Vertex AI Security Flags

Researchers warned that autonomous agents on Google Cloud Vertex AI could behave like insider threats if permissions and service accounts aren’t tightly scoped. Palo Alto Networks’ Unit 42 highlighted risks of agents accessing sensitive data or cloud resources beyond their intent, and Google updated documentation to clarify least‑privilege practices. (infotechlead.com) (cxotoday.com)

An artificial intelligence agent on Google Cloud can act like an insider if its permissions are too broad, and Google has updated Vertex AI guidance after new research from Palo Alto Networks’ Unit 42. (unit42.paloaltonetworks.com) (cloud.google.com)

Vertex AI Agent Engine lets companies deploy software agents that can call tools, read data, and take actions across Google Cloud services. Google’s access-control docs say those agents run with service accounts and Identity and Access Management roles that determine what they can touch. (cloud.google.com 1) (cloud.google.com 2)

Unit 42 said on March 31, 2026 that a deployed agent could be turned into a “double agent” if a single Google Cloud service agent was compromised and permissions were scoped too widely. The researchers said that setup could let an attacker exfiltrate data, alter cloud resources, or create persistence inside a project. (unit42.paloaltonetworks.com) (thehackernews.com)

The issue was not framed as a flaw in the language model itself. It centered on identity plumbing: the service accounts and default roles that let an agent reach storage buckets, application interfaces, and other cloud services on a customer’s behalf. (unit42.paloaltonetworks.com) (cloud.google.com)

Google’s updated documentation now spells out how to inspect the service account used as an agent identity and how to grant only the roles an agent needs. A new Vertex AI Agent Builder access page published about April 10, 2026 says deployed agents use a Vertex AI Reasoning Engine Service Agent role by default and points administrators to list and reduce those grants. (cloud.google.com)

Google’s broader Vertex AI guidance also tells customers to use custom service accounts when they want tighter control than Google-managed service agents provide. That documentation says a user-managed account can be granted only the specific roles needed for training, prediction, or other tasks. (cloud.google.com 1) (cloud.google.com 2)

Unit 42 recommended dedicated custom service accounts, stricter least-privilege settings, narrower OAuth scopes, and security reviews for agents before production deployment. Several follow-on reports published April 13, 2026 said Palo Alto Networks disclosed the findings to Google before the documentation changes. (unit42.paloaltonetworks.com) (cxotoday.com) (enterpriseitworld.com)

The warning lands as cloud vendors push agentic systems that can do more than answer questions. In Vertex AI, that means the security boundary is no longer just the model output; it is also every credential, role, and service account attached to the agent. (cloud.google.com) (unit42.paloaltonetworks.com)

The immediate fix is mundane but specific: check which identity a deployed agent uses, remove unused roles, and avoid letting one service account span more data and infrastructure than the job requires. That is the difference between an agent that automates work and one that inherits the keys to the project. (cloud.google.com 1) (cloud.google.com 2)
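
One way to run the check described above, as an added example that is not code from Unit 42 or Google. It assumes the project IAM policy was exported with `gcloud projects get-iam-policy PROJECT_ID --format=json`; the service-account addresses, the sample policy, and the `needed_roles` allow-list are constructed for illustration.

```python
# Basic roles grant project-wide access and are rarely appropriate for an agent identity.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
AGENT = "serviceAccount:agent-sa@example-project.iam.gserviceaccount.com"
OTHER = "serviceAccount:other-sa@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/editor", "members": [AGENT]},
        {"role": "roles/storage.admin", "members": [AGENT, "user:admin@example.com"]},
        {"role": "roles/storage.objectViewer", "members": [AGENT],
         "condition": {"title": "reports-bucket-only",
                       "expression": "resource.name.startsWith('projects/_/buckets/reports')"}},
        {"role": "roles/bigquery.dataViewer", "members": [AGENT]},
        {"role": "roles/logging.logWriter", "members": [OTHER]},
    ]
}


def audit_agent_identity(policy, member, needed_roles):
    """List the roles bound to `member` and flag the ones to review or remove."""
    granted, findings = [], []
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        role = binding["role"]
        granted.append(role)
        if role in BASIC_ROLES:
            findings.append((role, "basic-role"))
        elif role.lower().endswith("admin") and "condition" not in binding:
            findings.append((role, "unconditional-admin"))
        elif role not in needed_roles:
            findings.append((role, "not-needed"))
    # Roles the agent needs but does not hold, so removals can be planned safely.
    missing = sorted(set(needed_roles) - set(granted))
    return {"granted": granted, "findings": findings, "missing": missing}


if __name__ == "__main__":
    # Assumption: this agent only needs to read objects from one bucket.
    report = audit_agent_identity(SAMPLE_POLICY, AGENT, {"roles/storage.objectViewer"})
    for role, reason in report["findings"]:
        print(f"{reason:20} {role}")
```

Project-level policy is only one layer; bindings set directly on buckets, datasets, or folders need the same review.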
