cd /news/artificial-intelligence/policy-pulse-issue-24-week-of-july-1… · home topics artificial-intelligence article
[ARTICLE · art-56586] src=blog.disclose.io ↗ pub= topic=artificial-intelligence verified=true sentiment=↓ negative

Policy Pulse - Issue #24 | Week of July 11, 2026

OpenAI launched GPT-5.6 Sol on July 9 after the White House lifted a restriction that had limited access to government-vetted partners, but the UK AI Security Institute found universal jailbreaks enabling autonomous cyberattacks within hours of privileged access. The findings mirror the flaw that forced Anthropic to disable Fable 5, raising concerns about AI safety and the adequacy of government oversight.

read10 min views1 publishedJul 12, 2026
Policy Pulse - Issue #24 | Week of July 11, 2026
Image: Blog (auto-discovered)

GPT-5.6 Sol goes public as Washington lifts its access gate, and UK AISI finds universal cyber jailbreaks within hours, the same pattern that forced Anthropic's Fable 5 offline. Plus Illinois mandates frontier AI safety audits.

Your weekly briefing on cybersecurity policy affecting vulnerability disclosure and security research.

Top Story

The Gate Swings Open Again: GPT-5.6 Sol Goes Public, and UK AISI Finds Universal Jailbreaks Within Hours

OpenAI publicly launched GPT-5.6 Sol (alongside Terra and Luna) on July 9, after the White House approved broadening a release that had been gated to a small group of government-vetted partners since a June 26 preview (PYMNTS). OpenAI says it limited the rollout "at the government's request" and shared the identities of its trusted early testers before Washington cleared a wider release on July 8.

The clearance did not last long as a clean story. GPT-5.6's system card, published alongside the July 9 launch, discloses that the UK AI Security Institute (AISI), given privileged pre-release access, found "universal jailbreaks in the cyber domain, including jailbreaks that allowed for long-form agentic task completion" in vulnerability discovery and exploit development, and that these jailbreaks "were often developed within hours" (Fortune, July 10). Fortune's framing is pointed: this is the same shape of problem that led Washington to force Anthropic to disable Fable 5 after Amazon found a jailbreak in it, except AISI's finding is arguably worse, because the GPT-5.6 jailbreaks are "universal" and unlock autonomous exploit conduct, not just vulnerability identification.

Why it matters for VDP: Two frontier-model export sagas in three weeks, both resolved through executive discretion rather than statute or comment period, and both surfacing the same underlying fact: a government AI Security Institute can find a working jailbreak into autonomous exploit-development capability within hours of privileged access. UK AISI had that access. CISA and the broader US defender community did not. VDP intake teams should assume the ceiling on AI-assisted submission sophistication just moved again, and that "the vendor's safety testing already covered this" is not a safe assumption to build a triage model on.

Throwback: In Issue #23, we covered Washington reversing export controls on Anthropic's Mythos 5 and Fable 5 after roughly two and a half weeks; this week's GPT-5.6 Sol saga runs the identical playbook on a second frontier lab, on an even faster clock.

Upcoming Deadlines & Events

Date Agency Event/Deadline Action Required Link
Jul 13, 2026
NIST Draft IR 8320E (confidential computing for cloud workloads) comment period closes Submit final comments

Mid-Jul 2026gov.uk** Late Jul 2026**Federal News NetworkJul 31, 2026NIST CSRC drafts open for comment** Aug 1, 2026**White House EO 14409Aug 14, 2026NIST CSRC drafts open for comment** Aug 24, 2026**copyright.gov/1201** Sep 11, 2026**Crowell client alert### This Week in Policy

