Adhoc Briefing — March 25, 2026

Run: adhoc | Articles: 22 | Tier: 1

Executive Summary

This is the densest validation week Common Nexus has seen. RSAC 2026 and Nvidia GTC produced a rare simultaneous consensus across Check Point, Microsoft, Google Cloud, CrowdStrike, ServiceNow, and Palantir: AI agents have bypassed every existing security control, and the only organizations that know their exposure are the ones that have looked. Check Point’s Oded Vanunu disclosed 6 CVEs across Claude Code, Codex, Cursor, and Gemini CLI, all demonstrating that AI coding tools operate entirely outside EDR visibility — “all security products are blind, totally blind.” Microsoft’s own VP of Data and AI Security ranked AI agent proliferation as a bigger threat than data leakage or new regulation. These are not vendor marketing statements. These are the people building the controls saying the controls don’t work yet.

The supply chain attack surface materialized concretely this week with the TeamPCP campaign. LiteLLM — 95 million monthly downloads — was compromised with a credential stealer that harvested AWS, Azure, GCP keys, SSH keys, Kubernetes secrets, and crypto wallets, using a .pth file trick that executes on every Python startup even when LiteLLM is never imported. The same actor compromised Trivy, Checkmarx KICS, GitHub Actions, and 66+ npm packages in five days using a single stolen credential. The recursive trust problem is now documented: the security tools enterprises use to verify their supply chain were themselves compromised. Meanwhile, a federal court ruled in United States v. Heppner that AI tool conversations are not privileged communications — discoverable in litigation and regulatory proceedings. For FinServ buyers, this is the ruling that converts AI governance from a best practice into an active legal risk.

The data wall this week is definitive: 97% of organizations had identity incidents in the past year, 70% tied to AI activity (Microsoft Entra); 45% of tech companies experienced data leaks from unauthorized AI use, 52% of department-level AI initiatives have no oversight (EY); 31% of organizations are confident they can comply with applicable digital law (IAPP). Copilot Cowork and Work IQ shipped — every M365 tenant now has autonomous AI agents with organizational memory, regardless of licensing tier. Common Nexus’s core thesis is no longer a prediction. It is the week’s headline.

Persona Analysis

Growth Strategist: Three independent conference stages (RSAC, GTC, Microsoft Ignite) plus a federal court ruling landed in the same week, all pointing at the same gap. That convergence is a lead generation moment — not just content fuel. The Check Point “all security products are blind” quote is the strongest RSAC soundbite of the year; the Heppner ruling is the strongest legal trigger of the quarter. Pair them: “Check Point proved your security stack can’t see AI agents. A federal court just ruled the conversations those agents have aren’t privileged either. That’s two reasons to run an assessment this month, not next quarter.” The EY 45% data leak stat is the boss-forward credibility anchor — Big Four, fresh data, precise number. Use it to open, use the court ruling to close.

Content Strategy Lead: This week supports three distinct posts, not one. Post 1 (Thursday/Friday): RSAC/Check Point angle — “6 CVEs across Claude Code, Codex, Cursor, and Gemini CLI. Your security stack is blind to all of them.” Use the Vanunu quote verbatim, add Common Nexus assessment hook. Post 2 (next week Monday): United States v. Heppner — “A federal court just ruled your Copilot conversations aren’t privileged. Here’s what that means for your firm.” This is a FinServ-specific post with compliance urgency. Post 3 (next week Wednesday): LiteLLM supply chain — “95M monthly downloads, 12 lines of obfuscated code, AWS/Azure/GCP keys stolen. Do you know which AI packages your developers are running?” Save the EY stats and CSA CSAI foundation for the following week’s content cadence. Do not over-post this week — three excellent posts beat seven good ones.

Privacy & Security Auditor: Four methodology implications from this batch. First, the Check Point CVE research expands assessment scope: AI coding assistants (Claude Code, Cursor, Copilot in IDE) are now a documented attack vector with disclosed CVEs — the assessment should inventory developer AI tool usage, not just M365 Copilot. Second, the TeamPCP LiteLLM attack is a checklist addition: PyPI package auditing for AI dependencies with the .pth persistence mechanism is a new discovery vector. Third, Copilot Cowork and Work IQ expand the M365 data surface materially — autonomous agents with organizational memory that can run multi-step tasks without prompting require updated assessment methodology to capture agent-to-agent data flows, not just user-to-AI flows. Fourth, United States v. Heppner adds a discovery risk dimension to assessment deliverables: for FinServ clients, AI conversation logs held by Microsoft, OpenAI, or Google may now be books-and-records under SEC/FINRA/CFTC, which is a finding category the assessment should document. The CSA CSAI Foundation’s AI Controls Matrix + ISO 42001 + SOC 2 stack provides a standards reference to cite in assessment reports.

