Inside the AI Double Agent: How Google Cloud’s Vertex AI Could Turn Against You
Critical vulnerabilities in Google Cloud’s Vertex AI show how misconfigured AI agents can become insider threats - exposing infrastructure secrets and enabling persistent attacks.
Imagine deploying an AI agent to streamline your cloud operations - only to discover it’s been quietly mapping your infrastructure, harvesting credentials, and plotting a silent coup. This isn’t a cyber-thriller plot, but the chilling reality uncovered by Palo Alto Networks’ Unit 42 in their investigation of Google Cloud’s Vertex AI Agent Engine. Their research reveals how a single misstep in configuring these powerful AI agents can transform them from trusted assistants into double agents, capable of threatening both customers’ and Google’s own cloud security.
The Anatomy of a Double Agent
Vertex AI, Google Cloud’s flagship platform for building and deploying AI agents, offers advanced tools like the Agent Engine and Application Development Kit (ADK). However, beneath their promise lies a critical flaw: the default permissions granted to the Per-Product Service Agent (P4SA), a Google-managed service account. By exploiting these generous privileges, researchers demonstrated how a compromised or poorly configured agent could access internal credentials and sensitive files - potentially crossing the boundary from helpful tool to stealthy saboteur.
Among the files discovered were Dockerfile.zip - detailing how Google constructs its virtual agent environments, complete with internal project information and private storage locations - and code.pkl, a pickled (serialized) Python object containing the AI agent’s code. The latter poses a particular danger: because unpickling executes whatever the stream instructs, a tampered code.pkl runs attacker-supplied commands the moment the agent is loaded, giving attackers a persistent foothold and the ability to control the agent’s actions undetected.
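The code.pkl finding above, and the Pickle entry in the glossary below, both come down to one property of Python’s pickle format: the stream can name any importable global and call it during loading. The following is an added defensive example (not Unit 42’s or Google’s code) showing the two checks a deployment pipeline can apply to a serialized agent artifact before trusting it: a static inventory of every global the stream would import, produced with the standard library’s pickletools without executing anything, and a restricted unpickler that refuses any global outside an allowlist even if the scan is skipped. The allowlist, the sample pickles and the names `referenced_globals`, `safe_loads` and `UnsafePickle` are assumptions constructed for this example.

```python
import collections
import io
import pickle
import pickletools

# Globals a legitimate serialized agent artifact is expected to reference.
# This allowlist is an assumption for the example; a real pipeline derives it
# from the classes its own artifacts actually contain.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class UnsafePickle(Exception):
    """Raised when a pickle stream references a global outside the allowlist."""


def referenced_globals(data: bytes):
    """Statically list every (module, name) the stream would import.

    pickletools.genops disassembles the stream without executing it.
    Protocol 0-3 use GLOBAL with a single 'module name' text argument;
    protocol 4 uses STACK_GLOBAL, which consumes the two string pushes
    that precede it, so the most recent string arguments are tracked.
    """
    refs = []
    recent_strings = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            if len(recent_strings) < 2:
                raise UnsafePickle("malformed STACK_GLOBAL")
            refs.append((recent_strings[-2], recent_strings[-1]))
        if isinstance(arg, str):
            recent_strings.append(arg)
    return refs


class RestrictedUnpickler(pickle.Unpickler):
    """Enforcement at load time: find_class is consulted for every global."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise UnsafePickle(f"refused global {module}.{name}")


def safe_loads(data: bytes):
    """Scan first (cheap, gives an auditable inventory), then load restricted."""
    for module, name in referenced_globals(data):
        if (module, name) not in SAFE_GLOBALS:
            raise UnsafePickle(f"stream references {module}.{name}")
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Constructed sample artifacts, not files from the research.
BENIGN = pickle.dumps({"agent": "demo", "tools": ["search"]})
BENIGN_ORDERED = pickle.dumps(collections.OrderedDict([("a", 1)]))
# A hand-built protocol 0 stream that would import and call os.getcwd:
# GLOBAL os.getcwd, MARK, TUPLE, REDUCE, STOP. Harmless if run, but it is the
# shape of a tampered artifact and must be refused before anything is called.
TAMPERED_P0 = b"cos\ngetcwd\n(tR."
# The same reference expressed with protocol 4 opcodes (STACK_GLOBAL).
TAMPERED_P4 = b"\x80\x04\x8c\x02os\x8c\x06getcwd\x93)R."


def classify(data: bytes) -> str:
    """Return 'ok' when the artifact loads under the allowlist, else 'refused'."""
    try:
        safe_loads(data)
        return "ok"
    except UnsafePickle:
        return "refused"


if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("ordered", BENIGN_ORDERED),
                        ("tampered-p0", TAMPERED_P0), ("tampered-p4", TAMPERED_P4)]:
        print(label, referenced_globals(blob), classify(blob))
```

The scan and the restricted unpickler are deliberately independent: the scan is what you log and alert on (an agent artifact that suddenly references os or subprocess is a signal worth an investigation), while find_class is the control that holds even when a reviewer forgets to run the scan. Neither replaces the structural fix the article points to, which is to keep the service account that can write such artifacts minimally privileged in the first place.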
Further compounding the risk, the default OAuth 2.0 scopes assigned to the Agent Engine are far too broad, spanning services like Gmail, Calendar, and Drive. While additional controls are in place, this excessive reach violates the principle of least privilege and increases the attack surface for lateral movement within organizations.
Mitigation and the Road Ahead
Google has responded by tightening documentation and urging customers to replace default service accounts with custom, minimally privileged ones. Controls now prevent service agents from altering production images, reducing the risk of widespread image poisoning. Yet experts warn that the real challenge is cultural: AI agents, with their autonomy and access, must be treated not as passive tools but as critical identities requiring continuous security oversight, rigorous auditing, and strict isolation.
The lesson is clear. As AI agents become ever more integral to cloud operations, their potential to amplify both productivity and risk grows exponentially. Organizations must move beyond blind trust - adopting a security-first mindset that recognizes these agents as both powerful allies and, if neglected, possible double agents lurking in plain sight.
WIKICROOK
- Service Account: A service account is a non-human account created for software or automated processes to perform system tasks, often with broad permissions.
- Remote Code Execution (RCE): Remote Code Execution (RCE) is when an attacker runs their own code on a victim’s system, often leading to full control or compromise of that system.
- OAuth 2.0 Scope: OAuth 2.0 Scope specifies the permissions an app needs to access certain user resources, limiting access and enhancing security in API interactions.
- Pickle (Python): Pickle is Python’s object serialization module. It poses security risks, as loading tampered data can execute malicious code. Use with caution.
- Principle of Least Privilege: The Principle of Least Privilege limits user and system access to only what’s necessary, reducing risk and enhancing organizational cybersecurity.