0-click AI agent exploits: are your controls keeping up?

TL;DR: 0-click exploit methods can hijack popular enterprise AI agents, leading to unauthorized access, memory manipulation, data exfiltration, and conversation control across platforms such as ChatGPT, Copilot Studio, Gemini, and Salesforce Einstein, according to Zenity Labs. The findings show that agent behaviour can cross organisational boundaries without user action, which makes runtime governance and identity controls the decisive issue, not just content filtering.

NHIMG editorial — based on content published by Zenity: AgentFlayer: 0Click Exploit Methods

By the numbers:

• 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%).

Questions worth separating out

Q: How should security teams govern AI agents that can act on untrusted input without user clicks?

A: Treat every external message, document, or case as a potential execution trigger.

Q: Why do AI agents create more access risk than ordinary automation?

A: AI agents create more risk because they can interpret untrusted content, choose actions at runtime, and use delegated access across connected tools.

Q: What breaks when an AI agent can retain memory across sessions?

A: A retained memory layer can turn a one-time interaction into persistent compromise if malicious instructions or poisoned context survive beyond the original input.

Practitioner guidance

• Inventory every agent input and output path Map which external sources can influence each agent, including email, docs, tickets, chat, and calendar items.
• Constrain agent tool graphs by business purpose Limit each agent to the smallest set of tools required for its job, and prevent broad cross-platform delegation where a single compromise could reach drive, CRM, and developer environments.
• Treat retained memory as governed state Classify conversation history, long-term memory, and context stores as security-relevant assets.

What's in the full report

Zenity's full research covers the operational detail this post intentionally leaves for the source:

• Platform-by-platform exploitation paths for ChatGPT, Copilot Studio, Gemini, and Salesforce Einstein
• Hands-on attack simulations showing how prompt injection, memory abuse, and tool misuse were chained together
• Scenario detail on how compromised support cases and shared documents were used to influence agent behaviour
• Research observations that help teams move from policy discussion to testing and containment

👉 Read Zenity's research on 0-click AI agent exploit methods →

0-click AI agent exploits: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →