Double Agents: Security Blind Spots in Vertex AI on GCP
🔒 Unit 42 researchers discovered that AI agents deployed with Google Cloud’s Vertex AI ADK can inherit overly broad default permissions, enabling a deployed agent to leak service‑agent credentials and act as a “double agent.” By exploiting the Per‑Project, Per‑Product Service Agent (P4SA), the team pivoted into consumer projects and downloaded restricted Artifact Registry images from Google‑managed producer projects. Google collaborated with Unit 42, updated documentation, and recommended Bring Your Own Service Account (BYOSA) as a mitigation. Palo Alto Networks highlights protection via Prisma AIRS, Cortex Cloud Identity Security, and Cortex AI‑SPM.
