← Back to Security Blog
Compliance & Regulations Breaking March 7, 2026 9 min read

FBI Surveillance System Breached, New Pentagon CISO Named, CISA Expands KEV — Security Regulation Roundup

The FBI is investigating a breach of a system holding sensitive surveillance information. The Pentagon appoints James "Aaron" Bishop as its new CISO. CISA adds 23 iOS vulnerabilities from the Coruna exploit kit to the KEV catalog. Meanwhile, AI security vulnerabilities in Chrome's Gemini integration highlight the urgency of the EU AI Act's newly enforced prohibited practices. Google's 2025 zero-day report reveals 90 exploited vulnerabilities — half targeting enterprise infrastructure.


🔴 FBI Investigating Breach of Surveillance System

Critical Government Security Incident

The FBI has confirmed it is investigating "suspicious" cyber activity on a system containing sensitive surveillance information. The bureau notified members of Congress about the incident and is working to determine the scope and impact of the compromise.

Regulatory Implications

This incident carries significant implications for government cybersecurity regulation and oversight:

For EU organizations, this incident underscores the importance of NIS2 Article 21 requirements for incident handling and crisis management — even the most security-focused agencies remain vulnerable.


🛡️ Pentagon Appoints New CISO: James "Aaron" Bishop

James "Aaron" Bishop has been selected to serve as the new Pentagon Chief Information Security Officer, replacing David McKeown, who will transition to the private sector after 40 years of government service. The appointment signals continued prioritization of cybersecurity at the highest levels of U.S. defense.

What This Means for Regulation

The Pentagon CISO oversees cybersecurity policy for the Department of Defense — the world's largest organization by headcount. Bishop's appointment comes at a critical time:


⚠️ CISA Adds Coruna Exploit Kit iOS Flaws to KEV Catalog

23 iOS Vulnerabilities Added to Known Exploited Vulnerabilities Catalog

CISA has added iOS vulnerabilities exploited by the Coruna exploit kit — described as a "nation-state-grade" tool — to the Known Exploited Vulnerabilities (KEV) catalog. The exploit kit targets 23 vulnerabilities affecting iOS versions 13 through 17.2.1.

Compliance Impact

Under Binding Operational Directive (BOD) 22-01, all U.S. federal civilian agencies must remediate KEV-listed vulnerabilities within prescribed timelines. But the regulatory impact extends far beyond the U.S.:

Coruna Exploit Kit: Key Details

AttributeDetail
ClassificationNation-state grade commercial exploit kit
TargetiOS 13 through iOS 17.2.1
Vulnerabilities23 chained exploits for full device compromise
CapabilityZero-click remote code execution, persistent access
KEV StatusAll 23 CVEs now in CISA KEV catalog

🤖 AI Security Under Fire: Chrome Gemini Vulnerability & Fake Extensions

Two developments this week highlight the growing intersection of AI security and regulatory compliance:

Chrome Gemini Vulnerability (CVE-2026-0628)

Google patched CVE-2026-0628 (CVSS 8.8 — High), an elevation-of-privilege vulnerability in the Gemini AI integration within Chrome. Reported by Palo Alto Networks Unit 42, the flaw allowed malicious browser extensions with basic permissions to hijack the Gemini Live panel, potentially accessing:

Fake AI Extensions Epidemic

Security researchers continue to flag malicious browser extensions masquerading as AI tools in official app stores. These extensions provide superficial AI functionality while silently exfiltrating user data, keystroke logs, and authentication tokens.

EU AI Act Relevance

As of February 2, 2026, the EU AI Act's prohibited practices (Article 5) are now enforceable. While these specific vulnerabilities don't fall under prohibited AI categories, they highlight critical gaps in AI system security that the Act's high-risk AI requirements (effective August 2026) will address:


📊 Google Zero-Day Report: 90 Exploited Vulnerabilities in 2025

Google's annual zero-day exploitation analysis reveals 90 zero-day vulnerabilities were exploited in the wild during 2025 — with a significant shift toward enterprise-targeting:

Regulatory Takeaway

The enterprise focus of zero-day exploitation directly validates the regulatory approach of NIS2 and DORA:


🔄 Microsoft Copilot Data Protection Updates

Microsoft announced new controls over which files its Microsoft 365 Copilot AI assistant can access during data processing. The change comes in direct response to customer reports that Copilot was including confidential information in its outputs.

Key Changes

GDPR & AI Act Compliance

This development is directly relevant to EU compliance:


⚡ Cisco SD-WAN Vulnerabilities Exploited in the Wild

Cisco confirmed that two recently patched Catalyst SD-WAN vulnerabilities — CVE-2026-20128 and CVE-2026-20122 — are being actively exploited. SD-WAN infrastructure is classified as critical infrastructure in multiple regulatory frameworks.

NIS2 Critical Infrastructure Alert

Organizations operating SD-WAN infrastructure that falls under NIS2 essential or important entity classifications must treat these exploited vulnerabilities as mandatory immediate patches. Under Article 21, failure to address known-exploited vulnerabilities in critical network infrastructure may constitute a compliance violation subject to administrative fines.


📋 Compliance Action Items — Week of March 7, 2026

  1. Patch iOS devices immediately — All 23 Coruna exploit kit CVEs now in CISA KEV; NIS2/DORA-regulated entities must prioritize
  2. Update Cisco SD-WAN — CVE-2026-20128 and CVE-2026-20122 actively exploited; critical infrastructure risk
  3. Audit AI tool permissions — Review browser extensions claiming AI functionality; remove unverified extensions
  4. Configure Microsoft 365 DLP — Ensure DLP labels are applied to sensitive files before Copilot default protections activate in April
  5. Review Chrome security updates — Patch CVE-2026-0628 (Gemini vulnerability); assess AI-integrated browser components
  6. EU AI Act readiness — Prohibited practices now enforceable; inventory AI systems for compliance by August 2026 high-risk deadline
  7. NIS2 incident response drill — The FBI breach underscores that even top-tier security organizations face compromise; test your 24-hour early warning procedures

Automate Your Compliance Monitoring

KENSAI continuously monitors your infrastructure against NIS2, DORA, GDPR, and EU AI Act requirements. Real-time vulnerability detection meets regulatory mapping.

Start Free Compliance Scan

Stay regulated. Stay protected.

🗡️ KENSAI Compliance Intelligence

March 7, 2026

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →