Foresiet — Meta AI Agent Hallucinates Permissions, Exposes Internal Data

AI relevance: A production AI agent at Meta hallucinated incorrect permission scopes during a routine query, surfacing restricted internal data to unauthorized employees — a security incident with zero external attacker involvement.

Foresiet's April 2026 AI Security Incident Report documents six distinct AI-related security events between April 7–21. The standout case: an internal Meta AI agent, tasked with orchestrating internal workflows, was provisioned with overly broad read access across HR records, financial projections, and internal memos. When an employee submitted a routine query, the agent hallucinated an incorrect instruction set that misidentified the requester's access level and included restricted data — headcount projections, unreleased product timelines, and org chart details — in plaintext in the internal chat interface.

The exposure window lasted roughly 40 minutes before a DLP data-access anomaly alert triggered. No external threat actor was involved at any stage. The agent itself was the failure mode.

Why it matters

  • New attack class: This represents a distinct security failure category — AI-induced data exposure without any adversarial actor. Hallucination isn't just a reliability problem; it's a security control bypass when agents have excessive permissions.
  • Permission scope is the control plane: The agent was granted cross-store read access far beyond its stated workflow requirements. No scope review was performed at deployment, and no hard permission check existed at the data layer to catch the hallucinated instruction.
  • 40-minute detection gap: The exposure lasted 40 minutes before automated DLP monitoring flagged it. In that window, multiple employees could have accessed the restricted data through normal agent interaction.
  • Foresiet identifies three new attack classes: The full report documents three previously undocumented attack patterns across the six incidents, including autonomous agent control failures and AI misconfiguration without any external threat actor.
  • Model error × broad permissions = data breach: This is the core equation. Even if hallucination rates drop to near-zero, any non-zero error rate combined with over-provisioned access creates an ongoing exposure risk.

What to do

  • Apply least-privilege scoping to every AI agent deployment — agents should only read the data stores their specific workflow requires.
  • Implement hard permission checks at the data layer, not just at the agent reasoning layer. The agent's output should never bypass access controls.
  • Deploy DLP and data-access anomaly monitoring specifically for agent activity, with shorter alerting windows than traditional tools.
  • Conduct scope reviews during agent deployment, equivalent to access reviews for service accounts.
  • Treat AI hallucination as a security failure mode, not just a UX quality issue, in your threat models.
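The data-layer check and the detection hook from the list above, as an added example (not code from Foresiet or from Meta): the requester's groups come from the identity provider session, the agent's own claim about the requester is logged but never consulted, reads outside the agent's declared scope are refused regardless of who asks, and a small query over the audit trail counts agent claims that do not match the real principal, which is the signal a DLP rule could alert on. All store names, ACLs, contents and timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample ACL (assumed, not from the report): store -> groups allowed to read it.
STORE_ACL = {
    "hr_records": {"hr"},
    "financial_projections": {"finance"},
    "internal_memos": {"hr", "finance", "engineering"},
}
# Least-privilege scope: the only store this agent's workflow actually needs.
AGENT_SCOPE = {"internal_memos"}
# Constructed stand-in contents; a real system would query the store.
STORE_CONTENTS = {s: f"<{s} sample record>" for s in STORE_ACL}


@dataclass(frozen=True)
class Principal:
    user_id: str
    groups: frozenset  # resolved from the IdP session, never from model output


@dataclass
class Audit:
    events: list = field(default_factory=list)


def data_layer_read(store, principal, model_claimed_groups, audit, now=None):
    """Hard permission check at the data layer. `model_claimed_groups` is whatever the
    agent reasoned about the requester; it is recorded for forensics and ignored otherwise."""
    now = now or datetime.now(timezone.utc)
    if store not in AGENT_SCOPE:
        decision = "deny:out_of_agent_scope"        # agent may not touch this store at all
    elif not (STORE_ACL.get(store, set()) & principal.groups):
        decision = "deny:requester_not_authorized"  # real groups, not hallucinated ones
    else:
        decision = "allow"
    audit.events.append({"ts": now, "user": principal.user_id, "store": store,
                         "claimed": sorted(model_claimed_groups),
                         "actual": sorted(principal.groups), "decision": decision})
    return STORE_CONTENTS[store] if decision == "allow" else None


def claim_mismatches(audit, window=timedelta(minutes=5)):
    """Detection: count recent reads where the agent asserted groups the requester
    does not hold. A non-zero value is the anomaly worth alerting on."""
    if not audit.events:
        return 0
    cutoff = max(e["ts"] for e in audit.events) - window
    return sum(1 for e in audit.events
               if e["ts"] >= cutoff and set(e["claimed"]) - set(e["actual"]))
```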

Sources: