Thoughtworks' Global Marketing AI team encountered serious security vulnerabilities while scaling a video assembly prototype built with Gemini, Replit AI, and Claude AI. The project aimed to create on-brand videos for 10,000 employees, but two critical incidents halted progress immediately.

The AI suggested making storage buckets publicly accessible, which could have exposed unreleased brand assets to the internet. When challenged, it justified this as standard practice. A second incident involved assigning excessive token permissions that would allow lateral movement through cloud workspaces if compromised.

These findings align with industry research showing 25% of AI-generated code contains confirmed vulnerabilities and a 44% year-over-year increase in application attacks. The root problem is that AI tools follow the path of least resistance, not necessarily the secure path.

Thoughtworks recommends implementing 'harness engineering' with feedforward controls that guide AI behavior and feedback sensors that catch errors. Business functions must embed security rules from the first prompt and validate outputs through deterministic checks rather than relying solely on AI prompts.