Welcome back to This Week in AI Security. This was a week where the gates frontier labs have been building all year — government review, safety grading, state disclosure law — actually swung open or shut on schedule. Two of the year’s most capable models cleared very different bars to reach the public, an independent panel published its report card on how seriously the industry takes its own risk, and a zero-click flaw in one of the most-used AI coding tools was a reminder that the attack surface keeps growing right alongside the safeguards.

New Attack Surfaces

A zero-click flaw let attackers escape Cursor’s sandbox without a single click. Cato Networks disclosed DuneSlide, two critical vulnerabilities (CVE-2026-50548 and CVE-2026-50549, both rated 9.8 on CVSS 3.1) in the Cursor AI code editor that chain prompt injection into full remote code execution — no user interaction required. The trick lives in how Cursor’s sandbox trusts the AI agent’s own instructions: one flaw let a malicious prompt (say, one buried in an MCP server response or a search result the agent reads) redirect the sandbox’s allowed write path outside the project folder; the second abused symlink handling to bypass out-of-bounds write protections entirely. Per CSO Online’s coverage, the flaws were patched in Cursor 3.0 back in April, but public disclosure only landed this week — and with Cursor reportedly used by more than half the Fortune 500, the lag between “patched” and “publicly known” mattered. It’s the same story that’s opened this newsletter for three weeks running now: sandboxes built to contain an AI agent keep failing not because the isolation technology is new, but because the agent’s own text output is treated as more trustworthy than it should be.

Lab Releases & Research

GPT-5.6 and Grok 4.5 both went fully public this week — on very different safety terms. OpenAI moved its GPT-5.6 family (Sol, Terra, and Luna) to general availability on July 9, ending the limited-partner preview covered in last week’s edition. Per CNBC, the release followed additional testing by the Commerce Department’s Center for AI Standards and Innovation (CAISI), with OpenAI sending technical staff to Washington to work through the review directly — a preview of how Executive Order 14409’s voluntary frontier-model review process is likely to run once it’s formally in effect. The same week, xAI launched Grok 4.5, its first release since acquiring Cursor’s former coding-agent business, explicitly built for multi-hour autonomous agent runs. The contrast is the story: GPT-5.6’s rollout came with a documented government review and a stated “most robust safety stack to date,” while Grok 4.5 launched with benchmark claims but, as of this week, no published system card or structured safety evaluation — a gap that matters more than usual given the model’s design for exactly the kind of long-running, low-oversight agentic tasks that safety researchers keep flagging as highest-risk.

The UK’s AI Security Institute showed what it looks like when defenders get first crack at frontier AI. In a case study published July 7, AISI’s engineering team spent two weeks pointing frontier coding agents at their own staging cloud environment, comparing static analysis, autonomous agent probing, and human-guided red-teaming with commercial coding agents. Every model they tried surfaced valuable findings, including a “creative and non-obvious” five-step privilege-escalation chain that one model found for under £150 in token costs — the kind of subtle misconfiguration unlikely to turn up in routine review. The team’s honest caveat is worth repeating: the approach that required the most human expertise produced the most actionable results, which cuts against the narrative that AI-assisted security is a simple automate-and-forget upgrade. It’s a useful defensive counterweight to a year of headlines about AI finding exploits for attackers — the same capability, pointed inward.

Regulatory & Governance Moves

Illinois became the first state to pair AI safety disclosure with an independent audit requirement. Governor JB Pritzker signed SB 315, the Artificial Intelligence Safety Measures Act, on July 6. The law applies to frontier-model developers with over $500 million in annual revenue, requiring them to publish a framework for how they assess “catastrophic risk” — incidents that could kill or seriously injure more than 50 people, or cause over $1 million in property damage — and to report qualifying safety incidents to the state within 72 hours (24 hours if there’s imminent risk of death or serious injury). California and New York have passed comparable transparency rules this year, but per Capitol News Illinois, Illinois is the first to require independent verification of those disclosures rather than taking developers’ self-reports at face value. The law takes effect January 1, 2027, which gives covered labs about six months to build the audit infrastructure most of them don’t currently have.

The EU paired its AI Act deadlines with a new plan to actually use AI for cyber defense. On July 7, the European Commission unveiled a plan on AI and cybersecurity that commits to building EU capacity to evaluate advanced AI models’ cyber capabilities and risks before they hit the market, creating structured access frameworks so European defenders can use frontier AI for their own security work, and standing up testing infrastructure through ENISA and the Joint Research Centre. The plan explicitly builds on the AI Act, the Cyber Resilience Act, NIS2, and the Cyber Solidarity Act rather than replacing any of them — Brussels’ answer to a question this newsletter keeps returning to: once you accept that AI is now both attacker and defender tooling, regulation has to cover the “give defenders access” side, not just the “restrict misuse” side.

Industry Accountability

An independent panel graded nine major AI labs on safety, and nobody passed. The Future of Life Institute published its Summer 2026 AI Safety Index on July 7, with an expert panel from UC Berkeley, Oxford, and the University of Montreal scoring companies across risk assessment, current harms, safety frameworks, existential safety, governance, and transparency. Anthropic led with a C+; OpenAI and Google DeepMind followed with a C; Meta scored a D+; Z.ai and Alibaba Cloud scored D-; and xAI, DeepSeek, and Mistral all received an F. Beyond the letter grades, the panel’s more pointed finding is that several companies have quietly walked back earlier “red line” commitments to pause development if models approached dangerous capability thresholds, and that policies barring military use of frontier models have also been rolled back at more than one lab. Grades are easy to argue with; a documented retreat from previously public commitments is harder to wave away.

What to Watch

  • Whether Grok 4.5 gets a system card. xAI has published safety evaluations for earlier Grok models; the absence of one at launch for a model explicitly built for long-running autonomous agent tasks is the kind of gap regulators on both sides of the Atlantic are now positioned to notice.
  • CAISI’s review process as a template. GPT-5.6’s path to general availability — preview, government testing, expanded release — is shaping up to be the default choreography for frontier releases under EO 14409. Watch whether the next lab to ship a frontier model follows the same script or tries to skip it.
  • How other states respond to Illinois’s audit requirement. SB 315 sets a bar California and New York’s disclosure-only laws don’t clear. If federal frontier-model rules stay voluntary, state-level audit mandates are where real enforcement teeth are most likely to show up next.
  • Whether the FLI Index’s “walked-back commitments” finding gets a rebuttal. Grades invite dismissal; specific claims about abandoned red-line and military-use pledges are checkable, and worth watching for whether any named lab publicly disputes the record.
  • Patch-to-disclosure lag on agent tooling. DuneSlide was fixed in April but only disclosed this week; GuardFall and the Cowork sandbox escape from two weeks ago followed a similar pattern. A three-week newsletter streak of sandbox failures is starting to look less like a string of coincidences and more like a category.