BUSINESS

Crypto trading firm FalconX’s CEO has previously said it is considering a public listing.

A candid look at emotional intelligence and leadership blind spots.

A rogue AI agent at Meta took action without approval and exposed sensitive company and user data to employees who were not authorized to access it. Meta confirmed the incident to The Information on March 18 but said no user data was ultimately mishandled. The exposure still triggered a major security alert internally.The available evidence suggests the failure occurred after authentication, not during it. The agent held valid credentials, operated inside authorized boundaries, passing every identity check.Summer Yue, director of alignment at Meta Superintelligence Labs, described a different but related failure in a viral post on X last month. She asked an OpenClaw agent to review her email inbox with clear instructions to confirm before acting.The agent began deleting emails on its own. Yue sent it “Do not do that,” then “Stop don’t do anything,” then “STOP OPENCLAW.” It ignored every command. She had to physically rush to another device to halt the process.When asked if she had been testing the agent’s guardrails, Yue was blunt. “Rookie mistake tbh,” she replied. “Turns out alignment researchers aren’t immune to misalignment.” (VentureBeat could not independently verify the incident.)Yue blamed context compaction. The agent’s context window shrank and dropped her safety instructions. The March 18 Meta exposure hasn’t been publicly explained at a forensic level yet.Both incidents share the same structural problem for security leaders. An AI agent operated with privileged access, took actions its operator did not approve, and the identity infrastructure had no mechanism to intervene after authentication succeeded.The agent held valid credentials the entire time. Nothing in the identity stack could distinguish an authorized request from a rogue one after authentication succeeded. Security researchers call this pattern the confused deputy. An agent with valid credentials executes the wrong instruction, and every identity check says the request is fine. That is one failure class inside a broader problem: post-authentication agent control does not exist in most enterprise stacks.Four gaps make this possible. No inventory of which agents are running. Static credentials with no expiration. Zero intent validation after authentication succeeds. And agents delegating to other agents with no mutual verification.Four vendors shipped controls against these gaps in recent months. The governance matrix below maps all four layers to the five questions a security leader brings to the board before RSAC opens Monday.Why the Meta incident changes the calculusThe confused deputy is the sharpest version of this problem, which is a trusted program with high privileges tricked into misusing its own authority. But the broader failure class includes any scenario where an agent with valid access takes actions that its operator did not authorize. Adversarial manipulation, context loss, and misaligned autonomy all share the same identity gap. Nothing in the stack validates what happens after authentication succeeds.Elia Zaitsev, CTO of CrowdStrike, described the underlying pattern in an exclusive interview with VentureBeat. Traditional security controls assume trust once access is granted and lack visibility into what happens inside live sessions, Zaitsev said. The identities, roles, and services attackers use are indistinguishable from legitimate activity at the control plane.The 2026 CISO AI Risk Report from Saviynt (n=235 CISOs) found 47% observed AI agents exhibiting unintended or unauthorized behavior. Only 5% felt confident they could contain a compromised AI agent. Read those two numbers together. AI agents already function as a new class of insider risk, holding persistent credentials and operating at machine scale.Three findings from a single report — Cloud Security Alliance and Oasis Security’s survey of 383 IT and security professionals — frame the scale of the problem: 79% have moderate or low confidence in preventing NHI-based attacks, 92% lack confidence that their legacy IAM tools can manage AI and NHI risks specifically, and 78% have no documented policies for creating or removing AI identities. The attack surface is not hypothetical. CVE-2026-27826 and CVE-2026-27825 hit mcp-atlassian in late February with SSRF and arbitrary file write through the trust boundaries the Model Context Protocol (MCP) creates by design. mcp-atlassian has over 4 million downloads, according to Pluto Security’s disclosure. Anyone on the same local network could execute code on the victim’s machine by sending two HTTP requests. No authentication required.Jake Williams, a faculty member at IANS Research, has been direct about the trajectory. MCP will be the defining AI security issue of 2026, he told the IANS community, warning that developers are building authentication patterns that belong in introductory tutorials, not enterprise applications.Four vendors shipped AI agent identity controls in recent months. Nobody mapped them into one governance framework. The matrix below does.The four-layer identity governance matrix None of these four vendors replaces a security leader’s existing IAM stack. Each closes a specific identity gap that legacy IAM cannot see. Other vendors, including CyberArk, Oasis Security, and Astrix, ship relevant NHI controls; this matrix focuses on the four that most directly map to the post-authentication failure class the Meta incident exposed. [runtime