The security landscape is undergoing yet another major shift, and nowhere was this more evident than at Black Hat USA 2025. As artificial intelligence (especially the agentic variety) becomes deeply embedded in enterprise systems, it’s creating both security challenges and opportunities. Here’s what security professionals need to know about this rapidly evolving landscape.

AI systems—and particularly the AI assistants that have become integral to enterprise workflows—are emerging as prime targets for attackers. In one of the most interesting and scariest presentations, Michael Bargury of Zenity demonstrated previously unknown “0click” exploit methods affecting major AI platforms including ChatGPT, Gemini, and Microsoft Copilot. These findings underscore how AI assistants, despite their robust security measures, can become vectors for system compromise.

AI security presents a paradox: As organizations expand AI capabilities to enhance productivity, they must necessarily increase these tools’ access to sensitive data and systems. This expansion creates new attack surfaces and more complex supply chains to defend. NVIDIA’s AI red team highlighted this vulnerability, revealing how large language models (LLMs) are uniquely susceptible to malicious inputs, and demonstrated several novel exploit techniques that take advantage of these inherent weaknesses.

However, it’s not all new territory. Many traditional security principles remain relevant and are, in fact, more crucial than ever. Nathan Hamiel and Nils Amiet of Kudelski Security showed how AI-powered development tools are inadvertently reintroducing well-known vulnerabilities into modern applications. Their findings suggest that basic application security practices remain fundamental to AI security.

Looking forward, threat modeling becomes increasingly critical but also more complex. The security community is responding with new frameworks designed specifically for AI systems such as MAESTRO and NIST’s AI Risk Management Framework. The OWASP Agentic Security Top 10 project, launched during this year’s conference, provides a structured approach to understanding and addressing AI-specific security risks.

For security professionals, the path forward requires a balanced approach: maintaining strong fundamentals while developing new expertise in AI-specific security challenges. Organizations must reassess their security posture through this new lens, considering both traditional vulnerabilities and emerging AI-specific threats.

The discussions at Black Hat USA 2025 made it clear that while AI presents new security challenges, it also offers opportunities for innovation in defense strategies. Mikko Hypponen’s opening keynote presented a historical perspective on the last 30 years of cybersecurity advancements and concluded that security is not only better than it’s ever been but poised to leverage a head start in AI usage. Black Hat has a way of underscoring the reasons for concern, but taken as a whole, this year’s presentations show us that there are also many reasons to be optimistic. Individual success will depend on how well security teams can adapt their existing practices while embracing new approaches specifically designed for AI systems.

I’m really looking forward to our second O’Reilly AI Codecon, Coding for the Agentic World, which is happening on September 9, online from 8 am to noon pacific time, with a follow-on day of additional demos on September 16. But I’m also looking forward to how the AI market itself unfolds: the surprising twists and turns ahead as users and developers apply AI to real world problems.

The pages linked above give details on the program for the events. What I want to give here is a bit of the why behind the program, with a bit more detail on some of the fireside chats I will be leading.

From Invention to Application

There has been so much focus in the past on the big AI labs, the model developers, and their razzle dazzle about AGI, or even ASI. That narrative implied that we were heading towards something unprecedented. But if this is a “normal technology” (albeit one as transformational as electricity, the internal combustion engine, or the internet), we know that LLMs themselves are just the beginning of a long process of discovery, product invention, business adoption, and societal adaptation.

That process of collaborative discovery of the real uses for AI and reinvention of the businesses that use it is happening most clearly in the software industry. It is where AI is being pushed to the limits, where new products beyond the chatbot are being introduced, where new workflows are being developed, and where we understand what works and what doesn’t.

This work is often being pushed forward by individuals, who are “learning by doing.” Some of these individuals work for large companies, others for startups, others for enterprises, and others as independent hackers.

