Vertex AI Security Blind Spot: Misconfigured Agents Can Become Double Agents
Security researchers at Palo Alto Networks Unit 42 have disclosed a significant privilege misconfiguration in Google Cloud's Vertex AI platform — one that could quietly turn your own AI agents against your infrastructure. The issue centers on the Per-Project Service Agent, or P4SA, a default service account that Google assigns to AI agents built with Vertex AI's Agent Development Kit. In its default configuration, the P4SA carries far broader permissions than most developers realize, and that over-permissioning becomes a serious attack surface if an agent is ever compromised or misconfigured.
According to the disclosure, a bad actor who gains control of a Vertex AI ADK agent — whether through a prompt injection, a supply chain attack, or a misconfigured deployment — could use the P4SA's default permissions to exfiltrate sensitive data, pivot through your cloud environment, or even plant backdoors into critical systems. The permissions aren't obvious from the Vertex AI console, which is part of why Unit 42 is calling it a "blind spot." Google has acknowledged the excessive permission scoping issue following the responsible disclosure.
For any team currently deploying agents via Vertex AI ADK, the recommended action is straightforward: audit your P4SA permissions now, apply least-privilege access controls, and monitor agent activity logs for anomalous behavior. Waiting for a patched default is not a complete mitigation — the risk exists in live deployments today.
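A starting point for that audit, as an added example that is not code from Unit 42 or Google: it lists every role held by Google-managed service agents in a project IAM policy (the JSON returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`) and sorts the broadest grants first. The address pattern used to recognise service agents, the breadth labels, and the sample policy are assumptions of this example; confirm your P4SA's exact address in IAM before relying on the match.

```python
import re

# Assumption: the P4SA follows the usual Google-managed service agent
# address convention. Verify the exact address in your project's IAM page.
SERVICE_AGENT = re.compile(
    r"^serviceAccount:service-\d+@gcp-sa-[a-z0-9-]+\.iam\.gserviceaccount\.com$")
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
ORDER = {"basic-role": 0, "admin-role": 1, "review": 2}

def classify(role):
    """Coarse breadth label; the categories are this example's assumption."""
    if role in BASIC_ROLES:
        return "basic-role"      # project-wide legacy roles
    if role.lower().endswith("admin"):
        return "admin-role"      # full control over one service
    return "review"              # narrower, but still inspect its permissions

def audit_service_agents(policy):
    """Return one finding per (service agent, role) pair, broadest first."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if SERVICE_AGENT.match(member):
                findings.append({
                    "member": member,
                    "role": role,
                    "label": classify(role),
                    # An IAM condition narrows when the grant applies.
                    "conditional": "condition" in binding,
                })
    return sorted(findings, key=lambda f: (ORDER[f["label"]], f["member"], f["role"]))

# Constructed sample policy: the project number, agent name and members are made up.
AGENT = "serviceAccount:service-123456789012@gcp-sa-example.iam.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/logging.logWriter",
     "members": [AGENT, "serviceAccount:app@my-project.iam.gserviceaccount.com"],
     "condition": {"title": "constructed", "expression": "true"}},
    {"role": "roles/storage.admin", "members": [AGENT]},
    {"role": "roles/editor", "members": ["user:dev@example.com", AGENT]},
]}

if __name__ == "__main__":
    for f in audit_service_agents(SAMPLE_POLICY):
        cond = " (conditional)" if f["conditional"] else ""
        print(f'{f["label"]:<11} {f["role"]:<26} {f["member"]}{cond}')
```

Roles labelled `review` still need their underlying permissions inspected, since a service-agent role can bundle far more than its name suggests.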