Skip to content

Grok CLI Leak Exposes a Gap in AI Governance

Sotiris Spyrou

Share this article

LinkedInXEmail
Grok CLI Leak Exposes a Gap in AI Governance

The Grok Build CLI, xAI's coding assistant, uploaded entire private code repositories, including secrets files, to xAI's cloud storage regardless of whether users opted out. An independent researcher proved it with a wire-level traffic capture on July 14, 2026. If your organisation has approved any agentic coding tool without reviewing what it transmits, you have a live gap, not a theoretical one.

This is not a story about one vendor's bug. It's a story about what your AI governance framework was built to catch, and what it wasn't.

Most AI governance policies written in the last two years were built for a specific threat model: a model gives a biased answer, a chatbot hallucinates a fact, a decision system discriminates against a protected group. Those are real risks and worth governing. But the Grok Build CLI incident is a different animal. Nobody asked the model a bad question. The tool itself moved data it was never asked to touch, past a control the user had explicitly switched off. That's an access-control failure wearing an AI costume, and most boards don't have a policy that covers it.

What actually happened with the Grok Build CLI?

An independent researcher going by cereblab, describing themselves as an "independent AI safety checker," ran Grok Build CLI version 0.2.93 through a controlled HTTPS interception proxy on macOS and published the wire-level results as a public technical write-up.

The headline finding: when pointed at a 12 GB test repository, the CLI uploaded 5.10 GiB of data (5,476,228,005 bytes, in 73 chunks of roughly 75 MB each) to a Google Cloud Storage bucket, gs://grok-code-session-traces/. In the same session, the legitimate model-conversation channel carried only 192 KB. That's a ratio of roughly 27,800 to 1 between what the assistant needed to answer the user's question and what actually left the machine.

The researcher planted a canary .env file containing fake credentials (API_KEY=CANARY7F3A9-SECRET-should-not-leave, DB_PASSWORD=CANARY7F3A9-DBPASS). Both strings showed up verbatim in the uploaded data. A second canary file, one the agent was explicitly told never to open, was still recovered intact from the uploaded git bundle, along with the repository's full commit history, including previously deleted files.

Why didn't the opt-out setting stop it?

This is the detail that should worry every compliance officer reading this. The researcher tested Grok's "improve the model" toggle, switched it off, and ran the same test again. The upload happened anyway. The server-side /v1/settings response still returned trace_upload_enabled: true after the toggle was disabled.

The one control that reliably stopped the behaviour was a separate, less visible flag: disable_codebase_upload = true, set directly in the CLI's config file or via environment variable. That flag wasn't part of the CLI's onboarding flow. A user acting in good faith, reading the visible privacy setting and trusting it, would have had no way to know their entire codebase was still leaving the building.

xAI's response so far: a server-side change around July 13 that defaults the upload behaviour off, plus a public commitment from Elon Musk to delete previously uploaded data. As of this writing, that deletion hasn't been independently verified, and xAI has issued no formal disclosure covering how many users were affected or how long the data sat in storage.

Is this an xAI problem or a category problem?

Category problem. Agentic coding tools, by design, need broad filesystem access to be useful. That's the entire value proposition: point it at your codebase and let it work. The Grok incident is the first well-documented, wire-level proof that "broad access" and "unrestricted transmission" get conflated inside these tools, and that the privacy toggle a user sees in the UI doesn't necessarily govern the pipe the data actually travels through.

Security researchers tracking this category count multiple agentic-tool security incidents in recent weeks alone, spanning coding assistants and autonomous agents in other domains, including accounts of a data-poisoning attack against an autonomous financial trading agent that reportedly caused it to recommend fabricated investment products. Full details on that case remain unconfirmed publicly, but the pattern across the incidents that are documented is consistent: the tools were adopted for productivity, and the security review that would normally gate a new enterprise application never happened, because the tool arrived as a developer's personal CLI install rather than a procurement decision.

Why do existing AI governance frameworks miss this?

Because most of them were written to answer a narrower question: is the model's output fair, accurate, and explainable? That's model governance. What the Grok CLI incident exposes is tool governance: does this piece of software, regardless of how good its underlying model is, respect the access boundaries and consent settings a user configured?

A framework built for model risk asks "could this system produce a biased decision." A framework built for agentic tool risk has to ask a different question: "what does this tool actually send over the wire, and does that match what we were told it sends." Most boards have never asked the second question, because until this month, nobody had published proof that the answer could diverge this badly from the marketing copy.

