home.social

#aisvs — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #aisvs, aggregated by home.social.

  1. New post: Part 2 of the Regulatory Stack series.

    If your AI safety strategy is "the model will behave", it's a bet, not a strategy.

    The three primitives I argue are non-optional:

    • NHI w/ short-TTL identity (SPIFFE/SPIRE)
    • Gateway-enforced token & compute wallets
    • eBPF egress + IaC-sync allow-lists

    Plus deterministic replay, because "Error: 500" doesn't survive a regulator.
    CRA clock starts 11 Sept 2026.

    sakurasky.com/blog/regulatory-

    #AgenticAI #AISVS

  2. The EU AI Act says you must verify. OWASP's AISVS tells you what to verify across 14 categories. Neither tells you how to enforce.

    That gap is where most agentic deployments fail. Part 1 of our new Regulatory Stack series maps the 14 AISVS categories onto a working 16-control enforcement architecture, with the architectural read on what's actually missing in production.

    sakurasky.com/blog/regulatory-

    #AISVS #AgenticAI #AppSec #AIAct

  3. OWASP's new strategic plan is being read as a community update. It isn't.

    It commits the Foundation to AISVS assessments (covering agentic systems, MCP, and vector DBs), two new flagship certifications, and active engagement with the EU CRA, the AI Act, and NIST SSDF.

    That changes how AI security gets verified, how developers get hired, and what "state of the art" means under European regulation.

    Read my thoughts about it:

    sakurasky.com/blog/owasp-strat

    #AppSec #OWASP #AISVS #AIAct #AgenticAI