enforcement] means inline controls active during agent execution.Governance LayerShould Be in PlaceRisk If NotWho Ships It NowVendor QuestionAgent DiscoveryReal-time inventory of every agent, its credentials, and its systemsShadow agents with inherited privileges nobody audited. Enterprise shadow AI deployment rates continue to climb as employees adopt agent tools without IT approvalCrowdStrike Falcon Shield [runtime]: AI agent inventory across SaaS platforms. Palo Alto Networks AI-SPM [runtime]: continuous AI asset discovery. Erik Trexler, Palo Alto Networks SVP: “The collapse between identity and attack surface will define 2026.”Which agents are running that we did not provision?Credential LifecycleEphemeral scoped tokens, automatic rotation, zero standing privilegesStatic key stolen = permanent access at full permissions. Long-lived API keys give attackers persistent access indefinitely. Non-human identities already outnumber humans by wide margins — Palo Alto Networks cited 82-to-1 in its 2026 predictions, the Cloud Security Alliance 100-to-1 in its March 2026 cloud assessment.CrowdStrike SGNL [runtime]: zero standing privileges, dynamic authorization across human/NHI/agent. Acquired January 2026 (expected to close FQ1 2027). Danny Brickman, CEO of Oasis Security: “AI turns identity into a high-velocity system where every new agent mints credentials in minutes.”Any agent authenticating with a key older than 90 days?Post-Auth IntentBehavioral validation that authorized requests match legitimate intentThe agent passes every check and executes the wrong instruction through the sanctioned API. The Meta failure pattern. Legacy IAM has no detection category for thisSentinelOne Singularity Identity [runtime]: identity threat detection and response across human and non-human activity, correlating identity, endpoint, and workload signals to detect misuse inside authorized sessions. Jeff Reed, CTO: “Identity risk no longer begins and ends at authentication.” Launched Feb 25What validates intent between authentication and action?Threat IntelligenceAgent-specific attack pattern recognition, behavioral baselines for agent sessionsAttack inside an authorized session. No signature fires. SOC sees normal traffic. Dwell time extends indefinitelyCisco AI Defense [runtime]: agent-specific threat patterns. Lavi Lazarovitz, CyberArk VP of cyber research: “Think of AI agents as a new class of digital coworkers” that “make decisions, learn from their environment, and act autonomously.” Your EDR baseline human behavior. Agent behavior is harder to distinguish from legitimate automationWhat does a confused deputy look like in our telemetry?The matrix reveals a progression. Discovery and credential lifecycle are closable now with shipping products. Post-authentication intent validation is partially closable. SentinelOne detects identity threats across human and non-human activity after access is granted, but no vendor fully validates whether the instruction behind an authorized request matches legitimate intent. Cisco provides the threat intelligence layer, but detection signatures for post-authentication agent failures barely exist. SOC teams trained on human behavior baselines face agent traffic that is faster, more uniform, and harder to distinguish from legitimate automation.The gap that remains architecturally open No major security vendor ships mutual agent-to-agent authentication as a production product. Protocols, including Google’s A2A and a March 2026 IETF draft, describe how to build it. When Agent A delegates to Agent B, no identity verification happens between them. A compromised agent inherits the trust of every agent it communicates with. Compromise one through prompt injection, and it issues instructions to the entire chain using the trust of the legitimate agent already built. The MCP specification forbids token passthrough. Developers do it anyway. The OWASP February 2026 Practical Guide for Secure MCP Server Development cataloged the confused deputy as a named threat class. Production-grade controls have not caught up. This is the fifth question a security leader brings to the board.What to do before your next board meeting Inventory every AI agent and MCP server connection. Any agent authenticating with a static API key older than 90 days is a post-authentication failure waiting to happen.Kill static API keys. Move every agent to scoped, ephemeral tokens with automatic rotation.Deploy runtime discovery. You cannot audit the identity of an agent you do not know exists. Shadow deployment rates are climbing.Test for confused deputy exposure. For every MCP server connection, check whether the server enforces per-user authorization or grants identical access to every caller. If every agent gets the same permissions regardless of who triggered the request, the confused deputy is already exploitable.Bring the governance matrix to your next board meeting. Four controls deployed, one architectural gap documented, and procurement timeline attached.The identity stack you built for human employees catches stolen passwords and blocks unauthorized logins. It does not catch an AI agent following a malicious instruction through a legitimate API call with valid credentials. The Meta incident proved that it is not theoretical. It happened at a company with one of the largest AI safety teams in the world. Four vendors shipped the first controls designed to find it. The fifth layer does not exist yet. Whether that changes your posture depends on whether you treat this matrix as a working audit instrument or skip past it in the vendor deck.

