Google Cloud: Vertex AI Agent Builder billing shift and Agent Designer support for older agents
Google updated Vertex AI Agent Builder documentation to move the charging start date for Sessions, Memory Bank, and Code Execution to February 11, 2026. That timing shift gives platform and FinOps teams a short runway to tighten cost controls, tagging, and budget guardrails before spend begins.
Google also expanded Agent Designer access so teams can manage and edit agents created before January 12, 2026 using the Agent Gallery and the visual Flow experience. This is a governance enabler for standardizing change control and reducing one-off agent implementations that are hard to audit.
Sources:
· https://docs.cloud.google.com/vertex-ai/docs/release-notes
· https://docs.cloud.google.com/release-notes
Microsoft: Azure OpenAI Sweden Central incident highlights regional dependency risk
Microsoft reported an incident impacting Azure OpenAI in Sweden Central on January 27, 2026. The report includes inference failures and deployment metadata issues, which can cascade into downstream services when AI endpoints are chained into business workflows.
If you have production AI in a single region, this is the prompt to validate multi-region options where feasible, and to formalize degraded-mode behavior so critical processes don’t fail hard during vendor incidents.
Sources:
· https://azure.status.microsoft/status/history/
Amazon: EC2 C8gn regional expansion for Graviton4 network-optimized fleets
AWS expanded availability for EC2 C8gn instances, positioning them as a network-optimized Graviton4 option with improved compute performance versus the prior generation in the family. For teams with high-throughput services, this can change both capacity planning and unit economics.
Infrastructure and FinOps leaders should re-check instance catalogs and migration candidates, especially for CPU-based inference and network-heavy back-end services where performance per dollar matters.
Sources:
· https://aws.amazon.com/about-aws/whats-new/2026/01/amazon-ec2-c8gn-instances-additional-regions/
Federal: FedRAMP RFC-0022 proposes a time-limited ‘FedRAMP Validated Level 1’ pilot path
FedRAMP RFC-0022 proposes a special, time-limited status called FedRAMP Validated Level 1 for cloud services that meet widespread commercial security requirements. The proposal emphasizes reuse of existing commercial assessments to enable faster, low-risk piloting while providers work toward a full FedRAMP 20x validation.
For agencies, the key is defining what qualifies as negligible or extremely low risk, and documenting compensating controls and data boundaries. For providers, the key is avoiding compliance debt by designing a clear graduation plan from pilot status to full authorization.
Sources:
· https://www.fedramp.gov/rfcs/0022/
Standards: NIST comment deadlines today, including the Cyber AI Profile draft
NIST’s drafts open for comment list includes multiple items with comments due January 30, 2026, including the Cyber AI Profile draft, an updated Secure Software Development Framework draft, and token and assertion protection guidance. These drafts are likely to influence procurement language and audit expectations once finalized.
If your organization has strong requirements for AI security, secure development baselines, or identity assurance, submitting comments and aligning internally now can prevent surprise control gaps later.
Sources:
· https://csrc.nist.gov/publications/drafts-open-for-comment
Cyber risk wrap: Fortinet CVE status in KEV and an AWS CodeBuild webhook configuration reminder
A Fortinet authentication bypass vulnerability, CVE-2026-24858, is listed by NIST NVD as present in the CISA Known Exploited Vulnerabilities catalog, signaling a patch and exposure validation priority. Treat this as both remediation and post-remediation verification, including log review and indicator hunting appropriate to your environment.
AWS also published a security bulletin related to a CodeBuild webhook filter configuration issue for certain AWS-managed open-source GitHub repositories. The broader lesson is CI/CD supply chain hygiene, including webhook assumptions, branch protection, and policy-as-code enforcement.
Sources:
· https://nvd.nist.gov/vuln/detail/CVE-2026-24858
· https://aws.amazon.com/security/security-bulletins/rss/2026-002-aws/
Topics We’re Tracking (But Didn’t Make the Cut)
Dropped Topic: CISA alert page publication copy for CVE-2026-24858
· Why It Didn’t Make the Cut: The CISA alert page was not accessible for validation at production time, so the package relies on NIST NVD for KEV status evidence.
· Why It Caught Our Eye: CISA publication copy can add remediation deadlines and operational guidance beyond the CVE record.
---
Quick Disclaimer and Sources Note: The author used AI in part to create this newscast. Our goal is to be transparent and show you how we sourced the info we used.
---
This newscast was developed using only public sources of information.
---
The Exchange Daily is a production of Metora Solutions. For more information about how to participate in this daily newscast, contact us at podcasts@metorasolutions.com.
All original content, formatting, and presentation are copyright 2026 Metora Solutions LLC, all rights reserved. For more information about our work and other projects, drop us a note at info@metorasolutions.com.
This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit theexchangedaily.substack.com