Our focus in these AI Codecon events is to smooth adoption of AI by helping our customers cut through the hype and understand what is working. O’Reilly’s mission has always been changing the world by sharing the knowledge of innovators. In our events, we always look for people who are at the forefront of invention. As outlined in the call to action for the first event, I was concerned about the chatter that AI would make developers obsolete. I argued instead that it would profoundly change the process of software development and the jobs that developers do, but that it would make them more important than ever.

It looks like I was right. There is a huge ferment, with so much new to learn and do that it’s a really exciting time to be a software developer. I’m really excited about the practicality of the conversation. We’re not just talking about the “what if.” We’re seeing new AI powered services meeting real business needs. We are witnessing the shift from human-centric workflows to agent-centric workflows, and it’s happening faster than you think.

We’re also seeing widespread adoption of the protocols that will power it all. If you’ve followed my work from open source to web 2.0 to the present, you know that I believe strongly that the most dynamic systems have “an architecture of participation.” That is, they aren’t monolithic. The barriers to entry need to be low and business models fluid (at least in the early stages) for innovation to flourish.

When AI was framed as a race for superintelligence, there was a strong expectation that it would be winner takes all. The first company to get to ASI (or even just to AGI) would soon be so far ahead that it would inevitably become a dominant monopoly. Developers would all use its APIs, making it into the single dominant platform for AI development.

Protocols like MCP and A2A are instead enabling a decentralized AI future. The explosion of entrepreneurial activity around agentic AI reminds me of the best kind of open innovation, much like I saw in the early days of the personal computer and the internet.

I was going to use my opening remarks to sound that theme, and then I read Alex Komoroske’s marvelous essay, “Why Centralized AI Is Not Our Inevitable Future.” So I asked him to do it instead. He’s going to give an updated, developer-focused version of that as our kickoff talk.

Then we’re going into a section on agentic interfaces. We’ve lived for decades with the GUI (either on computers or mobile applications) and the web as the dominant ways we use computers. AI is changing all that.

It’s not just agentic interfaces, though. It’s really developing true AI-native products, searching out the possibilities of this new computing fabric.

The Great Interface Rethink

In the “normal technology” framing, a fundamental technology innovation is distinct from products based on it. Think of the invention of the LLM itself as electricity, and ChatGPT as the equivalent of Edison’s incandescent light bulb and the development of the distribution network to power it.

There’s a bit of a lesson in the fact that the telegraph was the first large-scale practical application of electricity, over 40 years before Edison’s lightbulb. The telephone was another killer app that used electricity to power it. But despite their scale, these were specialized devices. It was the infrastructure for incandescent lighting that turned electricity into a general purpose technology.

The world soon saw electrical resistance products like irons and toasters, and electric motors powering not just factories but household appliances such as washing machines and eventually refrigerators and air conditioning. Many of these household products were plugged into light sockets, since the pronged plug as we know it today wasn’t introduced until 30 years after the first light bulb.

The lesson is that at some point in the development of a general purpose technology, product innovation takes over from pure technology innovation. That’s the phase we’re entering now.

Look at the evolution of LLM-based products: Github Copilot embedded AI into Visual Studio Code; the interface was an extension to VS Code, a ten year old GUI-based program. Google’s AI efforts were tied into its web-based search products. ChatGPT broke the mold and introduced the first radically new interface since the web browser. Suddenly, chat was the preferred new interface for everything. But Claude Code took things further with Artifacts and then Claude Code, and once coding assistants gained more complex interfaces, that kicked off today’s fierce competition between coding tools. The next revolution is the construction of a new computing paradigm where software is composed of intelligent, autonomous agents.

I’m really looking forward to Rachel-Lee Nabors’ talk on how, with an agentic interface, we might transcend the traditional browser: AI agents can adapt content directly to users, offering privacy, accessibility, and flexibility that legacy web interfaces cannot match.

