⚡ Quick Summary
- Security CTO demonstrated zero-click exploits against enterprise AI agents at RSAC 2026
- AI agents are architecturally vulnerable due to combining untrusted input with trusted actions
- Traditional security tools cannot easily detect compromised agent behaviour
- Businesses should immediately audit AI agent permissions and implement monitoring
What Happened
At RSA Conference 2026, Michael Bargury, CTO of AI security company Zenity, delivered a live demonstration showing how virtually every enterprise AI agent currently deployed is vulnerable to zero-click attacks. The presentation revealed that AI agents are fundamentally 'gullible'—they can be manipulated into executing malicious actions without any user interaction, turning corporate AI assistants into tools for attackers.
Bargury demonstrated multiple attack vectors on stage, including prompt injection through seemingly innocuous data sources, supply chain attacks through compromised tool integrations, and social engineering techniques adapted for AI systems. The attacks required no special access or sophisticated tooling—in several cases, simply embedding crafted text in a document or email was sufficient to hijack an agent's behaviour.
The presentation underscored a fundamental security challenge: AI agents are designed to be helpful and responsive, which makes them inherently susceptible to manipulation. Unlike traditional software that follows rigid logic paths, AI agents interpret instructions with flexibility, and that same flexibility can be exploited by attackers who understand how to frame malicious requests as legitimate tasks.
Background and Context
The security of agentic AI systems has been a growing concern since these tools began appearing in enterprise environments in 2024 and 2025. Early research by teams at OWASP, universities, and security companies identified prompt injection—where attackers embed malicious instructions in data that an AI agent processes—as a fundamental vulnerability class that is extremely difficult to fully mitigate.
What makes zero-click attacks particularly dangerous is that they require no action from the victim. An employee doesn't need to click a link, download a file, or approve a request. Instead, the attack targets the AI agent that's already operating with the employee's permissions. If an attacker can get crafted text into any data source the agent reads—an email, a shared document, a database record, a calendar invite—they can potentially commandeer the agent.
Previous demonstrations have shown individual vulnerabilities in specific products, but Bargury's RSAC presentation went further by arguing that the vulnerability is architectural, not implementation-specific. The very design patterns that make AI agents useful—broad system access, natural language instruction following, and autonomous action-taking—are the same patterns that make them exploitable.
Why This Matters
This research has profound implications for every organisation deploying or considering AI agents. The zero-click nature of these attacks means that traditional security training—teaching employees not to click suspicious links or open unknown attachments—is insufficient. The attack surface has shifted from human behaviour to AI behaviour, and most organisations have no tools or processes to monitor or defend against AI-targeted attacks.
The scale of the problem is also concerning. Enterprise AI agents typically operate with significant permissions—access to email, file systems, databases, APIs, and communication tools. A compromised agent doesn't just leak information; it can actively take actions on behalf of the attacker: sending emails, modifying documents, creating accounts, or exfiltrating data. The blast radius of a single successful agent compromise can exceed that of a compromised user account because agents often have broader, always-on access.
Perhaps most alarmingly, current detection tools are poorly equipped to identify agent compromise. When a compromised agent sends an email or modifies a file, the action looks legitimate—it's the agent doing what agents do. Traditional security tools that monitor for unusual user behaviour won't flag an agent's actions as suspicious because the agent is technically operating within its normal parameters, just with corrupted intent.
Industry Impact
Bargury's demonstration will likely accelerate the development of AI-specific security tools and frameworks. Companies like Zenity, Prompt Security, and Lasso Security are already building solutions, and the high-profile RSAC presentation should drive enterprise demand for their products. Larger security vendors including Cisco, Palo Alto Networks, and CrowdStrike will face pressure to add AI agent monitoring capabilities to their platforms.
For AI platform providers—Microsoft, Google, OpenAI, Anthropic—the research creates pressure to build more robust security features directly into their agent frameworks. This could include better input sanitisation, stricter permission models, action confirmation requirements, and improved audit logging. Microsoft's Copilot ecosystem and Google's Gemini-powered agents are particularly relevant given their deep integration with enterprise productivity tools.
The insurance industry may also respond. Cyber insurance providers have been adjusting their policies for AI-related risks, and demonstrations of zero-click agent exploits could lead to new requirements or exclusions for organisations deploying agentic AI without adequate governance. Companies relying on enterprise productivity software with AI agent integrations should review their cyber insurance coverage in light of these findings.
Expert Perspective
Security researchers broadly agree with Bargury's assessment that AI agent vulnerabilities are architectural rather than incidental. The fundamental challenge is that AI agents must process untrusted input (data from emails, documents, and web pages) while maintaining the authority to take trusted actions (sending messages, accessing systems). This creates an inherent confused deputy problem that cannot be fully solved without significantly limiting agent utility.
Some researchers advocate for a 'principle of least privilege' approach to AI agents, where agents are given the minimum permissions necessary for each specific task rather than broad standing access. Others suggest that human-in-the-loop confirmation for sensitive actions—while reducing the appeal of automation—is necessary until more sophisticated detection mechanisms are available.
What This Means for Businesses
Businesses should immediately audit their AI agent deployments to understand what permissions agents have and what data sources they can access. Any agent with access to sensitive systems should have its permissions reviewed and, where possible, restricted. Organisations should implement monitoring for unusual agent behaviour patterns and consider requiring human approval for high-impact actions.
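The controls recommended here and in the Expert Perspective section (per-task least privilege, treating instructions that surface from read data as untrusted, and a human decision for high-impact actions) sketched as an added Python example; this is not code from Zenity or from any product named on this page, and the task names, tool names and the "origin" tag are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Per-task allowlists: an agent running a task may only call the tools that task
# needs (least privilege per task, not broad standing access). Hypothetical names.
TASK_ALLOWLIST = {
    "summarise_inbox":  {"mail.read"},
    "schedule_meeting": {"calendar.read", "calendar.write", "mail.send"},
}

# Tools whose effect leaves the organisation or changes access. These always need
# a human decision, even when the current task is allowed to use them.
HIGH_IMPACT = {"mail.send", "files.share_external", "iam.create_account"}


@dataclass
class ToolCall:
    tool: str
    origin: str  # "user": instruction from the principal; "data": derived from content the agent read
    args: dict = field(default_factory=dict)


# Every decision is recorded; denied calls with origin "data" are the signal that a
# data source tried to steer the agent, which ordinary user-behaviour monitoring misses.
AUDIT_LOG: list[dict] = []


def authorise(task: str, call: ToolCall,
              approver: Optional[Callable[[ToolCall], bool]] = None) -> str:
    """Gate one tool call. Returns 'allow', 'reject' (human said no) or 'deny:<reason>'."""
    allowed = TASK_ALLOWLIST.get(task, set())
    if call.tool not in allowed:
        decision = "deny:outside-task-scope"
    elif call.tool in HIGH_IMPACT:
        if call.origin != "user":
            # An instruction that came out of an email, document or record is untrusted
            # input and never triggers a high-impact action on its own.
            decision = "deny:untrusted-origin"
        elif approver is None:
            decision = "deny:no-approver"
        else:
            decision = "allow" if approver(call) else "reject"
    else:
        decision = "allow"
    AUDIT_LOG.append({"task": task, "tool": call.tool,
                      "origin": call.origin, "decision": decision})
    return decision


if __name__ == "__main__":
    # Constructed scenario: while summarising the inbox, an email's text tells the
    # agent to forward invoices externally. The call is outside the task's scope.
    print(authorise("summarise_inbox", ToolCall("mail.send", "data", {"to": "ext"})))
    print(authorise("schedule_meeting", ToolCall("mail.send", "user"), approver=lambda c: True))
```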
More fundamentally, security teams need to be involved in AI agent deployment decisions from the beginning, not after the fact. Agent deployments should go through the same security review process as any other system that has access to sensitive data and can take actions on behalf of users.
Key Takeaways
- Live demonstrations at RSAC 2026 showed zero-click exploits working against virtually all enterprise AI agents
- AI agents are architecturally vulnerable because they combine untrusted input processing with trusted action capabilities
- Zero-click attacks mean traditional employee security training is insufficient against AI-targeted threats
- Compromised agents can take actions that appear legitimate to traditional security monitoring tools
- Businesses should immediately audit AI agent permissions and implement action monitoring
- The AI security tools market is expected to grow rapidly as enterprises confront these risks
Looking Ahead
The AI security landscape is expected to evolve rapidly through 2026 and 2027 as the industry grapples with these architectural challenges. Expect new standards from organisations like OWASP and NIST specifically addressing agentic AI security, alongside commercial products designed to monitor and protect AI agent deployments. The fundamental tension between agent capability and agent security will shape how the entire agentic AI ecosystem develops, potentially leading to tiered deployment models where agent permissions scale with the sophistication of surrounding security controls.
Frequently Asked Questions
What are zero-click AI agent attacks?
Zero-click attacks exploit AI agents without requiring any user interaction. Attackers embed malicious instructions in data sources the agent reads—emails, documents, or databases—causing the agent to execute harmful actions autonomously.
Why are AI agents vulnerable to these attacks?
AI agents are designed to be helpful and follow natural language instructions, which makes them inherently susceptible to manipulation. They combine the ability to process untrusted input with the authority to take trusted actions, creating a fundamental security weakness.
How can businesses protect against AI agent exploits?
Businesses should audit agent permissions, implement least-privilege access models, monitor for unusual agent behaviour, require human approval for high-impact actions, and involve security teams in all AI agent deployment decisions.