An autonomous AI agent broke into McKinsey's internal AI platform in under two hours. It found 22 unprotected API endpoints, exploited a SQL injection vulnerability, and gained full read-write access to a production database containing 46.5 million chat messages, 728,000 files, and 57,000 user accounts. The attacker wasn't a nation-state hacking group. It was a cybersecurity startup running a red-team exercise.
That exercise, and the speed at which a single agent dismantled the AI defences of one of the world's most sophisticated consulting firms, captures why agentic AI security has become the conversation in enterprise technology this year.
Three alarms, one message
The warnings are coming from every direction simultaneously. In December 2025, the OWASP Foundation, whose Top 10 lists are a de facto standard for developers worldwide, published its first Top 10 specifically for agentic AI applications. Developed by over 100 security researchers and practitioners, the framework identifies ten critical risks unique to autonomous agents, from goal hijacking and tool exploitation to cascading trust failures across multi-agent systems.
Then in February 2026, cybersecurity startup CodeWall breached McKinsey's Lilli platform in a controlled exercise that demonstrated just how fast these theoretical risks become real. And in March, Bessemer Venture Partners published a comprehensive security framework calling AI agent security "the defining cybersecurity challenge of 2026."
The timing is not coincidental. Gartner projects that 40% of enterprise applications will embed task-specific AI agents by the end of this year, up from less than 5% in 2025 — an eightfold increase in twelve months. The agents are arriving faster than the defences to protect them.
Why agents aren't just another app to secure
The core argument running through all three warnings is the same: AI agents are not software features. They are autonomous actors, and treating them like traditional applications is a category error that will get organisations breached.
"AI agents are not just another application surface — they are autonomous, high-privilege actors that can reason, act, and chain workflows across systems," said Barak Turovsky, Operating Advisor at Bessemer Venture Partners and former Chief AI Officer at General Motors. "The core risk isn't vulnerability, it's unbounded capability."
Traditional software does what its code tells it to. An agent reasons about goals, selects tools, and decides its own execution path — and that path changes every time. As Jason Chan, cybersecurity leader and Operating Advisor at Bessemer, put it: "Much of the power that agents provide is the ability to specify an outcome without verbosely documenting every step required to achieve it. If we've learned anything from rule-based security, it's that it can and will be subverted."
OWASP's framework maps this into concrete attack categories. The top risk — Agent Goal Hijacking — occurs when attackers manipulate an agent's objectives through crafted inputs that redirect its entire planning cycle. Unlike a simple prompt injection that produces bad text, goal hijacking in an agentic system can trigger real-world data exfiltration, unauthorised financial transactions, or infrastructure destruction. The SecureCodeReviews analysis of the OWASP framework puts it starkly: "When an AI agent can execute code, call APIs, and modify databases, a prompt injection is no longer just a text manipulation — it becomes a remote code execution vulnerability."
What the McKinsey breach actually revealed
The CodeWall exercise against McKinsey's Lilli platform wasn't a sophisticated zero-day exploit. It was mundane — and that's what makes it terrifying.
The AI agent found publicly exposed API documentation, discovered that JSON field names in the user-search request were concatenated directly into SQL queries (so an attacker who controlled a field name controlled the query), and exploited the resulting injection. The most alarming finding wasn't the data exposure. It was that an attacker could have modified Lilli's system prompts with a single SQL UPDATE statement, potentially reprogramming the assistant to exfiltrate data or inject misinformation into the advice it gives McKinsey's clients.
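To make the bug class concrete, here is an added example (not CodeWall's or McKinsey's code, and not Lilli's schema) of the pattern described above in Python with SQLite: a search handler that binds filter values as parameters but pastes the JSON keys into the WHERE clause, beside a hardened version that allow-lists the field names. The tables, rows and requests are constructed for the demo. The injected key turns the SELECT into a UNION that reads the agent's system prompt out of a config table; with a database driver that accepts stacked statements, the same primitive is what lets an attacker issue the UPDATE the article describes.

```python
import json
import sqlite3

# Constructed sample schema and data for this example (not McKinsey's): a users
# table the search endpoint is meant to query, and a config table holding the
# agent's system prompt that the endpoint should never be able to reach.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, dept TEXT);
        INSERT INTO users VALUES (1, 'alice@example.com', 'finance');
        INSERT INTO users VALUES (2, 'bob@example.com', 'legal');
        CREATE TABLE agent_config (id INTEGER PRIMARY KEY, system_prompt TEXT);
        INSERT INTO agent_config VALUES (1, 'You are a helpful internal assistant.');
    """)
    return db


def vulnerable_search(db, body):
    """Vulnerable pattern: the filter VALUES are bound as parameters, but the
    JSON KEYS are pasted straight into the WHERE clause. Parameterisation only
    protects values; an attacker who controls a key controls the SQL."""
    filters = json.loads(body)["filters"]
    where = " AND ".join(f"{field} = ?" for field in filters)
    sql = f"SELECT id, email FROM users WHERE {where}"
    return db.execute(sql, tuple(filters.values())).fetchall()


# Hardened pattern: identifiers cannot be bound as parameters, so they must be
# checked against a fixed allow-list before they are ever interpolated.
ALLOWED_FIELDS = {"email", "dept"}


def hardened_search(db, body):
    filters = json.loads(body)["filters"]
    unknown = set(filters) - ALLOWED_FIELDS
    if unknown:
        raise ValueError(f"unknown search field(s): {sorted(unknown)}")
    # Every `field` below is one of the allow-listed literals, not user text.
    where = " AND ".join(f"{field} = ?" for field in filters)
    sql = f"SELECT id, email FROM users WHERE {where}"
    return db.execute(sql, tuple(filters.values())).fetchall()


# Constructed requests. The injection lives in the KEY; the value is harmless.
# It turns "SELECT id, email FROM users WHERE <key> = ?" into
# "... WHERE 1=0 UNION SELECT id, system_prompt FROM agent_config WHERE id = ?"
BENIGN = json.dumps({"filters": {"email": "alice@example.com"}})
INJECTION = json.dumps({"filters": {
    "1=0 UNION SELECT id, system_prompt FROM agent_config WHERE id": 1,
}})


def run_demo():
    db = make_db()
    results = {
        "vulnerable_benign": vulnerable_search(db, BENIGN),
        "vulnerable_injected": vulnerable_search(db, INJECTION),
        "hardened_benign": hardened_search(db, BENIGN),
    }
    try:
        hardened_search(db, INJECTION)
        results["hardened_injected"] = "ACCEPTED (bug)"
    except ValueError as exc:
        results["hardened_injected"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point the hardened version makes is that prepared statements are necessary but not sufficient: anything that names a table or column (field names, sort keys, ORDER BY directions) has to be validated against a closed list, because no driver can bind an identifier as a parameter.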
McKinsey patched all exposed access points within a day of notification and stated no evidence was found that unauthorised parties had accessed client data. But the lesson isn't about McKinsey specifically — it's that a well-resourced, security-conscious organisation still deployed an AI platform with basic vulnerabilities that an autonomous agent could chain together in 120 minutes.
What this means if you run a business
If you're a 20-person company exploring AI agents for customer service, document processing, or internal operations, you might think this is a big-enterprise problem. It's not.
The risk scales down with you. When you connect an AI agent to your CRM, your email, your file storage — you're granting an autonomous system access to your most sensitive business data. If that agent's prompt can be manipulated through a malicious email it processes or a poisoned document it reads, the blast radius isn't a bad chatbot response. It's your customer database, your financial records, your communications.
Steven Roosa, Head of Digital Analytics and Technology Assessment at Norton Rose Fulbright, framed the shift precisely: "When you start combining instructions with data such that data can be confused for instructions, intentionally or inadvertently, you can get unintended system behaviour." This is the fundamental problem. In an agentic system, the data your agent processes can become instructions your agent follows.
The practical implications are straightforward. If you're adopting AI agents — and with vendor-driven integration accelerating across Salesforce, Microsoft 365, and Google Workspace, you likely will be soon — you need to treat them as employees with access to sensitive systems, not as software features you toggle on.
Five things to do before you deploy
Bessemer's framework, distilled from conversations with CISOs across the industry, offers a practical starting point for organisations of any size:
Define your position first. Before buying any AI security tool, decide where your organisation stands on agents. Are you going all-in, experimenting cautiously, or waiting? Your security posture should match your deployment posture. As Jason Chan advises: "This position will help security teams align their approach with the organisation's expectations and risk tolerance."
Treat agents like infrastructure, not features. Define who owns each agent, what it's allowed to access, and what it's forbidden from doing. Set those constraints before you turn on monitoring — not after.
Start narrow and expand deliberately. Dean Sysman, co-founder of Axonius, recommends launching agents with minimum permissions for a specific task and expanding access only when there's clear evidence it's needed and safe. "An agent doesn't have the same human understanding of things that are wrong to do," he warns.
Give every agent an identity. Mike Gozzo, Chief Product and Technology Officer at Ada, is direct: "If you can't answer the questions 'What can this agent do?', 'On whose behalf?', and 'Who approved it?' the same way you can for a human employee, you're not ready for the autonomy these systems are about to have."
Audit your vendors. If you're adopting agentic AI through third-party platforms, as most SMBs will, ask hard questions about how their agents scope permissions, sandbox tool execution, and resist prompt manipulation. As Norton Rose Fulbright's Marcus Evans told IT Brief Australia: "The security review is going to be intense, requiring knowledge of how the system plumbing works and understanding and imagination about how it could be weak or exploited."
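The second, third and fourth points above (owner and constraints defined up front, minimum permissions for one task, and an identity that answers "what can it do, on whose behalf, who approved it") can be enforced in code rather than left in a policy document. This added Python example is not from Bessemer's framework or any vendor; it sketches a deny-by-default gate that sits in front of every tool call an agent makes. The agent, its scope and the attempted calls are constructed for the demo.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class AgentIdentity:
    """The answers to 'what can it do, on whose behalf, who approved it',
    recorded as data the runtime can enforce rather than as a policy document."""
    agent_id: str
    owner: str                       # accountable team or person
    acting_for: str                  # the principal whose authority it borrows
    approved_by: str                 # who signed off on exactly this scope
    allowed_tools: dict              # tool -> frozenset of permitted operations
    forbidden_targets: frozenset = frozenset()  # resources it must never touch


@dataclass
class ToolGate:
    identity: AgentIdentity
    audit_log: list = field(default_factory=list)

    def authorize(self, tool, operation, target):
        """Deny-by-default check in front of every tool call. Returns
        (allowed, reason) and appends an audit record either way, so the
        log can answer who did what on whose behalf after an incident."""
        ident = self.identity
        if target in ident.forbidden_targets:
            decision, reason = False, f"target {target!r} is explicitly forbidden"
        elif tool not in ident.allowed_tools:
            decision, reason = False, f"tool {tool!r} not granted to this agent"
        elif operation not in ident.allowed_tools[tool]:
            decision, reason = False, f"operation {operation!r} not granted on {tool!r}"
        else:
            decision, reason = True, "within approved scope"
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "agent_id": ident.agent_id,
            "owner": ident.owner,
            "acting_for": ident.acting_for,
            "approved_by": ident.approved_by,
            "tool": tool, "operation": operation, "target": target,
            "allowed": decision, "reason": reason,
        })
        return decision, reason


# Constructed example: an invoice-triage agent for a small business. It may
# read CRM records and DRAFT emails; it may not send email, delete anything,
# or touch the payroll table. Start narrow; widen only with a new approval.
INVOICE_AGENT = AgentIdentity(
    agent_id="invoice-triage-01",
    owner="finance-ops",
    acting_for="ap-clerk@example.com",
    approved_by="cfo@example.com",
    allowed_tools={
        "crm": frozenset({"read"}),
        "email": frozenset({"draft"}),
    },
    forbidden_targets=frozenset({"table:payroll"}),
)


def run_demo():
    gate = ToolGate(INVOICE_AGENT)
    attempts = [
        ("crm", "read", "account:42"),              # in scope
        ("email", "draft", "vendor@example.com"),   # in scope
        ("email", "send", "vendor@example.com"),    # operation not granted
        ("crm", "read", "table:payroll"),           # forbidden target
        ("shell", "exec", "rm -rf /"),              # tool never granted
    ]
    decisions = {
        f"{tool}:{op}:{target}": gate.authorize(tool, op, target)[0]
        for tool, op, target in attempts
    }
    return decisions, gate.audit_log


if __name__ == "__main__":
    decisions, log = run_demo()
    for call, allowed in decisions.items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {call}")
    print(f"{len(log)} audit records, approved by {log[0]['approved_by']}")
```

Two design choices matter here. The gate checks the forbidden list before the allow list, so a grant can never override an explicit prohibition; and it logs denials as well as approvals, because a burst of denied "send" or "exec" attempts from an agent that was only ever meant to draft is exactly the signal that its prompt has been hijacked.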
The window is closing
The gap between AI agent deployment and AI agent security is the defining vulnerability of 2026. Agents are shipping inside the enterprise platforms you already use. The OWASP framework gives you a checklist. The McKinsey breach gives you a cautionary tale. The Bessemer framework gives you a playbook. The question is whether you'll use them before an incident forces the conversation.
At Heygentic, we've been implementing AI agents for clients since 2024. The capability is real and the productivity gains are substantial — but so are the risks if you skip the security foundations. The businesses that get this right won't just be more secure. They'll deploy agents faster, because they actually trust them.
Sources
- Securing AI Agents: The Defining Cybersecurity Challenge of 2026 — Bessemer Venture Partners
- OWASP Top 10 for Agentic Applications for 2026 — OWASP Foundation
- OWASP Top 10 for Agentic AI 2026: Complete Security Guide — SecureCodeReviews
- AI Agent Hacked McKinsey Chatbot for Read-Write Access — The Register
- How McKinsey's AI Platform Was Breached in 2 Hours — Red Team Partner
- Agentic AI Raises New Cybersecurity and Privacy Risks — IT Brief Australia
- 2025 Cost of a Data Breach Report — IBM
- Gartner: 40% of Enterprise Apps Will Use AI Agents by Year-End — AI News Grid
