 28, 2026

Executive Summary

The week of February 20–27, 2026 was marked by institutional turbulence at the nation’s primary civilian cybersecurity agency and the crystallization of agentic AI as a formal security domain. CISA replaced acting director Madhu Gottumukkala on February 27 — following controversies including uploading sensitive documents to a public ChatGPT instance — and announced a reorganization that will narrow the agency’s mission to prioritize operational technology security while shedding other functions. The timing compounds the challenges documented in previous weeks: CISA now operates with roughly one-third of its pre-2025 workforce, under its third leadership change in twelve months, while simultaneously restructuring its organizational priorities. On the AI governance front, the OWASP Top 10 for Agentic Applications — developed by over 100 experts — provided the first standardized risk taxonomy for autonomous AI systems, while Barracuda Networks warned that agentic AI has become a “threat multiplier” capable of poisoning 87% of downstream decision-making within four hours of a single agent compromise. Meanwhile, ETH Zurich cryptographers published research debunking the “zero-knowledge encryption” claims of three major password managers used by over 60 million people, identifying 25 distinct attack paths that could compromise stored credentials.

This report covers strategic IT security topics for executive leadership. For tactical CPS/ICS vulnerabilities, see the CPS Threat Intelligence report. For ransomware incidents, see the Ransomware Intelligence report.


Week of February 20 - February 27, 2026

Regulatory and Compliance

The most consequential regulatory development this week was not a new rule but a leadership and structural upheaval at the agency responsible for enforcing many of them. On February 27, CISA replaced acting director Madhu Gottumukkala, moving him to a newly created DHS “director of strategic implementation” role focused on Secretary Noem’s priorities around curbing waste, fraud, and abuse. Nick Andersen, executive assistant director for cybersecurity, will now serve as acting director — the agency’s third leader in twelve months. Gottumukkala’s tenure was marked by congressional scrutiny after reports that he failed a polygraph test and uploaded sensitive documents to a public version of ChatGPT, raising pointed questions about security practices at the agency charged with defending the nation’s digital infrastructure. Beyond the leadership change, CISA announced a reorganization that will narrow the agency’s mission, deprioritizing certain activities to concentrate resources on operational technology security and other high-profile goals. The agency’s chief information officer and acting chief human capital officer were separately told to accept reassignment within DHS or resign, and CISA’s threat-hunting leader announced a departure for the private sector. For organizations that have relied on CISA for threat intelligence, vulnerability coordination, and security assessments, the compounding effects of workforce reduction, leadership instability, and mission narrowing represent a sustained degradation of federal cybersecurity capacity that shows no signs of stabilizing. (Axios, TechCrunch, Cybersecurity Dive, GovInfoSecurity, Federal News Network)

The EU’s cybersecurity regulatory calendar continued to solidify, with two critical Cyber Resilience Act milestones now visible on the near-term horizon. Conformity assessment bodies (CABs) will begin operating on June 11, 2026, and mandatory reporting of actively exploited vulnerabilities begins September 11, with ENISA building a centralized Single Reporting Platform for all submissions. In parallel, the European Commission’s January 20 cybersecurity package — proposing a revised Cybersecurity Act (CSA2) and targeted NIS2 amendments — continued to draw legal analysis, with DLA Piper and LexisNexis publishing detailed assessments of how the package would simplify compliance for an estimated 28,700 companies by creating a new “small midcap” enterprise category with reduced supervisory intensity and consolidating breach reporting under NIS2, GDPR, DORA, and the Critical Entities Resilience Directive into a single unified platform. For multinational organizations, the proposed unified reporting mechanism would represent a meaningful reduction in regulatory fragmentation — but the legislative timeline means dual compliance with existing and forthcoming frameworks remains necessary through at least 2027. (DLA Piper, LexisNexis, CMS Law-Now)

