Recent years have seen not only an explosion of AI popularity and capabilities, but a shift in usage, from AI as a productivity tool to AI as an interpreter that sits on top of Gmail, Docs, Drive, Calendar, and other enterprise systems. Organizations increasingly rely on AI to surface insights and automate workflows, creating an implicit trust that the AI will only do what it’s supposed to do. GeminiJack, the Google Gemini vulnerability recently discovered by Noma Labs, illustrates why that assumption no longer holds.
What GeminiJack Actually Was—and Why It Matters
Noma Labs uncovered a zero-click exploit inside Google Gemini Enterprise and previously in Vertex AI Search. The vulnerability was significant in its low barrier for exploitation—it required no phishing link, malicious attachment, or user action in order to be carried out. Where many attacks result from inadvertent action on the part of the targeted user that enables attacker access, GeminiJack exploited agentic AI capabilities instead.
The attacker simply had to drop malicious content into a Doc, email, or calendar event. The AI agent, performing its normal indexing and retrieval tasks, carried out the rest. This was not the result of a simple coding mistake, but an architectural flaw in the functionality of the AI system that allowed malicious action through regular operations.
The Architectural Weakness Behind the Exploit
The vulnerability is not merely an isolated incident, but an indication of a widespread flaw in many enterprise AI systems. These systems interpret untrusted input broadly, often without the same guardrails applied to traditional applications. This can enable attackers to carry out attacks by manipulating inputs rather than requiring hacking or advanced skills.
Unlike conventional vulnerabilities, this flaw was not about memory corruption or misconfigured permissions—it was about the AI’s ability to “see” across systems. If an attacker can influence what the AI reads, they can influence what the AI outputs, with severe impacts across systems. This attack path is especially nefarious and difficult because it is entirely invisible to typical security tools.
Google’s Response and Collaboration With Noma Labs
Upon disclosure of the vulnerability, Google validated the issue, worked directly with Noma Labs, and deployed fixes to address the core of the issue. The deployed updates changed the way Gemini and Vertex AI Search interact with retrieval and indexing layers to secure the attack vector against this flaw. Noma’s disclosure and the quick vendor response are in line with the critical nature of this systemic vulnerability and the need for responsible handling of such flaws.
The Broader Pattern: AI-Native Vulnerabilities Are Emerging Fast
This vulnerability is representative of a number of wider trends in the AI landscape. Attacks involving prompt injection, RAG manipulation, agentic workflows, and cross-tool access are on the rise as enterprises increasingly adopt AI tools and agents. Attackers see these vectors as valuable targets for exploiting, especially as organizations rapidly adopt AI tools without implementing effective security and governance protocols. “GeminiJack is a great example of the greatly expanded attack surface that AI systems present,” according to James Maude, Field CTO at BeyondTrust. “As organizations and users have raced to deploy AI either deliberately or through shadow IT, they have rapidly lost control over who can do what.”
The industry is rapidly moving into a phase where attackers choose to target not the underlying applications, but the AI that interprets them. These tools have access to a wide range of systems and data, making them a high-value target for compromising large, interconnected organizations. As these AI retrieval systems grow more powerful and interconnected, the attack surface expands in subtle ways, opening up more potential threat vectors.
What Enterprises Must Prepare For Next
In order to protect against this and similar risks, it is vital for organizations to adopt the emerging pillars of AI security strategy. This requires shifting mindsets away from traditional defenses and addressing the threats that accompany AI usage. Enterprises can achieve this by treating AI systems as privileged users with their own access patterns, behaviors, and potential compromise paths.
The data ingestion layer must be secured and protected as aggressively as the output layer. To mitigate issues of visibility and governance, enterprises must build monitoring that tracks what the AI is being asked to read, not just what it produces. Organizations should adopt red-teaming practices tailored to AI models, retrieval pipelines, and multi-modal inputs.
GeminiJack Is a Warning, Not an Edge Case
GeminiJack is far from the only vulnerability of its kind—it offers a preview of the security challenges that come with embedding AI into enterprise workflows. The incident should serve as a warning indicating how thin the line is between helpful automation and a new class of exploit paths. As AI becomes more autonomous, the stakes rise accordingly, opening organizations up to a variety of severe threats. The next wave of enterprise security will revolve around understanding and defending this AI access layer.
