McKinsey's $20 Breach: Why Agentic AI Is 2026's Top Security Risk
An autonomous agent spent $20 over two hours to gain full read-write access to Lily — McKinsey's internal AI platform serving 70% of its 40,000 consultants. The exploit was SQL injection, first documented in 1998 and covered in every introductory web security course. The failure, argues analyst Nate B Jones in a detailed post-mortem, was not a CS 101 oversight but a procurement process designed for bounded SaaS being applied to unbounded agentic workflows. Four independent sources this week confirm it is 2026's dominant enterprise security failure mode.
What the Source Actually Says
The Codewall disclosure (incident: February 28th; responsible disclosure: March 9th) revealed 22 of Lily's 200 API endpoints shipped unauthenticated — including one with production write access. An 11% miss rate at McKinsey's engineering standard is not individual error; it is a culture and architecture pattern. Jones's core argument: the 15-year enterprise SaaS procurement sequence — strategy, then procurement, then security review, then IT, then developers build last — worked because SaaS is bounded. Vendors provide admin consoles, defined APIs, and role-based permissions. Agents are not bounded. An agent preparing a customer renewal brief must cross CRM, support tickets, contract management, product usage, and call transcript systems, each requiring tokens, scopes, and auditable permissions that compose across system boundaries. "The screen is the permissions model," Jones argues. Humans only see what they're allowed to see; agents must ask every system in code whether they may read — and that code rarely exists by default.
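The 22-of-200 finding is a coverage problem, and the cheapest defence is to make "unauthenticated" an explicit, greppable choice rather than the absence of a decorator. The following is an added example, not code from McKinsey, Codewall or the Lily platform: a hypothetical fail-closed route registry in which every route is authenticated unless someone writes `Auth.PUBLIC` with a justification, a dispatch check that rejects token-less requests before any handler runs, and an `audit()` gate that would fail the build on a public write route. The routes and numbers are constructed.

```python
"""Fail-closed route registry with an auth-coverage gate (added example).

Hypothetical in-house API; route names and counts are constructed. The only
real figure it echoes is the disclosure's 22-of-200 unauthenticated endpoints.
"""
from dataclasses import dataclass
from enum import Enum


class Auth(Enum):
    REQUIRED = "required"   # the default for every route
    PUBLIC = "public"       # explicit opt-out; must carry a written justification


@dataclass(frozen=True)
class Route:
    method: str
    path: str
    auth: Auth
    writes: bool
    justification: str


@dataclass(frozen=True)
class Finding:
    severity: str   # "block" fails CI, "warn" is reviewed
    route: str
    message: str


class Registry:
    """Routes are authenticated unless the author opts out and says why."""

    def __init__(self) -> None:
        self.routes: list[Route] = []

    def add(self, method, path, *, auth=Auth.REQUIRED, writes=False, justification=""):
        if auth is Auth.PUBLIC and not justification:
            raise ValueError(f"{method} {path}: public route needs a justification")
        self.routes.append(Route(method, path, auth, writes, justification))
        return self

    def handle(self, method: str, path: str, headers: dict) -> int:
        """Dispatch-time check: a REQUIRED route with no bearer token is refused
        before any handler code (and any SQL) runs. Returns an HTTP status."""
        route = next((r for r in self.routes if (r.method, r.path) == (method, path)), None)
        if route is None:
            return 404
        token = headers.get("Authorization", "")
        if route.auth is Auth.REQUIRED and not token.startswith("Bearer "):
            return 401
        return 200


def audit(registry: Registry) -> list[Finding]:
    """CI gate: enumerate every public route; public writes are blocking."""
    findings = []
    for r in registry.routes:
        if r.auth is not Auth.PUBLIC:
            continue
        name = f"{r.method} {r.path}"
        if r.writes:
            findings.append(Finding("block", name, "unauthenticated write access"))
        else:
            findings.append(Finding("warn", name, f"public read: {r.justification}"))
    return findings


def miss_rate(registry: Registry) -> float:
    """Share of routes that are public, the number an engineering lead tracks."""
    public = sum(1 for r in registry.routes if r.auth is Auth.PUBLIC)
    return public / len(registry.routes)


def rejects_unjustified_public() -> bool:
    """True if the registry refuses a PUBLIC route that has no justification."""
    try:
        Registry().add("GET", "/x", auth=Auth.PUBLIC)
    except ValueError:
        return True
    return False


def constructed_registry() -> Registry:
    """Constructed sample: six routes, one of them the mistake the disclosure describes."""
    reg = Registry()
    reg.add("GET", "/health", auth=Auth.PUBLIC, justification="load balancer probe")
    reg.add("GET", "/v1/docs", auth=Auth.PUBLIC, justification="public API reference")
    reg.add("GET", "/v1/projects")
    reg.add("POST", "/v1/projects", writes=True)
    reg.add("GET", "/v1/search")
    # A write endpoint someone marked public with a placeholder justification
    reg.add("POST", "/v1/ingest", auth=Auth.PUBLIC, writes=True, justification="TODO")
    return reg


if __name__ == "__main__":
    reg = constructed_registry()
    for f in audit(reg):
        print(f.severity, f.route, f.message)
    print(f"public routes: {miss_rate(reg):.0%}")
```

The `justification="TODO"` route is deliberate: a free-text field satisfies the registry but not the reviewer, which is why `audit()` blocks on `writes=True` regardless of what the justification says.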
Experian's data confirms the pattern is sector-wide: of 5,000 data breaches the firm handled in 2025, 40% were AI-powered, and it forecasts agentic AI as 2026's leading threat vector. A parallel audit of roughly 5,000 vibe-coded apps built on Lovable, Replit, and Netlify found approximately 40% exposing auth tokens or sensitive data. The AI Corner's 2026 incident catalogue documents eight named disasters spanning Anthropic, Cursor, Replit, Amazon Q, and Google Gemini CLI — including CVE-2025-59145 (CVSS 9.6), a supply-chain exploit that silently exfiltrated secrets from private GitHub repositories via Copilot Chat.
Strategic Take
Jones's cheapest intervention is free: move architectural developer review to the front of the procurement sequence, before contract signature. Three questions expose most current vendor contracts — Does the platform distinguish human from agent identity at the permissions layer? Can it produce a per-agent audit trail regulators can read? Can someone revoke agent access in five minutes from a console? Most platforms signed last quarter cannot answer all three.
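The three questions above map onto concrete properties a policy layer either has or does not. As an added example, not code from the page, from Jones, or from any vendor platform, here is a hypothetical policy engine that answers all three: principals carry a human-or-agent kind, an agent's effective permission on each system is the intersection of its own grant with its human sponsor's, every decision is written to a per-principal audit trail, and `revoke()` takes effect on the very next check. It walks the renewal-brief scenario from the text across five systems; the principal names and grants are constructed.

```python
"""Agent-aware authorization with per-agent audit trail and instant revocation.

Added example with a hypothetical PolicyEngine; names and grants are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class Kind(Enum):
    HUMAN = "human"
    AGENT = "agent"


@dataclass(frozen=True)
class Principal:
    id: str
    kind: Kind
    on_behalf_of: Optional[str] = None   # agents carry the human they act for


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    principal: str
    kind: str
    on_behalf_of: Optional[str]
    system: str
    action: str
    allowed: bool
    reason: str


class PolicyEngine:
    """Every cross-system call an agent makes goes through check()."""

    def __init__(self) -> None:
        self._grants: dict[str, dict[str, set[str]]] = {}
        self._revoked: set[str] = set()
        self.audit: list[AuditEvent] = []

    def grant(self, principal_id: str, system: str, actions: set[str]) -> None:
        self._grants.setdefault(principal_id, {}).setdefault(system, set()).update(actions)

    def revoke(self, principal_id: str) -> None:
        # One console action; no token expiry to wait out
        self._revoked.add(principal_id)

    def _has(self, principal_id: str, system: str, action: str) -> bool:
        return action in self._grants.get(principal_id, {}).get(system, set())

    def check(self, p: Principal, system: str, action: str) -> bool:
        if p.id in self._revoked:
            return self._record(p, system, action, False, "principal revoked")
        if p.kind is Kind.AGENT and p.on_behalf_of is None:
            return self._record(p, system, action, False, "agent has no human sponsor")
        if not self._has(p.id, system, action):
            return self._record(p, system, action, False, "no grant")
        # An agent may never exceed the human it acts for
        if p.kind is Kind.AGENT and not self._has(p.on_behalf_of, system, action):
            return self._record(p, system, action, False, "sponsor lacks permission")
        return self._record(p, system, action, True, "granted")

    def _record(self, p: Principal, system: str, action: str, allowed: bool, reason: str) -> bool:
        self.audit.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), p.id, p.kind.value,
            p.on_behalf_of, system, action, allowed, reason))
        return allowed

    def trail(self, principal_id: str) -> list[AuditEvent]:
        """The per-agent audit trail a regulator would ask to read."""
        return [e for e in self.audit if e.principal == principal_id]


def renewal_brief_demo() -> dict:
    """One agent preparing a renewal brief across five systems (constructed)."""
    engine = PolicyEngine()
    systems = ["crm", "tickets", "contracts", "usage", "transcripts"]
    # The sponsoring consultant may read four systems, not call transcripts
    for s in systems[:4]:
        engine.grant("alice", s, {"read"})
    # The agent was over-provisioned: transcripts read and contracts write too
    agent = Principal("agent-renewal-42", Kind.AGENT, on_behalf_of="alice")
    for s in systems:
        engine.grant(agent.id, s, {"read"})
    engine.grant(agent.id, "contracts", {"write"})

    reads = {s: engine.check(agent, s, "read") for s in systems}
    write = engine.check(agent, "contracts", "write")
    engine.revoke(agent.id)
    after_revoke = engine.check(agent, "crm", "read")
    orphan = engine.check(Principal("agent-orphan", Kind.AGENT), "crm", "read")
    return {"reads": reads, "write": write, "after_revoke": after_revoke,
            "orphan": orphan, "trail": engine.trail(agent.id)}


if __name__ == "__main__":
    r = renewal_brief_demo()
    print(r["reads"], r["write"], r["after_revoke"], r["orphan"])
    for e in r["trail"]:
        print(e.system, e.action, e.allowed, e.reason)
```

The sponsor intersection is the line that makes "agent identity at the permissions layer" mean something: over-provisioning the agent's own grant (transcripts read, contracts write) does not widen what it can touch, and every denial lands in the trail with a reason a reviewer can read.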