
AI Agents Access Everything, Fall to Zero-Click Exploit
Zenity CTO Michael Bargury joins the Black Hat USA 2025 News Desk to discuss research on a dangerous exploit, how generative AI technology has "grown arms and legs" — and what that means for cyber-risk.
In this Black Hat USA 2025 interview, Michael Bargury, Zenity CTO, discusses his alarming "AgentFlayer" research on AI enterprise compromise methods with Dark Reading's Rob Wright, senior news director. Bargury explains that modern AI assistants have "grown arms and legs," gaining the ability to access emails, documents, and calendars and perform actions on users' behalf through integrations with enterprise environments like Microsoft, Google Workspace, and Salesforce.
The critical zero-click exploit that Bargury uncovered means external attackers need only a user's email address to completely take over enterprise AI agents, accessing sensitive data and manipulating users through what they perceive as trusted AI advisers.
Bargury also noted that current security approaches focusing on prompt injection have been largely ineffective. He compares the current state of AI security to "being back in the '90s," when, as now, irrational exuberance for deploying the latest innovations outstripped enterprise security maturity. AI systems in particular rely on soft boundaries (such as built-in guardrails) rather than defense-in-depth strategies. Bottom line? Organizations adopting AI agents across their enterprise must create dedicated security programs for managing ongoing risk, rather than expecting vendors to "fix" a given problem.
Full Transcript of Zenity's Michael Bargury Discussing AI Exploits & Defense
This transcript has been edited for clarity.
Rob Wright: Hi, I'm Rob Wright with Dark Reading. I'm here at the Dark Reading News Desk in Las Vegas at Black Hat USA 2025, and I am joined today by Michael Bargury, Zenity CTO. Michael, thanks for joining us.
Michael Bargury: Thank you so much for having me.
Rob Wright: So you've got some new research. Your session is called AI Enterprise Compromise: Zero Click Exploit Methods. This sounds dangerous. This sounds unsettling. Tell me a little bit about the research.
Michael Bargury: So, the title is kind of a mouthful, but actually the thing with these AI systems, assistants, agents all around is that in the last year, they have grown arms and legs. They can act on our behalf. They can access your email. They can access your documents. They can access your calendar. They can perform actions on your behalf. The problem with that is that once an attacker gets hold of these agents, they change their goals, and they can be tools for the attacker's goal. So that's what we're going to show. And we're going to show that this works on all of the major AI assistants and agents, from Microsoft, Google, OpenAI, Salesforce, Carousell. It's really all around.
Rob Wright: OK, that sounds scary. You said that they grew arms and legs. How?
Michael Bargury: In order to get those assistants and agents to be useful, they are now being integrated into enterprise environments. Your Microsoft suite, your Google Workspace, your Salesforce environment, all of those can be hooked up with a couple of clicks directly to a third-party agent or to Microsoft Copilot or Google Gemini. Once you have that, these agents can interact with that environment like you do. So if you have a sensitive doc file, they can read it. Or if you're writing something, they can read it too. They can create a calendar invite. They can do a whole bunch of stuff.
In some cases, people are even taking these agents and hooking them up to their development environment or to their production system. So if you're using a developer agent, guess what? The development runs on your user machines with the secrets that they have there with your source code that you have. So it can do a whole bunch of damage with that.
Rob Wright: All right. So I promised myself going into Black Hat that I was not going to get swept up in war games, vibes about AI taking over, but this is definitely making me a little concerned. So it sounds like these agents are making us less safe then.
Michael Bargury: So here's what we're going to show. An external attacker, somebody on the Internet, they don't need credentials, they don't need anything. They need to know your email address, which is pretty easy, right?
Rob Wright: Right.
Michael Bargury: That is the only thing they need to completely take over your agents and your assistants in your private sessions with them.
Rob Wright: OK.
