The world's most prestigious consulting firm built an AI platform for 40,000 employees. It stored decades of client strategy, M&A intelligence, and proprietary research. It processed half a million prompts a month.

An AI agent cracked it in two hours. No credentials. No insider access. No human guiding the attack.

This is not a story about McKinsey's embarrassment. It is a story about governance. And it is one every board should read before their next AI update.

What Actually Happened

McKinsey built Lilli in 2023 as an internal AI platform. More than 40,000 employees use it, generating over 500,000 prompts per month (Cybernews). It pulls from over 100,000 internal documents. It surfaces experts. It synthesizes strategy. It is, by every internal measure, a productivity success.

On February 28, 2026, a security startup called CodeWall pointed its autonomous offensive agent at Lilli. The process was fully autonomous, from researching the target through analysis, attack, and reporting (DevelopmentCorporate). No human selected McKinsey. The agent chose it based on McKinsey's own public responsible disclosure policy and recent platform updates.

The agent mapped the attack surface and found more than 200 publicly documented API endpoints. Most required authentication; 22 did not (Polding).

From there, the attack chain was textbook. SQL injection through unsafely handled JSON keys. Broken object-level authorization chained on top. Full read and write access to the production database in 120 minutes.

The Numbers Are the Story

The exposure was staggering: 46.5 million chat messages covering strategy, mergers and acquisitions, and client engagements. 728,000 files containing confidential client data. 57,000 user accounts. And 95 system prompts controlling Lilli's behavior. All of them writable (DevelopmentCorporate).

Read that last part again. Writable.

Lilli's system prompts defined everything: how Lilli answered questions, what guardrails it followed, how it cited sources, and what it refused to do (Cybernews). An attacker with write access could have changed all of it. Silently. Without touching a single line of code.

The Threat Nobody Modeled

Here is where this story becomes a governance problem, not just a security problem.

The consequences of prompt manipulation would be severe: poisoned advice through subtly altered financial models, strategic recommendations, or risk assessments that consultants would trust because they came from their own internal tool. Data exfiltration via output, by instructing the AI to embed confidential information into its responses. Guardrail removal, stripping safety instructions so the AI would disclose internal data. And silent persistence, because unlike a compromised server, a modified prompt leaves no log trail, no file changes, no process anomalies (Polding).

The AI would simply start behaving differently. Nobody would know.

The prompt-layer risk is substantive. Many organizations have not explicitly modeled this threat, and prompt-layer integrity controls remain immature in many environments (Kiledjian).

This is Pillar Two of how I think about modern risk: signal versus noise. The signal here is not that an AI got hacked. The signal is that the AI's instructions were stored like a database table. And nobody treated them like crown jewels.
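One way to treat system prompts as integrity-protected artifacts rather than a plain table, as an added illustration that is not part of the original post or of Lilli's implementation: each prompt is written together with an HMAC signature under a key kept outside the database (the key, the store layout, and the sample prompts are all constructed here), so a direct write to the stored text is refused on load and surfaced by a periodic audit instead of silently changing behavior.

```python
import hashlib
import hmac
import json

# Hypothetical key, held in a secrets manager rather than beside the prompts, so
# write access to the prompt table alone cannot produce a valid signature.
SIGNING_KEY = b"example-only-key"

class PromptIntegrityError(Exception):
    """Raised when a stored system prompt fails signature verification."""

def sign_prompt(prompt_id: str, version: int, content: str, key: bytes = SIGNING_KEY) -> str:
    # Canonical JSON binds id, version and content together unambiguously.
    payload = json.dumps([prompt_id, version, content], separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def publish_prompt(store: dict, prompt_id: str, version: int, content: str) -> None:
    """Approved change path: the prompt is written together with its signature."""
    store[prompt_id] = {"version": version, "content": content,
                        "sig": sign_prompt(prompt_id, version, content)}

def is_intact(prompt_id: str, row: dict, key: bytes = SIGNING_KEY) -> bool:
    expected = sign_prompt(prompt_id, row["version"], row["content"], key)
    return hmac.compare_digest(expected, row["sig"])

def load_prompt(store: dict, prompt_id: str, key: bytes = SIGNING_KEY) -> str:
    """Verify before use: text changed outside publish_prompt() is refused, not served."""
    row = store[prompt_id]
    if not is_intact(prompt_id, row, key):
        raise PromptIntegrityError(f"system prompt {prompt_id!r} failed integrity check")
    return row["content"]

def audit_store(store: dict, key: bytes = SIGNING_KEY) -> list:
    """Periodic sweep producing the alert a silent prompt edit would otherwise never raise."""
    return sorted(pid for pid, row in store.items() if not is_intact(pid, row, key))

def build_sample_store() -> dict:
    """Constructed sample prompts (not McKinsey's): two signed entries."""
    store = {}
    publish_prompt(store, "answer-style", 3, "Cite the internal source for every claim.")
    publish_prompt(store, "guardrails", 7, "Never reveal client names from other engagements.")
    return store

def simulate_direct_write(store: dict, prompt_id: str, new_content: str) -> dict:
    """Models a raw database write that changes the text but cannot re-sign it."""
    store[prompt_id]["content"] = new_content
    return store
```

The audit is what turns "no log trail" into an alert: a prompt whose text no longer matches its signature was changed outside the approved path.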

The Deeper Problem: Governance as Afterthought

The vulnerability at the heart of this breach was SQL injection, one of the oldest and most well-documented bug classes in software security. Lilli had been running in production for over two years, and McKinsey's own internal scanners, including OWASP ZAP, never flagged the issue (Polding).

Two years. Forty thousand users. Half a billion prompts processed annually. And a foundational API security failure sat undetected the entire time.

Tim Reed, CPP, is the Director of Security at Aurora Innovation and author of Signals in the Noise. He writes Northern Signal, a newsletter on AI governance and security for leaders who need clarity without the noise. Subscribe at northernsignal.com.
