[un]prompted March 2026 Talks — Sorted by Relevance to RA + CMM
Naming
The source page is headlined “[un]prompted II” but the body says “back for the second time in (or around) September” — i.e. the September 2026 event is [un]prompted II, and this March 3–4, 2026 conference is the prior one. This wiki uses date-based slugs to avoid the ambiguity. See [[unprompted-conference-march-2026|[un]prompted Conference — AI Security Practitioner Conference (March 3–4, 2026)]] for the catalog.
What this page is for. Anton wants to track down slides/notes/videos for the talks most likely to feed the six-plane RA and the 9-domain CMM. This page ranks the entire agenda from highest to lowest relevance to Securing AI (security OF agentic AI in enterprise), with the reasons made explicit so the ranking is auditable.
Scope filter. “Securing AI” = controls and architecture for protecting AI agents and AI-using systems. Talks about “AI for security” (using AI to find traditional vulns, do DFIR, build SOC tooling) are separated below, not omitted, because some of them still inform CMM domains (D7 Observability & Detection, D9 Operations).
Tier 1 — Direct evidence for one or more RA planes / CMM domains
These talks present concrete production architecture, control patterns, or measurement methodology that should map directly into the RA, CMM evidence rubric, or the standards crosswalk. Highest priority for slide/video pursuit.
| # | Talk | Speaker(s) | RA plane(s) | CMM domain(s) | Why it’s Tier 1 |
|---|---|---|---|---|---|
| 1 | Breaking the Lethal Trifecta (Without Ruining Your Agents) ✅ ingested | Andrew Bullen, Stripe | Egress, Control, Observability | D3, D4, D5 | Production Lethal Trifecta containment: Smokescreen + agent-tag CI; Toolshed + ToolAnnotations; queued/batched/optimistic confirmations; coins Lethal Bifecta. L3/L4 evidence; deep-agent enforcement still WIP per speaker. |
| 2 | Guardrails beyond Vibes: Shipping Security Agents in Production | J. Zhang + S. Shah, Stripe | Control, Runtime, Observability | D3, D4, D7 | Orchestrator/child agent architecture + offline+online eval — directly slot into Oversight Layer (PDP + PEP for Agentic AI) and L3 evidence |
| 3 | Capability-Based Authorization for AI Agents — Warrants That Survive Prompt Injection ✅ ingested | Niki Aimable Niyikiza, Tenuo / Snap | Identity, Control | D2, D3 | Macaroon/UCAN-lineage cryptographic warrants with monotonic attenuation across delegation hops; 4 deployment modes (in-process / sidecar / gateway / MCP-proxy); reports baseline 90%→0% multi-agent ASR on custom harness. Partially closes PEP gap from the delegation-aware angle. |
| 4 | Hooking Coding Agents with Cedar ✅ ingested | Matt Maisel, Sondera | Control, Runtime | D3, D4 | Open-source Cedar + Rust hook reference monitor for Cursor/Claude Code/Gemini CLI — trajectory event model (action/observation/control/state) as structural unit; IFC taint tracking across turns; policy agent for formal Cedar generation/validation over MCP; partially closes PEP gap from the hook-based angle |
| 5 | Securing Workspace GenAI at Google Speed: Surviving the Perfect Storm ✅ ingested | Nicolas Lidzborski, Google | Runtime, Data, Egress, Control | D3, D4, D5, D7 | Three-year Google Workspace retrospective. Names Prompt as Code as the structural framing; Agency Gap / Orchestration Hijacking / Recursive Prompt Injection (and Semantic Gaslighting) as named threat sub-classes; the four-layer “Architecting the Fortress” structural blueprint; Plan-Validate-Execute Pattern as canonical HITL pattern; Sentinel Tokens (Prompt Delimitation) for prompt delimitation. Calendar-invite hijack (Nassi et al.) as worked example. Architectural sibling to Bullen’s Stripe talk (input/orchestration/output side; Bullen covers egress/tool-policy side). |
| 6 | Your Agent Works for Me Now | Johann Rehberger | Runtime, Egress, Observability | D4, D5, D7 | Promptware as a class — delayed tool invocation, intent-activation evasion, persistence + lateral movement + C2 + exfil; previously undisclosed Gemini/Copilot exploits — feeds OWASP-ASI mappings in the CMM crosswalk |
| 7 | Glass-Box Security: Operationalizing Mechanistic Interpretability | Carl Hurd, Starseer | Observability | D7 | ”Internal EDR” + neuron-level semantic tripwires — adds a new D7 Glass-Box L4/L5 evidence path beyond OTel/SIEM |
