Varonis research highlights enterprise AI security gaps in Google Dialogflow CX
Serge Bulaev
Varonis research suggests there are security gaps in Google Dialogflow CX that may let attackers steal data by using malicious code. The study showed that a rogue code block could secretly send conversation data elsewhere, without breaking into Google or Varonis. The risk seems to come from how chatbots are built, especially with identity, permissions, and isolation. Experts recommend using stronger controls for each AI agent, better logging, and tighter network limits to reduce these risks. Simple changes to how agents are isolated may quickly stop some types of attacks.

New Varonis Threat Labs research highlights significant enterprise AI security gaps in Google Dialogflow CX, demonstrating how a single malicious code block can hijack conversations and exfiltrate data. The proof-of-concept study did not breach Google or Varonis systems but exposed foundational architectural risks related to agent identity, permissions, and runtime isolation. Security experts now assert that attackers are shifting focus from abusing AI models directly to weaponizing the underlying "plumbing" - the integrations connecting LLMs to business-critical data stores, APIs, and cloud services.
What the Rogue Agent demo actually proved
The Varonis Rogue Agent demonstration proved that architectural flaws in an AI agent's configuration can be exploited to steal data without compromising the core platform. Researchers injected a malicious handler that silently exfiltrated conversation transcripts by leveraging overly permissive access, weak runtime isolation, and insufficient logging.
In the experiment, researchers injected a rogue intent handler that successfully forwarded conversation transcripts to an external endpoint while maintaining normal user-facing functionality. The public write-up from Varonis Threat Labs research identified three common security gaps that enabled the exploit:
- Minimal Permission Requirements: The exploit required only the 'dialogflow.playbooks.update' permission on a single agent, not broad OAuth permissions. The data theft occurred due to weak runtime isolation in the shared Cloud Run environment, allowing one agent to affect others in the same GCP project.
- Minimal Runtime Isolation: Untrusted code was allowed to execute within the same process as privileged workflows, creating a pathway for lateral movement.
- Inadequate Logging: The system's logs did not capture granular tool calls, which allowed the data exfiltration to remain undetected during simulated attacks.
While no actual customer data was impacted, this research echoes the patterns of previous SaaS breaches. The 2025 Salesloft-Drift breach compromised OAuth tokens and resulted in the export of large volumes of customer records from over 700 Salesforce tenants, including Cloudflare, Google, and Palo Alto Networks.
Growing Demand for Agent-Specific Controls
In response to these emerging threats, industry guidance now strongly recommends a more granular, agent-centric security model. Best practices advocate for assigning each AI agent its own unique non-human identity, enforcing least-privilege scopes, and using just-in-time (JIT) tokens. This approach, combined with tight microsegmentation and zero-trust authentication, is proven to significantly reduce the blast radius if an agent is compromised. Experts also emphasize the need for pre-dispatch policy checks to proactively block dangerous tool sequences before they can execute.
A consensus checklist from multiple best-practice papers includes the following core recommendations:
- Know-Your-Agent (KYA): Register every agent with clear ownership and formally defined data domains.
- Layered RBAC: Enforce role-based access control (RBAC) at the organization, workspace, agent, and individual action levels.
- Automated Credential Rotation: Use secret stores to automatically rotate short-lived credentials.
- Immutable Audit Trails: Log every trigger, decision, and external API call with an unchangeable audit trail.
- Cost and Resource Caps: Apply strict spending and execution caps to prevent runaway tasks and denial-of-service attacks.
These controls directly address the vulnerabilities exposed in the Dialogflow CX experiment.
Prompt Injection Defenses Advance for JavaScript and TypeScript
Given that many Dialogflow extensions and web chat components are built with JavaScript and TypeScript, language-specific defenses are becoming critical. New tools are emerging, such as updated GitHub CodeQL queries that identify prompt-injection sinks in common GenAI SDKs. Concurrently, libraries like the OpenAI Guardrails JS library provide semantic analysis of function calls and responses to detect malicious instruction-following attempts.
However, academic research shows these defenses are not yet foolproof. Recent studies have tested various payloads against AI coding editors, demonstrating that even sophisticated guardrails are an evolving defense, reinforcing the need for enterprises to combine static code analysis with robust runtime policy enforcement.
Why Runtime Isolation Matters Now
Runtime isolation is a foundational pillar for securing agentic AI systems. By using microsegmented runtimes, each agent can be confined to the minimum network and file system resources necessary for its task. Coupling this isolation with IP address allow-lists can help prevent stolen tokens from being used outside of trusted execution zones. A complete and continuous inventory of all browser extensions, SaaS add-ons, and internally developed agents is also essential to prevent "shadow IT" agents from bypassing centralized security controls.
The Varonis research powerfully illustrated this principle: moving the rogue agent handler into a sandboxed container with no network egress access immediately blocked the data leakage. This finding underscores how targeted architectural changes can rapidly neutralize entire classes of agent-based threats.