Adversa AI: 33 Curated Agentic Security Resources for April 2026 — 93% of Frameworks Use Unscoped API Keys

Adversa AI's April 2026 agentic security digest curates 33 resources spanning research papers, documented vulnerabilities, defensive tooling, and threat modeling guides — and the headline statistic is damning: a systematic audit of 30 AI agent frameworks found that 93% rely on unscoped API keys, exactly 0% implement per-agent identity, and 97% lack user consent mechanisms. For a technology category that enterprise organizations are deploying into production workflows handling sensitive data and taking real-world actions, those numbers represent a known and largely unaddressed exploit surface.

The digest also highlights Unit 42's real-world telemetry identifying 22 distinct techniques of indirect prompt injection being actively weaponized against deployed AI agents — a shift from theoretical attack surface to confirmed active threat. Also featured are memory control-flow attacks, where poisoned entries in an agent's persistent memory can be used to redirect its behavior across sessions without triggering obvious anomaly detection. The cumulative RSA-shaped narrative running through this month's resources is that the threat has moved from academic proof-of-concept to active infrastructure-level compromise.

For teams building or shipping agents in 2026, this digest serves as both a reading list and a checklist. The 93%/0%/97% numbers on API key scoping, per-agent identity, and consent are not aspirational benchmarks — they are the current baseline, which means most production agent deployments are running with architectural gaps that the attacker community is already actively exploiting. Addressing per-agent identity and scoped credentials is no longer optional work; it is the minimum viable security posture for anything touching real users or real data.
