Google's Vertex AI Has an Over-Privileged Problem

CYBER RISK THREAT INTELLIGENCE VULNERABILITIES & THREATS NEWS Google's Vertex AI Has an Over-Privileged Problem Palo Alto researchers show how attackers could exploit AI agents on Google's Vertex AI to steal data and break into restricted cloud infrastructure. Jai Vijayan,Contributing Writer March 31, 2026 4 Min Read SOURCE: KROT_STUDIO VIA SHUTTERSTOCK The AI agents many organizations have begun deploying to automate complex business and operational workflows can be quietly turned against them if not properly configured with the right permissions. Recent research by Palo Alto Networks has shown how the risk can materialize in Google Cloud's Vertex AI platform, where excessive default permissions give attackers a way to abuse a deployed AI agent and use it to steal sensitive data, access restricted internal infrastructure, and potentially execute other unauthorized actions. Excessive Permissions Google has updated its official documentation to more explicitly explain how Vertex AI uses agents and other resources after Palo Alto Networks disclosed its findings to the search and cloud giant. Google has also recommended that organizations that want to use least-privilege access in their agentic AI environment replace the default service agent on Vertex Agent Engine with their own custom dedicated service account. Related:Manufacturing and Healthcare Share Struggles with Passwords Vertex AI is a Google Cloud platform that allows organizations to build, deploy, and manage AI-powered applications. It offers an Agent Engine and Application Development Kit that developers can use to create autonomous agents for performing tasks like querying databases, interacting with APIs, managing files, and making automated decisions with minimal human oversight. Many enterprises use these agents, or similar ones on other cloud platforms, to automate workflows, analyze data, power customer service tools, and AI-enable existing cloud services, granting them wide access permissions in the process. And it's that wide access that creates opportunities for attackers to hijack those agents and turn them into double agents, doing the dirty work while appearing seemingly normal to the organizations using them, Palo Alto said in its report. On Google's Vertex AI platform, the researchers discovered a default service account tied to every deployed Vertex AI agent called Per-Project, Per-Product Service Agent (P4SA) with excessive default permissions. The researchers showed how an attacker who is able to extract the agent's service account credentials could use them to gain access to sensitive areas of the customer's cloud environment. They showed how the same credentials would allow an attacker to download proprietary container images from Google's own internal infrastructure and to discover hardcoded references to internal Google storage buckets for potential future attacks. Significant Security Risk "This level of access constitutes a significant security risk, transforming the AI agent from a helpful tool into an insider threat," Palo Alto researcher Ofir Shaty wrote. "The scopes set by default on the Agent Engine could potentially extend access beyond the GCP environment and into an organization's Google Workspace, including services such as Gmail, Google Calendar, and Google Drive." Related:Wartime Usage of Compromised IP Cameras Highlight Their Danger To demonstrate the threat, Palo Alto's researchers built a proof-of-concept Vertex AI agent, that, once deployed, sends a request to Google's internal metadata service to extract the live credentials of the P4SA service agent running underneath it. The researchers used the permissions associated with those credentials to break out of the AI agent's environment and into the customer's broader Google Cloud Project and also into Google's own internal infrastructure. Palo Alto did not respond immediately to a Dark Reading request that sought to understand if they would expect to find similarly excessive default agent permissions on AI platforms from other major cloud vendors. But Ian Swanson, VP of AI security at the company, says the broad takeaway for organization is the need for them to pay attention to the security risks that AI agents can inadvertently introduce. Related:Intermediaries Driving Global Spyware Market Expansion “Agents represent a shift in enterprise productivity from AI that talks to AI that acts," he says. And that means the risks are no longer just about data leakage but also about agents taking unauthorized action. "When deploying agents, organizations must realize that there can be no AI without security of AI. Security teams must be able to discover agents wherever they live in enterprise environments, assess potential risk before deployment, and protect agents at runtime as they enter business and operational workflows," he says. A Google spokeswoman pointed to the company's recent documentation update as a measure it has taken to make organizations more aware of the permissions that agents have on Vertex AI. "A key best practice for securing Agent Engine and ensuring least-privilege execution is Bring Your Own Service Account (BYOSA)," the spokeswoman said, quoting the Palo Alto report. "Using BYOSA, Agent Engine users can enforce the principle of least privilege, granting the agent only the specific permissions it requires to function and effectively mitigating the risk of excessive privileges." About the Author Jai Vijayan Contributing Writer Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report The ROI of AI in Security Cybersecurity Forecast 2026 ThreatLabz 2025 Ransomware Report Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars You May Also Like CYBER RISK Dark Reading Confidential: A Guided Tour of Today's Dark Web by Dark Reading Staff AUG 28, 2025 CYBER RISK 'Venom Spider' Targets Hiring Managers in Phishing Scheme by Alexander Culafi, Senior News Writer, Dark Reading MAY 05, 2025 CYBERATTACKS & DATA BREACHES DeepSeek Breach Opens Floodgates to Dark Web by Emma Zaballos APR 22, 2025 CYBER RISK CISA Warns: Old DNS Trick 'Fast Flux' Is Still Thriving by Nate Nelson, Contributing Writer APR 04, 2025 Editor's Choice CYBERSECURITY OPERATIONS Why Stryker's Outage Is a Disaster Recovery Wake-Up Call byJai Vijayan MAR 12, 2026 5 MIN READ CYBER RISK What Orgs Can Learn From Olympics, World Cup IR Plans byTara Seals MAR 12, 2026 THREAT INTELLIGENCE Commercial Spyware Opponents Fear US Policy Shifting byRob Wright MAR 12, 2026 9 MIN READ Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Building a Robust SOC in a Post-AI World THURS, MARCH 19, 2026 AT 1PM EST Retail Security: Protecting Customer Data and Payment Systems THURS, APRIL 2, 2026 AT 1PM EST Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need WED, APRIL 1, 2026 AT 1PM EST Securing Remote and Hybrid Work Forecast: Beyond the VPN TUES, MARCH 10, 2026 AT 1PM EST AI-Powered Threat Detection: Beyond Traditional Security Models WED, MARCH 25, 2026 AT 1PM EST More Webinars White Papers Autonomous Pentesting at Machine Speed, Without False Positives Fixing Organizations' Identity Security Posture Best practices for incident response planning Industry Report: AI, SOC, and Modernizing Cybersecurity The Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks. Explore More White Papers BLACK HAT ASIA | MARINA BAY SANDS, SINGAPORE Experience cutting-edge cybersecurity insights in this four-day event featuring expert Briefings on the latest research, Arsenal tool demos, a vibrant Business Hall, networking opportunities, and more. Use code DARKREADING for a Free Business Pass or $200 off a Briefings Pass. GET YOUR PASS GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE