Autonomous AI systems operating in Google Cloud may, under certain conditions, gain access to an organisation’s data and resources at the level of a privileged user. According to researchers from the Unit 42 team, the issue concerns the Google Cloud environment, including the Vertex AI platform, where default configurations may grant AI agents overly broad permissions[1]. In practice, this means that a misconfigured or compromised agent could gain access to key data and systems beyond its actual operational needs.
This discovery forms part of a broader trend linked to the growing role of autonomous systems in cloud environments. More and more companies are using AI agents to automate business processes, giving them access to multiple systems at the same time. This is not an isolated case: analyses by Palo Alto Networks show that as many as 99% of organisations experienced at least one attack targeting AI systems in the past year, with the most common scenarios involving privilege takeover and access to data[2].
“As the deployment of AI agents grows, companies are creating systems with a very broad scope of autonomy. If their permissions are not properly restricted, they can become a natural target for attackers and, as a result, operate like privileged users with access to critical resources. In the case of Google Cloud Vertex AI, the problem stemmed from the fact that the default settings assigned the agent a scope of access that exceeded its actual operational needs, which in practice opened the door to further privilege escalation. As a result, a single component could become the starting point for broader access to cloud resources, including data stored in an organisation’s infrastructure,” says Tomasz Pietrzyk, Technical Director at Palo Alto Networks in Central and Eastern Europe.
The analysis also indicates that, under certain conditions, access to elements of the platform’s infrastructure was possible, which increases the risk that an attacker could learn its architecture and potentially carry out supply chain attacks. Unit 42 experts also point out that the scope of default permissions may, in some scenarios, include other services connected to an organisation’s ecosystem.
The new findings show a shift in the nature of threats related to artificial intelligence. Until now, AI has primarily been a tool used by cybercriminals, for example to automate phishing or create malicious software. Today, it is increasingly becoming not only a target of attacks, but also an intermediary in them. At the same time, the development of AI shortens the time between the discovery of a vulnerability and its exploitation, which further increases the importance of misconfigurations and excessive permissions.
“Proper configuration and oversight of AI systems are crucial. In practice, this means the need to strictly limit the scope of permissions in line with the basic security principle of least privilege, use dedicated service accounts instead of default settings, and regularly audit access to data and services. Monitoring the behaviour of AI agents is also playing an increasingly important role. As with privileged users, their activity should be analysed for anomalies,” emphasises Tomasz Pietrzyk.
The development of platforms such as Vertex AI is accelerating the digital transformation of enterprises, but at the same time it is changing the way organisations think about security. Autonomous systems are becoming full participants in the IT environment, which means they require the same approach as users with high-level privileges: a clearly defined scope of access and constant control over their activity.
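The audit recommended above can start from an exported project IAM policy. The following is an added example, not code from Unit 42, Palo Alto Networks or the article: it flags service accounts bound to basic roles and bindings that use a default service account rather than a dedicated one. The sample policy is constructed, and the choice of which accounts and roles to flag is an assumption made here, since the article does not name them.

```python
import json
import re

# Constructed sample in the shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
# Project number, project ID and account names are made up.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                 "user:admin@example.com"]},
    {"role": "roles/aiplatform.user",
     "members": ["serviceAccount:agent-runner@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/owner",
     "members": ["serviceAccount:agent-runner@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:example-project@appspot.gserviceaccount.com"]}
  ]
}
""")

# Assumption: basic roles on a service account count as overly broad.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Assumption: Compute Engine and App Engine default accounts stand in for
# "default settings"; extend the pattern for other defaults in your estate.
DEFAULT_SA = re.compile(
    r"^(\d+-compute@developer\.gserviceaccount\.com"
    r"|[a-z0-9.:-]+@appspot\.gserviceaccount\.com)$"
)

def audit_policy(policy):
    """Return sorted (finding, role, account) tuples for service accounts only."""
    findings = set()
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            kind, _, account = member.partition(":")
            if kind != "serviceAccount":
                continue  # human users and groups are out of scope here
            if role in BASIC_ROLES:
                findings.add(("basic-role", role, account))
            if DEFAULT_SA.match(account):
                findings.add(("default-account", role, account))
    return sorted(findings)

if __name__ == "__main__":
    for finding, role, account in audit_policy(SAMPLE_POLICY):
        print(f"{finding:16} {role:28} {account}")
```

A dedicated account holding a basic role is still reported, because replacing the default account does not by itself narrow the scope of access.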
[1] Unit 42: Double Agents: Abusing Vertex AI to Gain Privileged Access
[2] Palo Alto Networks: Cloud Security 2025 Report Insights
Source: CEO.com.pl


