Foundation First, Agents Second: What the McKinsey/Lilli Breach Pattern Reveals About Enterprise AI Security
The McKinsey/Lilli breach pattern highlights five architectural issues enterprise AI leaders should evaluate now: identity, interface discipline, containment, control-plane separation, and observability.
The Five Architectural Issues
The reported breach of McKinsey’s internal generative AI platform, Lilli, matters beyond the specifics of one incident. It reveals a pattern of architectural decisions that enterprise AI leaders should evaluate against their own deployments — regardless of vendor.
This paper examines five structural concerns:
- Identity & Access Boundaries — Whether the agent layer inherits broad access or enforces least-privilege at every request
- Interface Discipline — Whether request contracts are typed and validated or permissive and trust-based
- Containment Architecture — Whether one compromised path can cross tenants, workspaces, and data domains
- Control-Plane Separation — Whether the instructions that shape agent behavior live in a protected layer or sit beside mutable operational data
- Observability — Whether anyone can see abnormal behavior before an outsider points it out
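To make the five concerns concrete, here is an added Python illustration (not code from McKinsey, Lilli, or this paper) of a minimal agent gateway that applies all five on every tool request: a frozen control plane separated from mutable workspace data, a typed request contract that rejects malformed input at construction, per-request authorization against explicit grants rather than an inherited platform identity, workspace-scoped retrieval for containment, and an audit trail with a simple deny-spike detector for observability. All names, grants, workspace ids and documents are constructed for the example.

```python
"""Added illustration: a governed agent gateway enforcing identity, interface
discipline, containment, control-plane separation and observability per request.
Not the architecture of any real product; all data below is constructed."""
from dataclasses import dataclass
from collections import Counter
import re
from typing import Any


# Control plane: behaviour-shaping instructions live in a frozen object.
# The data plane (DOCS below) has no write path into it.
@dataclass(frozen=True)
class ControlPlane:
    system_prompt: str
    allowed_tools: frozenset


CONTROL = ControlPlane(
    system_prompt="Answer only from the caller's own workspace documents.",
    allowed_tools=frozenset({"search_docs"}),
)

# Data plane: mutable, tenant-scoped operational data (constructed sample).
DOCS: dict = {
    "ws-finance": {"q3.txt": "Q3 margin forecast 12%"},
    "ws-legal": {"nda.txt": "Standard NDA template"},
}

WS_RE = re.compile(r"^ws-[a-z0-9]{1,32}$")


@dataclass(frozen=True)
class ToolRequest:
    """Typed request contract: construction fails on anything malformed,
    so handlers never see a permissive, free-form payload."""
    principal: str
    workspace: str
    tool: str
    args: dict

    def __post_init__(self):
        if not WS_RE.fullmatch(self.workspace):
            raise ValueError("workspace id malformed")
        if self.tool not in CONTROL.allowed_tools:
            raise ValueError(f"tool not in allowlist: {self.tool}")
        if set(self.args) != {"query"} or not isinstance(self.args["query"], str):
            raise ValueError("args must be exactly {'query': str}")
        if len(self.args["query"]) > 256:
            raise ValueError("query too long")


# Identity: explicit per-principal grants, checked on every request.
# Nothing is inherited from the platform's own service identity.
GRANTS: dict = {
    "alice": {("ws-finance", "search_docs")},
    "bob": {("ws-legal", "search_docs")},
}

# Observability: every authorization decision is recorded, allow or deny.
AUDIT: list = []


def handle(req: ToolRequest) -> list:
    """Authorize, execute inside the authorized workspace, record the outcome."""
    allowed = (req.workspace, req.tool) in GRANTS.get(req.principal, set())
    AUDIT.append({"principal": req.principal, "workspace": req.workspace,
                  "tool": req.tool, "decision": "allow" if allowed else "deny"})
    if not allowed:
        raise PermissionError(f"{req.principal} lacks {req.tool} on {req.workspace}")
    # Containment: the store is addressed only by the workspace that was
    # authorized above, so one request cannot reach another tenant's data.
    store = DOCS.get(req.workspace, {})
    q = req.args["query"].lower()
    return sorted(name for name, body in store.items() if q in body.lower())


def denial_spikes(threshold: int = 3) -> dict:
    """Principals whose deny count has reached the threshold; the kind of
    signal a defender wants before an outsider reports the problem."""
    denies = Counter(e["principal"] for e in AUDIT if e["decision"] == "deny")
    return {p: n for p, n in denies.items() if n >= threshold}


if __name__ == "__main__":
    print(handle(ToolRequest("alice", "ws-finance", "search_docs", {"query": "margin"})))
    for _ in range(3):
        try:
            handle(ToolRequest("bob", "ws-finance", "search_docs", {"query": "margin"}))
        except PermissionError as exc:
            print("denied:", exc)
    print("spikes:", denial_spikes())
```

The design point is that each control is applied at the request boundary rather than assumed from the platform: a request that names an unlisted tool never reaches the handler, a principal without a grant for that workspace is denied even though the gateway process itself can read every workspace, and the control plane cannot be modified through any code path that touches documents.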
Why This Matters for Governed AI
The agentic AI shift is more consequential than the cloud. The cloud was about WHERE to store data. Agentic AI is about WHAT RUNS your business.
Organizations deploying agentic systems without addressing these five foundations are building on sand. The governed approach — where intelligence operates within explicit boundaries, every action produces an audit trail, and the control plane is architecturally separated from the data plane — is not optional for regulated enterprises. It is the minimum viable security posture.
Key Takeaway
Foundation first. Agents second. The sequence is non-negotiable.