Correctly Configured AWS Org Fell To AI Red Team That Chained Legitimate Permissions

Skyhawk Security reports that its autonomous attack tool chained legitimate, correctly configured permissions into a full AWS organization takeover, with no misconfiguration involved and no alert raised.

Published on Jun 30, 2026
Skyhawk Security revealed that its Agentic AI Red Team took control of an unnamed company’s production AWS organization in seconds. The attack chain started from only low-privilege access, during a test of the company’s defenses against AI-driven attacks.

Making this more concerning, the unnamed, breached company followed best security practices, had right-sized its identity permissions, ran a leading cloud security platform, and had cleared its critical findings. The takeover, the vendor said, used no misconfiguration and no excessive privilege.

Instead, Skyhawk’s tool found a chain of individually legitimate permissions, each one valid and intentionally set, then combined them to move from a low-privilege role up to full organizational control. No single setting was wrong, the company argued; the risk lived in the combination, which it said no conventional cloud security tool would flag.

A static attack-graph analysis of the same environment showed no viable route from low privilege to organizational control, while Skyhawk's AI-driven adversarial approach found one by manipulating roles ad hoc within the privilege boundary.
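The gap between the two analyses can be reproduced on a toy model. This is an added example, not Skyhawk's tool or anything taken from its report; the principal names and the two relations (who can assume a role today, who is allowed to edit a role's trust policy) are assumptions chosen for illustration.

```python
from collections import deque

# Constructed sample environment (hypothetical names, not from the report).
# ASSUME[p]  = roles p can assume today (what a static snapshot sees).
# REWRITE[p] = roles whose trust policy p is allowed to edit: a legitimate
#              delegation that creates no assume edge until it is exercised.
ASSUME = {
    "dev-user": {"ci-role"},
    "ci-role": {"deploy-role"},
    "deploy-role": set(),
    "audit-role": {"org-admin"},
    "org-admin": set(),
}
REWRITE = {"deploy-role": {"audit-role"}}

def static_reach(start, assume):
    """Principals reachable using only the assume edges that exist now."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in assume.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def dynamic_reach(start, assume, rewrite):
    """Fixed point: a held principal that may edit a role's trust policy
    can give itself an assume edge to that role, so add it and re-run."""
    edges = {p: set(t) for p, t in assume.items()}
    while True:
        held = static_reach(start, edges)
        added = False
        for p in held:
            for role in rewrite.get(p, ()):
                if role not in edges.setdefault(p, set()):
                    edges[p].add(role)
                    added = True
        if not added:
            return held

def hidden_paths(start, assume, rewrite):
    """Principals reachable only once permission chaining is modelled."""
    return dynamic_reach(start, assume, rewrite) - static_reach(start, assume)

if __name__ == "__main__":
    print(sorted(hidden_paths("dev-user", ASSUME, REWRITE)))
```

A non-empty result for a low-privilege starting principal is the review signal: every individual grant is valid, yet the combination reaches roles the static snapshot reports as unreachable.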

Because the account comes from a vendor describing a test of its own product on an unnamed client, it could not be independently verified. The concern it points to, that legitimate permissions can combine into unintended attack paths, is nonetheless well recognized in cloud security.

The Trend Behind the Claim

Identity is typically the weak point in cloud breaches: Google Cloud’s H1 2026 threat report found IAM is the initial access vector in more than 70% of cloud attacks and a factor in roughly 83% overall.

Skyhawk’s point was that even after permissions are right-sized and misconfigurations removed, valid capabilities can be chained toward takeover.

The wider shift is the arrival of attackers capable of doing that chaining at speed. CrowdStrike’s 2026 Global Threat Report found AI-enabled adversaries increased their activity by 89% YoY. Work that once required a skilled human red team, Skyhawk argued, is becoming faster and automated.

The question the breach raised is whether defenses tuned to catch misconfigurations and known-bad findings can also see the risk that lives in legitimate configuration.