State AGs push back on federal plans to preempt AI laws
A bipartisan coalition of attorneys general from more than thirty five states and the District of Columbia is pushing Congress not to block state level AI regulations. Their letters warn that broad federal preemption would strip states of their ability to respond quickly to AI related harms, from deceptive chatbots to discriminatory uses of automated decision systems. In parallel, some lawmakers are considering ways to attach AI preemption language to child online safety bills, turning this into a fast moving legislative chess match that could reshape AI compliance for years.
Exec takeaway: Plan for a layered future, with federal baselines plus divergent state AI rules. You will need multi state AI governance, detailed data and model mapping, and playbooks for how product changes and deployments are evaluated against different state regimes.
Sources:
https://www.naag.org/press-releases/bipartisan-coalition-of-36-state-attorneys-general-opposes-federal-ban-on-state-ai-laws/
https://www.reuters.com/legal/litigation/dozens-state-attorneys-general-urge-us-congress-not-block-ai-laws-2025-11-25/
https://ag.ny.gov/press-release/2025/attorney-general-james-leads-bipartisan-coalition-urging-congress-reject
DOE’s reorganization elevates AI, quantum, and fusion
The Department of Energy has announced a far reaching reorganization that creates a new Office of Fusion and a dedicated structure for artificial intelligence and quantum technologies. Applied research programs and technology transfer functions are being reshuffled to support a more explicit roadmap around critical technologies, while outside observers note both new opportunities and uncertainties for basic science. For technology and energy leaders, the reorg is more than org chart housekeeping. It sets the stage for how DOE will prioritize, fund, and secure AI, quantum, and fusion projects over the next decade.
Exec takeaway: Expect DOE to drive harder requirements on data sharing, cybersecurity, and performance metrics for AI and quantum projects. Vendors and labs should align proposals and architectures to the new office structure and to the mission themes that emerge from DOE’s updated roadmaps.
Sources:
https://www.aip.org/fyi/doe-creates-new-fusion-office-as-part-of-major-reorganization
https://www.hklaw.com/en/insights/publications/2025/11/doe-releases-updated-agency-structure-and-organization-chart
https://www.fusionindustryassociation.org/u-s-department-of-energy-creates-dedicated-office-of-fusion/
Genesis Mission executive order creates a national AI science platform
The new Genesis Mission executive order directs the Department of Energy to build an integrated AI platform that brings together federal scientific datasets, national lab supercomputers, and emerging quantum resources. The goal is to double the productivity and impact of American science within a decade by using AI models and agents to explore hypotheses, accelerate simulations, and automate research workflows. The mission is being compared to historical efforts like Apollo and the Manhattan Project in terms of ambition and scope.
Exec takeaway: If you operate in energy, healthcare, defense, or advanced engineering, Genesis will influence funding streams and partnership priorities. Align your data platforms, security models, and AI capabilities so that they can plug into a world where DOE led AI infrastructure becomes a central hub for discovery.
Sources:
https://www.whitehouse.gov/presidential-actions/2025/11/launching-the-genesis-mission/
https://www.energy.gov/articles/energy-department-launches-genesis-mission-transform-american-science-and-innovation
https://www.aip.org/fyi/trump-administration-launches-genesis-mission-to-boost-science-through-ai
https://fedscoop.com/trump-ai-executive-order-genesis-mission-platform/
Agentic AI’s rise and Vijil’s seventeen million dollar security bet
Market forecasts now put agentic AI on a growth curve toward roughly fifty billion dollars in value by 2030, as organizations explore AI agents that can take actions, not just answer questions. At the same time, startup Vijil has raised seventeen million dollars to harden AI agents, providing continuous monitoring and trust infrastructure, and has been named a Gartner cool vendor in agentic AI trust, risk, and security management. Together these moves highlight a familiar pattern. As capabilities and hype surge, specialized security players emerge to contain the new risk surface.
Exec takeaway: Treat agents as a new identity class, not just a feature of existing apps. Define what they are allowed to do, how they authenticate, how their actions are logged, and how you will unwind or block those actions when something goes wrong. Agent governance belongs alongside model governance in your AI operating model.
