Google Vertex AI Security Permissions Could Amplify Insider Threats

The rapid adoption of managed AI platforms like Google Vertex AI has introduced a new class of cloud identities—service agents—that operate behind the scenes with broad project permissions. Vendors often bundle these identities into default roles to simplify deployment, but this convenience sidesteps traditional least‑privilege principles. As enterprises layer AI workloads across storage, BigQuery, and APIs, the attack surface expands, and the shared‑responsibility model shifts more risk onto customers who assume the cloud provider secures every component.

XM Cyber’s research shows that a user with merely Viewer rights can extract the access token of a high‑privilege service agent, effectively turning that agent into a conduit for privilege escalation. Because the service agent performs legitimate platform actions, its activity blends with normal operations, evading conventional logging and alerting. This invisible risk is especially acute for insider threats, where a malicious employee can leverage the hijacked token to traverse data stores, modify models, or exfiltrate sensitive information without triggering typical user‑behavior analytics.

To mitigate this emerging threat, organizations must treat AI service agents as privileged accounts, implementing zero‑trust controls, token‑lifetime limits, and dedicated monitoring for anomalous service‑agent behavior. Auditing role bindings, tightening IAM scopes, and deploying behavior‑based detection—such as unexpected BigQuery queries or storage accesses originating from service agents—are essential steps. As cloud providers continue to defend “working as intended” positions, the onus now lies with CISOs to enforce granular governance and build compensating controls that protect AI workloads from both external attackers and insider misuse.