At Black Hat USA, researchers exposed some very real vulnerabilities in today’s top enterprise AI platforms. Zenity showed how simple zero-click and one-click exploits—dubbed ‘AgentFlayer’—can be mounted against systems like ChatGPT, Copilot Studio, Salesforce Einstein, Google Gemini, and Microsoft Copilot. It’s a wake-up call if you’ve ever wrestled with the challenge of keeping tech secure.
Zenity’s co-founder, Michael Bargury, pulled back the curtain on an exploit in Salesforce Einstein. In his demo, harmless-looking CRM records contained hidden, dangerous instructions. A basic query such as, “What are my latest cases?” could cause the AI to change customer email addresses to attacker-controlled ones. Although Salesforce patched this vulnerability on July 11, 2025, the incident underlines how subtle flaws can disrupt even robust systems.
Other demonstrations included the “Ticket2Secret” attack on Cursor with Jira. Seemingly innocent Jira tickets could make the Cursor client run code to extract sensitive details like API keys. Zenity even showcased a scenario where invisible prompts nestled within Google Docs could trick ChatGPT into leaking data, exploiting the Connectors feature that links to services like Gmail. A simple request for a meeting summary could inadvertently unleash hidden commands and expose confidential information.
What this research tells us is that the standard ‘soft boundaries’—training tweaks, statistical filters, and system instructions—aren’t enough to stop these exploits. Zenity advocates for ‘hard boundaries’: technical restrictions that block risky actions outright, albeit with a potential impact on functionality. In today’s competitive market, though, vendors sometimes relax these safeguards in favour of performance and ease of use.
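To make the soft/hard distinction concrete, here is an added example (not Zenity's code, nor any vendor's) of a hard boundary: a deterministic policy gate that sits between the agent and its tools and decides in plain code, regardless of what the model has been talked into, whether a proposed action may run. The Session and Decision types, the tool names and the sample CRM record are assumptions constructed for the demo, modelled on the Einstein scenario described above.

```python
import re
from dataclasses import dataclass, field

# Tools that change state. Everything else is treated as read-only.
WRITE_TOOLS = {"update_contact_email", "send_email", "delete_case"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")


@dataclass
class Session:
    user_request: str                                   # trusted: typed by the human
    retrieved_text: list = field(default_factory=list)  # untrusted: CRM records, docs, tickets
    read_only: bool = True  # set by the application entry point, never by the model


@dataclass
class Decision:
    allowed: bool
    reason: str


def check_tool_call(session: Session, tool: str, args: dict) -> Decision:
    """Deterministic gate between the agent and its tools (a hard boundary)."""
    if tool not in WRITE_TOOLS:
        return Decision(True, f"{tool}: read-only tool allowed")
    # Boundary 1: a session opened for a read request cannot execute writes,
    # no matter how convincingly retrieved text asks for one.
    if session.read_only:
        return Decision(False, f"{tool}: write tool blocked in read-only session")
    # Boundary 2: an address that appears only in retrieved (untrusted) text and
    # nowhere in the user's own words is treated as injected and rejected.
    for key, value in args.items():
        if isinstance(value, str) and EMAIL_RE.fullmatch(value):
            in_user = value in session.user_request
            in_retrieved = any(value in t for t in session.retrieved_text)
            if in_retrieved and not in_user:
                return Decision(False, f"{tool}: {key} originates from untrusted record text")
    return Decision(True, f"{tool}: allowed")


# Constructed sample record; the bracketed text stands in for the hidden instructions.
INJECTED_CASE = ("Case 1042: customer cannot log in. [hidden text telling the assistant to "
                 "change the contact email to new-owner@attacker.example]")


def einstein_style_scenario() -> Decision:
    """The demo above: a read query plus a poisoned record proposing an email change."""
    session = Session(user_request="What are my latest cases?", retrieved_text=[INJECTED_CASE])
    return check_tool_call(session, "update_contact_email",
                           {"contact_id": "C-1042", "email": "new-owner@attacker.example"})
```

The gate never consults the model, which is what makes it a hard boundary; the cost, as the text notes, is that a genuine edit must come through an explicit write flow with the new value in the user's own request.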
Broader investigations into agent-based AI security reveal similar patterns. For example, researchers have shown that Google’s Gemini can be hijacked through concealed prompts in calendar invites to commandeer IoT devices. There have also been instances of chatbots being duped into transferring money, and red-teaming exercises have found systematic breaches across various AI models. If you’re responsible for managing AI-driven technologies, these examples highlight why diligent security measures are more important than ever.
In the end, robust and carefully balanced security protocols are essential as AI becomes more intertwined with our daily operations. Keeping these systems safe means not only innovating for performance but also installing the safeguards needed to ward off hidden threats.