Sources:
https://www.biometricupdate.com/202511/agentic-ai-explosion-driven-by-50b-market-opportunity-and-related-risks
https://www.vijil.ai/blog/vijil-raises-17-million-to-make-ai-agents-resilient-named-a-gartner-cool-vendor
https://www.securityweek.com/ai-agent-security-firm-vijil-raises-17-million/
https://pulse2.com/vijil-17-million-funding/
Akira ransomware targets SonicWall VPNs during deals
A new threat spotlight from ReliaQuest shows the Akira ransomware group abusing SonicWall SSL VPN vulnerabilities to gain a foothold in organizations that are in the middle of mergers and acquisitions. By first compromising a smaller acquired company and then pivoting into the larger parent environment, attackers can reach sensitive deal data and core systems quickly. In some cases they move from entry to full ransomware deployment in just hours.
Exec takeaway: Mergers and acquisitions now require their own security architecture. That includes strict segmentation for acquired networks, mandatory VPN and remote access reviews, and clear go or no go criteria before connecting any newly purchased environment into your production backbone.
Sources:
https://reliaquest.com/blog/threat-spotlight-akira-ransomwares-sonicwall-campaign-creates-enterprise-m%26a-risk/
https://www.govinfosecurity.com/akiras-sonicwall-hacks-are-taking-down-large-enterprises-a-30145
Cl0p’s Oracle E Business Suite zero day hits ERP nerve centers
The Cl0p ransomware group is exploiting a zero day vulnerability in Oracle E Business Suite, an enterprise resource planning platform that often runs finance, supply chain, and HR for major organizations. Reports suggest that multiple high value enterprises, including a prominent newspaper, have been impacted. Because E Business Suite sits at the core of financial and operational workflows, a successful compromise can quickly move from data theft to operational paralysis.
Exec takeaway: Treat ERP like tier zero infrastructure. Push for immediate clarity on Oracle patch status, third party hosting arrangements, and how long the organization can operate if E Business Suite must be taken offline. Business continuity plans should explicitly cover ERP outages, not just email and collaboration tools.
Sources:
https://www.reuters.com/business/media-telecom/washington-post-says-it-is-among-victims-cyber-breach-tied-oracle-software-2025-11-06/
https://cyberpress.org/oracle-e-business/
CISA’s ICS advisories expose building automation and UPS risks
CISA’s latest industrial control system advisories call out serious vulnerabilities in building automation servers, CCTV platforms, pneumatic control systems, and UPS monitoring tools. Many of these products sit in a grey area between facilities and IT, which means they often lack clear ownership for patching and network segmentation. The advisories underline how weaknesses in these systems can translate directly into building outages, safety issues, or covert footholds for attackers.
Exec takeaway: Make building systems part of your cyber physical risk inventory. Identify where the affected products run, who can access them, and how they connect to other networks. Then assign explicit ownership for remediation and monitoring across IT, OT, and facilities teams.
Sources:
https://www.cisa.gov/news-events/alerts/2025/11/25/cisa-releases-seven-industrial-control-systems-advisories
https://www.waterisac.org/tlpclear-cisa-ics-advisories-additional-alerts-updates-and-bulletins-november-20-2025
OnSolve CodeRED outage tests emergency alert resilience
A ransomware attack against Crisis24’s legacy OnSolve CodeRED emergency alert platform has knocked local alerting systems offline in multiple jurisdictions across the United States. Reporting also indicates that resident contact data, including some credentials, has been stolen and is beginning to surface online. While the vendor works to migrate customers to a new platform, cities and counties are scrambling to stand up alternative notification paths for fires, weather events, and other life safety incidents.
Exec takeaway: Treat this as a full dress rehearsal for vendor failure. Confirm whether your organization uses CodeRED or similar services, map your dependency on mass notification for both safety and business continuity, and ensure you have tested fallback channels that do not rely on the same vendor stack.
Sources:
https://cyberscoop.com/crisis24-onsolve-codered-emergency-system-ransomware/
https://www.securityweek.com/ransomware-attack-disrupts-local-emergency-alert-system-across-us/
https://www.bleepingcomputer.com/news/security/onsolve-codered-cyberattack-disrupts-emergency-alert-systems-nationwide/
https://www.theregister.com/2025/11/26/codered_emergency_alert_ransomware/
https://komonews.com/news/local/ransomware-attack-cripples-emergency-alert-system-exposes-personal-data-nationwide-warning-fire-earthquake-shooting-public-disaster-id-social-security-password-bank-money-identity-theft-report-online
AWS October outage and the limits of single cloud thinking
The October twentieth outage in AWS’s us east one region lasted more than fifteen hours and disrupted thousands of services, from consumer apps to back office systems. Subsequent analysis traced the incident to a failure in DNS automation for DynamoDB, which cascaded across internal control plane services and broke dependencies that many customers barely knew existed. The episode has revived long running concerns about cloud concentration risk and the fragility of internet scale infrastructure.
