NHI Forum
Read full article here: https://corsha.com/blog/5-takeaways-from-the-wiz-attack-of-sap-ai-core/?utm_source=nhimg
In a recent report, Wiz researchers detailed how they gained unauthorized access within a customer tenant of SAP AI Core, uncovering sensitive AI data, credentials, and secrets across the shared SaaS environment. The incident exposed critical vulnerabilities in multi-tenant AI architectures, Kubernetes configurations, and machine identity management — ultimately revealing how a single misconfiguration could lead to cross-tenant data exposure.
The attack began when Wiz exploited Kubernetes and Istio configurations to retrieve an access token to the Istiod server. This token provided a foothold to explore the cluster, revealing Loki configurations with AWS S3 secrets, EFS instances with full access to AI data, and even a deprecated Helm Tiller server that allowed write-level access to deploy arbitrary workloads.
While SAP acted swiftly to remediate the vulnerabilities and rotate credentials, the findings serve as a critical reminder: machine-to-machine authentication and Zero Trust principles must extend beyond human users — especially in complex AI and SaaS ecosystems.
5 Key Takeaways for Security Teams
- Zero Trust Must Be Enforced at Every Layer - Network proximity is not trust. The Wiz team accessed EFS volumes simply by being on the same network. Zero Trust principles — “never trust, always verify” — should apply equally to machines and workloads, not just humans.
- Single-Factor Authentication Is an Attack Vector for NHIs - Secrets like access tokens, API keys, and S3 credentials are often treated as trusted by default. As shown in this case, single-factor machine credentials can lead to supply-chain attacks, model poisoning, or cross-tenant breaches. Machine MFA is no longer optional.
- AI Automation Requires Stronger IAM Controls - AI platforms demand deep and continuous access to sensitive data sources. Each integration must be evaluated through an identity and access management (IAM) lens, ensuring strict authorization, token hygiene, and contextual validation.
- Multi-Tenant SaaS Isn’t Always Isolated - Shared infrastructure often hides weak boundaries between customers. Misconfigurations or shared credentials can lead to data exposure across tenants. Enterprises should assess how their SaaS providers handle tenant isolation and secrets management.
- Deprecated Tools Create Hidden Attack Paths - The presence of Helm’s deprecated Tiller server exemplifies how outdated tools with permissive defaults remain a high-risk target. Regular version audits and dependency reviews are vital to prevent legacy vulnerabilities from resurfacing.
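An added example (not code from the Wiz report or the Corsha article) of the kind of audit the last takeaway calls for: it scans a `kubectl get deployments,services -A -o json` dump for a Helm v2 Tiller deployment and notes whether a Service exposes it to the cluster network. It assumes Tiller's upstream defaults (labels `app=helm`, `name=tiller`, gRPC port 44134); the sample input and the function names are constructed for illustration.

```python
import json

TILLER_PORT = 44134  # Tiller's default gRPC port in Helm v2

# Constructed sample shaped like `kubectl get deployments,services -A -o json`.
SAMPLE = {"kind": "List", "items": [
    {"kind": "Deployment",
     "metadata": {"namespace": "kube-system", "name": "tiller-deploy",
                  "labels": {"app": "helm", "name": "tiller"}},
     "spec": {"template": {"spec": {"serviceAccountName": "tiller", "containers": [
         {"name": "tiller", "image": "gcr.io/kubernetes-helm/tiller:v2.16.1"}]}}}},
    {"kind": "Service",
     "metadata": {"namespace": "kube-system", "name": "tiller-deploy"},
     "spec": {"ports": [{"port": 44134}]}},
    {"kind": "Deployment",
     "metadata": {"namespace": "apps", "name": "web", "labels": {"app": "web"}},
     "spec": {"template": {"spec": {"containers": [
         {"name": "web", "image": "registry.example/web:1.4"}]}}}},
]}

def is_tiller(dep):
    """Match default Helm v2 labels or an image repo named 'tiller' (either may be changed)."""
    labels = dep["metadata"].get("labels") or {}
    images = [c.get("image", "") for c in dep["spec"]["template"]["spec"]["containers"]]
    repos = [i.split("@")[0].rsplit("/", 1)[-1].split(":")[0] for i in images]
    return (labels.get("app"), labels.get("name")) == ("helm", "tiller") or "tiller" in repos

def audit(resources):
    """Return one finding per Tiller deployment, noting in-cluster exposure."""
    items = resources.get("items", [])
    # Namespaces where some Service publishes the Tiller port to the cluster network.
    exposed_ns = {s["metadata"]["namespace"] for s in items
                  if s.get("kind") == "Service"
                  and any(p.get("port") == TILLER_PORT for p in s["spec"].get("ports", []))}
    findings = []
    for d in items:
        if d.get("kind") != "Deployment" or not is_tiller(d):
            continue
        pod = d["spec"]["template"]["spec"]
        findings.append({
            "namespace": d["metadata"]["namespace"],
            "name": d["metadata"]["name"],
            "images": [c.get("image", "") for c in pod["containers"]],
            "service_account": pod.get("serviceAccountName", "default"),
            "reachable_in_cluster": d["metadata"]["namespace"] in exposed_ns,
        })
    return findings

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

Any finding is a reason to migrate the affected releases to Helm 3, which removed Tiller, and to review the permissions bound to the reported service account.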
Why This Matters
As AI and automation platforms become core to enterprise workflows, attacks like this highlight a crucial shift: non-human identities (NHIs), including service accounts, API tokens, and machine credentials, are now prime targets for lateral movement and privilege escalation. Applying Zero Trust, multi-factor authentication, and continuous verification to these entities is essential for safeguarding AI workloads and customer data.