VERIK / V051 / 13 MAY 2026
Five CategoriesGovernance

Microsoft Named the Harness as the Actor

A production vulnerability-discovery system found sixteen of May's Patch Tuesday flaws. The finding credit belongs to the harness, not to any single model.

On May 13, 2026, Microsoft disclosed that a new internal system called MDASH, a multi-model agentic scanning harness built by its Autonomous Code Security team, had found sixteen of the 137 vulnerabilities fixed in that month's Patch Tuesday release, four of them critical, including unauthenticated remote code execution flaws in the Windows kernel TCP/IP stack and the IKEv2 service, according to SecurityWeek's reporting. MDASH orchestrates more than 100 specialized AI agents across multiple frontier and distilled models in a structured pipeline: preparation, scanning, validation, deduplication, and proof construction. Some agents propose candidate vulnerabilities. Other agents argue for or against exploitability. A final stage attempts to construct an input that actually triggers the bug before any finding reaches a human engineer. On the public CyberGym benchmark of 1,507 real-world vulnerability tasks, MDASH scored 88%. Against pre-patch snapshots of two heavily audited Windows components, it recovered 96% and 100% of the confirmed vulnerabilities found in those components over the prior five years. MDASH remains in limited private preview; Microsoft is inviting security teams to apply for early access.

The naming choice is the load-bearing detail. Microsoft did not credit a model. It credited a harness, a term of art for the orchestration layer that sequences agents, arbitrates disagreement among them, and decides which findings survive to the next stage. The vulnerability was not found by an LLM answering a prompt. It was found by a multi-stage pipeline in which no single component's output is the final word.

The Harness as Substrate Actor

Treating the harness as the unit that acted, rather than any individual model inside it, changes what a governance framework has to describe. A model-centric compliance regime asks which model produced an output and whether that model was evaluated for safety. A harness-centric reality asks a different question: which stage of the pipeline is accountable for a given finding, and what happened to the findings that did not survive deduplication or proof construction. MDASH's own architecture, preparation, scanning, validation, deduplication, proof construction, is itself a governance-relevant object. Each stage discards candidates. The audit trail for what was discarded, and why, is not a model output. It is a property of the harness's internal control flow.

This is not unique to MDASH. Multiple research groups have converged on the same structural observation within the same publication window. A May 27, 2026 paper on Cybersecurity SuperIntelligence opens by asking, directly, "what is the best harness for cybersecurity AI," and finds that no single scaffold dominates across challenge types: the best individual scaffold solved 15 of 33 Cybench challenges (45.5%), while a blackboard architecture in which scaffold-specialized agents exchange intermediate findings through a shared substrate solved 19 of 33 (57.6%), a 27% relative gain achieved 25% faster than the best individual scaffold, at comparable cost. The paper's authors are explicit that the harness, not the underlying model, is the variable that determines outcome. MDASH is a production instance of the same claim: the orchestration layer, not the frontier model inside it, is doing the work that matters for governance purposes.

What a Harness Obscures

A pipeline with a validation stage and a deduplication stage is, by construction, a pipeline that produces false negatives on purpose. Findings get discarded because they fail an internal exploitability argument, or because they duplicate an earlier candidate, or because proof construction could not build a triggering input in the time allotted. Those decisions are consequential. A vulnerability that MDASH's validation stage rejects as non-exploitable, incorrectly, does not reach a human engineer, and there is no external mechanism described in Microsoft's disclosure for auditing that rejection after the fact.

This is the same gap identified in the CISA-led Five Eyes advisory on agentic AI under its Accountability category: agentic system architecture can obscure what caused a particular action, and that obscurity compounds as agents are given more roles and more capabilities. MDASH is not itself a compromise scenario. It is a defensive tool, built to find bugs before an attacker does. But the same architectural property that makes it effective, a multi-stage pipeline where later stages filter and arbitrate earlier stages' output, is the property that makes its internal decision record opaque to anyone outside Microsoft's Autonomous Code Security team. The 16 vulnerabilities that were found are visible because they became Patch Tuesday entries. The candidates that MDASH considered and discarded are not visible to anyone.

Harness as the Unit of Analysis

The convergence on "harness" as a first-class object is now showing up across independent publication venues in the same window. Beyond the CSI paper's meta-scaffold framing, empirical benchmarks aimed at cybersecurity agents, including the CyberGym benchmark that Microsoft used to validate MDASH, are increasingly designed to score pipelines rather than models. That shift matters for anyone trying to write a governance requirement, because a requirement written against "the model" does not bind the orchestration layer where discard decisions, arbitration decisions, and proof-construction failures actually happen. If the harness is the actor, a compliance regime that only evaluates models is evaluating the wrong object.

Microsoft's disclosure did not frame MDASH this way explicitly. It described the pipeline stages and reported the results. But the structure of the disclosure, crediting the system rather than a model, and describing a preview program rather than a general-availability release, leaves the governance question fully open. A system that finds 16 zero-day-class vulnerabilities before a Patch Tuesday cycle is a genuine defensive capability. It is also a system whose internal arbitration logic, run at scale across more than 100 agents, has no described external verification path.

Open Questions

The governance artifact is retained. The governance function is not.