Michael Bargury: To exploit all of the data you have there, if you're using connectors, they're going to grab all of the data you have from these connectors. But worse, they can use these agents to manipulate you as a human. Because we trust these assistants, right? You have those conversations with your AI assistant, and you are using it as a trusted adviser to learn about new things in the world. Guess what? The trusted adviser can also guide you off a cliff. So now attackers can do that to you too.
Rob Wright: OK, I was hoping you were going to reassure me, but this isn't going in the direction I was hoping. So what do we do about it then? Like, how do you get these agents that are growing their own arms and legs and doing things on your behalf and opening up an attack surface? How do we address it?
Michael Bargury: So, first I want to say, I'm using AI every day. OK. I'm not saying you should not use AI, but you should be aware that this is an entirely new attack surface. And one of the things that we have seen is that the security industry has been focused in the last year or so on prompt injection.
Rob Wright: Yes.
Michael Bargury: And our solution to prompt injection is to draw the parallel to SQL injection, which is why we know how to fix technically and not operationally. So what do you do? You sanitize the data. You try and separate data from instructions. But I want to be very, very clear: We have not seen any progress in trying to address prompt injection. Most of the vendors just put known malicious prompts into a giant list of bad prompts.
The good news is that instead of focusing on AI guardrails, which are soft boundaries that attackers can maneuver around, you can create hard boundaries. You can design your system in a more secure way to reduce the impact of an attack, thanks to defense in depth. So the way forward is not something new. We just need to assume breaches. We need to understand that somebody is going to find that malicious prompt, and you need to take a step back. Apply defense in depth. Apply the lessons we've learned, and stop trying to build the perimeter.
Rob Wright: Sure, but I'm going to take a wild guess here that maybe not a lot of organizations are doing that.
Michael Bargury: I think we are at a stage right now where we are back in the '90s. It's the '90s again. It's really easy to hack everything, but we are trying this out in the largest enterprises in the world, and the moment after it hits [shelves]. That's what we are. We need to evolve really, really, really quickly, and we are constantly figuring out more ways to mitigate stuff.
Right now, most organizations believe that they can go to the vendor that gave them the assistant or the agent and say, Hey, fix it. And the vendor is going to scramble around and try to fix it, but it's not a problem that the vendors can solve because this is not a vulnerability to fix. It's a problem for us to manage.
So the parallel I try to do always with malware. Every time we find a new malware variant, people don't go out to Microsoft and say, Hey, please fix this vulnerability in Windows, right? We have entire programs. We do defense in depth. We understand that this is our responsibility as an industry. Everyone, including Microsoft. So with AI vendors, it's the same thing. They need to take their part and they're trying, but it's not a solvable problem. It's a manageable problem.
Rob Wright: So it sounds like we're making the problem worse. I mean, I like your point about the '90s. There are a lot of good things about the 90s, some fun times, but that we're collectively not doing the things that we need to do to make AI more secure. So are you hopeful that that's going to change?
Michael Bargury: So, I'm seeing the AI vendors trying, and they are being engaged with the community. The vendors that are really at the forefront of this are happy to collaborate and find mitigations together. But it's not only about the vendors. It's about everyone. We're still in the position where we feel like, Hey, it's somebody else's job to fix this.
If you're a Fortune 500 and you've decided to adopt agents across the organization, you buy a whole bunch of licenses. And you have custom agents everywhere. You need to create a security program for that. If you haven't done that, you are late to the game because it's already being exploited: exploiting this means sharing a file, sending an email, sending a calendar invite. That's very easy.
Rob Wright: Yeah. Sounds scary. Well, I appreciate you. I mean, not appreciating you frightening me, but sharing the research that you did, and looking forward to your session. Thanks, Michael, I appreciate it.
Michael Bargury: Thank you so much. I really enjoyed this.
Rob Wright: And thank you for watching this segment of the Dark Reading News Desk. I'm Rob Wright with Dark Reading, and we'll see you next time.
About the Author
Senior News Director, Dark Reading
Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.