Vertex AI insider-threat warning

Palo Alto Networks researchers flagged insider‑threat risks tied to Google Cloud’s Vertex AI, warning that misconfigured permissions could let autonomous agents act unsafely. The report highlights permission and configuration as central failure modes for enterprise agent deployments. (southasianherald.com)

An artificial intelligence agent is software that can take actions on its own, and Palo Alto Networks said some Google Cloud Vertex AI agents could do that with too much access. (unit42.paloaltonetworks.com) Palo Alto’s Unit 42 published the research on March 31, 2026, focusing on Vertex AI Agent Engine, Google Cloud’s managed service for deploying and running agents in production. The researchers said a misconfigured or compromised agent could read data, alter infrastructure, and create backdoors inside a Google Cloud project. (unit42.paloaltonetworks.com)

The core issue was identity and access management, the permission system that decides what software can touch inside a cloud account. Google’s documentation says deployed agents can run either as the default AI Platform Reasoning Engine Service Agent or as a custom service account chosen by the customer. (docs.cloud.google.com) Unit 42 said the default service agent carried broad permissions by design, creating what it called a path for privilege escalation if one agent was turned into a “double agent.” SecurityWeek reported Google addressed the issues after Palo Alto shared its findings. (unit42.paloaltonetworks.com) (securityweek.com)

Google’s current documentation pushes customers toward narrower identities in several places. Vertex AI docs say a custom service account can give jobs and models fewer permissions than the default service agents, and Agent Engine docs now describe “agent identity” as the way to define what resources an agent can reach. (docs.cloud.google.com 1) (docs.cloud.google.com 2)

That warning lands as Google is expanding Vertex AI’s role in enterprise software. GitLab said on April 14, 2026 that its Duo Agent Platform would run with Vertex AI models on existing Google Cloud infrastructure, adding another example of companies wiring autonomous tools into production systems. (tmcnet.com)

Google has also been adding enterprise controls around Agent Engine, including private virtual private cloud deployment and customer-managed encryption keys in 2025 release notes. Those features reduce some exposure, but they do not replace basic permission scoping on the account an agent actually uses. (docs.cloud.google.com 1) (docs.cloud.google.com 2)

The practical lesson is older than artificial intelligence: software with broad credentials can act like an insider if it is hijacked. In Vertex AI, Palo Alto’s research turned that principle into a concrete cloud security warning for companies deploying agents now. (darkreading.com) (unit42.paloaltonetworks.com)