But it seems to me that there will be two kinds of agents, which I call “demand side” and “supply side” agents. What’s a “demand side” agent? Instead of navigating complex apps, you’ll simply state your goal. The agent will understand the context, access the necessary tools, and present you with the result. The vision is still science fiction. The reality is often a kludge powered by browser use or API calls, with MCP servers increasingly offering an AI-friendlier interface for those demand side agents to interact with. But why should it stop there? MCP servers are static interfaces. What if there were agents on both sides of the conversation, in a dynamic negotiation? I suspect that while demand side agents will be developed by venture funded startups, most server side agents will be developed by enterprises as a kind of conversational interface for both humans and AI agents that want access to their complex workflows, data, and business models. And those enterprises will often be using agentic platforms tailored for their use. That’s part of the “supply side agent” vision of companies like Sierra. I’ll be talking with Sierra co-founder Clay Bavor about this next step in agentic development.

We’ve grown accustomed to thinking about agents as lonely consumers—“tell me the weather,” “scan my code,” “summarize my inbox.” But that’s only half the story. If we build supply-side agent infrastructure—autonomous, discoverable, governed, negotiated—we unlock agility, resilience, security, and collaboration.

My interest in product innovation, not just advances in the underlying technology, is also why I’m excited about my fireside chat with Josh Woodward, who co-led the team that developed Notebook.LM at Google. I’m a huge fan of Notebook.LM, which in many ways brought the power of RAG (Retrieval Augmented Generation) to end users, allowing them to collect a set of documents into a Google drive, and then use that collection to drive chat, audio overviews of documents, study guides, mind maps, and much more.

Notebook.LM is also a lovely way to build on the deep collaborative infrastructure provided by Google Drive. We need to think more deeply about collaborative interfaces for AI. Right now, AI interaction is mostly a solitary sport. You can share the outputs with others, but not the generative process. I wrote about this recently in “People Work in Teams, AI Assistants in Silos.” I think that’s a big miss, and I’m hoping to probe Josh about Google’s plans in this area, and eager to see other innovations in AI-mediated human collaboration.

GitHub is another existing tool for collaboration that has become central to the AI ecosystem. I’m really looking forward to talking with outgoing CEO Thomas Dohmke both about the ways that Github already provides a kind of exoskeleton for collaboration when using AI code generation tools. It seems to me that one of the frontiers of AI-human interfaces will be those that enable not just small teams but eventually large groups to collaborate. I suspect that Github may have more to teach us about that future than we now suspect.

And finally, we are now learning that managing context is a critical part of designing effective AI applications. My co-chair Addy Osmani will be talking about the emergence of context engineering as a real discipline, and its relevance to agentic AI development.

Tool-Chaining Agents and Real Workflows

Today’s AI tools are largely solo performers—a Copilot suggesting code or a ChatGPT answering a query. The next leap is from single agents to interconnected systems. The program is filled with sessions on “tool-to-tool workflows” and multi-agent systems.

Ken Kousen will showcase the new generation of coding agents, including Claude Code, Codex CLI, Gemini CLI, and Junie, that help developers navigate codebases, automate tasks, and even refactor intelligently. In her talk, Angie Jones takes it further: agents that go beyond code generation to manage PRs, write tests, and update documentation—stepping “out of the IDE” and into real-world workflows.

Even more exciting is the idea of agents collaborating with each other. The Demo Day will showcase a multi-agent coding system where agents share, correct, and evolve code together. This isn’t science fiction; Amit Rustagi’s talk on decentralized AI agent infrastructure using technologies like WebAssembly and IPFS provides a practical architectural framework for making these agent swarms a reality.

The Crucial Ingredient: Common Protocols

How do all these agents talk to each other? How do they discover new tools and use them safely? The answer that echoes throughout the agenda is the Model Context Protocol (MCP).

Much as the distribution network for electricity was the enabler for all of the product innovation of the electrical revolution, MCP is the foundational plumbing, the universal language that will allow this new ecosystem to flourish. Multiple sessions and an entire Demo Day are dedicated to it. We’ll see how Google is using it for agent-to-agent communication, how it can be used to control complex software like Blender with natural language, and even how it can power novel SaaS product demos.