In its fourth-quarter earnings report in February, the ride-hailing giant Uber outlined its strategy to expand into autonomous vehicles. And within a month, it has successfully announced several high-profile partnerships, deepening its push into the emerging AV industry.The latest moves came this week, involving Uber’s new deals with Rivian and Nvidia.On Thursday, March 19, under a new agreement with EV maker Rivian, Uber plans to invest up to $1.25 billion and support the deployment of up to 50,000 AVs over time. The initial rollouts are expected to begin in key U.S. markets such as San Francisco and Miami in 2028.In its March 16 announcement, the company outlined plans to deploy Nvidia-powered Level 4 robotaxis on Uber’s platform beginning in 2027, with expansion across 28 cities globally by 2028. The partnership adds to a growing list of AV collaborations that are also reshaping how investors view Uber’s long-term growth strategy.Uber to invest $1.25 billion in RivianIn its March 19 announcement, Uber said it intends to invest up to $1.25 billion in the EV maker Rivian (stock up 3.5% midday) by 2031 to accelerate both companies’ AV plans.The partnership will initially deploy 10,000 fully autonomous R2 robotaxis in San Francisco and Miami in 2028 in its first phase. Uber and Rivian expect to expand this to 25 cities by 2031.Subject to achieving certain AV milestones, Uber has opened the purchase of up to 40,000 more robotaxis in 2030, bringing the total to 50,000 robotaxis in its fleet.Uber has made an initial $300 million investment toward building a scaled, fully autonomous fleet of Rivian R2 robotaxis, which will be available exclusively through the Uber platform.Uber CEO Dara Khosrowshahi said Rivian’s expertise and data from its growing vehicle base, along with Uber’s ability to manage commercial fleets, “gives us conviction to set these ambitious but achievable targets.””We couldn’t be more excited about this partnership with Uber — it will help accelerate our path to level 4 autonomy to create one of the safest and most convenient autonomous platforms in the world,” said Rivian CEO RJ Scaringe.

Uber stock is down 7% year to date.Shutterstock

The Uber-Nvidia partnershipThe Rivian deal closely follows Uber’s March 16 unveiling of its expanded partnership with Nvidia, which will power the company’s next-generation robotaxi network.Nvidia’s DRIVE Hyperion autonomous vehicle platform and Nvidia Alpamayo, a reasoning-based AI model designed to handle unpredictable scenarios such as “erratic pedestrian behavior” or “construction zones,” are at the center of this deployment.This new software stack will unlock Level 4 autonomous driving capabilities, allowing vehicles to drive without human intervention in defined environments. This agreement will follow a phased deployment, starting with data-collection vehicles to train the Alpamayo system on local driving conditions. This rollout will then move to operator-supervised deployments before transitioning to fully driverless Level 4 operations. This structure is designed to support expansion across 28 cities globally by 2028, beginning with launches in Los Angeles and San Francisco in the first half of 2027.”Autonomous technology holds enormous promise to make transportation safer, more reliable, and more accessible,” said Khosrowshahi.Wall Street sees Uber AV momentumMultiple deals have successfully marked the beginning of March for Uber, and analysts are taking note of the company’s position in the AV race.Bank of America analyst Justin Post, in a recent note shared with TheStreet, said Uber’s expanding network of partners could significantly improve its position. More Automotive:Tesla investors may miss game-changing moveKey auto parts and services company files Chapter 11 bankruptcyTop-rated analyst drops curt 8-word take on Tesla stockThis is especially true at a time when competition from Waymo and Tesla, as they scale their AV services, has increased the threat to the existing U.S. rideshare market.The rising concerns about competitors building their robotaxi fleets can be further eased by the growing number of US L4 OEM (Original Equipment Manufacturer) suppliers, along with Nvidia’s L4 platform development. Together, they can drive multiple stock expansions for Uber.BofA’s view is building on the firm’s earlier optimism, which I covered here. The shifting Uber narrative from a company that may not build AVs to a platform aggregator underscores its ability to become the primary marketplace connecting riders with robotaxi fleets, BofA notes.”Increasing competition among AV suppliers could also further encourage leading AV OEM’s, including Waymo and Tesla, to make their vehicles available on Uber’s marketplace, and we note the recent Zoox partnership as a proof point in an evolving market.”Investors may be slightly concerned and question whether it would disrupt Uber’s existing business model as a ride-share giant. Uber’s stock was down 1% intraday on Thursday, March 19, after its agreement with Rivian. However, over the past five days, Uber gained 3.4% and is up 3.5% this month, although it still remains 7.6% down year to date.Related: Rivian stock gets shocking upgrade as Iran fears raise the stakes

