
AI “Double Agent” Risk Discovered in Google Cloud Vertex AI

Palo Alto Networks

In a striking revelation that emphasizes the growing risks of AI adoption, Palo Alto Networks’ Unit 42 research team has identified a critical vulnerability within Google Cloud Platform’s Vertex AI Agent Engine, one that could allow an AI agent to be turned into a malicious “double agent.”

The issue surfaced during an in-depth analysis of AI agent deployments in enterprise cloud environments. Researchers demonstrated how an attacker could exploit default permission settings associated with a Per-Project, Per-Product Service Agent (P4SA). By compromising just one such agent, it became possible to escalate privileges significantly, opening the door to widespread control over a customer’s cloud infrastructure.

The implications of this were far-reaching. Unit 42 found that a compromised agent could gain unrestricted read access to all data stored in Google Cloud Storage buckets within a project. This meant sensitive information across the organization could be exposed without detection.

“This research highlights how rapidly AI adoption is reshaping the threat landscape. Intelligent systems can become high-value attack surfaces if permissions and controls are not rigorously designed.”

Nir Zuk, Founder and CTO, Palo Alto Networks

Further investigation revealed an even deeper layer of concern. Attackers could also access restricted, Google-owned Artifact Registry repositories. This enabled them to download container images that support the Vertex AI Reasoning Engine, inadvertently exposing internal infrastructure details that are typically shielded from customers.

Perhaps the most subtle yet concerning finding was the existence of overly permissive and non-editable OAuth 2.0 scopes. These created a latent vulnerability that could potentially extend access beyond cloud assets into Google Workspace services like Gmail and Drive, expanding the risk footprint significantly.

Following responsible disclosure practices, Unit 42 worked closely with Google’s security team to address the findings. In response, Google updated its documentation to improve transparency around resource usage and recommended organizations adopt the Bring Your Own Service Account (BYOSA) model. This approach helps enforce the principle of least privilege, reducing exposure to excessive permissions.
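The least-privilege point behind the BYOSA recommendation can be checked mechanically. The script below is an added example written for this article; it is not Unit 42's tooling or Google's code. It audits an exported project IAM policy (the shape returned by `gcloud projects get-iam-policy PROJECT --format=json`) for Google-managed service agents that hold a project-wide Cloud Storage role, and contrasts that with a BYOSA-style setup where a customer-owned service account is bound only on the one bucket it needs. The role list, the `service-<number>@...` naming heuristic, the project number and all account, bucket and domain names are assumptions or constructed placeholders; the real service-agent domain is not stated on this page.

```python
"""Audit GCP IAM policies for the over-broad storage grants the article describes.

Added example (not Unit 42's or Google's code): flags Google-managed service agents
that hold a project-wide Cloud Storage role, and contrasts that with a BYOSA setup
where a customer-owned service account is bound only on the bucket it needs.
Sample policies below are constructed; project numbers and names are placeholders.
"""
import fnmatch
import json

# Roles that, bound at project scope, grant read (or more) on every bucket in the project.
# Assumption: a starting point, not an exhaustive catalogue of storage-granting roles.
BROAD_STORAGE_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.objectUser",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
    "roles/viewer",
    "roles/editor",
    "roles/owner",
}

# Google-managed service agents are named service-<project-number>@<product-domain>.
# Heuristic only: a customer SA deliberately named "service-..." would also match.
SERVICE_AGENT_GLOB = "serviceAccount:service-*@*.iam.gserviceaccount.com"


def is_service_agent(member: str) -> bool:
    """True if an IAM member string looks like a Google-managed service agent."""
    return fnmatch.fnmatchcase(member, SERVICE_AGENT_GLOB)


def find_broad_storage_grants(project_policy: dict) -> list[tuple[str, str]]:
    """(member, role) pairs where a service agent holds a broad storage role at project scope."""
    hits = []
    for binding in project_policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in BROAD_STORAGE_ROLES:
            continue
        hits.extend((m, role) for m in binding.get("members", []) if is_service_agent(m))
    return sorted(hits)


def bucket_scoped_grants(bucket_policies: dict[str, dict]) -> list[tuple[str, str, str]]:
    """(bucket, member, role) for every service-account binding set on an individual bucket."""
    grants = []
    for bucket, policy in bucket_policies.items():
        for binding in policy.get("bindings", []):
            for member in binding.get("members", []):
                if member.startswith("serviceAccount:"):
                    grants.append((bucket, member, binding["role"]))
    return sorted(grants)


def audit(project_policy: dict, bucket_policies: dict[str, dict]) -> dict:
    """Summarise project-wide service-agent storage grants versus bucket-scoped ones."""
    broad = find_broad_storage_grants(project_policy)
    return {
        "project_wide_service_agent_storage_grants": broad,
        "bucket_scoped_grants": bucket_scoped_grants(bucket_policies),
        "least_privilege": not broad,
    }


# --- Constructed sample input (placeholder project number and names) ---

# Default-style setup: a product service agent holds objectViewer on the whole project.
DEFAULT_PROJECT_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/storage.objectViewer",
   "members": ["serviceAccount:service-123456789012@gcp-sa-example.iam.gserviceaccount.com"]},
  {"role": "roles/editor", "members": ["user:alice@example.com"]}
]}
""")

# BYOSA-style setup: the agent runs as a customer-owned SA with no project-level storage role...
BYOSA_PROJECT_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/editor", "members": ["user:alice@example.com"]},
  {"role": "roles/logging.logWriter",
   "members": ["serviceAccount:agent-runtime@example-project.iam.gserviceaccount.com"]}
]}
""")

# ...and is granted read access only on the single bucket the agent actually needs.
BYOSA_BUCKET_POLICIES = {
    "gs://agent-knowledge-base": json.loads("""
    {"bindings": [
      {"role": "roles/storage.objectViewer",
       "members": ["serviceAccount:agent-runtime@example-project.iam.gserviceaccount.com"]}
    ]}
    """)
}

if __name__ == "__main__":
    print(json.dumps(audit(DEFAULT_PROJECT_POLICY, {}), indent=2))
    print(json.dumps(audit(BYOSA_PROJECT_POLICY, BYOSA_BUCKET_POLICIES), indent=2))
```

Run against real exports by replacing the constructed policies with the JSON from `gcloud projects get-iam-policy` and, per bucket, `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`. The first sample produces a finding (a service agent with project-wide object read), the second produces none, because the only storage role is attached to one bucket and to an account the customer controls.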

The discovery serves as a timely warning for enterprises embracing AI-driven platforms. While AI agents promise automation and efficiency, they also introduce new security complexities. As organizations accelerate digital transformation, ensuring robust permission controls and security governance will be essential to prevent innovation from becoming a vulnerability.