The heavy focus on a standardized protocol signals that the industry is maturing past cool demos and is now building the robust, interoperable infrastructure needed for a true agentic economy.

If the development of the internet is any guide, though MCP is a beginning, not the end. TCP/IP became the foundation of a layered protocol stack. It is likely that MCP will be followed by many more specialized protocols.

Why This Matters

I look forward to seeing you there!

AI tools are quickly moving beyond chat UX to sophisticated agent interactions. Our upcoming AI Codecon event, Coding for the Agentic World, will highlight how developers are already using agents to build innovative and effective AI-powered experiences. We hope you’ll join us on September 9 to explore the tools, workflows, and architectures defining the next era of programming. It’s free to attend. Register now to save your seat. And join us for O’Reilly Demo Day on September 16 to see how experts are shaping AI systems to work for them via MCP.

The funding and overall future of Head Start — which helps low-income families with child development and family support services — has been in the headlines for the better half of the year because of potential program cuts, followed by lawsuits, then think pieces and statements lauding its benefits.

The program, which is turning 60 this year and has served more than 40 million families, appears to be in the calm amid the eye of the storm. Local Head Start offices are largely operating business as usual, but leaders have bated breath — the future of its funding will be decided on Oct. 1.

While it may come into an additional $85 million windfall, or maintain its $12.2 billion in funding, both local and national Head Start officials have concerns that either scenario will not be enough.

“On the one hand we’re relieved that the initial proposal to eliminate Head Start is out of the way and we don’t have to have those conversations,” says Michelle Haimowitz, executive director of the Massachusetts Head Start Association. “But another year of flat funding would continue to cut us off at the knees. And the costs don’t magically stay flat; the only way to do that is cut enrollment and make other changes we don’t want to make.”

The concern comes amid months of confusion for staff and parents on the fate of Head Start. In April, leaked documents detailing fiscal year 2026 budgets revealed plans to cut Head Start funding entirely. That same month, four state Head Start advocacy organizations — Illinois, Pennsylvania, Washington and Wisconsin — and two parent groups sued the Trump administration over potential spending cuts on diversity, equity and inclusion initiatives.

The yo-yoing policy proposals brought delays in accessing funds. Megan Woller, executive director of Idaho’s Head Start Association, recalls one local Head Start office considered taking out a loan in July in order to pay staff before the funding came through. Haimowitz added the Massachusetts offices saw “significant” delays in the first half of the year accessing funds and getting grant approvals. Many Head Start offices across the nation, including in Washington, Mississippi and Illinois, have reported experiencing confusion, but meanwhile others, including in Colorado, Ohio and Virginia, are expanding.

The administrative funding hiccups were exacerbated by the stress of not being able to reach regional federal Head Start offices: In April, the 10 Head Start offices that helped local Head Start offices throughout the country were whittled down to five, with the remaining half of offices in Boston, Chicago, New York, San Francisco and Seattle closing. The closures followed plans to reduce the scope of the U.S. Department of Health and Human Services.

“While program specialists are doing everything they can to support us, their capacity to be as communicative and in touch as our program specialist in the Boston office — when they had half as many cases — is going to be significantly diminished,” Haimowitz says.

It also created confusion among parents who did not know the shuttered regional offices did not directly serve children, and instead were intermediaries.

“People got confused because they don’t know who that is; that it’s the federal government supporting the grantees, it’s not your kids’ center,” Woller says. “But the public doesn’t know the difference between all this. I was getting calls of ‘Wait, is my kid’s center closed tomorrow?’”

The funding hangups have largely been alleviated for now — Woller and Haimowitz both said the delays are continuing but seem to be improving — but a collective breath is being held as the future of Head Start’s funding remains in flux. While the Senate Appropriations Committee recommended an $85 million increase to Head Start funding in July — a roughly 0.6 percent bump — on Sept. 2, the House Appropriations Committee pushed the bill forward, proposing maintaining its current level of funding of $12.2 billion. The full Senate and House still need to give final approval and have until Oct. 1 to do so.

