Meta AI agent exposes sensitive data in internal leak
Meta has confirmed that an internal AI agent gave faulty guidance that led an engineer to expose sensitive company and user data to employees. The incident triggered a Sev-1 internal alert and lasted about two hours.
Tracing the leak
The exposure stemmed from what has been described as a routine query to an internal agent in Meta's engineering environment. The system proposed steps that made a large volume of sensitive internal and user information visible to staff who would not normally have access.
Meta said the data did not leak outside the company and that the issue was contained. Even so, the incident has drawn scrutiny from security specialists, who say it points to deeper weaknesses in how organisations govern autonomous agents and protect the data they can access.
Vendors and researchers argue that many organisations now place AI agents in development, support, and operations workflows without treating them as distinct identities that need specific controls. These agents can interact with production systems, internal tools, and repositories, often through service accounts with broad permissions.
Giving agents access
Gidi Cohen, chief executive and co-founder of security firm Bonfy.AI, said the incident showed the consequences of deploying agents without a persistent understanding of data sensitivity and access rights.
"Meta's incident is exactly what happens when you let agents loose on sensitive data without any real data-centric guardrails. This wasn't some exotic AGI failure. It was a very simple pattern: an engineer asked an internal agent for help, the agent produced a 'reasonable' plan, and that plan quietly exposed a huge amount of internal and user data to people who were never supposed to see it."
Cohen continued, "The problem is that neither the engineer nor the agent had any persistent notion of who actually should see this data beyond whatever happened to sit in a narrow context window at that moment. Traditional controls don't help much here. Endpoint DLP, CASB, browser controls, even basic role-based permissions - none of them are watching the actual content as it moves through an agent's reasoning steps and tool calls, especially when the agent is running as a system service in some framework."
Cohen also offered advice on how organisations should treat agents in order to reduce the risk of data leaks and related security failures.
He said, "Our view is simple: treat agents like very fast, very forgetful junior interns, and make the data security layer smart enough to compensate. That means three things: constrain what data is available to the agent through contextual labeling and grounding; give the agent a Bonfy MCP tool it can call inline to ask, 'is this safe to use or send in this context?' before it acts; and inspect what ultimately comes out of the workflow before it lands in email, chat, dashboards, or internal portals. In a Meta-style scenario, those controls would have either prevented the broad internal exposure entirely or at least reduced the blast radius to something manageable."
Cohen's comments reflect a growing view in the security sector that traditional perimeter and endpoint defences were not designed for agent-driven workflows. In these environments, an agent can chain together tool calls and API interactions in ways that bypass manual checks while still operating within formally permitted roles.
Identity and access management specialists say this shifts the focus to continuous inspection of what data an agent can access and what outputs it generates, rather than relying solely on static role definitions.
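The three controls Cohen describes (constrain what data the agent sees, give it an inline "is this safe here?" check before it acts, and inspect what comes out before it lands in a shared channel) can be sketched as a policy gate around an agent's tool calls. The following is an added illustration, not code from Meta, Bonfy.AI or Delinea; the labels, audiences, datasets and function names are all constructed for the example.

```python
"""Policy gate for an AI agent's tool calls: data-sensitivity labels are
checked against the audience before the action runs, and the action's
output is inspected before it lands in a shared channel.
All labels, principals and records below are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed sensitivity ranking; a higher label needs a higher clearance.
LEVEL = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed label registry: every dataset the agent may read carries a label.
DATA_LABELS = {
    "release_notes": "public",
    "oncall_schedule": "internal",
    "user_profile_export": "restricted",
}

# Constructed clearance for each place the agent is allowed to publish to.
AUDIENCE_CLEARANCE = {
    "all-staff-dashboard": "internal",
    "privacy-team-channel": "restricted",
}

@dataclass
class ToolCall:
    action: str      # e.g. "publish"
    datasets: list   # datasets the agent wants to read for this step
    audience: str    # where the result will land

@dataclass
class Decision:
    allowed: bool
    reason: str
    blocked: list = field(default_factory=list)

def is_safe_for(label: str, audience: str) -> bool:
    """The inline question an agent asks before acting: may this label go here?
    Unknown audiences are treated as public-only (fail closed)."""
    return LEVEL[label] <= LEVEL[AUDIENCE_CLEARANCE.get(audience, "public")]

def gate_tool_call(call: ToolCall) -> Decision:
    """Pre-execution check: deny the call if any input dataset outranks the audience.
    Unlabelled datasets are treated as 'restricted' (fail closed)."""
    too_sensitive = [d for d in call.datasets
                     if not is_safe_for(DATA_LABELS.get(d, "restricted"), call.audience)]
    if too_sensitive:
        return Decision(False, f"{call.action} to {call.audience} blocked", too_sensitive)
    return Decision(True, "within audience clearance")

def inspect_output(records: list, audience: str) -> list:
    """Post-execution check: drop labelled records the audience may not see,
    so a plan the gate missed still cannot widen exposure."""
    return [r for r in records if is_safe_for(r["label"], audience)]
```

The point of the two-stage check is that the pre-execution gate reasons about the agent's plan while the output inspection looks at the actual content, which is the layer Cohen notes that endpoint and role-based controls do not see.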
AI risk in APAC
The Meta incident has also resonated in Asia Pacific, where enterprises are accelerating the deployment of generative AI and agents. Recent research by privileged access management firm Delinea found that many organisations in Australia and Singapore are increasing AI adoption while easing some identity controls.
Cynthia Lee, APAC vice president at Delinea, said the case underlined that AI-related threats are no longer hypothetical for large organisations.
"The recent incident at Meta, where an AI agent exposed sensitive internal data following a routine query, is a timely reminder that AI risk is already operational. AI agents can execute tasks with speed and precision, but they don't understand consequences in the way humans do. They lack institutional memory, judgement, and an inherent sense of risk, yet they are increasingly being given access to critical systems."
Lee continued, "Recent research from Delinea ('Uncovering the Hidden Risks of the AI Race') found that 90% of Australian and 95% of Singaporean organisations are accelerating AI adoption while pressuring security teams to loosen identity controls. This push to grant AI agents greater access and autonomy without the necessary safeguards creates a dangerous imbalance.
"Every AI agent is effectively a new identity that can access critical data, trigger workflows, and take or recommend privileged actions. The challenge is that AI can scale both productivity and mistakes at the same pace. The solution is not to slow innovation, but to strengthen control. That means treating AI agents with the same rigour as human users: enforcing least privilege, ensuring real-time visibility, and adopting Zero Trust principles. As AI becomes embedded across enterprise environments, resilience will depend on governance - not speed."
Security vendors point to the Meta case as an example of what can happen even when no external adversary is involved. In their view, the combination of powerful internal agents, complex data estates, and loosened identity controls creates a material risk of large-scale but unintended exposure.
They argue that organisations in Asia Pacific and elsewhere need to treat agents as first-class subjects in identity, access, and data protection strategies, rather than as neutral tools embedded within existing accounts.