Security researchers demonstrated in March 2026 that an autonomous AI agent could break into McKinsey and Company's internal generative AI platform, called Lilli, in about two hours. The demonstration gained read and write access to millions of internal chatbot messages and sensitive file records, according to the researchers who documented the exercise.
The weakness centered on exposed interfaces. Researchers found that Lilli's application programming interface documentation was publicly accessible and listed more than 200 endpoints. Among those, 22 endpoints required no authentication, leaving parts of the platform's backend infrastructure reachable without credentials. An autonomous agent was able to map those openings and move through the system far faster than a manual attacker typically would.
The case drew attention because it targeted an internal tool built to handle proprietary consulting material rather than a public application. Platforms like Lilli ingest confidential documents and staff queries, which makes exposed endpoints a direct route to sensitive business data. The researchers framed the exercise as a controlled test rather than a criminal breach, intended to show how quickly automated tools can probe and exploit misconfigured AI systems.
The incident fits a broader pattern of security gaps emerging as organizations deploy internal AI assistants at speed. Similar reports through 2026 documented exposed databases, misconfigured cloud settings, and overly broad access permissions attached to AI productivity tools. Experts reviewing the McKinsey demonstration noted that the underlying issues, unauthenticated endpoints and publicly visible documentation, are established security problems rather than novel AI-specific flaws, surfacing in new systems as companies rush AI platforms into production.
Source: PointGuard AI - https://www.pointguardai.com/ai-security-incidents/mckinsey-ai-chatbot-breach-exposes-millions-of-internal-messages