AI & Emerging Tech Security

Illinois signs the nation's first mandatory third-party frontier-AI audit law. Governor JB Pritzker signed SB 315, the Artificial Intelligence Safety Measures Act, on July 6, targeting AI developers with more than $500 million in annual revenue. It requires 72-hour reporting of critical safety incidents (24 hours if there's imminent risk of death or serious injury) and, as its headline provision, annual independent third-party safety audits, first-in-the-nation for that mandate. The law takes effect January 1, 2028, and follows similar 2025 legislation in California and New York; the three states together represent roughly 40% of the US AI market (Capitol News Illinois).For VDP programs: independent third-party audit is quietly becoming a compliance obligation rather than a voluntary practice, which widens the market for external adversarial evaluation work adjacent to disclosure programs. - Brussels answers Washington's gatekeeping model with a sovereignty play. On July 7 the European Commission presented its Action Plan on Cybersecurity and Artificial Intelligence, committing to a "European blueprint for structured access to advanced AI capabilities for cybersecurity" built with ENISA, a joint ENISA/Joint Research Centre secure testing platform for AI-in-cybersecurity, and a campaign to secure critical open-source software (European Commission).For VDP programs: read alongside this week's top story, the EU is explicitly building its own frontier-AI evaluation and defender-access infrastructure so European critical-infrastructure operators are not dependent on US discretionary access decisions like the one that gated, then ungated, GPT-5.6 Sol.

Federal Strategy & Regulation

Treasury's AI cybersecurity clearinghouse deadline passes, and HackerOne warns it needs teeth. Executive Order 14409 (signed June 2) gave Treasury, in consultation with NSA and CISA, 30 days to form an "AI cybersecurity clearinghouse" coordinating vulnerability scanning, validation, and remediation across critical infrastructure. The deadline passed in early July. In a July 8 op-ed, HackerOne Chief Legal and Policy Officer Ilona Cohen warned the effort risks becoming something that "looks like a clearinghouse, but functions like a committee: collecting information, convening meetings, and then stalling when it gets to the hard part," and argued that "AI tools can surface vulnerabilities faster than anyone can act on them. What lags behind is everything that comes after discovery" (CyberScoop).For VDP programs: a federal coordination body is being built on top of the exact scan-validate-remediate-disclose workflow VDP practitioners already run, and a senior figure from the researcher community is publicly arguing for embedding disclosure expertise in its design from the start. - August 1 deadline nears for the framework that will decide which models count as "covered." The same EO 14409 requires Treasury, NSA, CISA, ONCD, and NIST to deliver, by August 1, a classified benchmarking process to determine the cyber-capability threshold at which an AI model becomes a "covered frontier model" subject to the government-engagement regime this week's top story describes (EO 14409 text).For VDP programs: this threshold, not a public comment process, is what will determine which future frontier models get gated the way Fable 5 and GPT-5.6 Sol briefly were.

CVE & Vulnerability Programs

NVD's backlog "will exist forever" without structural change, Commerce OIG finds. A Commerce Department Office of Inspector General audit found more than 27,000 unenriched CVEs sitting in NIST's National Vulnerability Database backlog by the end of 2025, and gave NIST until late July to submit a corrective action plan. OIG cybersecurity audit director Chuck Mitchell told Federal News Network the backlog "was gonna exist forever unless NIST made some significant changes," recommending a strategic plan, an achievable backlog-management plan, and clearer public communication; NIST agreed with all three and says it had already begun implementing changes (Federal News Network,CyberScoop).For VDP programs: NVD enrichment (CPE, CVSS, CWE) underpins most vulnerability-management tooling; plan for degraded enrichment and lean harder on KEV and vendor advisories in the meantime. - GhostApproval: a coordinated-disclosure case study in six AI coding assistants, and a vendor adjudication split. Wiz disclosed "GhostApproval," a symlink and trust-boundary flaw class (CWE-61 layered under a UI-misrepresentation issue, CWE-451) letting a malicious repository trick human-in-the-loop approval dialogs in AI coding assistants into approving out-of-workspace file writes, up to remote code execution. Vendor responses split cleanly: Amazon Q Developer (fixed, v1.69.0, CVE-2026-12958) and Cursor (fixed, v3.0, CVE-2026-50549) shipped patches and CVEs; Google Antigravity fixed with a CVE pending; Anthropic disputed the report's classification as a vulnerability but had already independently shipped symlink-resolution warnings in Claude Code v2.1.32 in February, nine days before receiving Wiz's report; Augment and Windsurf remain in progress (Wiz).For VDP programs: a clean multi-vendor coordinated-disclosure case study, including the "is it a vulnerability or intended behavior" adjudication fight that AI-tooling reports increasingly raise for triage teams. - CISA's KEV catalog absorbs six more actively exploited flaws, including AI infrastructure. CISA added CVE-2026-48908 (JoomShaper SP Page Builder), CVE-2026-55255 (Langflow authorization bypass), and CVE-2026-56290 (Joomlack Page Builder) on July 7, then CVE-2026-48939 (iCagenda) and CVE-2026-56291 (Balbooa Forms) on July 10 (CISA, Jul 7;CISA, Jul 10), the first full week of routine additions under CISA's newer risk-based BOD 26-04 remediation regime. Langflow's inclusion, an actively exploited authorization bypass in a widely used LLM application-builder, marks AI application infrastructure showing up in KEV as its own category.For VDP programs: KEV status is the highest-signal input federal-adjacent programs use for remediation prioritization, and AI-stack components are now a live part of that catalog, not a hypothetical.