| 8 | Are Your LLM’s Safety Mechanisms Intact? Detecting Backdoors with White-Box Analysis | Akash Mukherje, Realm Labs | Data (model), Observability | D6, D7, D8 | Backdoors that pass black-box eval but fail white-box; relevant to Supply Chain Security for Agentic AI for model-supply-chain integrity |
| 9 | Total Recon: How We Discovered 1000s of Open Agents in the Wild | A. Efrat + R. Ben Chaim, Zenity | Identity, Egress, Observability | D7, D8 | External-attack-surface evidence at scale; PowerPwn as an AI-BOM adjunct (recon tool to discover your own exposure) |
| 10 | Building Secure Agentic Systems: Lessons from Daily-Driver Agents | Brooks McMillin, Dropbox | Identity, Control, Data | D2, D3, D6 | Multi-agent memory-isolation failures + the fix is a CMM evidence gem; capability bounding as concrete L3 |
| 11 | 1.8M Prompts, 30 Alerts: Hunting Abuse in a User-Defined Agent Ecosystem | M. Rittinghouse + M. Huang, Salesforce | Observability | D7 | Asset Rarity + Query Complexity behavioral baselines at production scale — concrete L4 evidence for D7 Agent Observability (insider-threat framing) |
| 12 | Beyond the Chatbot: Delivering an Agentic SOC | P. Smith + R. Sharma, Salesforce | Control, Observability | D7, D9 | Polyphonic (supervisor–worker) architecture — direct architectural alternative; complements the RA’s Oversight Layer (PDP + PEP for Agentic AI) |
| 13 | Training BrowseSafe | Kyle Polley, Perplexity | Runtime | D4 | Production prompt-injection detection; F1 ~0.91 at <100ms; BrowseSafe-Bench is a CMM-friendly artifact (measurement + flywheel) |
| 14 | The Parseltongue Protocol — 100+ Obfuscation Methods | Joey Melo, CrowdStrike | Runtime, Data | D4, D6 | Largest published obfuscation eval (17,000+ prompts × 9 models) — drives D4 jailbreak-resistance L3/L4 evidence |
| 15 | When Passports Execute: Exploiting AI-Driven KYC Pipelines | Sean Park, TrendAI | Data, Runtime | D4, D6 | Document-embedded Indirect Prompt Injection hitting compliance verification chains — concrete RAG Hardening failure mode |
| 16 | Can You See What Your AI Saw? GenAI Endpoint Observability | Mika Ayenson, Elastic | Observability | D7 | Argues for extending OpenTelemetry semantic conventions to GenAI tool activity — likely future standard input to D7 maturity rubric |
| 17 | Detecting GenAI Threats at Scale with YARA-Like Semantic Rules (SYARA) | Mohamed Nabeel, Palo Alto Networks | Runtime, Observability | D4, D7 | 98% detection at <100ms/$0.001 — economic argument that pure-LLM gates are wrong shape for D7 |
| 18 | Operation Pale Fire: Red-Teaming goose | W. Ring + J. Peedikayil, Block | Runtime, Observability | D4, D7, D9 | Self-red-team of an open-source agent — directly informs Red Teaming Capability Framework and CMM L3 internal-red-team evidence |
| 19 | Rethinking How We Evaluate Security Agents | Mudita Khurana, Airbnb | Observability | D7, D9 | Find→confirm→patch→validate loop + capability-centric eval — directly extends CLASP |
| 20 | The AI Security Larsen Effect (capability-based vendor framework) | Maxim Kovalsky, Consortium Networks | (cross-cutting) | D1, D9 | Capability-based configure/buy/build framework — usable in CMM L2 vendor-shortlist evidence |
| 21 | AI Security with Guarantees | Ilia Shumailov, AI Sequrity | Control, Runtime | D3, D4 | Claims security guarantees for computer-use agents; if delivered, opens an L4/L5 evidence path |
| 22 | The Advent of Confidential AI | Raghu Yeluri, Intel | Data, Runtime | D4, D6 | TEEs for inference + prompts + context — concrete control for D6 (model isolation) and the Insight map’s “model security” stripe |
| 23 | Trajectory-Aware Post-Training of Open-Weight Models for Security Agents | A. Brown + M. Prashant, AWS | Data (model) | D6, D9 | Open-source SFT→GRPO pipeline + reward design — concrete approach to “build the security agent yourself” rather than depending on frontier API |
| 24 | Vibe Check: Security Failures in AI-Assisted IDEs | Piotr Ryciak, Mindgard | Runtime, Egress | D4, D5, D8 | Catalog of zero/one-click + autorun + delayed-trigger paths in Codex, Kiro, Antigravity, Cursor — direct Supply Chain Security for Agentic AI evidence |
| 25 | Injecting Security Context During Vibe Coding | Srajan Gupta, Dave | Control, Runtime | D3, D4, D8 | MCP server that injects security guidance pre-generation + verifies post-generation — slots into MCP Security + L3 evidence |
Tier 2 — Adjacent: production agent threats, governance, AI-assisted incidents
Useful for the RA threat-control matrix and for situating CMM thresholds; less directly an architectural artifact.
