Source: Reddit r/netsec (category: Critical Vulnerabilities)

Common architectural pattern across four Q1 2026 AI assistant vulnerabilities (CVE-2026-26144, CVE-2026-0628, CVE-2026-24307, PleaseFix)

A series of early 2026 CVEs (CVE-2026-26144, CVE-2026-0628, CVE-2026-24307) demonstrates a common architectural pattern: AI assistants are exploited via indirect prompt injection, and their broad permissions are then turned against the user to perform actions such as data exfiltration and system compromise. For CVE-2026-0628, the CVSS 3.1 score is 8.8 (HIGH); it affects Google Chrome versions prior to 143.0.7499.192, and 143.0.7499.192 is the fixed version. The article highlights a critical industry-wide gap: the rapid deployment of agentic AI systems is outpacing security readiness.

Four distinct security incidents in early 2026 prove that AI assistants have become viable, weaponizable attack vectors. Researchers demonstrated zero-click data exfiltration through Excel's Copilot Agent, full system compromise via Chrome's Gemini panel, session hijacking of Microsoft Copilot Personal, and 1Password vault takeover through Perplexity's agentic browser. Each exploits the same fundamental problem: AI agents inherit broad permissions and cannot reliably distinguish legitimate instructions from attacker-controlled content. The industry data confirms the gap: 83% of organizations plan to deploy agentic AI, but only 29% feel ready to secure it.

The landscape: agentic AI outpaces security readiness

Before examining each incident, the macro picture matters. Three major 2026 reports quantify the structural mismatch between AI adoption velocity and security preparedness.

The Cisco State of AI Security 2026 report (published February 19, 2026) found that 83% of surveyed organizations had planned to deploy agentic AI capabilities into their business functions, while only 29% felt truly ready to leverage these technologies securely. The report examines prompt injection evolution, AI supply chain fragility, and the growing risk surface of Model Context Protocol (MCP) in agentic AI systems.

The IBM X-Force 2026 Threat Intelligence Index (published February 25, 2026) reported a 44% increase in attacks exploiting public-facing applications, largely driven by missing authentication controls and AI-enabled vulnerability discovery. Vulnerability exploitation became the leading cause of attacks, accounting for 40% of all incidents observed by X-Force in 2025. Of nearly 40,000 vulnerabilities tracked, 56% could be exploited without any form of authentication.

Google's Threat Intelligence Group published "Look What You Made Us Patch: 2025 Zero-Days in Review" on March 5, 2026, tracking 90 zero-day vulnerabilities exploited in the wild during 2025. Enterprise technologies reached an all-time high, with 43 zero-days (48%) targeting enterprise products. GTIG expects AI tools will help automate vulnerability discovery and accelerate exploit development in 2026.

The OWASP Top 10 for LLM Applications 2025 maintains prompt injection as the #1 risk (LLM01:2025), defining indirect prompt injection explicitly: an LLM accepts input from external sources containing content that alters model behavior. This is the exact mechanism underlying all four incidents below.

CVE-2026-26144: a simple XSS turns Copilot Agent into an exfiltration tool

Disclosed on the March 10, 2026 Patch Tuesday, CVE-2026-26144 is a cross-site scripting vulnerability in Microsoft Excel classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). Microsoft rated it Critical despite a CVSS 7.5 base score, an unusual severity elevation for an information disclosure bug. The attack requires no privileges and no user interaction. Microsoft's advisory states the vulnerability could cause Copilot Agent mode to exfiltrate data via unintended network egress, enabling a zero-click information disclosure attack. The Preview Pane is explicitly not a valid attack path.

The mechanism: an attacker delivers specially crafted content that exploits the XSS flaw in Excel's web-rendering pipeline. When processed, this content causes the Copilot Agent to initiate outbound data transmission without user awareness. The AI agent itself becomes the exfiltration channel.

No public proof-of-concept exists. Microsoft assessed exploitation as "unlikely" with no evidence of active abuse at the time of release. ZDI's Dustin Childs called it "a fascinating bug and an attack scenario we're likely to see more often. The vulnerability is a simple cross-site scripting bug in Excel, but an attacker could use it to cause the Copilot Agent to exfiltrate data off the target. This essentially makes it a zero-click information disclosure. Info disclosures rarely get rated Critical, but it makes sense here."

CVE-2026-0628 (GlicJack): one extension, full Gemini panel compromise

Discovered by Gal Weizman, Senior Principal Researcher at Palo Alto Networks Unit 42, GlicJack (short for "Gemini Live in Chrome hijack") demonstrates how a malicious Chrome extension with only basic permissions can fully compromise Chrome's privileged Gemini AI panel. The vulnerability carries a CVSS 8.8 (High) score, classified as CWE-862 (Missing Authorization). It affects all Chrome versions prior to 143.0.7499.192 and was patched on January 6, 2026.

The exploit chain hinges on an architectural oversight. Google added Gemini integration to Chrome in September 2025, loading the Gemini side panel at the internal URL chrome://glic, which uses a WebView component to embed gemini.google.com/app. Chrome's declarativeNetRequest API allows extensions to intercept and modify HTTPS requests, a legitimate capability used by ad blockers. The critical flaw: when engineers applied rejection lo...
