PALO ALTO — The cybersecurity research team behind Wednesday’s six-vendor agentic-AI supply-chain probing disclosure published a follow-on policy paper Saturday afternoon urging substantially faster disclosure norms across the broader AI vendor ecosystem, citing operational evidence that the probing pattern had been active for at least eleven weeks before independent detection.

The follow-on paper, published Saturday by the team at SecureML Research with co-signatures from researchers at three additional independent security firms, characterizes the existing AI-industry disclosure-norm framework as “structurally inadequate to the operational tempo of agentic-AI threat activity” and proposes a five-element disclosure framework that would substantially compress the timelines under which vendors are expected to communicate threat information to peer organizations and to federal authorities.

The Wednesday disclosure had documented a probing pattern affecting six independent agentic-AI infrastructure vendors in which an adversary actor had been systematically testing the vendors’ tool-execution sandboxing implementations for permissions-escalation vulnerabilities. The probing had produced no successful exploitation but had identified operational telemetry patterns that the research team characterized as consistent with state-level adversary capability and methodology.

Saturday’s follow-on paper draws specific attention to the eleven-week gap between the probing pattern’s initial activation and its independent detection. The paper attributes the detection gap to a combination of factors, including the relatively novel nature of agentic-AI infrastructure as a target surface, the vendors’ relatively immature operational-security telemetry implementations, and the absence of a structured information-sharing framework analogous to the Information Sharing and Analysis Centers that operate in more mature critical-infrastructure sectors.

The proposed five-element disclosure framework includes: mandatory same-day disclosure of suspected adversary activity targeting tool-execution sandboxing implementations; a seven-day mandatory disclosure window for confirmed adversary activity even without identified exploitation; a quarterly mandatory operational-security telemetry reporting framework analogous to the Treasury proposal’s grid-impact reporting; the establishment of an Agentic AI Information Sharing and Analysis Center under the framework of the Cybersecurity and Infrastructure Security Agency; and a sector-specific incident-response coordination framework that would activate during cross-vendor incident periods.

A senior SecureML Research researcher, in a Saturday-afternoon briefing for technology reporters, said the proposed framework was “deliberately constructed to be substantively implementable on a near-term basis” and was not intended to substitute for the broader regulatory frameworks currently under congressional consideration. The researcher noted that the proposed framework’s principal elements could be implemented under voluntary-arrangement structures analogous to the May Eighth frontier-model disclosure framework, with statutory backing as a subsequent step.

The Cybersecurity and Infrastructure Security Agency’s response to Wednesday’s disclosure had been to issue a public statement endorsing the research team’s findings and indicating that the agency was “engaged with the affected vendors on operational-response measures.” A senior CISA official, contacted Saturday afternoon, said the agency’s evaluation of the Saturday follow-on paper would be conducted by the agency’s emerging-technology threat-analysis team over the coming weeks.

The Frontier Model Assurance Council, established under the May Eighth framework, has indicated that its institutional remit covers frontier-model release questions rather than infrastructure-side security questions and that the proposed Agentic AI ISAC would represent a complementary rather than substitutive institutional structure. A senior Council official, contacted Saturday afternoon, said the Council was “supportive in principle” of the proposed ISAC framework and would engage substantively in the framework’s development if requested.

The six affected vendors — none of whom have been named in either the Wednesday disclosure or the Saturday follow-on paper — have, according to the SecureML team, been “broadly cooperative” with the research team’s responsible-disclosure protocols and have completed substantive remediation of the identified telemetry-detection gaps. The vendors’ specific identities will remain confidential under the team’s standing responsible-disclosure framework.

Industry-association response to the Saturday paper has been broadly supportive. The Information Technology Industry Council, in a Saturday-evening statement, said the proposed framework’s “core elements are in the direction of what the industry would view as workable” but indicated that the specific timeline parameters in the proposal would require further industry consultation before broad endorsement could be offered. ITI said the association expected to convene a working group to develop a substantive industry response over the coming weeks.

Senator Maggie Hennessey, D-Colo., in a Saturday-afternoon statement, said the Saturday paper’s framework had been “thoughtfully constructed” and indicated that her office would consider whether elements of the framework could be incorporated into the Hennessey-Blackburn AI Transparency and Grid Impact Act, which has been advancing through the Senate Commerce Committee. The senator noted that the bill’s current scope covered frontier-model release and grid-impact disclosure rather than supply-chain security, but said the bill could be amended to incorporate the proposed framework’s most operationally implementable elements.

The Wednesday disclosure and the Saturday follow-on paper are expected to be the principal focus of the agentic-AI security session at the upcoming USENIX Security Symposium in San Francisco, scheduled for August 14-16. The SecureML team is scheduled to present the underlying technical research at the symposium’s opening session, with the policy framework discussion scheduled for a parallel session.

The SecureML team has indicated that a third paper in the sequence — focused on the technical-detection methodologies that could enable faster independent detection of similar probing patterns — is in preparation for publication in late June.