Read AI Agent Security Risks

Work Copilot Agents · read.ai · Fortified Leaders

AI Risk Quadrant (chart): quadrants Exposed Giants, Fortified Leaders, Humble Providers and Tight Operators; Read AI is plotted at Defense Controls 7 and Attack Surface 5.02, in the Fortified Leaders quadrant.

Headline scores:
  • AIRQ Score: 5.38 (High)
  • Attack Surface: 5.02 (High)
  • Blast Radius: 5.38 (High)
  • Defense Controls: 7 (Medium)
About The Agent

Read AI is a cloud-hosted SaaS work copilot that transcribes meetings, generates AI summaries, and deploys an autonomous scheduling assistant (Ada) that sends emails and manages calendars across connected platforms. The agent ingests content from 20+ OAuth-integrated sources including Gmail, Google Drive, Slack, and CRM systems without documented content-level input filtering. Its primary risk surface is the convergence of untrusted external input through email and shared documents with autonomous outbound email actions that bypass per-action approval.

About the AI Risk Quadrant

Fortified Leaders characterizes agents with moderate attack surface paired with moderate blast radius but incomplete defensive controls. Read AI lands here because its trifecta-complete input surface and autonomous scheduling tools produce enough exposure to cross the attack threshold, while broad OAuth credential scopes and network egress to 20+ platforms elevate blast radius without reaching the unrestricted code execution or deployment access that defines the top quadrant. Operators should prioritize input filtering and autonomous action gating to reduce cross-boundary data flow.

1 Key Risks

The most critical security risks an operator inherits when deploying this agent in its documented default configuration. Read AI presents a trifecta-complete risk surface where broad untrusted input channels, sensitive OAuth-scoped data access, and autonomous external email egress converge without documented input guardrails or output filtering.

Key Input Risks
Ada ingests natural-language instructions from external email parties and Search Copilot processes shared documents from Gmail, Drive, and Slack without content-level adversarial input filtering. No prompt injection detection is documented for any of the agent's input channels [7].
Key Execution Risks
The LLM reasoning loop processes untrusted meeting transcripts and shared documents within a SOC 2 Type 2 certified multi-tenant boundary that has not been publicly red-teamed. No sandboxing documentation or adversarial testing results exist for the content processing path [5].
Key Action Risks
Ada autonomously sends scheduling emails to external recipients and creates calendar events without per-action operator approval on the default configuration. The agent holds OAuth tokens granting read/write access to Gmail, Google Calendar, Slack, and CRM platforms simultaneously [7].
Key Output Risks
Meeting summaries and Ada email responses are auto-distributed to Slack channels, email participants, CRM records, and webhook endpoints without documented DLP or output redaction. Untrusted meeting transcript content propagates to downstream integration consumers without URL sanitization [6].
Key Monitoring Risks
SOC 2 Type 2 certification implies internal monitoring exists, but no user-facing audit logging or SIEM integration is documented for operators on the default configuration. Ada scheduling actions and Search Copilot queries execute without operator-visible activity logs [10].

2 AIRQ Scores

The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. Read AI's composite score reflects moderate exposure from broad OAuth integration and autonomous email egress partially offset by SOC 2 certified isolation.

AIRQ Metrics

Read AI lands in the Fortified Leaders quadrant with an attack surface of 5.02, blast radius of 5.38, and defense controls of 7 out of 15.

Each axis is scored independently: attack surface and blast radius on a 0-10 scale, defense controls on 0-15, and the AIRQ composite on a 0-15 scale.

Metric | Score | Comments
AIRQ Score | 5.38 | Moderate risk-capability ratio indicating partial defense offset against broad OAuth access and autonomous email egress.
Blast Radius | 5.38 / 10 | Elevated by network egress to 20+ platforms, broad credential scopes across Gmail, Slack and CRM, and autonomous scheduling actions.
Attack Surface | 5.02 / 10 | Driven by untrusted email input, multi-platform data ingestion, persistent memory, and autonomous tool execution with trifecta-complete status.
Defense Controls | 7 / 15 | SOC 2 tenant isolation and partial approval gates documented, but input guardrails, DLP, and operator-facing audit logging are absent.

3 Attack Surface

Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. Read AI's reasoning loop ingests untrusted content from external email parties, shared documents across OAuth-integrated platforms, and meeting transcripts where external attendees speak.

Attack Surface Metrics

Higher scores on this agent reflect multiple untrusted input channels and autonomous tool execution rather than code execution or unrestricted planning capabilities.

Each row maps one attack surface dimension to its adjusted score and a comment describing the agent-specific exposure on the default configuration.

Surface | Score | Comments
User Input | 3 / 4 | Ada accepts natural-language scheduling instructions from external parties via email (CC ada@read.ai on any thread) with privilege abuse risk per [1] and [7].
External Data | 3 / 4 | Search Copilot ingests shared Google Drive files, Slack messages from external participants, and Gmail threads entering the reasoning loop [12].
Memory | 3 / 4 | Ada learns preferences persistently and the knowledge base indexes all connected sources without integrity verification, a memory hijack surface per [3] and [8].
Reasoning | 2 / 4 | LLM-based reasoning operates without documented adversarial controls or prompt injection detection per ATLAS AML.T0051 [4] on the default configuration [5].
Planning | 2 / 4 | Ada plans multi-step scheduling sequences constrained to availability checks, time-zone resolution, and invite sequencing within the calendar domain [11].
Tool Execution | 3 / 4 | Ada sends emails and creates calendar events autonomously without per-action confirmation on the default scheduling configuration [7].
Orchestration | 2 / 4 | Ada orchestrates multi-step scheduling workflows across email and calendar within a constrained domain without arbitrary workflow composition [8].
Inter-Agent | 2 / 4 | MCP server exposes meeting data to external AI tools via an OAuth-authenticated protocol with read-only access at launch [9].
Output Processing | 2 / 4 | Meeting summaries are distributed to multiple integration channels without documented output sanitization, a zero-click exfiltration vector per [2] and [6].
Configuration | 2 / 4 | OAuth scopes are granted at setup time via a validated web UI with calendar auto-join enabled by default on the standard configuration [5].

The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. Read AI ingests untrusted email and shared documents, accesses OAuth-scoped sensitive data across Gmail and Drive and Slack, and sends emails to external recipients autonomously.

Lethal Trifecta · Complete (3 of 3)

Read AI exhibits all three of these conditions in its documented default configuration:

  • Untrusted input — External parties can CC ada@read.ai on any email thread and Search Copilot reads shared content from untrusted sources [7].
  • Sensitive data — OAuth tokens grant access to Gmail inbox, Google Calendar, Drive files, Slack history, and CRM records containing confidential data [6].
  • External egress — Ada sends emails to external recipients, webhooks push data to configured endpoints, and MCP exposes meeting data externally [9].

4 Blast Radius

The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. A compromised Read AI session reaches OAuth-scoped email and calendar write access, outbound HTTP to 20+ platforms, and autonomous external email egress without code execution or deployment access.

Blast Radius Metrics

Higher blast scores on this agent reflect breadth of OAuth credential scopes and autonomous outbound communication rather than infrastructure compromise.

Each row maps one blast radius dimension to the OAuth scope, integration endpoint, or autonomous action that an attacker could leverage post-compromise.

Factor | Score | Comments
Code execution | 1 / 4 | The agent architecture excludes code execution; all actions are OAuth-scoped API calls to external services [5].
File system access | 2 / 4 | Writes meeting summaries to Google Drive, Notion, and Confluence; reads shared documents from connected platforms for context retrieval [6].
Network access | 3 / 4 | Outbound HTTP to 20+ integration endpoints, external email via Ada, and webhook push to operator-configured arbitrary endpoints [6].
Credential access | 3 / 4 | Holds OAuth tokens for Gmail read/send, Google Calendar read/write, Slack read/write, and CRM platforms with broad cross-platform scopes [6].
Autonomous action | 3 / 4 | Ada dispatches scheduling correspondence to external parties and modifies calendar entries without per-action approval on the default configuration [7].
Deployment access | 1 / 4 | No access to production infrastructure, CI/CD pipelines, or cloud consoles; operates exclusively in the SaaS meeting domain [5].

5 Defense Controls

Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. Read AI publishes SOC 2 Type 2 tenant isolation and partial action approval gates, but leaves input guardrails, DLP, and operator-facing audit logging undocumented on the default configuration.

Defense Controls Metrics

Higher defense scores indicate stronger vendor-implemented safeguards; lower scores indicate operator-managed or absent controls on the default configuration.

Each row scores one defense component from 0 (absent) to 3 (vendor-implemented with verified controls) based on documented default behavior.

Component | Score | Comments
Input Guardrails | 1 / 3 | Permission checks limit who can trigger actions, but no prompt injection detection or adversarial input filtering exists on any channel [5].
Execution Isolation | 2 / 3 | SOC 2 Type 2 certified multi-tenant SaaS with an authorization service enforcing permission checks and AES-256 encryption at rest [5].
Action Controls | 2 / 3 | Non-scheduling actions require sidebar approval before sending, but scheduling emails and calendar events fire autonomously after setup [7].
Output Guardrails | 1 / 3 | Outputs are visible only to authorized users, but no DLP, exfiltration blocking, or URL sanitization exists for Ada emails or meeting reports [10].
Monitoring | 1 / 3 | SOC 2 certification implies internal controls exist, but operators have no access to activity logs, SIEM integration, or anomaly detection [5].

6 Hardening Tips

Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Operators should prioritize breaking the trifecta by gating Ada's autonomous email actions and deploying input filtering on untrusted content channels.

Input Guardrails

Input guardrails intercept adversarial content before it reaches the reasoning loop.

  • Policy: Restrict Ada email interactions to approved sender domains rather than individual contacts, to balance security with scheduling flexibility.
  • Configuration: Configure Search Copilot data source connections to exclude shared folders and channels containing external or untrusted content.
  • Engineering: Deploy a prompt injection detection classifier on inbound emails and shared documents before they reach the reasoning loop.
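As an added illustration of the policy and engineering tips above (this is not Read AI code or a vendor feature; the approved-domain set, the heuristic patterns and the mail fields are assumptions), a Python screen an operator could run on inbound mail before it is handed to a scheduling assistant. It enforces the sender-domain allowlist first and then holds any message carrying instruction-like text for human review.

```python
import re
from dataclasses import dataclass

# Assumption: operator-approved sender domains for assistant-handled threads
# (constructed values, not Read AI configuration).
APPROVED_SENDER_DOMAINS = {"example.com", "partner.example"}

# Heuristic indicators of instruction-like text inside an email body. This is a
# defender-side pre-screen that flags for review; it does not replace a trained
# classifier and will miss paraphrased instructions.
INJECTION_PATTERNS = [
    re.compile(r"ignore (all |any )?(previous|prior|above) instructions", re.I),
    re.compile(r"\b(you are now|act as|new instructions?:)\b", re.I),
    re.compile(r"\b(forward|send|email) (all |the )?(calendar|inbox|messages|files)\b", re.I),
    re.compile(r"<!--.*?-->|\[hidden\]|\x00", re.S),  # hidden-comment / control-char tricks
]

@dataclass
class ScreenResult:
    allowed: bool       # may the message reach the assistant?
    reason: str         # human-readable decision for the audit log
    indicators: list    # matched heuristic patterns (empty when clean)

def sender_domain(address: str) -> str:
    """Extract the domain from 'Name <user@domain>' or 'user@domain'."""
    return address.rsplit("@", 1)[-1].lower().strip(">")

def screen_inbound_email(sender: str, body: str) -> ScreenResult:
    """Decide whether an inbound email may be handed to the scheduling assistant."""
    domain = sender_domain(sender)
    if domain not in APPROVED_SENDER_DOMAINS:
        return ScreenResult(False, f"sender domain {domain!r} not on allowlist", [])
    hits = [p.pattern for p in INJECTION_PATTERNS if p.search(body)]
    if hits:
        return ScreenResult(False, "instruction-like content; hold for human review", hits)
    return ScreenResult(True, "sender approved and body clean", [])
```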

Execution Isolation

Execution isolation contains what a compromised agent can do on the host.

  • Policy: Require SAML SSO enforcement for all workspace members to prevent unauthorized account access to tenant meeting data.
  • Configuration: Enable IP allowlisting on the Enterprise+ plan to restrict Read AI access to corporate network ranges only.
  • Engineering: Implement network-level egress filtering between Read AI integrations and sensitive internal data stores.

Action Controls

Action controls govern which tools and actions the agent can invoke autonomously.

  • Policy: Require explicit per-meeting approval before Ada sends scheduling emails to recipients outside the organization domain.
  • Configuration: Disable calendar auto-join for meetings with external participants until the host explicitly approves attendance.
  • Engineering: Implement a webhook-based approval workflow gating Ada calendar modifications through a secondary authorization service.
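The Lethal Trifecta analysis in section 3 and the action-control tips above describe the same control from two sides. This added Python example (not from Read AI or this profile) models it as a session-level taint check in front of the assistant's send action: internal mail goes out, external mail waits for per-message approval, and once both untrusted input and sensitive data have entered the session, an external send is refused outright because it would complete all three legs. The organization domain, scope names and event labels are assumptions.

```python
from dataclasses import dataclass, field

# Trifecta legs a session can accumulate (assumed design for an operator-side
# gate, not a Read AI feature).
UNTRUSTED_INPUT = "untrusted_input"
SENSITIVE_DATA = "sensitive_data"

@dataclass
class Session:
    org_domain: str                                    # the operator's own mail domain
    taints: set = field(default_factory=set)           # trifecta legs already present
    sources: list = field(default_factory=list)        # audit trail of what was ingested
    pending_approvals: list = field(default_factory=list)

    def ingest(self, source: str, external: bool) -> None:
        """Record an input; anything from outside the tenant taints the session."""
        self.sources.append(source)
        if external:
            self.taints.add(UNTRUSTED_INPUT)

    def read_private(self, scope: str) -> None:
        """Record a read through a sensitive OAuth scope (gmail, drive, slack, crm)."""
        self.sources.append(f"scope:{scope}")
        self.taints.add(SENSITIVE_DATA)

    def decide_send(self, recipients: list) -> str:
        """Return 'send', 'approve' or 'block' for an outbound email the assistant wants to send."""
        external = [r for r in recipients
                    if r.rsplit("@", 1)[-1].lower() != self.org_domain]
        if not external:
            return "send"                 # internal mail never completes the trifecta
        if {UNTRUSTED_INPUT, SENSITIVE_DATA} <= self.taints:
            return "block"                # third leg: refuse and leave it to the operator
        self.pending_approvals.append(list(recipients))
        return "approve"                  # external mail still needs per-message approval
```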

Output Guardrails

Output guardrails inspect what the agent sends to other systems and users.

  • Policy: Establish a policy requiring manual review of meeting summaries before auto-distribution to external Slack channels or CRM.
  • Configuration: Configure integration-level filtering to redact sensitive keywords from meeting summaries before downstream distribution.
  • Engineering: Deploy a DLP proxy on the webhook egress path to scan outbound meeting data for PII and confidential markers.
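An added example of the DLP step on the webhook egress path (written for this page, not Read AI's proxy or payload schema; the regexes, the confidentiality markers and the payload fields are assumptions). It redacts email addresses and phone numbers, strips URLs from the summary, and refuses to forward a payload at all when a confidentiality marker is present.

```python
import re

# Detection patterns for the DLP check (constructed; tune to the operator's data).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
URL_RE = re.compile(r"https?://\S+|www\.\S+", re.I)
CONFIDENTIAL_MARKERS = ("confidential", "internal only", "do not distribute")

def sanitize_summary(text: str) -> tuple:
    """Redact PII, strip URLs, and count findings; returns (clean_text, findings)."""
    findings = {"email": 0, "phone": 0, "url": 0, "marker": 0}

    def _redactor(key):
        def repl(match):
            findings[key] += 1
            return f"[{key.upper()} REDACTED]"
        return repl

    text = URL_RE.sub(_redactor("url"), text)      # URLs first: they can embed '@'
    text = EMAIL_RE.sub(_redactor("email"), text)
    text = PHONE_RE.sub(_redactor("phone"), text)
    lowered = text.lower()
    findings["marker"] = sum(lowered.count(m) for m in CONFIDENTIAL_MARKERS)
    return text, findings

def gate_webhook_payload(payload: dict) -> tuple:
    """Return (allowed, payload_with_sanitized_summary_and_dlp_findings)."""
    summary, findings = sanitize_summary(payload.get("summary", ""))
    cleaned = dict(payload, summary=summary, dlp=findings)
    # Redacted PII may still go out; a confidentiality marker blocks the whole push.
    return findings["marker"] == 0, cleaned
```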

Monitoring

Monitoring captures what the agent did and surfaces anomalies for review.

  • Policy: Require weekly review of Ada scheduling activity to detect unauthorized external communications or anomalous volume patterns.
  • Configuration: Forward Read AI activity data to your SIEM via API polling to enable correlation with enterprise security events.
  • Engineering: Implement alerting on high-volume Ada email sends or calendar modifications exceeding normal scheduling thresholds.
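An added example of the volume alerting described in the engineering tip, run over constructed activity records (the record format, thresholds and domain are assumptions; Read AI's actual export schema is not documented on this page). A sliding window flags both a raw send burst and a spike in external recipients, which is the pattern the policy tip asks reviewers to look for.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed activity records in a shape an operator might assemble by polling
# an activity API (assumed format, not Read AI's export schema).
SAMPLE_EVENTS = [
    "2025-03-03T09:00:12Z ada.email.send to=bob@example.com",
    "2025-03-03T09:05:40Z ada.calendar.create attendees=2",
    "2025-03-03T09:20:03Z ada.email.send to=vendor@outside.example",
    "2025-03-03T09:21:15Z ada.email.send to=x1@outside.example",
    "2025-03-03T09:21:16Z ada.email.send to=x2@outside.example",
    "2025-03-03T09:21:17Z ada.email.send to=x3@outside.example",
    "2025-03-03T09:21:18Z ada.email.send to=x4@outside.example",
]

ORG_DOMAIN = "example.com"           # assumed tenant domain
WINDOW = timedelta(minutes=10)       # assumed thresholds; tune to observed baseline
MAX_SENDS_PER_WINDOW = 3
MAX_EXTERNAL_PER_WINDOW = 2

def parse(line: str):
    """Split 'timestamp action k=v ...' into (datetime, action, attrs)."""
    ts, action, *kv = line.split()
    attrs = dict(p.split("=", 1) for p in kv)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), action, attrs

def detect_send_bursts(lines) -> list:
    """Return alert strings for send-volume and external-recipient spikes in a sliding window."""
    alerts, window = [], deque()
    for line in lines:
        ts, action, attrs = parse(line)
        if action != "ada.email.send":
            continue
        external = attrs["to"].rsplit("@", 1)[-1] != ORG_DOMAIN
        window.append((ts, external))
        while window and ts - window[0][0] > WINDOW:   # drop sends older than the window
            window.popleft()
        sends = len(window)
        ext = sum(1 for _, is_ext in window if is_ext)
        if sends > MAX_SENDS_PER_WINDOW:                  # volume alert takes precedence
            alerts.append(f"{ts.isoformat()} volume: {sends} sends in {WINDOW}")
        elif ext > MAX_EXTERNAL_PER_WINDOW:
            alerts.append(f"{ts.isoformat()} external: {ext} external sends in {WINDOW}")
    return alerts
```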

7 References

The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7]) refer to the entries below, which are numbered continuously across the four groups in citation order.

Selected Vulnerabilities

  1. OWASP Top 10 for Agentic Applications 2026: ASI01 Agent Goal Hijack and ASI03 Identity and Privilege Abuse apply to work copilots with broad OAuth scopes.
  2. EchoLeak, zero-click M365 Copilot data exfiltration (CVE-2025-32711, CVSS 9.3): class-level demonstration of zero-click exfiltration from work copilot context on M365 Copilot.

Selected Research

  3. Copirate 365, persistent M365 Copilot backdoor via memory hijacking (CVE-2026-24299): demonstrated persistent command injection via work copilot long-term memory.
  4. MITRE ATLAS, adversarial threat landscape for AI systems: AML.T0051 prompt injection and AML.T0062 tool invocation techniques apply to agentic copilots.

Vendor Documentation

  5. Read AI Security and Privacy Overview: documents SOC 2 Type 2, AES-256, TLS 1.2, the permission-check architecture and tenant isolation.
  6. Read AI integrations (connected platforms): documents 20+ platforms with OAuth integration, including Gmail, Calendar, Slack, HubSpot and Salesforce.
  7. Ada executive assistant, getting started: documents autonomous scheduling and email actions, and sidebar approval for non-scheduling tasks.
  8. Introducing Ada, Read AI digital twin: documents Ada autonomous learning, preference persistence and multi-step scheduling orchestration.
  9. Read AI MCP server for external AI tools: documents the OAuth-authenticated MCP protocol exposing meeting data to Claude, ChatGPT and Cursor.
  10. Read AI Privacy Policy: documents data collection, retention, subprocessors and GDPR compliance posture.

Other Sources

  11. Read AI Ada digital twin product page: documents Ada multi-step scheduling and autonomous calendar management capabilities.
  12. Read AI botless integration and Search Copilot: documents Search Copilot cross-platform knowledge retrieval from Gmail, Drive, Slack and meetings.