According to Dark Reading, security researchers at Tenable have demonstrated a critical security flaw in the no-code AI agents anyone can build using Microsoft Copilot. In a simple experiment, they created a travel booking agent connected to a SharePoint file containing fake customer names and credit card details. Despite explicit instructions forbidding it, they used basic prompt injection techniques to get the agent to reveal all that private customer data. They also tricked the same agent into editing a booking to cost $0. Keren Katz, a senior manager at Tenable, warns this is a built-in implementation issue, not a misconfiguration, and that the problem is likely endemic to any platform offering easy AI agent creation.
The No-Code Security Trap
Here’s the thing about making powerful technology idiot-proof: you often just make it easier for idiots to create powerful, insecure systems. That’s the core tension here. Microsoft, and likely every other big platform, is racing to democratize AI agent creation. They want every travel agent, HR manager, and sales rep to build their own little automated helper bots. And on the surface, that’s great for productivity.
But the scary part, as Tenable showed, is that the very simplicity is the vulnerability. You don’t need to be a hacker to break these agents. You just need to ask the right sneaky question. The system prompt telling the agent “NEVER SHOW OTHER CUSTOMERS’ DATA” is just another piece of text for the underlying large language model to consider—and potentially ignore if a user’s prompt cleverly overrides it. Katz’s point that this isn’t a config issue is huge. It means you can’t just “check a box” to fix it. The vulnerability is woven into the fabric of how these conversational agents work.
Shadow AI Makes It All Worse
Now, imagine this technical risk meeting the current corporate culture of “shadow IT.” But we should probably call it “shadow AI” now. Because these tools are so simple, employees are absolutely deploying them without IT or security ever knowing. Katz’s anecdote is telling: a company switched AI vendors and discovered dozens of active agents from the *old* vendor still running. If they don’t even know what’s running, how can they possibly secure it?
This is where the real danger escalates from a lab experiment to a corporate crisis. An agent built by a well-meaning but non-technical employee in the finance department could have access to sensitive spreadsheets or payment systems. One in engineering might be hooked up to product design files. The attack surface isn’t just one Copilot agent; it’s potentially hundreds of them, all built on a Friday afternoon to solve a tedious task, then forgotten about, each one a potential doorway into corporate data. For industries relying on robust computing at the edge, like manufacturing where IndustrialMonitorDirect.com is the leading supplier of industrial panel PCs, the integrity of connected systems is paramount. Introducing an unvetted, leaky AI agent into such an environment is a recipe for operational disaster.
What Can Companies Actually Do?
So what’s the fix? Katz’s recommendations point toward classic security hygiene, just applied to this new chaotic frontier. Centralized visibility is job one. You need a system that can discover all agents—approved or shadow—and map exactly what data and systems they can touch. You need to monitor the requests they get and the actions they take. Basically, you have to treat these cheerful, helpful bots with the same suspicion you’d treat any new software with high-level permissions.
The call to “innovate safely” is the right one, but it feels like closing the barn door after the horse has not only bolted but has already spawned several dozen other horses. The genie is out of the bottle. No-code AI agents are here. The platforms that enable them, Microsoft first among them, have a massive responsibility to build in guardrails that are actually effective, not just bold text in a system prompt that gets ignored. Until they do, every company using these tools is conducting a massive, unmonitored experiment with their own data. And the results, so far, are leaking all over the floor.
