Imagine building a digital fortress for 43,000 employees, investing millions in security, hiring the best experts in the field \u2014 and still having an autonomous AI agent fully compromise it in less time than it takes to finish a work meeting.<\/p>\n\n\n\n
That is exactly what happened to McKinsey & Company.<\/p>\n\n\n\n
On February 28, 2026, cybersecurity startup CodeWall pointed its autonomous offensive AI agent at Lilli \u2014 McKinsey’s internal AI platform used by more than 40,000 consultants. No credentials. No insider knowledge. No human in the loop. Just a domain name.<\/p>\n\n\n\n
In two hours, the agent had full read and write access to the entire production database. The numbers are staggering: 46.5 million chat messages covering strategy, mergers and acquisitions, and client engagements; 728,000 confidential files; 57,000 user accounts; and 95 system prompts controlling Lilli’s behavior \u2014 all exposed. Most alarming of all: every single one of those prompts was writable. A malicious actor could have silently rewritten the instructions guiding Lilli without deploying a single line of code.<\/p>\n\n\n\n
What makes this incident even more unsettling is that the exploited vulnerability was not some revolutionary technical feat. It was an SQL injection \u2014 one of the oldest attack techniques in the book, known since the 1990s.<\/p>\n\n\n\n
Lilli had been running in production for over two years. McKinsey’s internal security scanners never found it. Why? Because the CodeWall agent does not follow checklists. It maps, probes, chains findings, and escalates \u2014 exactly like a highly skilled human attacker, but continuously and at machine speed. The agent found the API documentation publicly exposed with over 200 endpoints. Most required authentication. Twenty-two did not. One of those unprotected endpoints wrote search queries to the database, and JSON field names were concatenated directly into the SQL. In 15 blind iterations, the agent extracted more and more information until live production data started flowing.<\/p>\n\n\n\n
This incident reveals something few organizations are taking seriously: the prompt layer \u2014 the instructions that govern how an AI system behaves \u2014 is the new high-value target.<\/p>\n\n\n\n
Companies have spent decades securing their code, their servers, and their supply chains. But the prompts controlling their AI assistants are being treated as secondary data, without the access controls, integrity monitoring, or audits they deserve. In Lilli’s case, an attacker could have subtly altered financial models, strategic recommendations, or risk assessments \u2014 all without triggering a single security alert. No deployments. No code changes. Just a single UPDATE statement wrapped in a single HTTP call.<\/p>\n\n\n\n
McKinsey is not a careless startup. It is one of the most sophisticated consulting firms in the world, and the fact that this happened to them should be a wake-up call for any organization deploying AI in production.<\/p>\n\n\n\n
In the AI era, speed changes everything. What used to take weeks of human reconnaissance now takes minutes. Organizations that fail to adapt their security posture to this new reality will become the next headline.<\/p>\n\n\n\n