Mend.io Full Layout with Copy

Hello test,

AI governance is moving from principle to practice, security teams are rethinking how they measure AI risk, and a fresh wave of npm supply chain attacks is testing everyone's defenses. Here's what your AppSec team needs to know this month.

 
 

What's new

9-Step AI Governance Implementation Strategy and the Solutions to Know

A step-by-step framework for establishing AI governance, covering the controls, ownership, and tooling that security teams need to manage AI risk in practice rather than on paper.

👉 Read the announcement

Evaluating AI Security Posture Management Tools: 7 Key Criteria

What to look for when assessing AI-SPM tools, with seven criteria that separate real coverage from checkbox features.

👉 Read the criteria

AI changed what you ship. It also changed what you have to secure.

How AI-built software expands the attack surface, and why securing the AI layer is now part of the AppSec mandate, not a separate project.

👉 Read the perspective

Why AI Can't Verify Its Own Code and What That Means for Enterprise AppSec

Why AI-generated code still needs independent verification, and what that means for teams shipping at AI speed.

👉 Read the analysis

Frontier Model Is the Wrong Meter for Continuous Security

Why chasing the latest frontier model is the wrong benchmark for continuous security, and what actually moves the needle on cost and coverage.

👉 Read the post

AI Security Agents: Key Capabilities and 5 Critical Best Practices

What AI security agents can and cannot do, plus five best practices for deploying them without adding new risk.

👉 Read the best practices

AI Guardrails in 2026: Types, Challenges, and Impact of Agentic AI

A practical look at AI guardrails for compliance, security, and trust, and how agentic AI raises the bar.

👉 Read the guide

Attestation in Cybersecurity: Types, Uses & Best Practices

A primer on attestation in cybersecurity: the main types, where it is used, and best practices for getting it right.

👉 Read the primer

 
 

What We're Tracking

Mend.io's research team has been tracking a fresh wave of npm supply chain attacks this month, from scope takeovers to credential-stealing package campaigns.


- Mastra npm Scope Takeover: 140+ Packages Compromised via easy-day-js Dropper


- Miasma: Red Hat Cloud Services npm Packages Hit by a Mini Shai-Hulud-Style Campaign

👉 Follow Mend.io's threat research

 
 

In The News

Mend.io wins in the Ninth Annual AI Breakthrough Awards


Mend.io was recognized among the most innovative AI technology companies in this year's AI Breakthrough Awards.

👉 Read the news

The AI Myths CISOs Can No Longer Afford to Believe


Mend.io's Azi shares perspective on the AI security myths security leaders need to move past.

👉 Read the article

 
 

Customer quote

Principal Security Engineer | Education Technology | ⭐⭐⭐⭐⭐

"It is hard to assign a value to an incident you prevented from happening. You need to understand and manage your risks. Your company and customers demand it. You cannot put a price on trust, and Mend.io helps us maintain the trust we have with our customers."

- Kieran Whelan, Principal Security Engineer, texthelp

 
 

Events & Webinars

Beyond Bandwidth: AppSec in the Age of AI Agents

July 30 | 11:00 AM ET

What AppSec looks like when AI agents are part of both your applications and the threat model.

👉 Register now

Black Hat USA

August 4-6 | Las Vegas

Mend.io will be at Black Hat USA this August. Get on the calendar early.

👉 Reserve time with the team

When Software Becomes Business Risk

A replay on application risk governance and dependency management, and how unmanaged software risk becomes business risk.

👉 Watch the replay

Securing The Build: The AI-Generated Dependency Problem (Podcast)

How AI-generated dependencies create new software supply chain risks, including slopsquatting and poisoned training data. If you build with AI, this episode is for you.

👉 Listen to the episode

Modern AI risk doesn't live in one layer. It lives in the code layer, the AI layer, and the seams between them.

Mend.io secures the code layer and the AI layer, and continuously protects the interaction between them, where modern risk emerges.