Exec takeaway: Use this as a real world case study in your resilience planning. Document exactly how the outage affected your own services, test failover procedures for cross region or cross cloud scenarios, and revisit whether your recovery time objectives match the reality of complex hyperscale failures.
Sources:
https://www.thousandeyes.com/blog/aws-outage-analysis-october-20-2025
https://www.theverge.com/news/802486/aws-outage-alexa-fortnite-snapchat-offline
https://www.theguardian.com/technology/2025/oct/24/amazon-reveals-cause-of-aws-outage
https://www.wired.com/story/aws-cloud-outage-long-tail
https://apnews.com/article/654a12ac9aff0bf4b9dc0e22499d92d7
HashJack shows how a hash symbol can hijack AI browsers
New research from Cato Networks describes a technique called HashJack that hides malicious prompts after the hash symbol in otherwise legitimate URLs. When AI browsers and assistants send the full URL into a model, those hidden prompts can force the assistant to exfiltrate data, deliver phishing links, or provide harmful guidance, even though the visible page content looks clean. Products such as Comet, Copilot for Edge, and Gemini for Chrome are among those highlighted as vulnerable to this design issue.
Exec takeaway: AI security is now deeply intertwined with product design and context handling. Inventory where AI browsers and assistants are in use, set policies for which tools are allowed, and ensure that URL handling, prompt sanitization, and monitoring controls are in place for both official and Shadow AI tools.
Sources:
https://www.catonetworks.com/blog/cato-ctrl-hashjack-first-known-indirect-prompt-injection/
https://www.csoonline.com/article/4097087/ai-browsers-can-be-tricked-with-malicious-prompts-hidden-in-url-fragments.html
https://www.infosecurity-magazine.com/news/hashjack-indirect-prompt-injection/
https://cyberpress.org/hashjack-a-new-attack/
Charlotte AI earns FedRAMP High and brings AI copilots to government SOCs
CrowdStrike has announced that its Charlotte AI security assistant has achieved FedRAMP High Authorization for deployment in GovCloud. This certification clears the way for federal, state, and local agencies to use Charlotte AI to triage detections and orchestrate automated response actions within the Falcon platform, under the government’s most stringent cloud security requirements. The milestone shows that AI copilots are moving from experiments into certified components of public sector security operations.
Exec takeaway: Public sector security leaders can now pilot AI copilots within a FedRAMP High framework, but governance and oversight remain essential. Define which workflows Charlotte AI is allowed to automate, how its decisions will be reviewed, and how you will measure both effectiveness and unintended consequences over time.
Sources:
https://www.crowdstrike.com/en-us/press-releases/crowdstrike-charlotte-ai-achieves-fedramp-high-authorization-transforming-public-sector-defense-with-agentic-soc/
https://ir.crowdstrike.com/news-releases/news-release-details/crowdstrike-charlotte-ai-achieves-fedramp-high-authorization
https://finance.yahoo.com/news/crowdstrike-charlotte-ai-achieves-fedramp-184600624.html
https://www.investing.com/news/company-news/crowdstrikes-charlotte-ai-receives-fedramp-high-authorization-93CH-4378034
Topics We’re Tracking (But Didn’t Make the Cut)
Dropped Topic: Additional vendor specific earnings commentary tied to Charlotte AI
Why It Did Not Make the Cut: Added more noise than signal for security leaders, with limited operational detail beyond what the main story already covers.
Why It Caught Our Eye: Shows how investors are pricing AI driven security offerings and may foreshadow further platform level consolidation.
Dropped Topic: Broader political maneuvering around defense spending riders tied to AI
Why It Did Not Make the Cut: Still fluid, with limited concrete language available in public drafts at time of production.
Why It Caught Our Eye: Could become the next vehicle for AI related policy and preemption fights if negotiations crystallize.
Quick Disclaimer and Sources Note: The author used AI in part to create this newscast. Our goal is to be transparent and show you how we sourced the info we used.
This newscast was developed using only public sources of information.
The Exchange Daily is a production of Metora Solutions. For more information about how to participate in this daily newscast, contact us at podcasts@metorasolutions.com.
