
Figure 1: McKinsey Lilli AI platform breach timeline — full read/write access achieved in 120 minutes by an autonomous AI agent. Source: CodeWall, March 2026.
Enterprise AI security due diligence just got a case study no one can ignore. On March 9, 2026, security startup CodeWall disclosed that its autonomous AI agent had breached McKinsey’s internal generative AI platform, called Lilli, in just two hours — with no credentials, no insider access, and no human involvement after the agent selected its own target.
The exposure was staggering: 46.5 million chat messages covering strategy, mergers and acquisitions, and client engagements. 728,000 files containing confidential client data. 57,000 user accounts. And 95 system prompts controlling Lilli’s behavior — all of them writable. A malicious actor could have silently rewritten what Lilli told 40,000 McKinsey consultants without deploying a single line of code.
The vulnerabilities were classic and preventable: publicly exposed API documentation, 22 unauthenticated endpoints, and a SQL injection flaw that standard tools would not have flagged. The threat was not novel. The target was among the most sophisticated enterprise organizations on the planet. And yet the attack took two hours.
M&A Signal: When you acquire a company with an embedded AI platform, you are acquiring its security posture, its data liabilities, and its attack surface. The McKinsey Lilli incident is a blueprint for what happens when AI deployment outpaces security architecture.
How the Breach Happened: A Step-by-Step Due Diligence Lesson
The full technical account is documented in CodeWall’s March 9 blog post. CodeWall CEO Paul Price noted that the process was “fully autonomous from researching the target, analyzing, attacking, and reporting.” Here is the attack chain in plain terms.
Step 1: Target Selection Without Human Input
The CodeWall agent identified McKinsey as a target autonomously — citing McKinsey’s public responsible disclosure policy on HackerOne and recent updates to Lilli. No human suggested the target. The agent evaluated the attack surface and decided it was worth pursuing.
Step 2: Exposed API Documentation
The agent found publicly accessible API documentation that included 22 endpoints requiring no authentication. This is a fundamental misconfiguration, not a sophisticated exploit. Any endpoint writing user data to a database should be authenticated. These were not.
Step 3: SQL Injection via JSON Key Reflection
One of the unauthenticated endpoints accepted JSON payloads and wrote user search queries to a database. The agent discovered that JSON key names were being concatenated directly into SQL statements — a textbook injection flaw. Standard automated tools missed it because the vulnerability was in the key names, not the values. The agent recognized the pattern when database error messages began reflecting verbatim input.
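The key-name concatenation pattern described in Step 3, as an added illustration that is not CodeWall's or McKinsey's code: a handler that parameterizes values but splices JSON keys into the SQL text, beside a hardened version that allowlists field names before any SQL is built, with a probe showing why only the first one produces a database error that echoes the unknown key (the table and column names are assumptions, not Lilli's schema).

```python
import json
import sqlite3

# Constructed in-memory table standing in for the search-log table the page
# describes; the column names are assumptions, not Lilli's real schema.
SCHEMA = "CREATE TABLE searches (user_id TEXT, query TEXT)"
ALLOWED_COLUMNS = {"user_id", "query"}


def _fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_vulnerable(conn, body):
    """The flawed pattern: the values are parameterized, but the JSON *keys*
    are concatenated straight into the SQL text, so a key name becomes SQL."""
    payload = json.loads(body)
    columns = ", ".join(payload.keys())            # untrusted text -> SQL
    placeholders = ", ".join("?" for _ in payload)
    sql = f"INSERT INTO searches ({columns}) VALUES ({placeholders})"
    conn.execute(sql, tuple(payload.values()))
    return sql


def insert_hardened(conn, body):
    """Check every key against the known schema before any SQL is built;
    an unknown key is an application error, never a database error."""
    payload = json.loads(body)
    unknown = set(payload) - ALLOWED_COLUMNS
    if unknown:
        raise ValueError(f"unexpected field(s): {sorted(unknown)}")
    columns = sorted(payload)                      # every name is now allowlisted
    placeholders = ", ".join("?" for _ in columns)
    sql = f"INSERT INTO searches ({', '.join(columns)}) VALUES ({placeholders})"
    conn.execute(sql, tuple(payload[c] for c in columns))
    return sql


def probe(body):
    """Run one request body through both handlers and report what happened."""
    outcomes = []
    for handler in (insert_vulnerable, insert_hardened):
        try:
            handler(_fresh_db(), body)
            outcomes.append("inserted")
        except sqlite3.Error as e:   # the key reached the SQL parser
            outcomes.append(f"db-error: {e}")
        except ValueError as e:      # rejected before SQL was built
            outcomes.append(f"rejected: {e}")
    return tuple(outcomes)
```

The database error in the vulnerable path is the "verbatim reflection" signal the text mentions; the hardened path never lets the key reach the parser, so there is nothing for a scanner, or an agent, to read back.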
Step 4: Full Database Access
From that single SQL injection point, the agent escalated to full read and write access across the production database. The scope of what was accessible — client strategy documents, M&A engagements, and plaintext chat logs — reflects a data architecture with insufficient compartmentalization.
Step 5: System Prompt Poisoning Capability
The most alarming finding: Lilli’s system prompts were stored in the same database, and the SQL injection flaw was read-write. An attacker could update these prompts with a single HTTP call — no deployment, no code change required. This means the attacker could control what Lilli tells every one of its 40,000+ users: what it recommends, what guardrails it applies, how it cites sources, and what information it surfaces.

Figure 2: Scope of data exposed in the McKinsey Lilli breach. System prompts were writable — enabling silent AI output manipulation at scale.
Why Enterprise AI Security Due Diligence Must Change Now
The conventional M&A security review focuses on data breach history, SOC 2 compliance, penetration test results, and vulnerability disclosure programs. These are necessary, but they were designed for a pre-agentic world. The McKinsey Lilli incident reveals four gaps in how most acquirers evaluate AI-embedded platforms.
As we noted in our analysis of Q4 2025 enterprise SaaS M&A data, the category attracting the most institutional capital right now is governance, risk, and compliance software — driven by cybersecurity mandates. That trend is about to accelerate significantly.
Gap 1: AI Platforms Are High-Value Targets
Lilli processed more than 500,000 prompts per month from consultants working on strategy, M&A, and client engagements. That is not an IT tool. That is a proprietary intelligence repository. Any AI platform that ingests sensitive enterprise workflows at scale is a tier-one attack target — and should be evaluated as one in due diligence.
Gap 2: Agentic AI Changes the Threat Velocity
Human attackers work at human speed. Agentic AI works at machine speed. The two-hour breach timeline is not a fluke — it is a preview of what automated offensive AI looks like at scale. The same technology that makes AI useful for productivity makes it lethal for adversarial automation. CodeWall’s Price told The Register that “hackers will be using the same technology and strategies to attack indiscriminately.” That is already happening: threat hunters have documented nation-state actors, including North Korea, using AI agents to manage attack infrastructure.
Gap 3: Classic Vulnerabilities Compound in AI Contexts
SQL injection has been on the OWASP Top 10 list for over a decade. Finding it in an enterprise AI platform deployed by a $15 billion management consultancy is not a criticism of McKinsey specifically — it is evidence that the rush to deploy AI capabilities has consistently outpaced secure development practices across the industry. Our AI due diligence framework analysis has consistently identified deployment-reality gaps as the core blind spot in enterprise AI evaluation.
Gap 4: System Prompt Integrity Is a New Attack Surface
Most enterprise security frameworks have no concept of “system prompt integrity.” There are no controls, no audits, and no alerts for system prompt modification. In a world where AI agents control workflow outputs, communication drafts, strategic recommendations, and analysis frameworks, a writable system prompt is the equivalent of a writable governance policy — with no version history and no change log.
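One minimal form of the control Gap 4 says is missing, added here as an illustration rather than any vendor's or McKinsey's code: a digest baseline for system prompts that lives outside the writable prompt store (assumed to be committed to version control at release), and a verifier that emits an audit event when a prompt has been modified, removed, or appears that was never registered. The prompt ids and text are constructed.

```python
import hashlib
import json

# Constructed sample prompts as a platform would load them from its prompt
# store at request time. The ids and text are illustrative, not Lilli's.
PROMPTS_AT_RELEASE = {
    "research-assistant": "You are an internal research assistant. Cite sources.",
    "drafting": "Draft client communications in the firm's style.",
    "guardrails": "Never disclose one client's data to another client's team.",
}


def canonical(prompt_id, text):
    # Bind the id to the text so two prompts cannot be swapped undetected.
    return json.dumps([prompt_id, text], separators=(",", ":")).encode()


def baseline_digests(prompts):
    """Computed at release and stored outside the prompt store (assumed:
    committed to version control next to the prompts themselves)."""
    return {pid: hashlib.sha256(canonical(pid, t)).hexdigest()
            for pid, t in prompts.items()}


def verify_prompts(live_prompts, baseline):
    """Compare what the platform is about to serve against the baseline.
    Returns audit events for any drift; an empty list means none."""
    events = []
    for pid in sorted(set(baseline) | set(live_prompts)):
        if pid not in live_prompts:
            events.append({"prompt": pid, "event": "missing"})
        elif pid not in baseline:
            events.append({"prompt": pid, "event": "unregistered"})
        elif hashlib.sha256(canonical(pid, live_prompts[pid])).hexdigest() != baseline[pid]:
            events.append({"prompt": pid, "event": "modified"})
    return events
```

Run the verifier on a schedule or at prompt load time and route its events to the same alerting path as a production configuration change; a write to the prompt table that bypasses the release process then shows up as a "modified" event instead of going unnoticed.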

Figure 3: Primary attack vectors targeting enterprise AI platforms in 2025–2026. SQL injection via unauthenticated endpoints was the entry point in the McKinsey breach.
Enterprise AI Security Due Diligence: A Practical Framework for M&A Buyers
If you are evaluating an acquisition target that has deployed internal AI platforms, customer-facing AI features, or agentic AI workflows, the following framework translates the McKinsey Lilli incident into actionable diligence questions. This applies equally to strategic acquirers, PE sponsors conducting technology carve-outs, and growth investors evaluating enterprise SaaS companies.
As detailed in our Enterprise SaaS M&A Q3 2025 analysis, security and compliance SaaS has attracted significant institutional attention — and for good reason. The companies building security infrastructure for enterprise AI are responding to a real and growing need.
| Due Diligence Dimension | Key Questions | Risk Level |
|---|---|---|
| API Authentication | Are all API endpoints authenticated? Is there public API documentation exposing endpoint schemas? | High |
| Database Architecture | Is AI platform data isolated from core business data? Are client and operational datasets segregated? | High |
| System Prompt Security | Where are system prompts stored? Who has write access? Is there an audit log for prompt modifications? | Critical |
| Agentic AI Governance | What actions can AI agents take autonomously? Are there permission boundaries? Is there human-in-the-loop review for high-stakes outputs? | Critical |
| Penetration Testing | Has the AI platform been tested independently? When was the last test? Were AI-specific attack vectors included? | High |
| Incident Response | Is there an AI-specific incident response plan? What is the detection capability for AI output manipulation? | Medium |
| Third-Party LLM Risk | What LLM providers have access to prompt data? What data is transmitted to external APIs? | High |
| Data Retention | How long are prompt/response logs retained? Are they encrypted at rest? Who can query production chat logs? | Medium |

Figure 4: AI security due diligence scoring — security-mature enterprise deployments vs. typical implementations. The McKinsey breach reflects the “typical” profile across most dimensions.
The Broader Signal: Agentic AI as an Offensive Weapon
The McKinsey incident is not an isolated data point. It fits a pattern that is accelerating across the enterprise security landscape.
In the same week as the Lilli disclosure, separate reporting documented North Korean threat actors using AI agents to manage attack infrastructure, and another incident in which malware-laced AI installers received elevated rankings in AI-powered search results. These are not coincidences. They reflect a structural shift: agentic AI is now an offensive capability available to anyone willing to deploy it.
The implication for enterprise software M&A is direct. When you acquire an AI-embedded platform today, you are not just buying its features and customer base. You are buying its attack surface — at machine speed. A platform that was secure six months ago may not be secure after a new agentic feature launch. Static security assessments are no longer sufficient.
McKinsey patched all unauthenticated endpoints within 24 hours of disclosure and issued a statement that its investigation, “supported by a leading third-party forensics firm, identified no evidence that client data or client confidential information were accessed by this researcher or any other unauthorized third party.” That response time is commendable. But the more important question for acquirers is not how fast the patch was applied — it is why the flaw existed at all in a platform handling 500,000 prompts per month of confidential client work.

Figure 5: AI security investment has grown 11x since 2022, reflecting institutional recognition that enterprise AI platforms require a new security architecture. The McKinsey Lilli breach will accelerate this trend.
What This Means for AI SaaS Valuation and Deal Structure
For enterprise AI SaaS companies currently seeking acquisition exits, the McKinsey breach creates both a risk and an opportunity.
The risk is straightforward: acquirers who were already asking about data security will now be asking much harder questions about AI-specific security architecture, system prompt integrity, and autonomous agent governance. Sellers who cannot answer these questions clearly will face valuation discounts and deal structure risks — escrow holdbacks, indemnification provisions, and extended warranties around AI data security.
The opportunity is equally clear. Companies that can demonstrate mature AI security practices — authenticated API endpoints, encrypted and isolated AI platform data, auditable system prompt governance, documented agentic AI permissions — are positioned to command a premium. Security and compliance software has already been the top-performing category by deal value in recent quarters. AI security is the next frontier within that category.
The Cisco acquisition of Robust Intelligence for AI model validation, CrowdStrike’s $260M acquisition of Pangea for AI identity enforcement, and SentinelOne’s acquisition of Prompt Security for prompt-level guardrails — these deals were priced before incidents like the Lilli breach became public. The next wave of AI security acquisitions will be priced differently.
Strategic Advisory Note: If your SaaS platform handles enterprise AI workflows and you are evaluating an M&A exit in 2026 or 2027, your AI security architecture is now a deal term — not just a footnote in the data room. Our Strategic Advisory practice can help you assess your security posture before acquirers do.
Red Flags to Watch for in Enterprise AI Platform Due Diligence
The following signals, directly informed by the McKinsey Lilli incident, should trigger deeper investigation in any AI-embedded acquisition target:
- Publicly accessible API documentation that maps endpoint schemas — especially those that accept user input or write to databases
- AI platforms that have scaled deployment rapidly without corresponding security milestone documentation
- System prompts stored in production databases rather than in version-controlled, access-controlled configuration files
- No dedicated AI security role or ownership in the engineering organization
- Penetration tests that predate the deployment of AI features by more than six months
- LLM provider contracts with broad data processing rights and no enterprise data isolation guarantees
- Absence of logging and alerting for system prompt modification events
- Agentic AI deployments with no defined permission boundary documentation
The Bottom Line for Enterprise AI Security Due Diligence
The McKinsey Lilli breach is a controlled disclosure with a rapid patch response — a best-case scenario for a serious vulnerability. But the vulnerability existed because AI deployment moved faster than security architecture, and because no one had yet operationalized the concept that AI platform system prompts are a governance-critical asset requiring the same controls as source code.
For M&A practitioners, the lesson is not that enterprise AI is too dangerous to acquire. It is that the due diligence playbook needs a new chapter — one that treats AI platforms as high-value targets, evaluates agentic AI permissions as a security surface, and assesses system prompt integrity as a governance requirement.
The companies building and deploying enterprise AI are moving fast. The companies evaluating those assets for acquisition need to move just as fast in closing the diligence gap. Two hours is how long it took to breach one of the most sophisticated AI deployments in the world. That is the benchmark against which your next acquisition target’s security architecture needs to be measured.
Ready to stress-test your AI security posture before an acquirer does? DevelopmentCorporate LLC helps enterprise SaaS founders identify and address the gaps that M&A buyers are now treating as deal risks. Contact us at developmentcorporate.com to discuss your situation.