An AI Hacked McKinsey in 2 Hours, No Humans Involved
An autonomous AI selected, attacked, and breached an enterprise system, without human input.
TL;DR
An autonomous AI agent breached McKinsey’s internal AI platform in under two hours.
It selected the target, mapped APIs, and executed an attack.
The breach exposed millions of records and writable system prompts.
The biggest risk wasn’t the model; it was the APIs and integrations around it.
This marks a shift: AI is no longer just a tool. It can now be an attacker.
The Moment AI Became an Attacker
For years, we’ve talked about AI as a productivity tool. It writes. It summarizes. It helps.
But in March 2026, something different happened. An AI didn’t assist a human attacker. It was the attacker. A security startup called CodeWall built an autonomous agent. They didn’t tell it to target McKinsey. It chose McKinsey on its own. It found their internal AI platform, Lilli. It explored it. And within two hours, it broke in.
How the Attack Actually Worked
What makes this incident unsettling isn’t just the breach. It’s how methodical the AI was.
The attack followed a clear chain:
Step 1: Target Selection
The agent scanned for organizations with public disclosure policies and recent updates. It picked McKinsey as a viable target.
Step 2: API Reconnaissance
It mapped the system and discovered more than 200 API endpoints, 22 of which required no authentication at all.
Step 3: Exploitation
It found a flaw where values from JSON request bodies were inserted directly into SQL queries: a classic injection point, but subtle enough to evade scanning tools.
Step 4: Iteration
Over 15 blind attempts, it used the error messages the system returned to reverse-engineer its internals.
Step 5: Full Access
Eventually, it gained read and write access to the production database.
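Steps 3 and 4 above describe two defects that usually travel together: JSON values pasted straight into SQL, and raw database errors echoed back to the caller. The following is an added example, not code from the article, from CodeWall or from McKinsey's Lilli; it uses a constructed in-memory SQLite table and a hypothetical document-search handler to show the defective shape beside the hardened one.

```python
# Added example (not the article's or Lilli's code): a minimal JSON-driven
# search handler, first with the defects the article describes (JSON values
# concatenated into SQL, raw error text returned to the caller), then hardened
# with a bound parameter, input validation and a generic error response.
import json
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a document index."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (id INTEGER PRIMARY KEY, title TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO docs (title, owner) VALUES (?, ?)",
        [("Q3 forecast", "alice"), ("Board memo", "bob"), ("Onboarding", "alice")],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, body: str) -> dict:
    """Defective handler: the 'owner' value from the JSON body is concatenated
    into the query text, and any database error is echoed back verbatim."""
    owner = json.loads(body)["owner"]
    sql = f"SELECT title FROM docs WHERE owner = '{owner}'"  # injection point
    try:
        rows = conn.execute(sql).fetchall()
        return {"ok": True, "titles": [r[0] for r in rows]}
    except sqlite3.Error as exc:
        return {"ok": False, "error": str(exc)}  # leaks parser/schema hints


def search_hardened(conn: sqlite3.Connection, body: str) -> dict:
    """Hardened handler: the value travels as a bound parameter, the input shape
    is validated, and the caller only ever sees one generic error string."""
    try:
        owner = json.loads(body)["owner"]
        if not isinstance(owner, str) or len(owner) > 64:
            return {"ok": False, "error": "invalid request"}
        rows = conn.execute(
            "SELECT title FROM docs WHERE owner = ?", (owner,)
        ).fetchall()
        return {"ok": True, "titles": [r[0] for r in rows]}
    except (KeyError, TypeError, ValueError, sqlite3.Error):
        return {"ok": False, "error": "invalid request"}  # nothing to learn from


if __name__ == "__main__":
    db = make_db()
    normal = json.dumps({"owner": "alice"})  # constructed request body
    print(search_vulnerable(db, normal))
    print(search_hardened(db, normal))
```

Run with a well-formed body, both handlers return the same two titles; the difference only shows when the body is malformed or hostile, which is exactly the case an autonomous agent iterates on.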
What the AI Accessed
The scale of access is where this becomes serious:
• 46.5 million chat messages
• 728,000 private files
• 3.68 million RAG document chunks
• 57,000 user accounts
• 384,000 AI assistants
• 95 system prompts controlling AI behavior
This wasn’t just data exposure. It was control over how the AI system thinks and responds.
Why This Happened (And Why It Will Happen Again)
It’s tempting to blame the AI model. But the model wasn’t the problem.
The weakness was in the action layer around the model: APIs, integrations, data pipelines, and prompt storage.
This is where most enterprise AI systems are fragile today: companies focus on model performance, while attackers focus on everything around the model. And now the attackers can be AI too.
My Perspective
This is not just another security incident. It’s a shift in the threat model.
We’re moving from humans using tools to attack systems to AI systems independently finding and exploiting weaknesses. That changes everything about defense, because now:
• Attacks can scale infinitely
• Discovery is faster than patching
• Systems are tested continuously by autonomous agents
The old model of perimeter security doesn’t hold.
What matters now is real-time governance at the interaction level:
• Monitoring inputs and outputs
• Securing APIs and integrations
• Protecting system prompts
• Detecting abnormal behavior instantly
Because if one AI can attack, another AI has to defend.
AI Toolkit
Groops — AI landing pages for authors, built for SEO and lead capture
Seo Juice — Automates internal linking to boost SEO effortlessly
Reply.io — AI-powered outreach that finds leads and books meetings
CodeThreat — Fast, accurate AI code security scanning with low false positives
GitLab Code Suggestions — AI-assisted coding inside your existing workflow
Prompt of the Day
You are an enterprise AI security strategist.
Explain how organizations should defend against autonomous AI attackers targeting enterprise AI systems.
Your response should include:
• How autonomous AI agents conduct attacks
• Why APIs and integrations are the weakest layer
• The risks of system prompt manipulation
• How real-time monitoring and governance can prevent breaches
• A practical architecture for AI-native security
Write the response as a strategic memo for CISOs and AI leaders.
This only goes to show how vulnerable the platforms are, and how critical security measures are.
Never thought an AI could do that on its own, wow.