Martell-Method Advisor: Three things. One: draft the Check Point RSAC LinkedIn post this week, not next — the news cycle closes in 48-72 hours and RSAC coverage peaks this week. Two: add the Heppner ruling to the standard sales conversation deck before the next prospect call — one slide, bullet points, FinServ framing. Three: flag Copilot Cowork/Work IQ as an assessment methodology update that needs to happen before the next paid engagement — this is a deliverable quality issue, not a content issue. Everything else in this briefing is reference material, not action.

Business Strategist: The Copilot-is-now-everywhere signal is a pipeline expander. Microsoft embedding Copilot in core M365 apps for all users regardless of licensing tier means every M365 customer is now an AI governance prospect — not just the ones who bought Copilot E3/E5. The qualification question shifts from “do you use Copilot?” to “do you use M365?” That is a much larger addressable market. The Agent 365 governance dashboard Microsoft launched is the control plane IT managers need help configuring — that is a natural post-assessment deliverable and potential ongoing advisory engagement. The Heppner ruling creates a new buyer persona: in-house legal and GC at FinServ firms who now need to brief their compliance team on AI conversation discovery risk. That’s a different conversation than the IT manager conversation and may require a different sales motion.

Red Team Analyst: The TeamPCP campaign is the most technically significant event in this batch because it demonstrated recursive supply chain compromise — attacking the tools that defend the supply chain. The .pth persistence mechanism in LiteLLM is particularly dangerous because it sidesteps import-based detection entirely; any Python environment with the package installed is compromised regardless of whether LiteLLM is in the active codebase. The RSAC CVE disclosures (Claude Code hooks executing before trust dialog, Cursor MCP server swap, Gemini CLI silent GEMINI.md execution) show that AI coding tools have the same privilege escalation patterns as compromised CI/CD infrastructure — they run with filesystem and network access at developer-granted privilege levels. For enterprises, the threat model is now: an attacker who can influence any AI-readable configuration file (.json, .env, .toml, .md) in a developer’s project can achieve arbitrary code execution on that developer’s machine. That is a fundamentally different attack surface than traditional malware delivery.

Blue Team Analyst: The defensive gaps are documented and addressable. For LiteLLM and PyPI supply chain risk: the immediate mitigation is pinned package versions with hash verification in requirements.txt — never install floating versions of AI proxy libraries in production. For AI coding tool CVEs: the Check Point research recommends treating every developer workstation as a zero-trust endpoint with Configuration = Code policies; practically, this means restricting AI coding assistant network access at the endpoint level and auditing .claude/, .cursor/, .gemini/ configuration directories for unexpected content. For Copilot Cowork autonomous agents: the Microsoft-published deployment blueprint recommends SharePoint Advanced Management and Purview DLP configuration before enabling agentic features — this is the gap the assessment closes. The CSA CSAI Foundation’s AI Risk Observatory will become the authoritative CVE numbering authority for agentic AI vulnerabilities; tracking it is useful for keeping assessment methodology current.

Top 3 Actions — Consensus

1. Publish RSAC Check Point LinkedIn post by Friday March 27 — use the “all security products are blind” quote, 6 CVEs across 4 AI coding tools, Common Nexus assessment hook. This is the strongest news cycle of the quarter and it has a 48-hour window.

2. Add United States v. Heppner to the sales conversation deck before the next prospect call — one slide: what was ruled, what it means for FinServ AI conversations held by Microsoft/OpenAI/Google, why an AI governance assessment now documents discovery exposure. This converts GC and compliance officer stakeholders into assessment champions.

3. Update assessment methodology and talking points to cover Copilot Cowork / Work IQ / Agent 365 — autonomous agents with org memory that run on all M365 tenants regardless of licensing are a new data exposure vector not covered by current assessment deliverables. Fix this before the next paid engagement, not after.

Articles

Critical Threat Intelligence — RSAC 2026 & GTC (3)

Supply Chain Attacks — TeamPCP / LiteLLM (3)

Legal & Regulatory (4)

Market Validation — Governance Gap Data (4)

Microsoft Copilot & M365 (3)

Data Sovereignty & Infrastructure (5)

Common Nexus Intelligence — Adhoc — Generated 2026-03-25