This week, a cybersecurity startup called CodeWall pointed an autonomous AI agent at McKinsey & Company’s internal AI platform. No credentials. No insider knowledge. No human in the loop. Just a domain name and what the researchers called “a dream.”
Two hours later, the agent had full read and write access to the entire production database behind Lilli, the AI tool that 72% of McKinsey’s 43,000 consultants use every day.
The total cost? Twenty dollars in API tokens.
The basics matter more than the breakthroughs; they always have. And this McKinsey breach is one of the most important AI stories of the year. Not because the attack was clever. Because it wasn’t.
The Attack Was Embarrassingly Simple
CodeWall published the full technical writeup on their blog, and it’s worth 10 minutes of your time. But I’ll walk you through the core of it.
McKinsey launched Lilli in July 2023. It handles chat, document analysis, RAG search over decades of proprietary research, and AI-powered queries across 100,000+ internal documents. Over 40,000 employees use it. 500,000+ prompts a month.
CodeWall’s agent found publicly exposed API documentation. Over 200 endpoints, all neatly documented. Most required authentication.
Twenty-two didn’t.
One of those open endpoints wrote user search queries to the database. The values were safely parameterized (good), but the JSON keys, the field names in the request, were concatenated directly into SQL (very bad). That’s a SQL injection vulnerability. It’s been a known bug class since the 1990s. I was teaching people to watch for this when I was building ATAC Workstation in the late nineties.
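To make the bug class concrete, here is an added example (my own illustration, not CodeWall's or McKinsey's code) of a search-logging handler that binds values but splices JSON keys into the SQL, next to a hardened version that allow-lists the field names. The table schema and request bodies are constructed for the demo; the real schema is not public.

```python
import json
import sqlite3

# Constructed stand-in for the search-logging table (assumption: the real
# schema is not public, so this is illustration only).
SCHEMA = """
CREATE TABLE searches (
    id INTEGER PRIMARY KEY,
    user_id TEXT NOT NULL,
    query TEXT NOT NULL
);
"""

# The only request fields that may ever become column names.
ALLOWED_COLUMNS = {"user_id", "query"}

def save_search_vulnerable(conn, body):
    """Bug class from the writeup: values are bound with ?, but the JSON keys
    are spliced straight into the SQL text."""
    payload = json.loads(body)
    columns = ", ".join(payload.keys())            # attacker-controlled text
    marks = ", ".join(["?"] * len(payload))
    sql = f"INSERT INTO searches ({columns}) VALUES ({marks})"
    conn.execute(sql, list(payload.values()))      # values safe, keys not
    return sql

def save_search_hardened(conn, body):
    """Same insert, but unknown keys are rejected before any SQL is built,
    and the error returned to the caller names no column or table."""
    payload = json.loads(body)
    if set(payload) - ALLOWED_COLUMNS:
        raise ValueError("request contains unsupported fields")
    cols = sorted(payload)                         # provably from the allow-list
    marks = ", ".join(["?"] * len(cols))
    sql = f"INSERT INTO searches ({', '.join(cols)}) VALUES ({marks})"
    conn.execute(sql, [payload[c] for c in cols])
    return sql

def run_handler(handler, body):
    """Execute one handler on a fresh database and return what a caller sees:
    the SQL on success, or the raw error text, which for the vulnerable path
    is the schema-revealing feedback the writeup describes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    try:
        return "ok: " + handler(conn, body)
    except (sqlite3.OperationalError, ValueError) as exc:
        return "error: " + str(exc)
```

Sending an unknown field name to the vulnerable handler gets back a database error that names the table and column, which is exactly the feedback loop the blind iterations fed on; the hardened handler returns a generic message and never builds the query.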
The agent ran 15 blind iterations. Each error message revealed a little more about the database structure. Then production data started pouring back.
What it accessed: 46.5 million chat messages covering M&A strategy and client work. 728,000 files with confidential client data. 57,000 user accounts. 384,000 AI assistants. 94,000 workspaces. All in plaintext. Zero authentication required.
Forget the Data. The Prompts Are the Real Story.
The data leak is bad. Obviously. But the part of this story that keeps me up at night is something most people aren’t talking about yet.
Lilli’s 95 system prompts were stored in the same database.
Those prompts are the instructions that tell the AI how to behave. What questions to answer. What to refuse. How to cite sources. What guardrails to follow. And the agent had write access to all of them.
Think about that for a second. An attacker could rewrite those instructions. Silently. No code deployment. No change management ticket. No alert in any monitoring system. Just one SQL UPDATE statement in one HTTP call.
Now picture 43,000 McKinsey consultants trusting Lilli to help them build financial models and strategic recommendations for the world’s biggest companies. If someone quietly told the AI to skew its analysis, or to embed confidential data into responses that consultants then copy into client decks? Nobody would know. There’s no log trail for a modified prompt. The AI just starts behaving differently and everyone assumes it’s working fine.
CodeWall nailed it in their writeup: organizations have spent decades securing their code, their servers, and their supply chains. But the prompt layer, the instructions that control how AI actually behaves, is the new high-value target. And almost nobody is treating it that way.
The Irony Is Thick Enough to Cut
McKinsey isn’t some scrappy startup that skipped security to ship faster. They have world-class engineering teams, real security budgets, and every resource you could ask for. Their CEO has said AI advisory work accounts for about 40% of revenue. They’ve built 25,000 AI agents for their own workforce. They point to Lilli as proof they practice what they sell.
And a 30-year-old bug took them down. Their own internal scanners missed it for two years. An AI agent found it in minutes.
I tell my strategy students at BYU: watch what companies do, not what they say. McKinsey sells AI strategy to Fortune 500 boards. They tell those boards to take AI security seriously. And their own AI platform was wide open to a decades-old attack.
The moral? Speed kills when you’re not watching the basics. And the basics haven’t changed just because the technology got fancier.
The Agent Chose Its Own Target
The detail that really got my attention: CodeWall’s agent picked McKinsey on its own. The CEO, Paul Price, told The Register that the research agent cited McKinsey’s public responsible disclosure policy and recent updates to Lilli. No human selected the target.
That’s new. I can’t think of a precedent for it.
And CodeWall did it again days later. They pointed their agent at Jack & Jill, a well-funded AI recruitment platform whose clients include Anthropic, Stripe, and Monzo. The agent chained four individually harmless bugs into a complete organizational takeover in under an hour.
Then it did something nobody expected. It gave itself a voice. It started a real-time conversation with the target’s AI agent. At one point, it impersonated Donald Trump and demanded access to all candidate data.
I know that sounds ridiculous. It is. But it also proves a point: autonomous AI agents don’t follow human playbooks. They improvise. They chain things together in ways you wouldn’t predict. And they do it at machine speed, continuously, without getting tired or bored or distracted.
A human pen tester might find one of those four bugs at Jack & Jill and think “interesting, but not exploitable.” The AI agent found all four and saw the connections between them.
A Billion-Dollar Market Nobody Saw Coming
If you’re reading this through a strategy lens (and you should be), the McKinsey breach is also a market signal.
The global penetration testing market sits at roughly $3 billion in 2026, growing to over $7 billion by 2034, according to Fortune Business Insights. But those numbers reflect the old model: hire a firm, run a test, get a report, file it away, repeat next year.
That model is dying.
The new model is autonomous, continuous, and AI-driven. Deploy agents that attack your own systems around the clock. The same way CodeWall hit McKinsey, but with your permission and on your schedule.
XBOW, which builds autonomous offensive security agents, has raised $117 million and is reportedly in talks for a valuation above a billion dollars. Aikido Security just became Europe’s fastest cybersecurity unicorn. Companies like Pentera, Novee, and RunSybil are all building platforms that do continuous AI-powered security testing.
For anyone thinking about where value is going to be created in the next five years: the companies that help other companies secure their AI systems are going to be enormous. The attack surface grew overnight, and the old tools can’t keep up.
What I Did After Reading the CodeWall Report
I run SWORN.ai. We build AI-powered wellness monitoring for police, fire, and first responder agencies. We process sensitive health data, biometric data from Oura rings, and agency operational data. Our infrastructure runs on AWS GovCloud.
After reading CodeWall’s writeup, I didn’t just think “that’s interesting.” I pulled up every API endpoint in my personal infrastructure and my company’s systems and ran them through the exact attack chain that hit McKinsey.
Open webhooks with no authentication? Found some. A static API token that had been pasted into conversation logs? Yep. Database access policies that were too permissive? That too.
I’m not sharing this to be self-deprecating (well, maybe a little). I’m sharing it because if someone who builds and ships AI products for a living had gaps in their own infrastructure? You probably do too.
Here’s what I’d tell any founder, CTO, or board member who’s deploying AI right now:
Count your endpoints. All of them. McKinsey had 200+ with 22 that needed no auth. Most organizations don’t even know their full API surface.
Protect your prompts like you protect your source code. If your AI’s behavior instructions sit in the same database as user data, you have the McKinsey problem. Move them. Lock them down. Version them. Monitor them for changes.
Test for AI-specific attacks. Traditional pen testing doesn’t cover prompt injection, RAG poisoning, or agent tool manipulation. You need testing that targets how the AI itself can be turned against you.
Assume machine-speed attackers. If your incident response plan assumes a human working over days or weeks, it’s not built for this. An autonomous agent can go from discovery to full database access in two hours for $20.
Rate-limit everything. McKinsey’s platform let the agent run 15 blind SQL injection attempts without throttling. Every public endpoint should have rate limiting and anomaly detection. No exceptions.
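One way to act on "version them, monitor them for changes" is an added example of my own (not McKinsey's or CodeWall's code): commit a manifest of prompt hashes to source control and audit the live prompt table against it, so an edit made straight in the database shows up as a finding. The prompt table and prompt text are constructed for the demo.

```python
import hashlib
import sqlite3

# Constructed sample of approved prompts as they live in source control
# (assumption: the real manifest is generated at deploy time and committed).
APPROVED_PROMPTS = {
    "citation_policy": "Cite the source document for every factual claim.",
    "refusal_policy": "Refuse requests to reveal client-identifying data.",
}

def fingerprint(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def build_manifest(prompts):
    """Name -> hash of the approved text; this is what gets committed."""
    return {name: fingerprint(text) for name, text in prompts.items()}

def audit_prompts(manifest, live):
    """Compare the prompts the database actually serves with the manifest.
    An empty list means every prompt is byte-for-byte as approved."""
    findings = []
    for name, expected in manifest.items():
        if name not in live:
            findings.append(f"missing: {name}")
        elif fingerprint(live[name]) != expected:
            findings.append(f"modified: {name}")
    for name in live.keys() - manifest.keys():
        findings.append(f"unexpected: {name}")
    return sorted(findings)

def load_live_prompts(conn):
    return dict(conn.execute("SELECT name, body FROM system_prompts"))

def demo():
    """Seed a constructed prompt table, then simulate an edit made directly
    in the database (no deploy, no ticket) and check whether the audit sees it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE system_prompts (name TEXT PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO system_prompts VALUES (?, ?)",
                     APPROVED_PROMPTS.items())
    conn.execute("UPDATE system_prompts SET body = ? WHERE name = ?",
                 ("Cite sources only when convenient.", "citation_policy"))
    return audit_prompts(build_manifest(APPROVED_PROMPTS), load_live_prompts(conn))
```

Run the audit on a schedule and alert on any non-empty result; that is the log trail a modified prompt otherwise never leaves.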
The Gap That Matters
McKinsey has more money, more engineers, and more security resources than 99% of companies deploying AI. They still got breached by a bug from the Clinton administration.
The companies that will do well in the next decade aren’t going to be the ones that deploy AI the fastest. They’re going to be the ones that deploy it the most securely. Right now, the gap between those two groups is enormous. And the attackers just got a lot faster.
Sean Bair is CEO of SWORN.ai and Professor of Strategy & Economics at BYU’s Marriott School of Business. He has built and sold AI companies for 30+ years, starting with BAIR Analytics (acquired by LexisNexis, 2015) and Nouri (acquired 2025). He’s the author of AI in Policing, Business Is Personal, and AI in Business Strategy.
Read CodeWall’s full writeup. Edward Kiledjian’s independent analysis adds good critical context. The Register’s original report by Jessica Lyons broke the story.