Vertex AI agent misconfig warning
Palo Alto Networks’ Unit 42 found that misconfigurations in Google Cloud’s Vertex AI Agent Engine could allow autonomous agents to access sensitive cloud resources if not tightly governed. (infotechlead.com) The research frames autonomous agents as potential insider-threat vectors when identity and least-privilege controls are incomplete. (infotechlead.com)
An artificial intelligence agent on Google Cloud can inherit enough access to reach data and code it was never meant to touch if permissions are left too broad. (unit42.paloaltonetworks.com)

Vertex AI Agent Engine is Google Cloud’s managed service for running autonomous software agents in production, and Google says it handles the runtime, scaling, logging, and security features for those agents. Google’s documentation now also says deployed agents can run with either a Google-managed service account or a customer’s custom service account. (docs.cloud.google.com 1) (docs.cloud.google.com 2)

Palo Alto Networks’ Unit 42 published its findings on March 31, 2026 after deploying an agent with Google Cloud’s Agent Development Kit and tracing the permissions attached to the service agent behind it. The researchers said the Per-Project, Per-Product Service Agent had excessive permissions by default and could be abused after a single agent compromise. (unit42.paloaltonetworks.com)

In plain terms, the risk starts with identity: the credentials that tell Google Cloud what an agent is allowed to do. If an attacker can steal or misuse those credentials, Unit 42 said the agent can stop acting like a helper and start acting like a trusted insider with access to storage, code, and infrastructure. (unit42.paloaltonetworks.com)

Unit 42 said it used stolen credentials to read all Google Cloud Storage buckets in the customer project where the agent was deployed. The same path also exposed restricted container images and source code in a Google-controlled producer project tied to the service. (unit42.paloaltonetworks.com) (thehackernews.com)

Google did not announce a product recall or shutdown. Instead, Unit 42 said it reported the issue to Google, and Google revised its documentation to spell out more clearly how Vertex AI uses resources, service accounts, and agents. (unit42.paloaltonetworks.com)

Those documentation changes are visible in Google’s current guidance. One page says agents deployed with service accounts can access anything that account can access, while another introduces “agent identity” in preview as a per-agent identity designed for least-privilege access and protected by Context-Aware Access policies. (docs.cloud.google.com 1) (docs.cloud.google.com 2)

Google’s broader Identity and Access Management guidance already recommends custom roles over broad predefined roles because predefined roles often include more permissions than needed. That advice matters more for agents because they can take actions automatically, at machine speed, once they are deployed into business workflows. (docs.cloud.google.com)

The immediate fix Unit 42 and follow-on coverage point to is tighter scoping: bring your own service account, review every granted role, and avoid letting a default Google-managed identity become a skeleton key. The warning is not that every Vertex AI agent is compromised, but that an autonomous agent with sloppy permissions can become one. (unit42.paloaltonetworks.com) (securityweek.com)
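
One way to carry out the "review every granted role" step is sketched below. It is an added example, not code from Unit 42 or Google, and it audits a project IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns. The watch lists, the `gcp-sa-` domain heuristic for Google-managed service agents, and every account name in the sample policy are assumptions or constructed values.

```python
import json

# Assumed watch lists for illustration; tune them to your own environment.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
BROAD_ROLES = {"roles/storage.admin", "roles/storage.objectAdmin",
               "roles/storage.objectViewer", "roles/artifactregistry.reader"}

def identity_kind(member):
    """Classify a policy member; returns None for anything but a service account."""
    if not member.startswith("serviceAccount:"):
        return None
    domain = member.split("@", 1)[-1]
    # Assumption: Google-managed service agents live in gcp-sa-* domains.
    return "google-managed" if domain.startswith("gcp-sa-") else "customer-managed"

def audit(policy):
    """Return (severity, kind, member, role) for each over-broad project-level grant."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        conditional = "condition" in binding  # an IAM condition narrows the grant
        for member in binding.get("members", []):
            kind = identity_kind(member)
            if kind and role in BASIC_ROLES:
                findings.append(("HIGH", kind, member, role))
            elif kind and role in BROAD_ROLES and not conditional:
                findings.append(("MEDIUM", kind, member, role))
    return sorted(findings)

# Constructed sample policy, not taken from any real project.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/editor",
   "members": ["serviceAccount:service-123456789012@gcp-sa-example.iam.gserviceaccount.com"]},
  {"role": "roles/storage.objectViewer",
   "members": ["serviceAccount:agent-runtime@example-project.iam.gserviceaccount.com",
               "user:alice@example.com"]},
  {"role": "roles/storage.objectViewer",
   "members": ["serviceAccount:scoped-agent@example-project.iam.gserviceaccount.com"],
   "condition": {"title": "one-bucket",
     "expression": "resource.name.startsWith('projects/_/buckets/agent-inputs')"}},
  {"role": "projects/example-project/roles/agentMinimal",
   "members": ["serviceAccount:agent-runtime@example-project.iam.gserviceaccount.com"]}
]}
""")

if __name__ == "__main__":
    for severity, kind, member, role in audit(SAMPLE_POLICY):
        print(f"{severity:6} {kind:16} {role:28} {member}")
```

The conditional binding and the custom role pass the check, while the unconditioned project-wide storage grant and the basic role on a Google-managed identity are reported.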