TheStreet aims to feature only the best products and services. If you buy something via one of our links, we may earn a commission.Why we love this dealWhether you’re running errands, going on a weekend camping trip, taking the dog for a walk, fishing, or just lounging in the backyard, your lifestyle probably takes you outside at one time or another. You may not even think about it, but the time in the sun adds up, and it’s important to protect your skin from the sun’s harmful rays. If you need a quick and easy way to negate the midday sun without taking the time to put sticky sunscreen on that you’ll probably forget to reapply later, we’ve found a great option for you.The Ygdhst UPF 50+ Sun Hoodie is an easy-to-use option that you can throw on right before you head out the door. It’s lightweight and protects a good amount of the sun to prevent sunburn and skin damage, and at just $10, it’s a smart idea to grab a few to have on hand for your outdoor adventures with the family. This 50% off deal is available for a limited time only. Ygdhst UPF 50+ Sun Hoodie, $10 (was $20) at Amazon

Courtesy of Amazon

Shop at AmazonWhy do shoppers love it?The 50+ UPF sun protection provides excellent protection from harmful rays while also feeling light and breezy. The hood stays on easily without being bulky or restrictive, keeping your neck, ears, and scalp from burning, and the thumbholes allow the sleeves to stay in place while you hike, surf, fish, and garden, while also protecting your hands. The 100% polyester material dries quickly, making it useful during trips. You can rinse it off during camping trips to dry overnight while you sleep, and it helps keep you cool and dry during activities that make you sweat. Related: Amazon is selling a $76 3-pack of sun hoodies for only $20, just in time for springIt features flatlock seams and a tagless collar that minimizes friction spots and skin irritation, while the material stretches with your body as you move. It’s available in multiple colors, such as gray, Army Green, and Ocean Blue, but the best deals are for the blue or white colors. These lighter colors also keep you cooler in the sun versus darker colors that absorb heat. Choose from sizes Small through 3X-Large. They also have a hoodless option for a higher price that doesn’t cover your neck or ears. Pros and cons of this $10 sun hoodieProsSun protection: It has a UPF 50+ rating that protects from UVB and UVA sun rays.Colorful options: The light colors keep you cooler in the sunMultiple sizes: It comes in a variety of sizes. Quick-dry: It wicks sweat and dries fast, preventing sweat buildup. Cons Length: It doesn’t cover the full hand or face, so sunscreen should still be used in those areas.Polyester: Some people may not like the eco-impact of polyester.One reviewer said, “These shirts are extremely comfortable, lightweight, moisture-wicking, and protect you from the sun. I couldn’t be happier with the 3 that I bought.”Another person said, “I picked this up for long days outdoors—mowing the lawn and other yard work. It’s definitely become a go-to piece in my sun-protection lineup. Lightweight, breathable, and blocks the sun without making me overheat. That UPF 50+ rating isn’t just marketing; I’ve worn it through hours in direct sun with no burn and no discomfort.”Shop more dealsIsnowood UPF 50+ Sun Hoodie with Mask, $12 (was $20) at AmazonZity 50+ UPF Fishing Graphic Sun Hoodie, $13 (was $25) at AmazonRoadbox UPF 50 Sun Hoodie, $10 (was $15) at AmazonThe Ygdhst UPF 50 Sun Hoodie is a great option for staying protected in the sun. It’s quick, easy, comfortable, and moisture-wicking. Best of all, it’s just $10 right now at Amazon, saving shoppers a whopping 50% off. The light colors help keep you cool, and the hood and thumbhole additions keep the shirt in place while you have fun.

A spokesperson for Paul told Forbes the video footage “omits context” and was released to “harm Taylor without any regard for the consequences for their child.”

Giving the Pentagon more funds now is a recipe for a prolonged Middle Easr war and billions in wasted tax dollars.

Who’s afraid of $4 gas? Not the executives of these restaurant and retail-store chains.

Casimo will be responsible for growing the Dutch market maker’s institutional crypto offering.

Novo Nordisk’s 7.2 mg dose of Wegovy will compete against Lilly’s GLP-1 injection.