The SEC’s evolving enforcement posture gained additional clarity this week. The Cyber and Emerging Technologies Unit is shifting toward enforcement actions premised on traditional fraud concepts rather than targeting disclosure failures at a lower negligence standard. Companies filing Form 10-K must now use the Cybersecurity Disclosure Taxonomy in iXBRL format, including a specific flag for material cybersecurity risk impact. The fraud-based approach raises the stakes considerably: intentional misrepresentation of cybersecurity posture could trigger securities fraud charges rather than mere compliance violations. CISOs and general counsel should ensure that materiality determinations are well-documented, board communications accurately reflect known risks, and incident response processes are robust enough to withstand regulatory scrutiny conducted through a fraud lens. (White & Case, PwC)

AI Governance and Agentic AI

The OWASP Top 10 for Agentic Applications 2026, developed by over 100 experts and released in late 2025, gained significant traction this week as organizations began applying its risk taxonomy to production AI deployments. The framework identifies ten critical risk categories, including agent goal hijacking (where attackers redirect agent objectives by manipulating instructions, tool outputs, or external content), tool misuse and exploitation, identity and privilege abuse (exploiting inherited or cached credentials and agent-to-agent trust), agentic supply chain vulnerabilities, unexpected code execution, and memory and context poisoning. The framework’s central architectural principle — “least agency,” stating that AI agents should be given the minimum autonomy, tool access, and credential scope required for their intended task — provides a concrete design constraint that security architects can apply immediately. For organizations that adopted the Promptware Kill Chain framework discussed in last week’s report, the OWASP taxonomy complements it by providing a risk classification system that maps to specific defensive controls. (OWASP, Palo Alto Networks)

Barracuda Networks published an analysis on February 27 characterizing agentic AI as the “2026 threat multiplier,” warning that autonomous AI agents enable adaptive attacks that operate without human oversight. The research highlighted a particularly alarming finding: a single compromised AI agent can poison 87% of downstream decision-making within four hours, as corrupted outputs cascade through interconnected agent ecosystems. This cascading failure mode distinguishes agentic AI risk from traditional software vulnerabilities — the blast radius is determined not by a single system’s exposure but by the density and trust relationships of the agent network. Simultaneously, Orca Security disclosed “RoguePilot,” a vulnerability in GitHub Codespaces that allowed attackers to seize control of repositories by injecting malicious Copilot instructions into GitHub issues. The attack demonstrated that AI coding assistants can be weaponized through the same collaboration channels developers rely on, turning trusted development infrastructure into an attack vector. (Barracuda, Help Net Security)

Bruce Schneier published two pieces with strategic implications during the week. His coverage of ETH Zurich’s password manager research (discussed below under Identity) is directly relevant to credential management strategy. Separately, he highlighted research showing that LLMs generate predictable passwords — a finding with implications for organizations using AI assistants to generate credentials or security configurations, and a reminder that AI-generated outputs should never be trusted as cryptographically random without independent verification. (Schneier on Security — LLMs Generate Predictable Passwords)

Okta announced Agent Discovery within its Identity Security Posture Management (ISPM) platform, enabling organizations to discover shadow AI agents, uncover hidden identity risks and misconfigurations of both unknown and known agents, and map each agent’s potential blast radius across enterprise systems. The announcement reflects the maturation of shadow AI from an awareness problem to a tooling problem — the 80% of enterprise employees now using unsanctioned AI tools (per JumpCloud’s February data) need to be discovered and governed rather than simply prohibited. Okta also released version 1.1 of its Security Technical Implementation Guide (STIG), adding hardening recommendations specifically for non-human identities and network security configurations relevant to US government agencies. (Okta — Agent Discovery, Okta — STIG 1.1, JumpCloud)

Board-Level Risk and CISO Strategy

The CISA leadership instability documented above has direct implications for board-level risk committees. Organizations that incorporated CISA threat intelligence, vulnerability coordination, and security assessment services into their risk management frameworks now face a sustained reduction in federal cybersecurity capacity. The agency’s announced reorganization — prioritizing operational technology security while shedding other missions — means that organizations in sectors outside OT may find federal support further diminished. Board risk committees should evaluate their organization’s dependency on CISA services and determine whether commercial alternatives or sector-specific ISACs can fill emerging gaps, recognizing that this is not a temporary disruption but an ongoing structural shift.