| # | Talk | Speaker(s) | Why Tier 2 |
|---|---|---|---|
| 26 | 8 Minutes to Admin / EtherRAT (VibeHacking) | Sergej Epp, Sysdig | Two in-the-wild AI-assisted attack campaigns — feeds an incidents page on AI-assisted ops; behavioral attribution methodology for AI-assistance |
| 27 | SIFT — FIND EVIL!! Claude Code on DFIR SIFT | Rob T. Lee, SANS | Operational MCP wiring + reference to Anthropic GTG-1002 (80–90% autonomous adversaries) — important context, mostly defender-side AI tooling |
| 28 | Three Phases of AI Adoption | Chase Hasbrouck, US Army Cyber Command | Adoption-curve framing useful for D9 maturity narrative (Shadow Automation supports) |
| 29 | Establishing AI Governance Without Stifling Innovation | Billy Norwood, FFF Enterprises | Healthcare AI governance committee — D1 governance evidence |
| 30 | Enterprise AI Governance at Snowflake | Ragini Ramalingam, Snowflake | Enterprise governance program — D1 governance evidence |
| 31 | 200 Bugs/Week/Engineer: Trail of Bits | Dan Guido, Trail of Bits | ”AI-native operating system” of incentives + sandboxing — D9 organizational redesign + L4 evidence narrative; provocative claim worth scrutiny |
| 32 | Kinetic Risk: Securing & Governing Physical AI | Padma Apparao, Intel | VLA model risks — extends scope beyond text agents; useful for “embodied” annex to RA/CMM |
| 33 | AI Notetakers: The Most Important Person in the Room | Joe Sullivan | AI-as-meeting-record governance gap — D1, D9 (consent + discovery) |
| 34 | Code Is Free: Securing Software in the Agentic Future | P. McMillan + R. Lopopolo, OpenAI | Engineering-first invariants — useful framing, mostly principle-level |
| 35 | The Hard Part Isn’t Building the Agent | Joshua Saxe, Meta | Multi-dim agent eval + genetic-algorithm self-improvement — feeds CLASP and CMM L4 measurement evidence |
| 36 | Security Guidance as a Service | S. Datta Gupta + C. Mukherjee, Adobe | AI-native defensive-knowledge service — D1 + D9 |
| 37 | Anatomy of an Agentic Personal AI Infrastructure | Daniel Miessler | Personal AI infra deepdive + OSS — useful for “AI-supply-chain at the individual end” framing |
| 38 | AI Fingerprints (BinaryShield) | N. Isak + W. Gill, Microsoft | Privacy-preserving cross-org prompt-injection threat intel — extends D7 to a sharing layer |
| 39 | Detection & Deception Engineering (Orbie) | Bob Rudis + G. Thorpe, GreyNoise | Internet-scale honeypot agent — defender capability evidence; feeds D7 narrative |
| 40 | Exploring the AI Automation Boundary for Threat Hunting | Arthi Nagarajan, Datadog | Single-agent → orchestrator-subagent migration — supports the Oversight Layer (PDP + PEP for Agentic AI) supervisor pattern |
| 41 | From OSINT Chaos to Knowledge Graph | Dongdong Sun, Palo Alto Networks | Production AI threat-intel pipeline — primarily AI-for-security, partial D7 architecture lessons |
| 42 | Zeal of the Convert: Taming Shai-Hulud with AI | Rami McCarthy, Wiz | Shai-Hulud post-mortem — incidents page candidate; AI-for-IR reference |
Tier 3 — AI for vulnerability discovery / offense (informs threat landscape, not architecture)
These describe AI agents finding traditional software vulnerabilities. They’re the “left side” of the threat landscape (attacker capability) but don’t directly populate CMM domains. Worth tracking for the field-narrative of standards lag and to inform D8 supply-chain risk assumptions.
