Experts warn of excessive permissions in Google Vertex AI service agents

Security company XM Cyber has disclosed two vulnerabilities in the Google Vertex AI platform that allow users with minimal privileges to obtain the higher-privileged roles of service agents. These flaws exploit default settings of the Google Cloud artificial intelligence tool. Google responded that the observed behavior operates in accordance with the platform’s original design.

Cybersecurity experts highlight that the problem reveals an excessive reliance on managed AI services. Service agent identities receive broad permissions so that platform features work out of the box. Users with basic access can manipulate the system to obtain elevated access tokens.

The discovery reinforces the need to review governance practices in cloud computing environments. Companies using Vertex AI face increased risks from insider threats unless they add controls of their own.

Details of identified vulnerabilities

The vulnerabilities reside in the allocation of privileges to the roles associated with Vertex AI. Service agents are special accounts managed by Google Cloud that access user resources to execute internal processes.

These invisible identities are granted broad project-level permissions to enable automatic operations. An attacker holding only the Viewer role can, under certain conditions, retrieve tokens belonging to service agents. This allows the attacker to use elevated privileges within the project.

XM Cyber explained that the flaws turn managed identities into privilege-escalation vectors. After responsible disclosure, Google maintained that the services function as intended.

Official position of Google Cloud

Google did not provide any comment beyond its initial response to XM Cyber. The company classified the behavior as an intentional part of the Vertex AI platform’s design.

Default settings prioritize convenience so that AI features can be used right away. Service agents operate in the background with broad access to support integrations between services.

Analysts note that this approach subordinates enterprise governance models to the provider’s architecture. Customers lose full visibility over the platform’s internal components.

Magnified risks for insider threats

Malicious insiders can exploit these weaknesses to gain access beyond what they are normally permitted. Manipulating service agents does not generate the usual suspicious-activity alerts.

Enterprise security tools rarely monitor the behavior of managed identities. Abuse of these accounts appears as legitimate platform operations.

AI environments involve workloads that access multiple services and sensitive datasets. Lack of adequate isolation increases the blast radius in the event of a compromise. Indicators worth monitoring include:

  • Unexpected queries in BigQuery;
  • Unauthorized access to data storage;
  • Abnormal behaviors in API sessions;
  • Changes to orchestration settings.
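The indicators above map naturally onto Cloud Audit Logs, where every API call records the calling principal, the service and the method. The following detector is an added example written for this article; it is not code from XM Cyber or Google. It walks a handful of constructed audit-log entries (the `protoPayload` field names follow the Cloud Audit Log layout), treats any call by a service agent that falls outside a per-agent baseline as an indicator, and separately reports any token minted for a service agent. The service-agent e-mail pattern (`service-<project-number>@gcp-sa-<family>.iam.gserviceaccount.com`), the baseline contents and the assumption that token minting surfaces as an `iamcredentials.googleapis.com` `GenerateAccessToken` call are this example's assumptions, not facts stated by the article.

```python
"""Baseline-deviation detector for Vertex AI service agent activity.

Added example, not part of the original article. Log entries below are
constructed; the baseline and the service-agent e-mail pattern are assumptions.
"""
from __future__ import annotations

import json
import re
from typing import Iterable

# Assumed naming pattern for Google-managed service agents.
SERVICE_AGENT_RE = re.compile(
    r"^service-(?P<project>\d+)@gcp-sa-(?P<family>[a-z0-9-]+)\.iam\.gserviceaccount\.com$"
)

# Assumed per-agent baseline of (serviceName, methodName) pairs the agent is
# expected to call. Anything outside the baseline is reported for review.
BASELINE: dict[str, set[tuple[str, str]]] = {
    "aiplatform": {
        ("aiplatform.googleapis.com", "google.cloud.aiplatform.v1.JobService.CreateCustomJob"),
        ("storage.googleapis.com", "storage.objects.get"),
    },
}

AGENT = "service-123456789012@gcp-sa-aiplatform.iam.gserviceaccount.com"   # constructed
OTHER_AGENT = "service-123456789012@gcp-sa-notebooks.iam.gserviceaccount.com"  # constructed


def _entry(principal: str, service: str, method: str, resource: str) -> str:
    """Build one constructed audit-log line in Cloud Audit Log shape."""
    return json.dumps({"protoPayload": {
        "authenticationInfo": {"principalEmail": principal},
        "serviceName": service, "methodName": method, "resourceName": resource}})


# Constructed sample log: two in-baseline calls, one unexpected BigQuery query,
# one token minted for the agent by a user, one orchestration change, and one
# call by an agent for which no baseline exists.
SAMPLE_LOG_LINES = [
    _entry(AGENT, "storage.googleapis.com", "storage.objects.get", "projects/_/buckets/training-data/objects/x.csv"),
    _entry(AGENT, "bigquery.googleapis.com", "jobservice.query", "projects/demo-project/jobs/abc"),
    _entry("alice@example.com", "iamcredentials.googleapis.com",
           "GenerateAccessToken", f"projects/-/serviceAccounts/{AGENT}"),
    _entry(AGENT, "aiplatform.googleapis.com", "google.cloud.aiplatform.v1.JobService.CreateCustomJob", "projects/demo-project/locations/us-central1/customJobs/1"),
    _entry(AGENT, "aiplatform.googleapis.com", "google.cloud.aiplatform.v1.PipelineService.CreatePipelineJob", "projects/demo-project/locations/us-central1/pipelineJobs/2"),
    _entry(OTHER_AGENT, "storage.googleapis.com", "storage.objects.get", "projects/_/buckets/training-data/objects/y.csv"),
]


def classify(service: str, method: str) -> str:
    """Map an out-of-baseline call onto the article's indicator categories."""
    if service == "bigquery.googleapis.com":
        return "unexpected BigQuery query"
    if service == "storage.googleapis.com":
        return "unexpected data storage access"
    if "PipelineService" in method or "ScheduleService" in method:
        return "orchestration change"
    return "abnormal API call"


def detect(lines: Iterable[str]) -> list[dict]:
    """Return one finding per suspicious audit-log entry, in input order."""
    findings: list[dict] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        payload = json.loads(raw).get("protoPayload", {})
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
        service = payload.get("serviceName", "")
        method = payload.get("methodName", "")
        resource = payload.get("resourceName", "")

        # Rule 1: a token was minted for a service agent. Report it whoever the
        # caller is; the agent is treated like any other privileged account.
        if service == "iamcredentials.googleapis.com" and method.endswith("GenerateAccessToken"):
            target = resource.rsplit("/", 1)[-1]
            if SERVICE_AGENT_RE.match(target):
                findings.append({"rule": "service agent token minted", "principal": principal,
                                 "target": target, "method": method})
            continue

        # Rule 2: a service agent acting outside its expected baseline.
        match = SERVICE_AGENT_RE.match(principal)
        if not match:
            continue  # human and workload principals are out of scope here
        allowed = BASELINE.get(match.group("family"))
        if allowed is None:
            findings.append({"rule": "service agent without baseline", "principal": principal,
                             "target": resource, "method": method})
        elif (service, method) not in allowed:
            findings.append({"rule": classify(service, method), "principal": principal,
                             "target": resource, "method": method})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG_LINES):
        print(f"{finding['rule']:32} {finding['principal']} -> {finding['method']}")
```

In a real deployment the baseline would be learned from a quiet period of logs per agent family rather than hand-written, and the `detect` output would feed whatever alerting pipeline already handles privileged human accounts.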

Context of previous issues in Vertex AI

This is not the first time similar flaws have been identified on the platform. In November 2024, Palo Alto Networks disclosed vulnerabilities that allowed privilege escalation via custom jobs and model exfiltration.

Google applied fixes for those issues after their disclosure. They involved custom pipelines and improper access to fine-tuned machine learning models.

The recurrence of privilege-related themes suggests structural patterns in the design. Managed AI platforms grant elevated permissions to internal agents by default.

References to OWASP Agentic Top 10

OWASP released its Top 10 for agentic applications in December 2025. Category ASI03 addresses abuse of identity and privileges in autonomous AI systems.

This classification captures risks such as those observed in Vertex AI. Agents are granted access to tools and resources without sufficiently granular restrictions.

Other relevant categories include tool misuse and agentic supply chain vulnerabilities. The framework serves as a reference for risk assessment on similar platforms.

Recommendations from security experts

Professionals recommend implementing compensating controls immediately. CISOs should audit all service identities associated with AI workloads.

Dedicated monitoring for service agents should treat these accounts as privileged users. Alerts should focus on patterns that indicate improper manipulation. Recommended measures include:

  • Reduction of the scope of authentication between components;
  • Introduction of robust security barriers;
  • Segmentation of sensitive resources;
  • Periodic review of default permissions.
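The audit of service identities and the periodic permission review above both start from the project's IAM policy. The script below is an added example written for this article, not code from XM Cyber or Google. It takes a policy in the JSON shape produced by `gcloud projects get-iam-policy PROJECT --format=json`, inventories every Google-managed service agent, flags agents holding broad roles (the basic Owner/Editor roles or any `*.admin` role) and lists every principal holding a role that allows acting as or minting tokens for service accounts. The sample policy is constructed; the service-agent e-mail pattern and the choice of which roles count as "broad" are this example's assumptions, while `roles/iam.serviceAccountTokenCreator`, `roles/iam.serviceAccountUser` and `roles/aiplatform.serviceAgent` are real predefined roles.

```python
"""IAM policy audit for Google-managed service agents.

Added example, not part of the original article. The sample policy is
constructed; the role classifications are this example's assumptions.
"""
from __future__ import annotations

import json
import re

# Assumed naming pattern for Google-managed service agents (IAM member form).
SERVICE_AGENT_RE = re.compile(
    r"^serviceAccount:service-\d+@gcp-sa-[a-z0-9-]+\.iam\.gserviceaccount\.com$"
)

# Basic roles that grant project-wide, largely unconstrained access.
BROAD_ROLES = {"roles/owner", "roles/editor"}

# Real predefined roles that let a principal act as, or mint tokens for,
# service accounts. Listing them as review items is this example's policy.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
}

AGENT = "serviceAccount:service-123456789012@gcp-sa-aiplatform.iam.gserviceaccount.com"  # constructed
NOTEBOOKS_AGENT = "serviceAccount:service-123456789012@gcp-sa-notebooks.iam.gserviceaccount.com"  # constructed

# Constructed sample policy in `gcloud projects get-iam-policy` JSON shape.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/editor", "members": [AGENT]},
        {"role": "roles/aiplatform.serviceAgent", "members": [AGENT]},
        {"role": "roles/viewer", "members": ["user:analyst@example.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator", "members": ["group:ml-ops@example.com"]},
        {"role": "roles/storage.admin", "members": [NOTEBOOKS_AGENT]},
    ],
    "etag": "constructed",
    "version": 1,
}


def is_broad(role: str) -> bool:
    """Roles that warrant review when held by a background service agent."""
    return role in BROAD_ROLES or role.endswith(".admin") or role.endswith("Admin")


def audit_policy(policy: dict) -> dict:
    """Summarise service-agent and impersonation-capable bindings.

    Conditional bindings (those carrying a "condition" key) are treated as if
    unconditional, which errs on the side of reporting.
    """
    report: dict = {
        "service_agents": {},             # agent -> list of roles held
        "broad_service_agent_bindings": [],  # (agent, role) pairs to review
        "impersonation_bindings": [],     # (principal, role) pairs to review
    }
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if SERVICE_AGENT_RE.match(member):
                report["service_agents"].setdefault(member, []).append(role)
                if is_broad(role):
                    report["broad_service_agent_bindings"].append((member, role))
            if role in IMPERSONATION_ROLES:
                report["impersonation_bindings"].append((member, role))
    return report


if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
```

Running the audit on a schedule and diffing successive reports turns the "periodic review" item into a concrete control: a service agent that newly appears with a broad role, or a new principal gaining an impersonation role, becomes a reviewable change rather than an invisible default.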

Although these measures increase operating costs, they limit the blast radius. Organizations need to balance convenience with effective control over invisible identities.

Companies adopting AI at scale should review their cloud security posture to include observability of these internal components. Blind trust in managed providers leaves critical gaps in modern environments.

The rapid evolution of AI tools demands constant adaptation of defense strategies. Providers and customers share responsibility for the security of internal components.