The shadow AI challenge reached a statistical threshold that demands executive attention. JumpCloud’s February 2026 data found that 80% of office workers now use some form of public AI without IT department knowledge, while 70% of employee AI interactions occur through features embedded in existing SaaS applications — making shadow AI increasingly difficult to detect through traditional endpoint controls. IBM’s 2025 Cost of Data Breach Report pegged AI-associated breach costs at over $650,000 per incident. Unlike earlier generations of shadow IT, shadow AI is inherently data-intensive: employees routinely paste proprietary documents, customer records, source code, and regulated information into unapproved AI tools. The embedded nature of AI in SaaS platforms means that blocking specific AI applications is no longer sufficient — governance must extend to AI features within approved enterprise tools. (JumpCloud, Palo Alto Networks, TechTarget)

RSA Conference 2026, scheduled for March 23–26 at Moscone Center in San Francisco, is expected to center on agentic AI identity management and sovereign security as dominant themes. ABI Research’s pre-conference analysis predicts that geopolitical tensions will drive significant interest in sovereign cloud and sovereign AI offerings, with cybersecurity increasingly framed as a national strategic capability rather than a corporate IT function. CISOs should watch for concrete vendor announcements around agentic AI security, identity management for machine identities, and cloud-native security platform consolidation, while maintaining appropriate skepticism about AI capability claims that lack demonstrated implementations. (ABI Research, RSAC)

Cloud Security Posture

The Google-Wiz acquisition, which received unconditional EU approval on February 10 and is expected to close financially in March 2026, continued to reshape cloud security strategy discussions this week. With the $32 billion deal absorbing the leading multi-cloud security platform into a single hyperscaler’s ecosystem, organizations relying on Wiz for cloud-agnostic security monitoring should evaluate contingency plans in the event that Wiz’s cross-cloud capabilities are gradually prioritized toward Google Cloud. The CSPM market’s ongoing consolidation — 75% of new CSPM purchases in 2025 were already part of integrated Cloud-Native Application Protection Platforms (CNAPP) — means that cloud security tool selection is increasingly a platform decision rather than a point-product evaluation. CrowdStrike’s reporting of a 75% year-over-year increase in cloud environment intrusions, combined with IBM’s finding that public-cloud-only breach costs average $5.17 million, underscores the urgency of getting cloud security architecture right during this consolidation wave. (Gartner, GlobeNewsWire)

Trend Micro’s research report “What OpenClaw Reveals About Agentic Assistants,” published in February, documented how AI-powered assistants operating in cloud environments introduce novel security challenges through their interaction patterns with cloud APIs, container orchestration layers, and data stores. The research highlighted that agentic assistants operating with elevated cloud permissions create lateral movement opportunities that traditional CSPM tools are not designed to detect, as the agents’ behavior — accessing multiple services, querying databases, and modifying configurations — mimics legitimate administrative activity. This finding reinforces the need for CSPM solutions to evolve beyond static misconfiguration detection toward behavioral analysis that can distinguish authorized agent activity from compromised agent behavior. (Trend Micro)

Identity, Access Management and Zero Trust

The NSA released its Zero Trust Implementation Guidelines (ZIGs) on February 19 — the most granular and actionable zero trust guidance published by a US government agency to date. Phase One defines 36 activities supporting 30 zero trust capabilities for establishing a secure baseline, while Phase Two adds 41 activities enabling 34 additional capabilities focused on integrating core zero trust solutions. The two-phase structure provides a practical maturity roadmap that organizations can use to benchmark their progress, rather than the aspirational frameworks that have characterized much of the zero trust discourse to date. The American Hospital Association specifically recommended that healthcare organizations adapt these guidelines given the sector’s elevated targeting, while Infosecurity Magazine’s analysis noted that the gap between the NSA’s 77-activity framework and typical enterprise implementations remains substantial — Gartner projects that only 10% of large enterprises will achieve a mature, measurable zero trust program by year-end 2026, despite 81% claiming to be “adopting” zero trust architectures. (NSA, AHA, Infosecurity Magazine, Help Net Security)

