McKinsey Scores 56/95 on AI Presence. Their AI Platform Got Hacked in 2 Hours.
- Patrick Duggan
- Mar 19
- 3 min read
The $100B consulting firm that charges $500K for strategic analysis couldn't parameterize a SQL query.
On February 28, 2026, security startup CodeWall deployed an autonomous AI agent against McKinsey's internal AI platform, Lilli. No credentials. No human intervention. Within two hours, the agent had full read-write access to the database.
What it found:
- 46.5 million plaintext chat messages
- 728,000 files (192K PDFs, 93K spreadsheets)
- 57,000 employee accounts
- 384,000 AI assistants and 94,000 workspaces
- 3.68 million RAG document chunks
- 95 system prompts controlling 12 AI model types
- 1.1 million files via external APIs and 266,000+ OpenAI vector stores
The vulnerability? SQL injection. Field names concatenated directly into queries. Database error messages reflected input verbatim. Twenty-two unauthenticated API endpoints sitting in the open.
This is not 2006. This is 2026. And it happened to the company that invented modern management consulting.
We Already Had the Number
We ran McKinsey through our AI Presence Monitor (AIPM) — the same tool that audited 46 of the biggest names in cybersecurity and cloud infrastructure earlier this month.
McKinsey.com scored 56 out of 95.
The breakdown:
| Dimension | Score |
|---|---|
| Awareness | 61 |
| Accuracy | 50 |
| Sentiment | 52 |
| Recommendation | 61 |
| Overall | 56 |
| NPS | -40 |
GPT-4o, Claude, and Gemini all know who McKinsey is (85 awareness). Mistral and DeepSeek scored them 25. Accuracy was flat 50 across the board — the AI models can describe McKinsey but can't verify their claims.
An NPS of -40 means more AI models would actively discourage recommending McKinsey than would promote them.
For context: a well-optimized cybersecurity company scores 75-85. A company with proper JSON-LD structured data, consistent messaging, and verifiable claims scores 80+. McKinsey — a firm that sells strategic advice to Fortune 500 companies — scores lower than most of our STIX feed customers.
The Irony Is Structural
McKinsey charges between $500,000 and $3 million for a typical engagement. Their AI platform Lilli was supposed to be the future — an internal tool that lets consultants query institutional knowledge using AI.
- SQL injection in 2026
- Unauthenticated API endpoints
- Error messages that leaked database structure
- Plaintext chat storage
These are OWASP Top 10 vulnerabilities that junior developers learn to avoid in their first week. An autonomous AI agent found them in two hours. CodeWall didn't need a team of consultants. They needed one script.
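The two defects the disclosure describes, a field name spliced into the query text and a raw database error echoed back to the caller, side by side with the fix. This is an added illustration written for this post, not code from Lilli or CodeWall; the `documents` table, its rows and the `ALLOWED_FIELDS` list are constructed placeholders. The point a practitioner should take from it: a column name cannot be passed as a bind parameter, so it has to be checked against a fixed allowlist, while the value is bound and the real error stays server-side.

```python
import sqlite3

# Constructed sample schema; column names are placeholders, not Lilli's.
ALLOWED_FIELDS = {"id", "title", "owner"}

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT, owner TEXT)")
    conn.executemany("INSERT INTO documents (title, owner) VALUES (?, ?)",
                     [("Q1 plan", "alice"), ("Roadmap", "bob")])
    return conn

def unsafe_search(conn, field, value):
    # The pattern the post describes: field name and value are concatenated
    # into the SQL text, and the raw database error, which echoes the input
    # verbatim, is returned to the caller.
    sql = f"SELECT id, title FROM documents WHERE {field} = '{value}'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return {"error": str(exc)}

def safe_search(conn, field, value):
    # Identifiers cannot be bound as parameters, so the field name is checked
    # against a fixed allowlist and quoted as an identifier; the value goes
    # through a bind parameter, so quotes inside it are data, not SQL.
    if field not in ALLOWED_FIELDS:
        return {"error": "invalid request"}
    sql = f'SELECT id, title FROM documents WHERE "{field}" = ?'
    try:
        return conn.execute(sql, (value,)).fetchall()
    except sqlite3.Error:
        # Log the real error server-side; the client only sees a generic message.
        return {"error": "invalid request"}

if __name__ == "__main__":
    db = make_db()
    print(unsafe_search(db, "nonexistent", "x"))  # leaks "no such column: nonexistent"
    print(unsafe_search(db, "owner", "o'hara"))   # an ordinary apostrophe breaks the query
    print(safe_search(db, "nonexistent", "x"))    # generic error, nothing echoed
    print(safe_search(db, "owner", "o'hara"))     # [] : the apostrophe is just data
```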
What This Means
The CodeWall disclosure validates something we've been saying since we launched AIPM: if you can't see yourself the way AI sees you, you can't secure yourself the way AI attacks you.
McKinsey's score of 56 isn't about their marketing. It's a signal. Companies with low AI presence scores tend to have low AI security maturity. The correlation isn't causal — it's structural. If you haven't thought about how AI perceives your brand, you probably haven't thought about how AI perceives your attack surface.
An AIPM audit takes 15 seconds and costs nothing. McKinsey's Lilli hack took 2 hours and exposed 46.5 million messages.
One of those is preventive. The other is what happens when you skip prevention.
Check Your Score
We audit any domain, free, in 15 seconds: aipmsec.com
The STIX feed is at analytics.dugganusa.com/stix/pricing. The IOCs are real. The scores are real. The SQL injection was real too.
DugganUSA LLC is a cybersecurity threat intelligence company based in Minneapolis. We index 1M+ IOCs, audit AI presence across 5 models, and publish a free STIX 2.1 feed. We are not McKinsey. We charge less and parameterize our queries.