Agent Security Risks Rising
Reports and vendor research warn that autonomous agents can become insider threats if over-permissioned, prompting calls for least-privilege defaults and tighter OAuth scopes in Vertex AI documentation. A biometric-security vendor survey also found that 98% of organizations see an urgent need for orchestration as deepfakes and injection attacks rise, and social posts flagged a recent data breach at a major AI startup as a cautionary example. (infotechlead.com, globenewswire.com, x.com)
AI agents are starting to look like insider threats when companies give them broad cloud access by default. Google Cloud users are now being told to tighten permissions on Vertex AI agents and limit what those agents can reach. (infotechlead.com, docs.cloud.google.com)

An AI agent is software that can take actions on its own, like reading data sources or calling other services, instead of just answering a prompt. Google says deployed Vertex AI agents can run with an “agent identity,” a service account, an application programming interface key, or an OAuth client ID, and that a service-account-backed agent can access whatever that account is allowed to access. (docs.cloud.google.com, docs.cloud.google.com)

That design is at the center of new research from Palo Alto Networks Unit 42, published in late March and reported again on April 1 and April 13. The researchers said a compromised or misconfigured Vertex AI agent could be turned into a “double agent” that steals credentials, reads cloud storage, and plants backdoors while still appearing to do its assigned job. (unit42.paloaltonetworks.com, securityweek.com, infotechlead.com)

Google’s own access docs now spell out that agents on Vertex AI Agent Engine may run under the default Artificial Intelligence Platform Reasoning Engine Service Agent or a custom service account. The same docs say teams can inspect that principal’s roles in Identity and Access Management and add or revoke roles, which is the practical lever behind least-privilege deployment. (docs.cloud.google.com, docs.cloud.google.com)

Outside cloud permissions, the fraud picture is worsening at the identity layer too. Aware said on April 13 and April 14 that 44% of organizations in its survey had experienced AI-driven fraud in the past year, 56% reported revenue loss or operational disruption, and 98% said they want biometric orchestration to manage increasingly complex identity workflows. (aware.com, markets.businessinsider.com, hstoday.us)

Aware’s report ties that demand to specific attack types: deepfakes, synthetic identities, and automated injection attacks aimed at getting systems to accept fake users or bad instructions. In plain terms, orchestration means one control layer that decides when to use face matching, liveness checks, device signals, or other tools instead of relying on a single checkpoint. (aware.com, hstoday.us)

The warning is landing as the broader artificial intelligence supply chain is dealing with fresh breach fallout. Wired reported last week that Meta paused work with Mercor after a security incident at the data vendor raised concerns that sensitive information about how major labs train models may have been exposed. (wired.com)

Google has not framed the Vertex issue as a single software bug in release notes, and the public documentation emphasizes access management rather than a patch. Unit 42 and follow-on coverage said Google responded by updating documentation and steering customers toward custom service accounts, tighter OAuth scopes, and stricter review of agent deployments. (docs.cloud.google.com, unit42.paloaltonetworks.com, securityweek.com)

The immediate shift is simple: treat an AI agent less like a chatbot and more like a new employee with keys to real systems. The more autonomy companies hand over, the more those permissions, scopes, and identity checks become the story. (docs.cloud.google.com, unit42.paloaltonetworks.com, aware.com)
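As an added example (not code from the page, from Google, or from Unit 42), a small Python audit of the IAM lever the Vertex AI docs describe: given the JSON that `gcloud projects get-iam-policy` prints, it lists every role bound to the agent's service account, flags basic roles that grant project-wide access, and emits the matching revocation commands. The service-account email and policy below are constructed sample values, and PROJECT_ID is a placeholder.

```python
import json

# Basic roles grant project-wide access far beyond what an agent that only
# reads one bucket or calls one API needs.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample: the custom service account the agent is deployed under.
AGENT_SA = "vertex-agent@example-project.iam.gserviceaccount.com"

# Constructed sample policy in the shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.dumps({
    "version": 3,
    "bindings": [
        {"role": "roles/editor",
         "members": [f"serviceAccount:{AGENT_SA}", "user:alice@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": [f"serviceAccount:{AGENT_SA}"]},
        {"role": "roles/aiplatform.user",
         "members": ["serviceAccount:other-sa@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/logging.logWriter",
         "members": [f"serviceAccount:{AGENT_SA}"],
         "condition": {"title": "expires-2027",
                       "expression": "request.time < timestamp('2027-01-01T00:00:00Z')"}},
    ],
})


def roles_for_principal(policy: dict, member: str) -> list[str]:
    """Every role bound to `member`, conditional bindings included."""
    return sorted({b["role"] for b in policy.get("bindings", [])
                   if member in b.get("members", [])})


def audit_agent_principal(policy_json: str, service_account: str) -> dict:
    """Flag broad roles on the agent's service account and build the
    revocation commands an operator would run (real gcloud subcommand and
    flags; PROJECT_ID is a placeholder to fill in)."""
    member = f"serviceAccount:{service_account}"
    roles = roles_for_principal(json.loads(policy_json), member)
    broad = [r for r in roles if r in BROAD_ROLES]
    # Admin roles are not basic roles but still deserve a second look.
    review = [r for r in roles if r.endswith(".admin") and r not in broad]
    remove_cmds = [
        f"gcloud projects remove-iam-policy-binding PROJECT_ID "
        f"--member={member} --role={r}" for r in broad
    ]
    return {"roles": roles, "broad_roles": broad, "review_roles": review,
            "remove_commands": remove_cmds, "least_privilege": not broad}
```

Run `audit_agent_principal(SAMPLE_POLICY, AGENT_SA)` to see the editor binding flagged while the narrower storage and logging roles pass.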