---
id: "concept-zero-click-ai-exploits"
type: "concept"
source_timestamps: ["¶1", "¶2"]
tags: ["vulnerabilities", "zero-click", "threat-vectors"]
related: ["concept-echoleak", "concept-deterministic-security-mismatch"]
definition: "A class of cyber vulnerabilities that compromise AI systems and extract sensitive data silently, without requiring any user interaction or human error."
source_title: "Research: Conventional Cybersecurity Won't Protect Your AI"
source_url: "https://hbr.org/2026/01/ts-research-conventional-cybersecurity-wont-protect-your-ai"
sources: ["tail2"]
sourceVaultSlug: "hbr-seg-tail2"
originDay: 2
articleStem: "hbr-tail-128-cybersecurity-wont-protect-ai"
sourceUrl: "https://hbr.org/2026/01/ts-research-conventional-cybersecurity-wont-protect-your-ai"
sourceTitle: "Research: Conventional Cybersecurity Won’t Protect Your AI"
---
# Zero-Click AI Exploits

Zero-click AI exploits are a sophisticated new class of vulnerabilities that compromise sensitive data **without any user interaction, phishing, or human error**. Unlike traditional cyberattacks that rely on tricking a user, these exploits silently extract confidential information by manipulating how an AI system interacts with user data in the background. Because AI systems constantly learn from and interact with vast external data streams, they open *dynamic blind spots* that traditional, user-centric security models cannot detect or prevent. Their emergence signals that AI integration exposes organizations to systemic risks that bypass human behavior entirely.

The flagship proof-point is [[concept-echoleak]], the June 2025 Microsoft 365 Copilot exploit. Because these attacks route around human error, they are a direct manifestation of the [[concept-deterministic-security-mismatch]] between rule-based, user-centric defenses and non-deterministic AI.

**Enrichment nuance.** External security literature reframes this pattern more precisely as an *LLM Scope Violation* / *indirect prompt injection*: untrusted external input (e.g., a crafted email) manipulates the model into accessing and leaking internal data. Two qualifications are worth carrying: (1) 'new class' is best read as a *new AI-layer pattern* rather than a wholly novel security primitive — it is rooted in classic command-injection and trust-boundary failures; and (2) at least one analysis (Varonis) argues the strict 'zero-click' label is partly overstated, since some variants require the victim to issue a Copilot prompt that pulls the malicious content into context — better described as 'minimal-interaction.'
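One way to enforce the trust boundary described above at context-assembly time, as an added illustration that is not from the source article or any vendor's code. The `Chunk` labels, the `assemble_context` function and the audit event name are hypothetical, and the sample chunks are constructed.

```python
from dataclasses import dataclass

EXTERNAL, INTERNAL = "external", "internal"  # assumed provenance labels

@dataclass(frozen=True)
class Chunk:
    doc_id: str
    origin: str      # EXTERNAL = authored outside the organization (e.g. inbound email)
    sensitive: bool  # True if the content must not leave the organization
    text: str

def assemble_context(chunks):
    """Split retrieved chunks into (admitted, quarantined, audit).

    Policy: untrusted external text and sensitive internal data never share
    one model context. The check runs on what retrieval returned, so it
    applies whether the content arrived with no user action or was pulled
    in by an ordinary user prompt.
    """
    # Anything not explicitly labelled INTERNAL is treated as untrusted (fail closed).
    untrusted = [c for c in chunks if c.origin != INTERNAL]
    sensitive = [c for c in chunks if c.origin == INTERNAL and c.sensitive]
    if not (untrusted and sensitive):
        return list(chunks), [], None
    admitted = [c for c in chunks if c.origin == INTERNAL]
    # Audit record for detection: which input was held back, and what it was kept away from.
    audit = {
        "event": "llm_scope_violation_blocked",
        "quarantined": [c.doc_id for c in untrusted],
        "protected": [c.doc_id for c in sensitive],
    }
    return admitted, untrusted, audit

# Constructed sample retrieval result (no real data).
SAMPLE = [
    Chunk("mail-001", EXTERNAL, False, "[constructed inbound email body]"),
    Chunk("doc-017", INTERNAL, True, "[constructed confidential document]"),
    Chunk("wiki-042", INTERNAL, False, "[constructed public handbook page]"),
]

if __name__ == "__main__":
    admitted, quarantined, audit = assemble_context(SAMPLE)
    print([c.doc_id for c in admitted], audit)
```

The guard is deterministic and sits outside the model, so it does not depend on the model recognizing or refusing injected instructions.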