| # | Talk | Speaker(s) | Note |
|---|---|---|---|
| 43 | Black-hat LLMs | Nicholas Carlini, Anthropic | Threat-landscape thesis from a top researcher; cite, don’t derive architecture |
| 44 | AI Found 12 Zero-Days in OpenSSL | A. Krivka + O. Vlcek, AISLE | Headline data point for “AI shifts vuln-discovery economics” |
| 45 | FENRIR: AI Hunting for AI Zero-Days at Scale | P. Girnus + D. Chen, TrendAI | 100+ vulns / 21 CVEs — concrete capability evidence |
| 46 | AI Agents for Exploiting “Auth-by-One” Errors | B. Dolan-Gavitt + V. Olesen, XBOW | AuthN/AuthZ validators as the unlock — narrow, important pattern |
| 47 | Promp2Pwn — LLMs Winning at Pwn2Own | Georgi G, Interrupt Labs | Bixby finding; capability evidence |
| 48 | AI go Beep Boop! (hardware glitching with Claude) | Adam Laurie, Alpitronic | Capability evidence; out-of-scope for enterprise RA but rhetorically powerful |
| 49 | macOS Vulnerability Research with AI | Olivia Gallucci, Datadog | AI-for-vuln-research; supply-chain implication for D8 |
| 50 | Tenderizing the Target (Marinade) | A. Grattafiori + S. Bingham, NVIDIA | Synthetic vuln injection — useful for tooling evals + D9 training data |
| 51 | Why Most ML Vulnerability Detection Fails | Jenny Guanni Qu, Pebblebed | Counterintuitive lessons (hard negatives, subsystem boundaries); 2.1-year survival figure useful for narrative |
| 52 | Source to Sink: LLM First-Party Vuln Discovery | S. Behrens + J. Cassel, Netflix | Reduces 200 false-positive findings — methodology for D7 noise reduction |
| 53 | Evaluating Threats & Automating Defense (CodeMender) | Heather Adkins, Google | Strategy-level overview; CodeMender as defender capability |
Verdict
Pursue Tier 1 first (rows 1–25) — these talks contribute architecture, control patterns, or measurement methodology that can be cited as evidence in Agentic AI Security Capability Maturity Model — A 2026 Practical Proposal L3/L4 rubrics or feed new sections of Agentic AI Security Reference Architecture (2026) (especially the Egress and Observability planes, where the CMM crosswalk currently has the thinnest evidence base).
Tier 2 is high-value supporting context — incidents, governance program design, defender capability claims worth fact-checking before they age. Especially: Sysdig VibeHacking for an incidents-page write-up; Trail of Bits for the “AI-native firm” thesis (claim deserves scrutiny — 200 bugs/week/engineer is a strong number).
Tier 3 is “AI as offensive capability” — relevant to the threat-landscape narrative but not to populating RA planes or CMM domains. Track headlines and deltas, not full talks.
Open questions for follow-up
Things this catalog can't answer from abstracts alone
- Stripe Lethal Trifecta deck — does Bullen’s CI-time tool-annotation enforcement pattern generalize beyond Stripe’s stack? (RA Egress plane needs a vendor-neutral version.)
- Snap warrants — does the Macaroon/UCAN delegation pattern survive across MCP and A2A in practice, or only in LangChain/LangGraph? Currently the most plausible answer to “Least Agency Principle in production multi-agent flows” but unverified outside Snap’s setting.
- Salesforce Asset Rarity + Query Complexity — operationalizable elsewhere, or does it require Agentforce-scale telemetry to work? D7 needs a smaller-org version.
- Trail of Bits 200 bugs/week/engineer — needs methodology check before citing (compared to what baseline; what bug class; what false-positive rate).
- Starseer “Internal EDR” — is mechanistic-interpretability tooling production-deployable today, or is it a 2027+ promise? Tier 1 ranking assumes the former.
- Anthropic GTG-1002 report (cited by SANS) — primary source needed; if real, this number anchors several CMM threat-narrative claims.