
The rapid deployment of generative AI tools within enterprise environments has introduced unprecedented efficiencies, but it has also opened the door to entirely new vectors of cyberattack. This reality was starkly illustrated when researchers from security startup CodeWall successfully breached McKinsey’s internal AI platform, Lilli. Using an autonomous AI agent, the red team gained full read-write access to the system in less than two hours, exposing millions of sensitive records.

This incident serves as a critical wake-up call for project delivery professionals, IT leaders, and corporate boards alike. The rush to integrate AI must be balanced with a rigorous understanding of the unique security vulnerabilities these systems introduce. The threat landscape is no longer defined solely by human hackers executing manual scripts; we are now facing autonomous, machine-speed intrusions that can map, probe, and exploit vulnerabilities faster than any human security team can respond.

The Two-Hour Infiltration

McKinsey rolled out its generative AI platform, Lilli, in 2023. It quickly became a cornerstone of the firm’s operations, with over 70 percent of its employees, upwards of 43,000 people, using the chatbot to process over 500,000 prompts monthly. The system was designed as a comprehensive knowledge repository, enabling consultants to query decades of proprietary research, financial models, and strategic frameworks.

The attack by CodeWall was initiated not by a human operator, but by an autonomous offensive security agent. "So we decided to point our autonomous offensive agent at it," the researchers noted, emphasising that the agent possessed no prior credentials for McKinsey’s assets or insider knowledge. The agent operated independently, scanning the external attack surface for potential entry points.

The Scope of the Exposure

Within a mere two hours, the agent identified and exploited a vulnerability, achieving full read and write access to the entire production database. The scope of the exposed data was staggering:
