HeadlinesBriefing.com

McKinsey's AI Platform Hacked in 2 Hours by Autonomous Agent

Hacker News

An autonomous offensive agent breached McKinsey & Company's internal AI platform Lilli in just two hours, gaining full read-write access to production databases without credentials or insider knowledge. The agent mapped over 200 API endpoints, found 22 unprotected routes, and exploited a SQL injection vulnerability that standard security tools missed. This wasn't a startup's system — Lilli serves 43,000+ employees and processes 500,000+ prompts monthly.

Inside the breach: 46.5 million chat messages, 728,000 files, and 57,000 user accounts were exposed. The agent discovered system prompts controlling AI behavior stored in the same database, meaning an attacker could silently rewrite how Lilli responds to consultants. Beyond the SQL injection, the agent found 95 AI model configurations, 3.68 million RAG document chunks containing proprietary research, and cross-user data access through chained vulnerabilities. The breach revealed decades of McKinsey's intellectual property sitting unprotected.

The attack demonstrates how AI agents are changing cybersecurity. Traditional tools like OWASP ZAP failed to detect the vulnerability, but the autonomous agent continuously probed, mapped, and escalated access like a real attacker would. McKinsey patched the endpoints within days of responsible disclosure, but the incident shows that even sophisticated organizations with world-class technology teams remain vulnerable to SQL injection — one of the oldest bug classes. The prompt layer, which controls AI behavior, has become the new high-value target that most organizations aren't protecting.
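The two defects the briefing describes are a route with no authentication and a SQL query built from request input, with system prompts living in the same database as everything else. The following is an added illustration, not McKinsey's or Lilli's code: the table, the model names and the bearer token are constructed placeholders, and the snippet contrasts a string-spliced lookup with its parameterised, authenticated replacement.

```python
import sqlite3

# Constructed in-memory stand-in for the kind of table the briefing describes:
# prompts that steer the assistant, stored beside ordinary application data.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE system_prompts (model TEXT, prompt TEXT)")
    conn.executemany(
        "INSERT INTO system_prompts VALUES (?, ?)",
        [("public-faq", "Answer only from the FAQ."),
         ("internal-research", "You may cite confidential decks.")],
    )
    return conn

def get_prompt_vulnerable(conn: sqlite3.Connection, model: str) -> list[str]:
    # BUG: untrusted input is spliced into the SQL text, so a crafted model
    # name rewrites the WHERE clause and exposes every stored prompt.
    rows = conn.execute(
        f"SELECT prompt FROM system_prompts WHERE model = '{model}'"
    ).fetchall()
    return [r[0] for r in rows]

def get_prompt_hardened(conn: sqlite3.Connection, model: str) -> list[str]:
    # Parameter binding: the driver passes the value separately from the SQL,
    # so quotes in the input are data, never syntax.
    rows = conn.execute(
        "SELECT prompt FROM system_prompts WHERE model = ?", (model,)
    ).fetchall()
    return [r[0] for r in rows]

def handle_request(conn: sqlite3.Connection, headers: dict, model: str):
    # The unprotected routes in the briefing had no auth gate at all; check the
    # caller first, then run the parameterised query. Token is a placeholder.
    if headers.get("Authorization") != "Bearer EXAMPLE-TOKEN":
        return 401, []
    return 200, get_prompt_hardened(conn, model)

def demo() -> dict:
    conn = make_db()
    # Constructed test input: a model name carrying a quote and a tautology.
    payload = "public-faq' OR '1'='1"
    return {
        "vulnerable": get_prompt_vulnerable(conn, payload),  # leaks both rows
        "hardened": get_prompt_hardened(conn, payload),      # matches nothing
    }

if __name__ == "__main__":
    print(demo())
```

Running the vulnerable lookup against a database of prompts is also a useful regression check: any input containing a quote that changes the row count is a finding a scanner can report.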