The Zero-Click AI Hack: How to Contain the Blast Radius of Autonomous Agents

Is an AI agent's identity a workload or an action? Ashish spoke to Elie Bursztein, Distinguished Research Scientist and co-author of Google SAIF (Secure AI Framework) about how it is neither and that is exactly why our traditional security models no longer apply to the AI era . In this episode, Ashish sits down with Elie to explore the evolution of AI from a passive "brain in a jar" to an active agent that takes actions on your behalf . Elie breaks down the reality of Indirect Prompt Injection, sharing a recent zero-click exploit where simply sending a malicious Google Calendar invite caused an AI agent to execute unauthorized commands . If your organization is building agentic workflows, this conversation provides aroadmap. Learn why you must treat agents like contractors with a verifiable "mandate," why the order of tool execution matters (never let an agent access private banking data and then browse the open internet), and how the industry is moving toward "semantic firewalls" to contain the AI blast radius .

Questions asked:

(00:00) Introduction(02:50) Elie Bursztein’s Background & Creating Google SAIF (07:50) Defining AI Agents: The "Brain in a Jar" vs. Real-World Action (11:00) Agent Identity: Is it a Workload or an Action? (13:30) The Concept of an AI "Mandate" (The Contractor Analogy) (19:30) Translating Natural Language into Verifiable Smart Contracts (24:50) The Missing Semantic Layer in AI Observability (25:30) What’s Next: Agent Identity and AI Privacy (27:30) Indirect Prompt Injection: The Zero-Click Google Calendar Hack (30:00) Containing the AI Blast Radius & Tool Execution Order (33:30) Building a Semantic Firewall (36:00) The #1 Rule for Safely Deploying AI Agents (Start Small) (40:30) Hobbies: Writing a Book on Innovation & The Playing Card Heritage Foundation (44:50) Favorite Food: Yakiniku (Japanese BBQ)

Resources spoken about during the episode:

Google SAIF (Secure AI Framework)

Elie's Website