Legal & Researcher Protections

UK's moving cyber bill isn't the one researchers need. The Cyber Security and Resilience Bill is progressing through the House of Lords this month (reported for a Lords second reading around July 14, a date we could not independently confirm against Parliament's own site, which blocked automated verification), but per gov.uk's own bill summary it reforms the Network and Information Systems Regulations 2018, a resilience measure, not the Computer Misuse Act statutory-defence reform the security research community has been asking for (gov.uk bill collection). That separate CMA reform remains on an unscheduled track; researcher advocates continue to describe the statutory-defence proposal under discussion as narrowly drawn, covering only a small slice of professional internet-facing security testing and excluding bug-bounty hunting and proof-of-concept development.For VDP programs and UK-based researchers specifically: don't mistake this week's parliamentary activity for CMA relief. The bill moving is a resilience bill; the reform that would actually change researcher liability exposure is still stalled.

International Developments

Brussels takes NIS2 laggards to court. The European Commission referred Ireland, Spain, France, and the Netherlands to the Court of Justice of the EU on July 8 for failing to fully transpose the NIS2 Directive, which was due by October 17, 2024. The Commission is seeking financial sanctions, a lump sum plus daily penalties, until each country notifies complete transposition, following formal notices in November 2024 and reasoned opinions in May 2025 (European Commission).For VDP programs: NIS2 is the legal scaffolding behind national coordinated-vulnerability-disclosure frameworks across the EU. Enforcement with financial teeth signals Brussels is done waiting on the member states that anchor a meaningful share of the bloc's VDP-relevant infrastructure. - ENISA closes consultation on secure update delivery. ENISA's public consultation on its second technical advisory covering secure update mechanisms, aimed at helping small and medium manufacturers manage update-lifecycle threats, closed July 10, part of the technical guidance supporting Cyber Resilience Act compliance (OpenSSF).For VDP programs: disclosure only closes the loop if the fix can ship safely. This advisory is the practical, patch-delivery half of the CRA obligations that take effect September 11.

Worth Reading

(Help Net Security): Argues AI-accelerated discovery has broken per-CVE tracking, citing Microsoft's 200-plus CVEs in a single June release cycle, Chrome 150's 433 security fixes, and Adobe's move to twice-monthly patch releases. Useful connective tissue to this week's NVD backlog story.Is CVE Tracking Still Practical?(Reason / Volokh Conspiracy): Orin Kerr's analysis of whether an AI agent acting on a user's own credentials can "exceed authorized access," and why prior Ninth Circuit precedent on authentication "gates" makes the answer genuinely unsettled. The pending Ninth Circuit ruling could reshape authorization doctrine underneath every good-faith safe harbor.AI Agents and the CFAA: Amazon.com Services v. Perplexity AI(Wiz): The full technical writeup behind this issue's CVE section item, worth reading in full for the vendor-by-vendor disclosure timeline and the "is this in scope" adjudication dispute.GhostApproval: A Trust Boundary Gap in AI Coding Assistants

Policy Pulse is a weekly bulletin from disclose.io. Keeping the security research community informed on policy that affects our work.

Have a tip or want to contribute? Reply to this email, reach out on Twitter/X, or drop a comment here!

── more in #artificial-intelligence 4 stories · sorted by recency
── more on @openai 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/policy-pulse-issue-2…] indexed:0 read:10min 2026-07-12 ·