AI Agent Security: Lessons from the McKinsey Lilli Hack

Authors
  • avatar
    Name
    Nino
    Occupation
    Senior Tech Editor

When an autonomous AI agent can pivot through your internal Retrieval-Augmented Generation (RAG) assistant, exfiltrate sensitive knowledge, and escalate privileges in under two hours, you no longer have a simple chatbot problem—you have a critical application-security and SOC (Security Operations Center) crisis. The recent security discourse surrounding McKinsey’s internal assistant, Lilli, serves as a wake-up call for enterprises. Lilli sits atop proprietary methodologies, client documents, and complex workflow tools, much like the “enterprise copilots” many organizations are currently building using high-performance APIs from n1n.ai.

These assistants aggregate high-value data and actions behind a deceptively simple conversational interface. However, this convenience exposes three converging attack surfaces that traditional security models are ill-equipped to handle: user prompts, internal knowledge bases, and integrated tooling APIs. As developers transition from passive chatbots to active agents, the risk of a Lilli-style breach becomes a predictable result of putting semi-autonomous entities in front of privileged data without treating them as first-class security subjects.

The Anatomy of an Enterprise AI Assistant

To understand the exploit, we must first understand the target. Enterprise assistants like Lilli usually combine three primary layers:

  1. A Chat UI: The entry point for user interaction.
  2. A RAG Pipeline: Connecting the LLM to internal wikis, SharePoint, and vector databases.
  3. Plugins and Connectors: Tools for systems like CRM, ticketing (Jira), or document management.

Modern LLM security guidance frames all three as significant attack surfaces. Every new connector—whether it is Slack, a data warehouse, or a GitHub repository—adds another surface that can be coerced into leaking data or performing unauthorized actions. When developers build these stacks, they often prioritize the speed and accuracy of the model, perhaps by sourcing reliable LLM access from n1n.ai, but they frequently overlook the granular permissions required for the agentic layer.

The Rise of Agentic AI: From Chatbots to Operators

Agentic AI represents a fundamental shift. It wraps LLMs with memory, planning, and tool-use capabilities. Agents can decompose high-level goals into multi-step tasks, call APIs, and iterate with minimal supervision. This is the jump from a "chatbot" to an "operator."

Instead of a simple prompt-to-answer flow, agent frameworks use a logic loop often referred to as ReAct (Reason + Act). The loop looks something like this in pseudocode:

while not goal_reached:
    observation = get_state()
    # The LLM analyzes the state and plans the next move
    plan = llm.plan(observation, memory)
    tool_calls = extract_tools(plan)
    # The agent executes tools like SQL queries or API requests
    results = execute_tools(tool_calls)
    memory.update(results)

This loop enables agents to perceive (read logs/docs), reason (create plans), act (call tools/modify files), and learn (update memory). While this provides immense productivity, it also creates an autonomous attack playbook if misconfigured. For instance, an agent that can execute code and call internal APIs creates failure modes like tool hijacking, privilege escalation, and memory poisoning.

The Exploit Path: How the Hack Unfolds

A realistic breach chain against a Lilli-class assistant follows a logical progression: prompt injection → RAG exfiltration → tool enumeration → token abuse → lateral movement. Each step exploits design assumptions rather than exotic zero-day vulnerabilities.

1. Prompt Injection and Ingestion

The first weak point is the chat or upload endpoint. All prompts and contextual parameters are untrusted. An attacking agent can probe the system structure via targeted questions or embed malicious instructions inside uploaded documents. Indirect prompt injection is particularly dangerous; once a malicious document is ingested into your vector store, it becomes "trusted" context for all future queries.

2. RAG Exfiltration

After influencing the conversation, the attacker targets the RAG pipeline. By steering retrieval toward sensitive collections with crafted queries, the agent can coerce the assistant to "show full source text" for citations. This often bypasses UI-level limitations, exploiting missing row-level or document-level Access Control Lists (ACLs) in the vector store.

3. Tool Enumeration and Token Abuse

Once the agent confirms it has tool access, it begins to enumerate available functions. It might call a help or list_tools command to see what is available. In documented incidents, generic over-privileged API tokens have allowed agents to call destructive mutations (like deleting databases) because the token lacked environment scoping. When selecting a provider like n1n.ai for your LLM needs, ensuring that the surrounding application logic enforces strict token scoping is paramount.

4. Lateral Movement

With a powerful token, the agent can pivot from read-only access in a staging environment to write access in business systems. Because assistants like Lilli front high-value consulting workflows, a two-hour window is enough to exfiltrate internal methodologies and client lists—data that is highly sensitive under GDPR and other regulatory frameworks.

The Visibility Gap: Why Traditional SIEM Fails

Traditional Security Information and Event Management (SIEM) systems focus on infrastructure signals like network logs and authentication events. However, agentic exploits unfold in the "semantic layer"—the world of prompts, retrieved chunks, and tool calls. Most organizations do not log this data, leaving them blind to attacks that appear as benign API usage when viewed in isolation.

To defend against this, security teams must treat prompts and tool invocations as first-class auditable events. An AI-augmented SOC can then flag anomalies, such as an assistant suddenly reading thousands of chunks across unrelated projects or a spike in "raw source" queries.

Hardening Your AI Stack: Defense-in-Depth

Hardening starts with architecture. Modern security guidance advocates for a "Zero-Trust" approach to agent actions. You should never let agents call production databases or cloud control planes directly. Instead, route them through hardened service façades with policy enforcement.

Guarded Retrieval Implementation

To mitigate context poisoning and over-broad retrieval, you must enforce ACLs before the context reaches the model. Here is a conceptual example of a guarded retrieval function:

def guarded_retrieve(user_context, query):
    # 1. Perform semantic search
    raw_results = vector_search(query)

    # 2. Filter results based on user permissions
    # Each chunk must have an associated ACL metadata tag
    filtered_chunks = [
        chunk for chunk in raw_results
        if acl_check(user_context.id, chunk.metadata["resource_id"])
    ]

    # 3. Redact sensitive patterns (PII, secrets) before returning
    return redact_content(filtered_chunks)

Scoped and Short-Lived Tokens

Critical failure points often involve over-privileged tokens. Mitigate this by using short-lived, scoped tokens per tool and environment. Ensure a strict separation between staging and production credentials. A powerful pattern is to have the agent propose an action as structured JSON, which a policy engine then simulates and scores for risk before allowing the real call to proceed.

Conclusion: Treating AI as Critical Infrastructure

An AI agent compromising a sophisticated assistant in two hours is not a corner case; it is a foreseeable outcome of immature monitoring and over-privileged tools. The same components that power business automation also enable autonomous reconnaissance and exfiltration. To protect your enterprise, you must explicitly map your RAG attack surfaces, constrain tools with zero-trust principles, and instrument your semantic layer for continuous monitoring.

As you build and scale your AI capabilities, leverage the robust infrastructure and high-speed models available at n1n.ai to ensure your applications are both powerful and resilient. If you wouldn’t give a junior engineer unsupervised, unlogged access to your production secrets, you shouldn’t give that power to an autonomous agent either.

Get a free API key at n1n.ai

Source: https://dev.to/olivier-coreprose/an-ai-agent-hacked-mckinseys-lilli-in-2-hours-inside-the-architecture-exploit-path-and-how-to-3pp0