Archive for November 12, 2025

Black Kite Releases Global Adaptive AI Assessment Framework (BK-GA³™) Developed in Consultation with Shared Assessments

Posted in Commentary with tags on November 12, 2025 by itnerd

Black Kite today announced the release of its Global Adaptive AI Assessment Framework™, BK-GA³™. Designed to keep pace with evolving AI security threats, BK-GA³™ is the first truly global framework for assessing AI risk. BK-GA³™ was developed by the Black Kite Research Group and in consultation with Shared Assessments LLC, the member-driven leader in third-party risk assurance.

When developing BK-GA³™, hundreds of unique requirements across over 50 assessment frameworks were evaluated and best practices were synthesized to create a unified standard capable of evolving with the threat landscape. As a result, BK-GA³™ enables teams to apply a single, focused AI risk framework to efficiently identify vendor control gaps across their third-party ecosystem.

Key capabilities include:

  • Continuous Adaptation: Regularly updated by the BK-GA³™ working committee to reflect evolving standards and emerging AI threats.
  • Global Assurance Alignment: Maps to established frameworks, such as ISO, NIST, and more.
  • Unified Best Practices: Synthesizes best practices from hundreds of unique requirements across 50+ assessment frameworks into a single standard.
  • Built-in Intelligence: Considers OSINT and insights from the Black Kite Research Group to stay aligned with the latest trends and emerging AI threats.

BK-GA³™ is available both publicly and through the Black Kite platform. The publicly available component is a freely accessible AI risk framework developed with input from industry leaders and supported with continued collaboration from Shared Assessments. Black Kite customers can access the new framework through the Black Kite platform, where they can automatically assess vendor AI risks.

To access BK-GA³™, visit https://content.blackkite.com/ebook/black-kite-global-adaptive-ai-assessment-framework/

November Patch Tuesday Commentary From Fortra

Posted in Commentary with tags on November 12, 2025 by itnerd

Tyler Reguly, Associate Director, Security R&D, Fortra

Microsoft seems to have decided that the past few months have given us all the entertainment that we needed and toned things down a little this month. We do have one CVE that has seen active exploitation (CVE-2025-62215) and 6 CVEs that Microsoft has assigned a severity level of Critical (CVE-2025-60724, CVE-2025-62214, CVE-2025-62199, CVE-2025-60716, CVE-2025-60724, CVE-2025-30398). This set includes the single CVE, CVE-2025-60724, that also earns a critical severity on the CVSS scale with a score of 9.8. That 9.8 is something that will likely get a lot of discussion.

One of the things that makes CVE-2025-60724 interesting is a remark that Microsoft made in the FAQ, “In the worst-case scenario, an attacker could trigger this vulnerability on web services by uploading documents containing a specially crafted metafile (AV:N) without user interaction.” This is where I tend to find fault with the way Microsoft handles these vulnerabilities. We have traditional Windows cumulative updates, but a very non-standard attack vector – file upload. There are plenty of unknowns with this one and a lot of questions that we could ask… “Does the technology matter? The backend language processing the metafile? The web server selection?” Microsoft isn’t exactly giving me a lot of confidence that I could mitigate or reduce my risk if patching isn’t immediately possible.

If I’m a CISO, then CVE-2025-60724 has me worried this month. We have a vulnerability that Microsoft and CVSS agree is critical and an attack vector that requires no user interaction and no privileges, just the ability to upload a file. We know nothing about the file type, the technologies that are impacted (other than GDI+ in the title), or the services impacted. Do I need to worry about my SharePoint infrastructure? What about third-party software – my wiki or my bug tracker? This is definitely one that feels a little spooky without a lot of extra details being provided.

While not directly related to today’s patch drop, I wanted to call attention to the additional documentation (via blog post: https://www.microsoft.com/en-us/msrc/blog/2025/10/understanding-cve-2025-55315) that Microsoft published related to CVE-2025-55315. This is fantastic additional context around the vulnerability and the risks involved. This is the type of documentation that we should see for every critical or actively exploited vulnerability that Microsoft patches. If you are a CISO or in communication with a Microsoft TAM, you should reach out and let them know that this is an improvement to their communication and that releasing content like this for more vulnerabilities and in a more timely fashion would be hugely beneficial to the security community.

2026 Predictions From Parallel Works

Posted in Commentary with tags on November 12, 2025 by itnerd

Matthew Shaxted, CEO and Founder of Parallel Works, shares his perspectives on how the next phase of enterprise AI will be defined by the rise of private infrastructure, specialized cloud providers, and a growing emphasis on data sovereignty and hybrid architectures.

The Rise of Private AI: Enterprises will increasingly move away from fully relying on public hyperscalers and toward private or semi-private AI infrastructure. Neo cloud providers will take center stage as hedge funds, defense contractors, and other data-sensitive organizations begin leveraging them for GPU access and to manage Kubernetes environments. This will then allow them to transition to owning their own AI systems. This shift reflects a growing desire for control, cost predictability and sovereignty in how AI workloads are trained and deployed.

Neo Cloud Providers Challenge Hyperscaler Dominance: Specialized GPU-focused cloud providers — often delivering services at 4x lower cost than Amazon, Google, or Microsoft — will carve out a meaningful share of AI workloads. Their pricing models, flexibility, and regional presence will give mid-sized enterprises and research institutions a more viable entry point into advanced AI and HPC workloads. This new tier of “neo clouds” will increasingly become a bridge between expensive public cloud offerings and private infrastructure ownership.

Sovereign AI and Policy-Aware Scheduling: As data sovereignty concerns escalate, organizations will prioritize the ability to keep sensitive data and AI workloads within defined regions or facilities. Intelligent scheduling and policy-driven orchestration will become more prevalent and essential capabilities, ensuring compliance while still enabling performance and efficiency. Sovereign AI will reshape infrastructure strategies in defense, healthcare, and financial services, where regulatory guardrails are non-negotiable.

Hybrid Multi-Cloud as the Default Model: By 2026, hybrid and multi-cloud architectures will be the standard for HPC and AI, replacing the one-size-fits-all approach of monolithic on-prem systems. Workloads will dynamically move across on-prem, cloud, and specialized resources (GPUs, quantum, etc.) to balance performance, cost, and compliance. Cloud bursting and heterogeneous workload placement will no longer be differentiators — they will be table stakes for competitiveness in AI-driven industries.