OpenAI's Codex Security scanned 1.2 million commits and found 10,561 high-severity 취약점 — redefining what automated compliance looks like. The Pentagon's CTO publicly clashed with Anthropic over autonomous warfare and AI weapons policy. Pakistan-linked Transparent Tribe is mass-producing AI-generated 악성코드 across multiple languages. Meanwhile, DORA's ICT risk reporting enters a critical compliance phase, and NIS2 supply chain requirements are tightening across EU member states. Here's what 규정 준수팀 need to know this Sunday morning.
OpenAI launched Codex Security on March 7, an AI-powered security agent that scanned 1.2 million commits across open-source repositories during its beta period, identifying 792 critical and 10,561 high-severity findings — including new CVEs in OpenSSH, GnuTLS, GOGS, PHP, and Chromium.
Codex Security operates in three phases: it analyzes repository structure to build a security-relevant threat model, identifies 취약점 grounded in system context, then pressure-tests findings in a sandboxed environment to validate them before surfacing results. False positive rates dropped by over 50% during the beta.
This represents a paradigm shift for compliance frameworks that mandate 취약점 management:
| Project | CVEs | 영향 |
|---|---|---|
| GnuPG | CVE-2026-24881, CVE-2026-24882 | Cryptographic operations compromise |
| GnuTLS | CVE-2025-32988, CVE-2025-32989 | TLS implementation flaws |
| GOGS | CVE-2025-64175, CVE-2026-25242 | Git hosting platform 익스플로잇ation |
| Thorium | 7 CVEs (CVE-2025-35430 through 35436) | Nuclear/critical infrastructure software |
Organizations subject to NIS2, DORA, or sector-specific regulations should evaluate AI-powered 취약점 scanning tools now. As these tools become widely available, regulators will increasingly view manual-only vulnerability management as insufficient. The bar for "appropriate technical measures" is rising.
Pentagon Chief Technology Officer Emil Michael publicly disclosed that he clashed with AI company Anthropic over autonomous warfare capabilities. The military is developing procedures for enabling different levels of autonomy in warfare depending on risk levels.
This confrontation exposes the fundamental regulatory gap between military AI deployment and civilian AI governance frameworks:
The EU AI Act explicitly excludes military and national security applications from its scope (Article 2(3)). However, this clash highlights critical questions:
Pakistan-aligned threat group Transparent Tribe is using AI coding tools to mass-produce 악성코드 implants in Nim, Zig, and Crystal — lesser-known languages designed to evade detection. Bitdefender researchers call this "AI-assisted malware industrialization" and coined the term "vibeware" for AI-generated 악성코드.
This development creates unprecedented challenges for every major compliance framework:
Simultaneously, Microsoft reported that hackers are abusing AI at every stage of cyberattacks — from reconnaissance and 소셜 엔지니어링 to 익스플로잇 development and post-compromise activities. This systemic shift from isolated AI misuse to full attack-chain AI integration demands a regulatory response at the framework level.
As of March 2026, the Digital Operational Resilience Act (DORA) is fully in force for EU financial entities. The ICT 위험 관리 framework requirements under Articles 5-16 are now subject to supervisory review, with European Supervisory Authorities (ESAs) actively assessing compliance.
| DORA Requirement | Status | Action Required |
|---|---|---|
| ICT 위험 관리 Framework (Art. 5-16) | 🔴 Active enforcement | Complete framework documentation and board-level approval |
| ICT 사고 보고 (Art. 17-23) | 🔴 Active enforcement | Establish reporting channels to competent authorities within prescribed timelines |
| Digital Operational Resilience Testing (Art. 24-27) | 🟡 Phase-in period | Implement basic testing; advanced TLPT for systemically important entities |
| Third-Party ICT Risk (Art. 28-44) | 🟡 Assessment phase | Map all critical ICT service providers; begin contractual reviews |
| Information Sharing (Art. 45) | 🟢 Voluntary | Consider joining threat intelligence sharing arrangements |
이번 주's developments — particularly AI security agents (Codex Security) and AI-generated threats (Transparent Tribe) — create a dual challenge for financial entities: they must evaluate AI-powered tools for compliance while simultaneously defending against AI-powered threats. DORA's technology-neutral approach means supervisors will assess the outcome of 위험 관리, not the specific tools used — but the standard of care is implicitly rising.
Multiple developments 이번 주 reinforce the expanding reach of NIS2 supply chain requirements:
The ongoing FBI investigation into a breach of its surveillance data system (first reported March 7) continues to raise questions about government system security. For EU organizations, this incident serves as a reminder that NIS2 Article 21(2)(d) requires supply chain security measures that account for 취약점 in relationships with direct suppliers — including government and intelligence-sharing systems.
Iranian 위협 행위자s have been confirmed inside networks of a U.S. airport, bank, and software company since at least February 2026. Under NIS2, EU entities with U.S. supply chain dependencies must assess whether their American partners' compromised status affects their own risk posture.
A Rockwell Automation 취약점 disclosed in 2021 is now being actively 익스플로잇ed in attacks targeting industrial control systems. This five-year gap between disclosure and exploitation highlights why NIS2's vulnerability handling requirements under Article 21 demand ongoing monitoring — not just initial patching.
| 날짜 | Framework | Milestone |
|---|---|---|
| March 11, 2026 | Patch Tuesday | Microsoft March 2026 Patch Tuesday — expect critical patches; forecast warns "AI security may be an oxymoron" |
| May 2, 2026 | EU AI Act | GPAI model transparency obligations take effect — providers must document cybersecurity measures |
| August 2, 2026 | EU AI Act | 높음-risk AI system requirements become enforceable (Articles 6-49) |
| October 17, 2026 | NIS2 | Member state transposition deadline — all 27 EU countries must have NIS2 in national law |
| January 17, 2027 | DORA | 치명적 ICT third-party provider oversight framework fully operational |
KENSAI's automated security scanning helps you meet NIS2, DORA, and EU AI Act 규정 준수 요구사항 with continuous 취약점 assessment across your entire attack surface.
Start Free Security Scan →Published by the KENSAI Security Research Team — March 8, 2026
Sources: The Hacker News, SecurityWeek, BleepingComputer, Help Net Security, Bitdefender, Microsoft, OpenAI, CISA