‘There Is No Plan B’

Tommy Sheridan, deputy director of the National Head Start Association, has served in the role for close to two decades. He acknowledged Head Start has been a pawn in political games on both sides of the aisle long before this year, pointing to a proposed funding cut in 2011 that was ultimately reversed, and the sequestration efforts in 2013.

Critics of Head Start have argued that it doesn’t produce strong enough outcomes for families to justify taxpayer support. Supporters contest that characterization.

Sheridan maintains what he calls a “cautious optimism” when it comes to the program’s funding future.

“Yes, we’ve seen those types of stressors and feel very confident Congress and the president will continue to keep their commitment to support families in every corner of the country,” he says. “Sometimes you have to take a step back to go forward; it feels that’s where the conversation has been, but we’re excited to move forward.”

However, what is unique in this year’s case is the possibility for Head Start’s funding to stay flat. The federal program has only had three instances over six decades when it did not receive an increase in funding, according to Sheridan. If the government decides to keep its funding flat yet again for the program this year, it would be the first time in its history that it did not receive a funding boost two fiscal years in a row.

Even if the 0.6 percent proposed increase for Head Start funding were enacted, it would not keep up with the rising cost of living — Social Security benefits, for example, increased 2.5 percent to account for cost of living in 2025. Each state has its own amount of Head Start funding, with some receiving more than others due to additional state investments. Massachusetts, for example, allocated an additional $20 million for the Head Start Supplemental Grant in fiscal year 2025, largely to boost classroom teacher salaries.

“Our concern is the fact we’re facing incredibly high costs: inflationary costs, rising health care costs, the need to pay staff competitive wages,” Sheridan says. “It’s not like any warm body can work as a Head Start teacher; that is a very specific set of skills, it requires degrees and training. So when we work with our staff and train them up, we want to reward them. With seeing flat funding, programs do have to make those cuts somewhere.”

The early childhood education sector is already battling with keeping its workforce, which has long been plagued by low wages. Woller says concern over the future of funding could accelerate the workforce exodus.

“The purpose of Head Start is to help lift families out of poverty, but we have to demonstrate that in part in how we pay the staff, and it’s really hard when the funding is as low as it is,” she says. “And when staff see everything crumbling at the federal level, they may look elsewhere; that’s also a big concern.”

There are also no viable alternative funding pathways, according to local and national officials. Head Start services are free for families.

“The types of services that Head Start provides take manpower other streams of child care funding don’t support,” Haimowitz says. “The state supplement has been growing and we’re incredibly grateful for that, but no alternative source is going to meet the types of needs that Head Start funding provides.”

Woller put it more simply.

“No, there is no Plan B,” she says with a self-defeated laugh. “There’s no backup plan when it’s this amount of dollars.”

Serving All Children?

There’s the added confusion of the recently announced policy change to reclassify Head Start as a federal public benefit, which would bar non-U.S. citizens from enrolling in Head Start services. There are currently no systems in place to check for immigration status.

The policy idea has not been passed as of the beginning of September. Both regional and national Head Start officials say they have not been given any directive or guidance to enforce these proposed rules, and that all families that were eligible for Head Start according to preexisting guidelines continue to be.

“Philosophically, the Head Start promise is all children, regardless of circumstance at birth, can succeed at school and life,” Woller says. “We want to make sure we uphold that.”

While the funding future of Head Start remains in flux, officials are trying to spread the word that the programming remains open and available for any one that needs it.

“The tough part is the uncertainty and lack of answers; that’s the part that’s keeping folks up at night,” Haimowitz says. “There are so few answers for all the questions we have, and directors are trying to keep their teachers on staff, keep families feeling comfortable and showing Head Start is open and enrolling amidst all this real uncertainty. It’s tough.”