The week’s most striking identity security research came from ETH Zurich cryptographers, published by Bruce Schneier on February 23. The researchers examined the security architectures of Bitwarden, LastPass, and Dashlane — three widely used cloud-based password managers serving over 60 million users and nearly 125,000 businesses — and identified 25 distinct attack paths ranging from integrity violations to complete access to all stored passwords. The underlying design weaknesses included missing key authentication, lack of authenticated encryption, poor key separation, and continued support for outdated cryptographic methods. Most significantly, the researchers demonstrated that the term “zero-knowledge encryption” — used by all three vendors as a core marketing claim — has no industry-accepted cryptographic definition. Researcher Matilda Backendal stated: “The promise is that even if someone is able to access the server, this does not pose a security risk to customers because the data is encrypted and therefore unreadable. We have now shown that this is not the case.” For CISOs who have mandated enterprise password manager deployments, this research warrants an immediate review of which password manager is in use, its architectural assumptions, and whether additional controls — such as hardware security keys for vault access — are needed to compensate for the identified weaknesses. (Schneier on Security, Cyber Unit)

Okta’s February platform announcements bridged the gap between identity governance and security-driven operations. By unifying Identity Threat Protection (ITP) with Identity Governance (OIG), Okta is positioning governance as a security tool rather than a compliance exercise — a distinction that matters as non-human identities proliferate and compliance-only approaches create blind spots that attackers exploit. The new Identity Security Posture Management and Privileged Access capabilities provide end-to-end coverage for AI agents, service accounts, shared accounts, break-glass identities, API keys, access tokens, and automation tools. The convergence of identity governance and threat protection into a single platform reflects the broader industry recognition, reinforced by the OWASP Agentic Applications taxonomy, that managing identity for autonomous agents requires continuous security assessment rather than periodic compliance reviews. (Okta, Okta)

Vendor and Supply Chain Risk

Google’s disruption of UNC2814 — a suspected China-nexus cyber espionage group that breached at least 53 organizations across 42 countries — underscored the persistent scale and sophistication of state-sponsored supply chain and espionage operations. While the tactical details fall outside this report’s scope, the strategic implication is clear: organizations must assume that state-level adversaries are actively operating within their extended supply chains, and that detection often requires the combined visibility of multiple industry partners working collaboratively. The erosion of federal coordination capacity (as CISA restructures) makes private-sector threat intelligence sharing through ISACs and vendor partnerships more critical than ever.

The Google-Wiz deal approaching financial close in March raises vendor concentration risk for the cloud security market. With Wiz as the leading multi-cloud security platform, its absorption into Google’s ecosystem could eventually reduce the competitive independence that made it attractive to AWS and Azure customers. Organizations should begin evaluating their cloud security vendor strategies against scenarios where Wiz’s multi-cloud neutrality diminishes, identifying alternative CSPM and CNAPP providers for critical capabilities. The broader pattern of hyperscaler acquisition of security platforms — following Microsoft’s investments in security, and Palo Alto’s CyberArk acquisition — means that independent best-of-breed security vendors are a diminishing category.

Industry Surveys and Research

The OWASP Top 10 for Agentic Applications provides the first industry-standard risk classification for autonomous AI systems. Developed by over 100 security experts, the taxonomy addresses risks that existing frameworks (including the OWASP Top 10 for LLM Applications) do not cover, specifically around agent autonomy, inter-agent trust, and cascading failure modes. The framework’s “least agency” principle — minimum autonomy, tool access, and credential scope for each agent — provides a concrete architectural constraint that complements the Promptware Kill Chain’s defense-in-depth model. (OWASP)

Shadow AI statistics converged from multiple sources this week to paint a consistent picture: 80% of office workers use unsanctioned AI tools (JumpCloud), 70% of employee AI interactions occur through embedded SaaS features rather than standalone applications (making detection harder), and AI-associated breaches cost over $650,000 per incident (IBM). Only 29% of organizations report readiness to secure agentic AI deployments (Help Net Security), while Barracuda’s research found that a compromised agent can poison 87% of downstream decisions within four hours. The gap between AI deployment velocity and AI security readiness represents arguably the most urgent strategic risk facing enterprise security programs in 2026.

