In February 2026, an autonomous AI agent accessed McKinsey's internal AI platform by injecting SQL commands into the metadata fields of API requests. The technique was thirty years old. What was new was that an AI agent could discover the vulnerability, attempt it systematically across 200 API endpoints, and exploit it autonomously in under two hours, for approximately twenty dollars in compute cost.

McKinsey is not a careless organization. They had security teams and documented APIs, and they sanitized the obvious inputs. What they did not have was an architecture designed for machine-speed, persistent, adversarial probing at scale.
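An added example, not code from McKinsey or from this article, of how "sanitized the obvious inputs" can still leave a metadata field injectable, next to the hardened form. It assumes a hypothetical handler that binds request values as parameters but pastes a field name from request metadata into the SQL text; the table, the field names, the allowlist and the sample rows are all constructed.

```python
import sqlite3

# Hypothetical allowlist: metadata field name -> real column identifier.
FILTER_COLUMNS = {"status": "status", "doc_type": "doc_type"}

def make_db():
    """Constructed sample data: two tenants sharing one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (tenant TEXT, status TEXT, doc_type TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO files VALUES (?, ?, ?, ?)",
        [("acme", "active", "lease", "acme-lease.pdf"),
         ("acme", "archived", "lease", "acme-old.pdf"),
         ("globex", "active", "paystub", "globex-paystub.pdf")],
    )
    return conn

def search_weak(conn, tenant, field, value):
    """Values are bound, but the field name from request metadata is
    pasted into the SQL text, so it can change the query's structure."""
    sql = f"SELECT name FROM files WHERE tenant = ? AND {field} = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (tenant, value))]

def search_hardened(conn, tenant, field, value):
    """Field names are looked up in an allowlist; only fixed column
    identifiers ever reach the SQL text, and values stay bound."""
    column = FILTER_COLUMNS.get(field)
    if column is None:
        raise ValueError(f"unsupported filter field: {field!r}")
    sql = f"SELECT name FROM files WHERE tenant = ? AND {column} = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (tenant, value))]

if __name__ == "__main__":
    db = make_db()
    crafted = "1=1 OR status"  # constructed metadata value, not a column name
    print(search_weak(db, "acme", "status", "active"))   # scoped to one tenant
    print(search_weak(db, "acme", crafted, "active"))    # tenant scoping is lost
    try:
        search_hardened(db, "acme", crafted, "active")
    except ValueError as err:
        print("rejected:", err)
```

In the weak version the tenant filter stops scoping the query even though every value is parameterized, which is why reviews need to cover field names, sort keys and other request metadata as well as values.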

The property management software stack is architecturally identical to Lilli, McKinsey's internal AI platform. And the data behind it is significantly more sensitive.

The parallel

McKinsey had a core platform surrounded by third-party integrations, each with its own API, each built by a different team, each with its own authentication standard. PMC software has the same structure: a core PMS surrounded by integrations for screening, payments, insurance, identity verification, maintenance, and compliance. The attack surface has never been audited as a connected whole. It does not need to be exotic to be exploited. It just needs to be present.

What lives behind those APIs

The McKinsey breach exposed internal chat messages, strategy documents, and client files. That is serious. The rental economy's equivalent exposure is considerably more personal.

PMC software integrations collectively hold social insurance numbers, banking credentials used for automated rent collection, income documentation including bank statements and pay stubs, rent payment histories, tenancy records, and the outputs of underwriting AI that carriers use to price coverage across large portfolios. That last category deserves specific attention.

The McKinsey breach included write access to the system prompts that governed how Lilli reasoned and responded. The attacker did not just take data. They could silently alter how the AI answered questions going forward. Every analysis, every recommendation, every risk assessment generated by Lilli after that point could have been shaped by whoever held write access.

An underwriting AI in the rental stack is making pricing decisions across thousands of policies. A compromised system prompt does not just expose data. It silently alters the logic that prices risk, determines coverage, and shapes the financial outcomes of every transaction the AI touches after the compromise. The carrier does not know. The operator does not know. Nobody knows until claims time.

$20: Estimated compute cost of the McKinsey Lilli breach. The attack gained read-write access to 46.5 million messages and 728,000 sensitive files.

93.3% of large operators already experience tenant fraud. A compromised AI layer makes fraud harder to detect, not easier.

130+: Average number of third-party SaaS integrations running in an enterprise environment. Each integration is a potential seam. Each seam is a potential traversal path.

The architectural conclusion

The response most organizations will take is to add security layers on top of existing infrastructure: better rate limiting, additional authentication gates, more monitoring. This is useful and will help at the margins. It will not solve the underlying problem.

The underlying problem is not that individual APIs are insufficiently secured. It is that the architecture is fragmented. Fragmented architecture produces fragmented security postures. Each integration point is a seam. Each seam is a potential gap. And AI agents do not probe one seam at a time. They probe all of them in parallel, continuously, at a cost that falls every quarter.

The McKinsey breach will not be the last of its kind to affect the rental economy's data infrastructure. The organizations that recognize this now and think seriously about reducing the number of trust boundaries their data passes through are the ones that will be in a defensible position when the exposures that are currently theoretical become actual incidents.

The question is not whether to improve point security. The question is whether the architecture produces a surface that is fundamentally traversable, regardless of how well each individual point is secured. That is an architectural question, not a product question, and it requires an architectural answer.

Robert Elensky

Founder & CEO, VFIntel

Robert built VFIntel on the premise that the rental economy's financial coordination failure is an infrastructure problem, not a product problem. He writes on regulated fintech, embedded insurance, and the structural risks accumulating across the enterprise software stack as AI agents become the primary actors operating within it.