
McKinsey’s Lilli AI Hack: What It Signals for AI Governance, Security and Disclosure
From Compliance into the Weeds by Tom Fox
March 18, 2026 · 20 min · Episode 458
About this episode
Tom Fox and Matt Kelly discuss the implications of the recent hack of McKinsey's AI tool Lilli and its impact on AI governance and security.
The award winning, Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly look the recent hack of McKinsey’s AI tool Lilli. Tom and Matt discuss a Financial Times report that a white-hat hacker, Paul Price of one-person firm Code Wall, exploited flaws in McKinsey’s internal AI tool “Lilli” to access millions of internal chat messages, view sensitive client-related file names, and see the model weights used to train the system; McKinsey patched the vulnerabilities after disclosure. They argue the incident highlights emerging AI risks beyond traditional cybersecurity, including AI agents autonomously scouting for targets, the possibility of attackers altering models to change outputs and create hard-to-detect “drift,” and confusion over who inside organizations owns AI security and governance. The episode also explores the messy, inconsistent disclosure landscape for AI-related incidents and urges…
People in this episode
Hosts: Tom Fox, Matt Kelly
Topics covered
- AI governance
- cybersecurity
- compliance
- AI risks
- data disclosure
Keywords
- McKinsey
- Lilli
- hack
- white-hat hacker
- AI risks
- model drift
- disclosure
Mentioned in this episode
Products: Lilli, McKinsey Lilli
Books & works: Compliance into the Weeds, a Davey, Communicator and w3 Award
More episodes of Compliance into the Weeds
- Banking Regulators Cut Model Risk Guidance: Implications for Compliance, Audit, and AML Oversight · April 22, 2026 · 23 min
- Surveying Retaliation Against Compliance Officers · April 15, 2026 · 17 min
- Duty Owed vs. Material Nonpublic Information: Prediction Markets and Compliance · April 8, 2026 · 25 min
- AI-Driven SOC Audits and the Growing Trust Gap · April 1, 2026 · 23 min
- Balt and TradeStation: Lessons for the Compliance Professional · March 25, 2026 · 27 min
- Carrots and Sticks in Washington: Antitrust Whistleblowers and an FCPA SOL Extension · March 11, 2026 · 19 min
Explore listener stats, chart rankings, contacts and more on the Compliance into the Weeds podcast page.