Two sets of security requirement updates were published on February 20, 2026. Baseline security requirements for Atlassian Government Cloud (AGC) apps take effect March 31, 2026. The annual update to the general Cloud App Security Requirements for 2026 adds new provisions across four areas.

Key additions (from the source)

• AI Security: Apps using Forge Rovo actions and agents must validate action inputs as untrusted, implement permission checks for admin-level actions, and accurately configure actionVerb values
• Data Protection: External OAuth2 clients must use Forge's OAuth2 Providers as confidential clients; app logs must exclude PII, credentials, and sensitive data; apps must ensure strict tenant isolation; apps must not execute arbitrary code via child processes
• Application Security: Forge SQL apps must use parameterized queries; updated CSP guidance on unsafe-inline and unsafe-eval
• Runtime Security: Apps must not use end-of-life Node.js runtimes