Acronis researchers identified 575 malicious skills across the OpenClaw ecosystem. Snyk found roughly one in five agent skills is outright malicious. The AI distribution layer has become a primary supply chain attack surface, and Australian regulated industries have direct CPS 230 and CPS 234 exposure.

Frontier LLMs have collapsed the bug-to-exploit window from five months to ten hours, and agents have become a brand new attack surface. Here is what Australian regulated businesses need to do this quarter, and how it maps to the Essential Eight, CPS 234 and the Privacy Act reforms.

Solo agents are becoming cooperating teams, software is becoming outcomes, and the buyer in regulated industries is being asked a different question. Here is what the shift to agentic AI and vertical AI means for boards, regulators and operators in 2026.