Security gaps in Vertex AI agents

Palo Alto Networks’ Unit 42 reported risks in Google Cloud’s Vertex AI Agents that could let compromised agents access cloud resources beyond their intended scope. The finding highlights mis‑scoped permissions and the need for tighter identity, least‑privilege controls and auditability when agents act across cloud services. (pninews.com)

An AI agent is software that can call tools and cloud services on its own. Palo Alto Networks' Unit 42 said a compromised agent on Google Cloud Vertex AI could use its default credentials to reach data and systems it was never meant to touch. (unit42.paloaltonetworks.com)

Google Cloud's Vertex AI Agent Engine is the service that deploys those agents to production. Google's documentation says a deployed agent runs as either a Google-managed service account or a custom service account; the default, Google-managed identity is the per-project AI Platform Reasoning Engine Service Agent. (docs.cloud.google.com 1) (docs.cloud.google.com 2)

Unit 42 published its findings on March 31, 2026, after building and deploying a test agent with Google Cloud's Agent Development Kit. The researchers said the per-project service agent tied to that deployment carried excessive permissions by default. In their test, stealing the service agent's credentials let them read Google Cloud Storage data inside the customer project, and Unit 42 also said it reached restricted container images and source code in a separate Google-controlled producer project used by the service. (unit42.paloaltonetworks.com)

The issue sits in Identity and Access Management (IAM), the cloud control plane that decides which identity can do what. Google's Vertex AI access-control guidance says predefined roles often contain more permissions than a team needs and recommends custom roles for least-privilege access. (docs.cloud.google.com)

Google changed its documentation after the disclosure. The current Vertex AI Agent Engine pages spell out how a deployed agent inherits permissions, how to inspect the roles attached to an agent, and how to grant or revoke access after deployment. (unit42.paloaltonetworks.com) (docs.cloud.google.com) Google also now documents "agent identity," a preview feature that gives a deployed agent its own identity instead of relying only on a shared service account. The feature page says administrators can grant or deny that identity access to Google Cloud tools and can trace the agent identity in logs across services. (docs.cloud.google.com)

The practical fix is narrower permissions. Google's documentation says teams can configure a custom service account for Vertex AI workloads, and its Vertex AI access guide says custom roles are the preferred way to limit access to the permissions a workload actually requires. (docs.cloud.google.com 1) (docs.cloud.google.com 2) The lever a team controls is that custom service account and the roles bound to it; the Google-managed service agent's own predefined role is defined by Google, so what a team can do there is audit the bindings it holds and avoid stacking extra roles on top of it.

The finding lands as cloud providers push agents from demos into production systems that read files, call APIs, and trigger workflows. In that setup, the agent is only as contained as the identity behind it. (docs.cloud.google.com 1) (docs.cloud.google.com 2)
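The inspection step Google's updated guidance describes, as an added example (this is not Unit 42's or Google's code): it takes the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` and `gcloud iam roles describe ROLE --format=json` export, flags public principals and primitive or `*.admin` roles bound to the identities an agent can run as, diffs a role's permission list against what the workload needs, and emits the `gcloud` commands that would remove each flagged binding. The policy, role, project number and service-account addresses are constructed samples; the service-agent address pattern `service-<project-number>@gcp-sa-aiplatform-re.iam.gserviceaccount.com` and the predefined role name are assumptions to verify against your own project.

```python
"""Audit IAM grants for the identities a Vertex AI agent can run as.

Added example, not code from Unit 42 or Google. Input is what two gcloud
commands export:
    gcloud projects get-iam-policy PROJECT_ID --format=json   (policy)
    gcloud iam roles describe ROLE --format=json              (role document)
Every address, project number and permission list below is constructed; the
service-agent address pattern is an assumption to verify in your project.
"""
from dataclasses import dataclass

BROAD_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


@dataclass(frozen=True)
class Finding:
    member: str
    role: str
    reason: str
    conditional: bool = False


def is_broad_role(role: str) -> bool:
    """Primitive roles and predefined *.admin roles are never least privilege."""
    return role in BROAD_ROLES or role.endswith(".admin")


def audit_policy(policy: dict, agent_members: set[str]) -> list[Finding]:
    """Flag public principals, and broad roles held by any agent identity.

    agent_members: IAM member strings ("serviceAccount:...") for the
    Google-managed service agent and any custom service account the agent uses.
    """
    findings = []
    for binding in policy.get("bindings", []):
        role, conditional = binding["role"], "condition" in binding
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append(Finding(member, role, "public principal", conditional))
            elif member in agent_members and is_broad_role(role):
                findings.append(Finding(member, role, "broad role on agent identity", conditional))
    return findings


def excess_permissions(role_doc: dict, needed: set[str]) -> list[str]:
    """Permissions a role grants beyond what the workload needs.

    Run it on the default service agent's predefined role to see what it hands
    out, and on a custom role to confirm it stayed minimal.
    """
    return sorted(set(role_doc.get("includedPermissions", [])) - needed)


def remediation_commands(project_id: str, findings: list[Finding]) -> list[str]:
    """gcloud commands that remove each flagged binding.

    --all is added for conditional bindings so every condition-qualified copy
    of the role/member pair is removed, not just the unconditional one.
    """
    cmds = []
    for f in findings:
        cmd = (f"gcloud projects remove-iam-policy-binding {project_id} "
               f"--member={f.member} --role={f.role}")
        cmds.append(cmd + " --all" if f.conditional else cmd)
    return cmds


# Constructed sample export (not a real project or report data).
PROJECT_ID = "example-project"
SERVICE_AGENT = ("serviceAccount:service-123456789012"
                 "@gcp-sa-aiplatform-re.iam.gserviceaccount.com")  # assumed pattern
CUSTOM_SA = "serviceAccount:support-agent@example-project.iam.gserviceaccount.com"
AGENT_MEMBERS = {SERVICE_AGENT, CUSTOM_SA}

SAMPLE_POLICY = {
    "version": 3,
    "bindings": [
        {"role": "roles/editor", "members": [SERVICE_AGENT]},  # stacked on the service agent
        {"role": "roles/aiplatform.reasoningEngineServiceAgent",  # predefined; verify name
         "members": [SERVICE_AGENT]},
        {"role": "roles/storage.admin", "members": [CUSTOM_SA],
         "condition": {"title": "tickets-bucket-only",
                       "expression": "resource.name.startsWith('projects/_/buckets/tickets')"}},
        {"role": "roles/storage.objectViewer", "members": ["allAuthenticatedUsers"]},
        {"role": "roles/logging.logWriter", "members": [CUSTOM_SA]},
    ],
}

# Constructed custom role under review, and what the agent actually needs.
SAMPLE_ROLE = {
    "name": f"projects/{PROJECT_ID}/roles/supportAgentRunner",
    "includedPermissions": ["storage.objects.get", "storage.objects.list",
                            "storage.objects.delete", "logging.logEntries.create"],
}
NEEDED = {"storage.objects.get", "storage.objects.list", "logging.logEntries.create"}

if __name__ == "__main__":
    findings = audit_policy(SAMPLE_POLICY, AGENT_MEMBERS)
    for f in findings:
        print(f"{f.reason}: {f.member} has {f.role}")
    print("excess in custom role:", excess_permissions(SAMPLE_ROLE, NEEDED))
    print("\n".join(remediation_commands(PROJECT_ID, findings)))
```

On the sample, the audit flags `roles/editor` stacked on the service agent, the conditional `roles/storage.admin` on the custom service account (the condition narrows it to one bucket, but admin on that bucket is still more than a read-only agent needs), and the public `roles/storage.objectViewer` grant; the custom role diff reports `storage.objects.delete` as the one permission to drop. The predefined service-agent role is left alone, since it cannot be edited; the diff function is how you learn what it contains before deciding whether a custom service account should replace it.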
