Unit 42 — Vertex AI P4SA overprivileged agents expose Google Cloud data

AI relevance: Vertex AI Agent Engine deployments use default service accounts with excessive permissions that can be weaponized by malicious AI agents to exfiltrate sensitive cloud data and access internal Google infrastructure, highlighting critical AI agent security blind spots.

  • Palo Alto Networks Unit 42 discovered overprivileged P4SA service agents in Google Vertex AI Agent Engine deployments.
  • Default Per-Project, Per-Product Service Agent (P4SA) credentials grant excessive storage permissions by design.
  • Attackers can deploy malicious "double agent" AI systems that appear legitimate but secretly exfiltrate data.
  • Compromised credentials allow access to consumer project Google Cloud Storage buckets with full read permissions.
  • Researchers gained access to Google's internal Artifact Registry repositories containing proprietary container images.
  • The vulnerability exposes restricted reasoning-engine and llm-extension containers used in Vertex AI infrastructure.
  • Agent deployments use Python pickle serialization for code, creating remote code execution risks.
  • Default OAuth 2.0 scopes are overly permissive and non-editable, potentially granting Workspace access.
  • Google has updated documentation and recommends Bring Your Own Service Account (BYOSA) for least privilege.

Why it matters

As organizations deploy AI agents with broad access to cloud resources and sensitive data, default overprivileged service accounts create massive attack surfaces. Malicious AI agents can weaponize these permissions to exfiltrate data, access internal infrastructure, and establish persistent backdoors, turning trusted AI tools into insider threats.

What to do

  • Implement BYOSA — Replace default P4SA with custom service accounts using least privilege principles
  • Audit AI agent permissions — Review all deployed agents and their associated service accounts
  • Monitor agent behavior — Implement runtime security for AI agent activities and data access
  • Validate agent integrity — Review source code and deployment artifacts for malicious payloads
  • Restrict OAuth scopes — Ensure agent permissions are minimal and appropriate for intended use
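One way to carry out the audit step above, as an added example that is not from the Unit 42 report or from Google's tooling: a Python check over a project IAM policy export (the JSON that `gcloud projects get-iam-policy PROJECT --format=json` produces) that flags service-account principals holding broad Cloud Storage roles at project level, rating Google-managed service agents (P4SAs) higher than customer-owned accounts. The policy below is constructed sample data; the project number and service-agent domain in it are placeholders.

```python
import json
import re

# Google-managed service agents (P4SAs) follow this naming convention:
#   service-<PROJECT_NUMBER>@gcp-sa-<product>.iam.gserviceaccount.com
SERVICE_AGENT_RE = re.compile(
    r"^serviceAccount:service-\d+@gcp-sa-[a-z0-9-]+\.iam\.gserviceaccount\.com$"
)

# Predefined and basic roles that, when bound at project level, grant read
# (or stronger) access to object data in every bucket of the project.
BROAD_STORAGE_ROLES = {
    "roles/storage.objectViewer", "roles/storage.objectUser",
    "roles/storage.objectAdmin", "roles/storage.admin",
    "roles/viewer", "roles/editor", "roles/owner",
}


def audit_storage_bindings(policy_json):
    """Return findings for service-account principals holding broad storage
    roles: HIGH for Google-managed service agents (the default P4SA case),
    MEDIUM for customer-owned accounts (BYOSA still needs bucket-level scoping).
    Users and groups are out of scope for this agent-focused check."""
    findings = []
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding["role"]
        if role not in BROAD_STORAGE_ROLES:
            continue
        for member in binding.get("members", []):
            if not member.startswith("serviceAccount:"):
                continue
            severity = "HIGH" if SERVICE_AGENT_RE.match(member) else "MEDIUM"
            findings.append({"member": member, "role": role, "severity": severity})
    # HIGH findings first, then alphabetical by principal
    return sorted(findings, key=lambda f: (f["severity"] != "HIGH", f["member"]))


# Constructed sample export; 000000000000 and example-project are placeholders.
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:service-000000000000@gcp-sa-aiplatform-re.iam.gserviceaccount.com"]},
    {"role": "roles/aiplatform.user",
     "members": ["serviceAccount:agent-runner@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:agent-runner@example-project.iam.gserviceaccount.com",
                 "user:alice@example.com"]},
]})

if __name__ == "__main__":
    for finding in audit_storage_bindings(SAMPLE_POLICY):
        print(f"[{finding['severity']}] {finding['member']} holds {finding['role']}")
```

Run it against a real export by reading the file into `audit_storage_bindings`; a HIGH finding means a default service agent can read every bucket in the project, which is exactly what BYOSA with bucket-scoped roles is meant to remove.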

Sources