May 2026 Summaries
8 posts from Speakeasy
Filter
Month:
Year:
Post Summaries
Back to Blog
In 2026, AI governance has become a crucial infrastructure priority for enterprises due to the rapid proliferation of AI agents, which pose significant security and compliance challenges. Gartner forecasts a substantial increase in AI agent deployment, and the associated risks have prompted organizations to prioritize governance frameworks that ensure access control, logging, and auditable actions. The disparity in spending on AI security versus capability has led to costly breaches, pushing companies like JPMorgan and Goldman Sachs to integrate comprehensive governance strategies. The introduction of regulatory measures, such as the EU AI Act, adds urgency to compliance efforts, with substantial fines for non-compliance. Companies like Uber have exemplified effective governance by building robust AI infrastructure, while others are adopting products like the Speakeasy AI control plane to streamline implementation. This shift in focus highlights that the primary barrier to scaling AI is governance rather than technical limitations or costs, as demonstrated by the increased board oversight and the emergence of AI governance platforms as essential tools for managing AI deployment.
May 30, 2026
1,514 words in the original blog post.
Uber has developed a comprehensive enterprise AI security infrastructure, achieving significant integration of AI tools across its operations by 2026, with AI generating a substantial portion of code within the company. This infrastructure, built over several years, includes three key components: the GenAI Gateway, which manages PII redaction and access control; the MCP Gateway and Registry, which oversees agent-to-tool connections and enforces security protocols; and an agent identity system that tracks the lineage of multi-agent workflows. This layered approach enables Uber to maintain strict governance, prevent data exfiltration, and ensure secure tool access, facilitated by a dedicated Agentic AI Platform team. Uber's methodical approach—prioritizing the construction of governance layers before scaling AI adoption—serves as a model that the broader market can emulate through products like Speakeasy, which offers similar infrastructure solutions.
May 28, 2026
1,151 words in the original blog post.
In May 2026, the NSA released a 15-page Cybersecurity Information Sheet providing the first formal guidance on Model Context Protocol (MCP) security, outlining four specific operational requirements for organizations running AI agents in production. These requirements address unique vulnerabilities of AI agents under MCP, focusing on cryptographic message integrity, least-privilege access at tool-call boundaries, tamper-evident audits, and trust chains between clients, gateways, and servers. The guidance aims to mitigate risks like prompt injection attacks and unauthorized message modifications by ensuring verifiable audit trails and end-to-end trust. Although the requirements align with existing IETF, OpenAPI, and OWASP standards, the NSA's formalization provides a new compliance baseline likely to influence frameworks such as FedRAMP and CMMC. Companies like Speakeasy have preemptively integrated these controls into their systems, ensuring robust security measures that align with NSA recommendations.
May 27, 2026
1,457 words in the original blog post.
The OWASP Agentic Top 10, introduced by the Agentic Security Initiative in December 2025, addresses security risks specific to agentic AI systems that operate autonomously across multiple interactions and environments. Unlike the OWASP LLM Top 10, which focuses on single interactions, the Agentic Top 10 considers the complexities of distributed agents handling tasks such as reading, writing, and executing code, often without anticipated developer oversight. This framework identifies ten key risks, including agent goal hijack, tool misuse, identity abuse, and rogue agents, emphasizing the need for robust trust boundaries, scoped identities, and comprehensive auditing within agent systems. The framework also highlights gaps, such as economic attribution and multi-tenant isolation, and suggests that effective enforcement requires a combination of model gateways, MCP gateways, agent hooks, identity management, and audit logging. The OWASP Agentic Top 10 aims to provide a structured approach to mitigating risks in the increasingly complex landscape of agentic AI deployments.
May 21, 2026
3,228 words in the original blog post.
An MCP server should ideally respond to browsers and agents with content negotiation on the Accept header, providing HTML for humans and protocol data for agents, enhancing user experience and accessibility. This approach, which has been quietly implemented by Speakeasy, ensures that every MCP URL serves an install page at the same URL as the protocol, addressing the common issue of users encountering errors or unfriendly data formats when accessing these URLs. By incorporating features like one-click install buttons, a full tool list with descriptions, and OAuth flow initiation, these pages offer a more user-friendly interface without altering the protocol's core functionality. The article emphasizes that content negotiation on a single URL is preferable to maintaining separate URLs for different responses, as it avoids complications with redirects and ensures consistency. The text suggests that the MCP specification could benefit from recommending this approach to make the protocol more accessible to first-time users, thereby offering a smoother experience when encountering MCP servers.
May 17, 2026
824 words in the original blog post.
Claude Enterprise represents a significant advancement over unmanaged AI tools by providing developer identity linkage to corporate SSO providers, compliance teams access to conversation logs, and administrators the ability to publish an approved list of MCP servers. However, its security measures are primarily focused on the conversation layer and do not extend to the tool-call layer, which is crucial for managing agentic workflows in production environments. This gap in security controls leaves several attack surfaces, such as prompt injection and tool poisoning, unaddressed, leading to potential compliance issues under frameworks like the EU AI Act, which requires comprehensive oversight and audit trails for AI decision-making. The introduction of an AI control plane addresses these shortcomings by enforcing protocol-level governance, offering capabilities like real-time permission updates and structured audit logs for tool calls, ensuring more robust security and compliance for organizations using AI systems.
May 15, 2026
1,971 words in the original blog post.
Claude Enterprise offers enhanced security features for AI usage by integrating corporate SSO and providing compliance teams with access to conversation logs, but it falls short in governing post-response AI actions. While it ensures access control and audit logging for conversation data, it lacks oversight of tool calls and system actions, leaving vulnerabilities like prompt injection, tool poisoning, and supply chain compromises unaddressed. Regulatory requirements such as the EU AI Act demand comprehensive audit trails beyond conversation logs, emphasizing the need for a robust AI control plane that enforces policy server-side and logs all tool interactions. Claude's controls, primarily focused on the conversation layer, are insufficient for agentic workflows in production, as they do not capture or regulate the broader actions taken by AI agents. The AI control plane is highlighted as a solution to bridge these gaps by routing every tool call through a central gateway, ensuring comprehensive oversight and compliance, especially as organizations prepare for upcoming regulatory deadlines.
May 15, 2026
1,970 words in the original blog post.
Organizations often encounter shadow AI issues, where unauthorized AI agents interact with production systems, leading to security and governance challenges. This arises primarily in companies that rapidly adopt AI technologies without adequate oversight. New AI infrastructure like AI gateways, MCP gateways, and AI control planes have emerged to address these challenges. AI gateways manage interactions between applications and model providers, handling tasks like routing, failover, and cost tracking. MCP gateways focus on AI agents' connections to systems via the Model Context Protocol, centralizing credential management and ensuring tool access is controlled and logged. AI control planes provide a unified governance layer, integrating both gateways to ensure consistent identity management, policy enforcement, and comprehensive auditing across all AI interactions. These solutions mitigate risks such as data leakage, unauthorized access, and compliance issues by providing comprehensive oversight and control over AI operations within organizations.
May 07, 2026
4,880 words in the original blog post.