Security researchers demonstrated in March 2026 that an autonomous AI agent could break into McKinsey and Company's internal generative AI platform, known as Lilli, in under two hours. During the test, the agent gained read and write access to millions of internal chatbot messages and sensitive file records, according to the researchers who documented the exercise.

The demonstration highlighted a risk category that has grown alongside enterprise adoption of internal AI assistants. Platforms like Lilli are built to give employees fast access to a firm's institutional knowledge, pulling from large stores of documents and prior conversations. That same concentration of information makes them a high-value target, because a single access failure can expose a wide swath of proprietary material rather than a limited set of files.

Researchers said the agent was able to move through the system autonomously, chaining together steps that a human attacker would normally perform manually. The read and write access it obtained meant it could not only view internal messages but also potentially alter records, a scenario that raises concerns about data integrity in addition to confidentiality.

The case has drawn attention from security specialists tracking the expanding attack surface created by corporate AI tools. As organizations connect generative AI systems to internal databases and knowledge repositories, the systems inherit access to sensitive data while often lacking the mature access controls applied to traditional software. Analysts studying the incident pointed to it as an example of how quickly an AI-driven intrusion can escalate, and how the governance around internal AI platforms has lagged behind the speed of their deployment across large firms.

Source: PointGuard AI -- https://www.pointguardai.com/ai-security-incidents/mckinsey-ai-chatbot-breach-exposes-millions-of-internal-messages