The NSA’s Zero Trust Implementation Guidelines offer the most granular public-sector zero trust maturity model available, with 77 defined activities across two phases. However, the gap between guidance and reality remains wide: Gartner estimates only 10% of large enterprises will achieve mature zero trust by year-end 2026. The AHA’s endorsement of the framework for healthcare organizations signals that sector-specific adoption recommendations will accelerate in the coming months.

The ETH Zurich password manager research — identifying 25 attack paths across Bitwarden, LastPass, and Dashlane — represents a rare empirical challenge to vendor security marketing claims. The finding that “zero-knowledge encryption” is a marketing term without a cryptographic definition has implications beyond password managers, as similar unverified claims are used across the SaaS security industry.

Strategic Recommendations

  1. Map CISA dependency and develop alternatives. The agency’s leadership instability, workforce reduction, and mission narrowing represent a structural change, not a temporary disruption. Organizations should audit which CISA services they depend on — threat intelligence feeds, vulnerability coordination, security assessments, critical infrastructure coordination — and identify commercial, ISAC, or vendor-provided alternatives. This assessment should be reported to the board as a change in the organization’s risk environment.

  2. Adopt the OWASP Top 10 for Agentic Applications as a deployment gate. Any organization deploying or approving AI agents should evaluate each deployment against the OWASP taxonomy before production use. The “least agency” principle should be enforced as a design constraint: every agent should operate with the minimum autonomy, tool access, and credential scope required for its specific task. Organizations should combine this with the Promptware Kill Chain framework from week 08 for defense-in-depth coverage.

  3. Deploy AI discovery and governance tooling. With 80% of employees using unsanctioned AI and 70% of interactions occurring through embedded SaaS features, policy-only approaches are insufficient. Evaluate tools like Okta’s Agent Discovery (ISPM), Palo Alto Networks’ shadow AI detection, or equivalent capabilities to gain visibility into AI usage across the enterprise. Establish sanctioned AI alternatives that meet employee productivity needs — prohibition without alternatives drives shadow usage.

  4. Benchmark zero trust programs against NSA ZIG. Use the NSA’s two-phase, 77-activity framework as a maturity assessment tool. Identify which Phase One capabilities (baseline security) your organization has implemented, and develop a roadmap for Phase Two (integrated zero trust solutions). Healthcare organizations should prioritize adoption given sector-specific targeting patterns.

  5. Audit enterprise password manager deployments. The ETH Zurich research affects Bitwarden, LastPass, and Dashlane. Organizations using these tools should assess exposure, verify vendor responses to the identified vulnerabilities, and consider requiring hardware security keys for vault access as a compensating control. More broadly, evaluate any vendor’s “zero-knowledge” marketing claims against the research finding that the term has no standardized cryptographic definition.

Sources Referenced

RSS/Primary Sources

Web Search Discoveries

  • OWASP — Top 10 for Agentic Applications 2026
  • Barracuda Networks — Agentic AI as 2026 threat multiplier
  • NSA — Zero Trust Implementation Guidelines (ZIGs)
  • AHA — NSA zero trust guidelines recommendation for healthcare
  • Help Net Security — Enterprise AI agent security readiness, NSA ZT vs enterprise reality
  • TechCrunch — CISA acting director replacement
  • Cybersecurity Dive — CISA reorganization, acting director removal
  • Federal News Network — CISA leadership shakeup context
  • Nextgov — CISA CIO transfer orders, threat-hunting leader departure
  • DLA Piper — EU Cyber Resilience Act compliance guidance
  • LexisNexis — EU cybersecurity package NIS2 amendments
  • CMS Law-Now — EU cybersecurity package overview
  • White & Case — SEC 10-K cybersecurity disclosure requirements
  • PwC — SEC cyber disclosure rule analysis
  • Palo Alto Networks — OWASP agentic AI security, shadow AI definition
  • Trend Micro — OpenClaw agentic assistant research
  • JumpCloud — Shadow AI statistics 2026
  • TechTarget — Shadow AI CISO guidance
  • ABI Research — RSAC 2026 predictions
  • Cyber Unit — Password manager zero-knowledge encryption research
  • Gartner — CSPM market forecast, zero trust adoption data
  • GlobeNewsWire — CSPM market research report