Vertex AI agent‑insider risk flagged
Researchers disclosed risks in Google Cloud Vertex AI showing how autonomous agents could act like insider threats if permissions and service accounts are misconfigured, prompting Google to update documentation on permission and service‑account management. The advisory recommends least‑privilege access and restricted OAuth scopes to prevent agents from elevating access unintentionally. (infotechlead.com)
Google Cloud customers using Vertex AI agents are being told to recheck permissions after Palo Alto Networks researchers showed a misconfigured agent could behave like an insider with broad cloud access. (securityweek.com)
Vertex AI Agent Engine is Google Cloud’s managed runtime for AI agents, which are software systems that can call tools and reach other services on their own. Google’s documentation says deployed agents can run either with a Google-managed service account or a customer’s custom service account. (docs.cloud.google.com 1) (docs.cloud.google.com 2)
A service account is the cloud equivalent of a staff badge for software, and whatever that badge can open, the agent can open too. Google says agents deployed with service accounts have access to all resources that account is allowed to use. (docs.cloud.google.com)
Unit 42, Palo Alto Networks’ research team, said in a report published in late March 2026 that it weaponized a Vertex AI agent by exploiting default permission scoping and a compromised service agent. The firm said the result could be access to sensitive data, infrastructure abuse, and persistence inside a Google Cloud environment. (unit42.paloaltonetworks.com)
Google did not announce a product patch in the materials reviewed, but it updated Vertex AI documentation in April 2026 to spell out how service accounts, agent identity, and permissions work. New and refreshed pages now emphasize listing an agent’s roles, using custom service accounts, and applying least-privilege access. (docs.cloud.google.com 1) (docs.cloud.google.com 2) (docs.cloud.google.com 3)
Google’s newer “agent identity” option is designed to narrow that risk by giving each agent its own identity instead of sharing a broad service account. The company says this per-agent identity is tied to the agent lifecycle and is “a more secure principal than service accounts,” with credentials bound to the intended runtime environment. (docs.cloud.google.com)
The same Google guidance warns that predefined roles often include more permissions than teams need. Its access-control documentation recommends custom roles, and gives an example of granting only prediction rights without control over an endpoint. (docs.cloud.google.com)
Google’s custom service account guide also says the default Vertex AI service agent has access to BigQuery and Cloud Storage, and says user-managed accounts are the way to give jobs or models fewer permissions. That matters for companies connecting agents to internal data stores, code repositories, and third-party tools. (docs.cloud.google.com)
Google’s agent identity page separately says teams can connect agents to third-party services through delegated OAuth, which is a consent-based sign-in flow, and its connector documentation tells users to select only the required OAuth 2.0 scopes. Restricting those scopes limits what an agent can do even after it is authenticated. (docs.cloud.google.com 1) (docs.cloud.google.com 2)
The immediate fix is not to stop using agents, but to treat them like privileged production software. In Vertex AI, that means checking which identity an agent runs as, cutting its roles to the minimum, and avoiding broad default access where a narrower custom account or per-agent identity will do. (docs.cloud.google.com) (docs.cloud.google.com)
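
One way to carry out the role check described above, as an added example that is not from Google's documentation or Unit 42's report: it reads an IAM policy export and lists every basic or predefined role bound to a service account, so those bindings can be reviewed against the custom-role guidance. The project id, project number, account names and the custom role name are constructed placeholders, and the `gcp-sa-` domain test is a heuristic for spotting Google-managed service agents.

```python
import json

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample in the shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`; all ids are placeholders.
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/editor",
   "members": ["serviceAccount:agent-runner@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/aiplatform.serviceAgent",
   "members": ["serviceAccount:service-123456789012@gcp-sa-aiplatform.iam.gserviceaccount.com"]},
  {"role": "projects/example-project/roles/agentPredictOnly",
   "members": ["serviceAccount:support-agent@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/bigquery.dataViewer",
   "members": ["user:alice@example.com",
               "serviceAccount:agent-runner@example-project.iam.gserviceaccount.com"]}
]}""")

def classify_role(role):
    """basic = owner/editor/viewer, predefined = other roles/*, custom = the rest."""
    if role in BASIC_ROLES:
        return "basic"
    return "predefined" if role.startswith("roles/") else "custom"

def account_kind(email):
    """Heuristic: Google-managed service agents live in gcp-sa-* domains."""
    domain = email.rsplit("@", 1)[-1]
    return "service-agent" if domain.startswith("gcp-sa-") else "user-managed"

def roles_by_service_account(policy):
    """Map each service account in the policy to the roles bound to it."""
    result = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            prefix, _, email = member.partition(":")
            if prefix == "serviceAccount":  # skips users, groups, deleted: entries
                result.setdefault(email, []).append(binding["role"])
    return result

def audit(policy):
    """Rows of (email, account kind, role, role kind) for every non-custom role."""
    rows = []
    for email, roles in sorted(roles_by_service_account(policy).items()):
        rows += [(email, account_kind(email), r, classify_role(r))
                 for r in sorted(roles) if classify_role(r) != "custom"]
    return rows

if __name__ == "__main__":
    print(*audit(SAMPLE_POLICY), sep="\n")
```

A basic role on an agent's account is the first binding to replace; predefined roles are candidates for a narrower custom role.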