Vertex AI agent misconfiguration risk

Researchers cited by InfotechLead warn that misconfigurations in Google Cloud’s Vertex AI Agent Engine could let malicious autonomous agents access sensitive cloud resources. The write‑up frames such misconfigurations as potential insider‑threat vectors for autonomous tooling in enterprise clouds. (infotechlead.com)

Google Cloud customers using Vertex AI Agent Engine are being warned that a bad identity setup can turn an autonomous agent into a cloud insider with access it was never meant to have. (unit42.paloaltonetworks.com) Vertex AI Agent Engine is Google’s managed service for deploying and scaling artificial intelligence agents in production. Google says the service can run agents with service accounts or with a newer per-agent identity model now in preview. (cloud.google.com 1) (cloud.google.com 2) In Google Cloud, a service account is the machine identity that lets software call storage, databases, and other services. Google’s documentation says deployed agents can access every resource their service account is allowed to reach. (cloud.google.com)

Palo Alto Networks Unit 42 said on March 31 that it built and deployed a test agent and found that the Google-managed service agent tied to Vertex AI had excessive default permissions. The researchers said they could abuse that access to move from the agent’s runtime into customer project resources. (unit42.paloaltonetworks.com) (securityweek.com) Unit 42 said its proof of concept reached privileged data in a consumer project and also accessed restricted container images and source code in a Google producer project. SecurityWeek reported that Google addressed the issues after the disclosure. (unit42.paloaltonetworks.com) (securityweek.com)

Google’s current documentation now pushes a narrower model called agent identity. The company says agent identity gives each deployed agent a unique identity, supports least-privilege access, and uses certificate-bound tokens so that stolen credentials cannot be replayed outside the trusted runtime. (cloud.google.com) Google also says customers can inspect the roles attached to a deployed agent and add or revoke access in Identity and Access Management. That puts day-to-day permission scoping on the customer side of the shared-responsibility line. (cloud.google.com 1) (cloud.google.com 2)

The timing matters because Google is expanding agent features across Vertex AI. The Agent Engine overview page lists runtime, memory, code execution, observability, and a preview threat-detection feature inside Security Command Center. (cloud.google.com) The practical lesson is that older cloud mistakes are reappearing in agent software that has more autonomy attached. If an agent can read files, call application programming interfaces, and act on its own schedule, the permissions behind that agent become the real security boundary. (cloud.google.com) (unit42.paloaltonetworks.com)
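As an added example (not code from the article, Unit 42 or Google), the script below applies the point about inspecting the roles attached to a deployed agent: it reads a project IAM policy in the JSON shape that `gcloud projects get-iam-policy --format=json` emits, lists what the agent's service account can reach, flags basic roles that break least privilege, and prints the revoke commands for review. The service account name and the policy are constructed placeholders, and the role sets are this script's own choices, not a Google-published list.

```python
import json

# Constructed sample, shaped like the JSON that
# `gcloud projects get-iam-policy PROJECT --format=json` returns.
# The agent service account is a placeholder, not a real Google identity.
AGENT_SA = "agent-runner@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/editor",
     "members": [f"serviceAccount:{AGENT_SA}"]},
    {"role": "roles/storage.objectViewer",
     "members": [f"serviceAccount:{AGENT_SA}", "user:alice@example.com"]},
    {"role": "roles/secretmanager.secretAccessor",
     "members": [f"serviceAccount:{AGENT_SA}"]},
    {"role": "roles/viewer", "members": ["user:bob@example.com"]},
]})

# Basic roles span the whole project; an agent holding one is never least privilege.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Roles that reach data an autonomous agent rarely needs; grant only with a justification.
SENSITIVE_ROLES = {"roles/secretmanager.secretAccessor", "roles/storage.admin",
                   "roles/iam.serviceAccountTokenCreator", "roles/bigquery.dataViewer"}


def roles_for_member(policy: dict, member: str) -> set:
    """Collect every role the policy binds to one principal (conditional bindings included)."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit_agent_identity(policy_json: str, agent_sa: str) -> dict:
    """Summarise what a deployed agent can reach through its service account."""
    roles = roles_for_member(json.loads(policy_json), f"serviceAccount:{agent_sa}")
    return {
        "roles": sorted(roles),
        "broad": sorted(roles & BROAD_ROLES),
        "sensitive": sorted(roles & SENSITIVE_ROLES),
        "least_privilege": not (roles & BROAD_ROLES),
    }


def remediation_commands(project: str, agent_sa: str, findings: dict) -> list:
    """gcloud commands that revoke the broad grants; review them, then run by hand."""
    return [f"gcloud projects remove-iam-policy-binding {project} "
            f"--member=serviceAccount:{agent_sa} --role={role}"
            for role in findings["broad"]]


if __name__ == "__main__":
    findings = audit_agent_identity(SAMPLE_POLICY, AGENT_SA)
    print(json.dumps(findings, indent=2))
    for cmd in remediation_commands("example-project", AGENT_SA, findings):
        print(cmd)
```

Run it against the real policy by replacing SAMPLE_POLICY with the output of `gcloud projects get-iam-policy PROJECT --format=json` and AGENT_SA with the identity shown on the deployed agent.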

Shared from Scout - Be the smartest in the room.