Your AI Platform Is the Attack Surface Now
McKinsey Got Breached in 2 Hours. By a Bot.
On February 28, 2026, security startup CodeWall pointed an autonomous AI agent at McKinsey's internal AI platform, Lilli. No credentials. No insider help. No human guidance.
Two hours later, the agent had full read-write access to the production database.
The damage? 46.5 million chat messages covering strategy, M&A deals, and client engagements. 728,000 files. 57,000 user accounts. 384,000 AI assistants. 94,000 workspaces. And the real kicker: all 95 internal system prompts that govern how the chatbot behaves were stored in the same database. An attacker could have rewritten them without deploying new code or triggering a single alert.
The vulnerability? SQL injection. Not a zero-day. Not some exotic side-channel attack. SQL injection. The same class of bug we've been writing blog posts about since 2005.
McKinsey is not some startup running a side project. They are a $16 billion consultancy with a dedicated technology team. If their AI platform gets owned through a basic database flaw, what does that say about yours?
The Numbers Are Getting Worse
This is not an isolated incident. The data from Q1 2026 paints a clear picture: AI platforms are now the primary attack surface for enterprise breaches.
IBM's 2026 X-Force Threat Intelligence Index found a 44% increase in attacks targeting public-facing applications, driven by missing authentication controls and AI-enabled vulnerability discovery. Vulnerability exploitation became the leading cause of attacks, at 40% of all incidents observed in 2025.
Over 300,000 ChatGPT credential sets were found advertised on the dark web, harvested by infostealer malware. These are not just passwords. Compromised AI credentials let attackers manipulate outputs, exfiltrate training data, and inject prompts into systems that feed business decisions.
Palo Alto's 2026 Unit 42 Global Incident Response Report analyzed over 750 major incidents across 50+ countries. Identity weaknesses played a material role in nearly 90% of investigations. In the fastest cases, attackers moved from initial access to data exfiltration in 72 minutes, 4x faster than the previous year. And 87% of attacks unfolded across multiple attack surfaces simultaneously.
The pattern is clear. AI platforms inherit every security problem traditional web apps have, plus new ones specific to AI: prompt injection, model poisoning, agent hijacking. And most companies are not testing for any of them.
Why AI Platforms Break Differently
Traditional web applications have a well-understood attack surface. You know where the inputs are, where the data lives, how authentication works. Twenty years of OWASP, SAST tools, and penetration testing have given us a solid playbook.
AI platforms break that model in three ways.
First, the data surface is massive. An AI chatbot that answers questions about your company's data has implicit access to everything in its training set and retrieval pipeline. The McKinsey breach did not need to compromise individual user accounts. One SQL injection gave access to the entire knowledge graph because the AI platform was the aggregation point for all of it.
Second, system prompts are both code and data. In the McKinsey case, the 95 system prompts lived in the same database as user data. There is no separation between "application logic" and "user content" in most AI deployments. Rewriting a system prompt is equivalent to deploying new code, and it requires no CI/CD pipeline, no code review, no deployment approval.
Third, AI agents act autonomously. CodeWall's agent did not follow a script. It explored, probed, and escalated on its own. This is exactly what legitimate AI agents do too, which means you cannot distinguish malicious autonomous behavior from normal autonomous behavior using traditional monitoring. Your SIEM sees the same patterns either way.
What To Do About It
If your company deploys an AI platform, whether internal (like McKinsey's Lilli) or customer-facing, here is what needs to happen.
1. Run an AI-specific security assessment.
Not a generic penetration test. A targeted assessment that covers:
- Prompt injection (direct and indirect)
- Data exfiltration through AI outputs
- System prompt extraction and manipulation
- Agent permission boundaries
- RAG pipeline data access controls
Standard web app pentests miss all of these.
2. Separate your AI data plane from your control plane.
System prompts, model configurations, and agent instructions should never live in the same database as user data. If an attacker gets read access to user conversations, they should not also get write access to the AI's behavior.
Here is a minimal architecture check:
# AI Platform Security Checklist
data_plane:
user_conversations: "separate database, encrypted at rest"
uploaded_documents: "object storage with per-user ACLs"
retrieval_index: "read-only from application tier"
control_plane:
system_prompts: "version-controlled, deployed via CI/CD"
model_configs: "infrastructure-as-code, immutable deployments"
agent_permissions: "least-privilege, audited quarterly"
monitoring:
prompt_injection_detection: "real-time input/output scanning"
data_exfiltration: "output content classification"
anomaly_detection: "agent behavior baseline + deviation alerts"3. Treat AI credentials as tier-1 assets.
300,000 ChatGPT credentials on the dark web means your AI tools are now high-value targets for infostealer malware. Every AI SaaS login, API key, and service account needs the same protection as your production database credentials: MFA, rotation, monitoring.
4. Assume AI agents will be weaponized against you.
CodeWall proved that autonomous AI agents can discover and exploit vulnerabilities without human guidance. Your AI platform will face these attacks. Build your defenses around detection and containment, not prevention alone.
How DeviDevs Approaches This
We have been watching the AI security space since before it was cool to talk about. The McKinsey breach validated something we have been telling clients for months: your AI platform is not "just another web app." It requires a different security model.
We run AI platform security assessments that cover the full attack surface, from prompt injection to data access controls to agent permission boundaries. If you are deploying AI internally or building AI-powered products, and you have not tested specifically for these risks, you are running the same gamble McKinsey was.
The difference is, McKinsey had CodeWall show up as a friendly researcher. The next visitor might not be so polite.
The Clock Is Ticking
Every week that passes, more AI agents get deployed, more data flows through AI platforms, and more attackers learn how to exploit them. The IBM X-Force data shows this is accelerating, not stabilizing.
If McKinsey's $16 billion consultancy could not secure their AI platform against a basic SQL injection, you probably should not assume yours is safe either. Get it tested. Get it fixed. Before someone else finds out for you.
About DeviDevs: We build ML platforms, secure AI systems, and help companies comply with the EU AI Act. devidevs.com