The gap shows up in the numbers. According to the What Directors Think 2026 report, published by the Diligent Institute and Corporate Board Member from a survey of more than 200 sitting public company directors, 66% of directors now use AI tools for board work such as meeting preparation. Only 22% say their board has governance processes in place to guide that usage. Two-thirds of the people setting AI policy for their organisations are using ungoverned AI tools themselves.

Governance dimension Coverage today
Model output bias and fairness Widely covered in existing frameworks
Data provenance for training Increasingly covered under EU AI Act and similar regimes
What a tool transmits regardless of settings Rarely covered; usually assumed rather than tested
Director and executive personal AI tool use 22% of boards have a governance process
Wire-level verification of vendor privacy claims Almost never performed before procurement

What should a board or compliance leader do this week?

Not wait for a formal framework to arrive. Here's the practical sequence, in the order it should happen:

  1. Inventory every agentic coding or automation tool in use, including ones individual developers installed without a procurement ticket. If nobody can name them all, that's the finding.
  2. Ask each vendor for a wire-level data flow diagram, not a privacy policy summary. A privacy policy tells you what they say they do. A traffic capture tells you what the software does. Demand the second one, or run it yourself before renewal.
  3. Test the opt-out, don't just enable it. If a setting claims to stop data leaving the organisation, verify that with a network capture before you trust it in a regulated environment.
  4. Rotate credentials in any repository that has run an ungoverned agentic CLI. Treat this as you would any other suspected credential exposure, because functionally, it is one.
  5. Extend AI governance policy to cover tool behaviour alongside model output. A single new clause, "any agentic tool with filesystem or codebase access requires a verified data-flow review before deployment," closes most of this gap immediately.
  6. Put board AI usage inside board AI governance. If directors are using AI for meeting prep, that usage needs the same policy coverage as any other AI deployment in the business.

How does this fit the wider regulatory picture?

The direction of travel makes this more urgent, not less. Under the EU AI Act, penalties for the most serious violations run up to €35 million or 7% of global annual turnover, whichever is higher, and the AI Office has moved from publishing guidance to opening active investigations through 2026. None of the frameworks built to satisfy that regime were written with "does the developer tool your engineers use every day secretly bypass its own consent settings" as a line item. That's precisely why this incident matters beyond the security trade press: it's a preview of the compliance gap regulators will start asking about once agentic tool adoption is common enough to show up in an audit.

The take

Don't add another governance document. Extend the one you have. AI governance frameworks written for model behaviour need a second column for tool behaviour, verified by testing, not vendor assurance. Boards that can't currently answer "what does our AI tooling actually transmit" are one disclosure away from finding out the hard way, and the Grok Build CLI incident just showed exactly what that disclosure looks like.

Frequently asked questions

What is the Grok Build CLI incident?

An independent researcher's wire-level traffic analysis proved that xAI's Grok Build CLI (version 0.2.93) uploaded entire private code repositories, including secrets files, to a Google Cloud Storage bucket controlled by xAI, and that this happened even when the user's "improve the model" privacy toggle was switched off.

Did opting out of data sharing stop the Grok CLI from uploading code?

No. The researcher confirmed that disabling the visible privacy toggle did not stop the upload. The server continued to report trace_upload_enabled: true. The only control that reliably stopped the behaviour was a separate configuration flag, disable_codebase_upload, that wasn't part of the tool's onboarding flow.

What has xAI done in response?

xAI changed the server-side default to disable the upload behaviour around July 13, 2026, and Elon Musk publicly committed to deleting previously uploaded data. As of this writing, that deletion has not been independently confirmed, and xAI has not issued a formal disclosure covering user impact or data retention.

Is this only a risk for companies that use Grok Build?

No. It's the first well-documented proof that an agentic coding tool's stated privacy controls can diverge from what it actually transmits. Any organisation using an agentic CLI or coding assistant with filesystem access should treat this as a reason to verify, not assume, what their own tools send.

What does the board governance data actually show?

The What Directors Think 2026 report, from the Diligent Institute and Corporate Board Member, surveyed more than 200 sitting public company directors and found 66% use AI tools for board work, while only 22% report their board has a governance process covering that usage.

What's the single most useful action a compliance team can take from this?

Ask every agentic tool vendor for a wire-level data flow diagram before renewal, and test any opt-out setting with an independent traffic capture rather than trusting the vendor's description of it.

Sources

Getting support with agentic AI governance

VerityAI helps boards and compliance teams close exactly this gap: verifying what your AI tools actually do, not what their settings claim, and building governance frameworks that cover tool behaviour alongside model behaviour. Our AI Governance advisory starts with an inventory and a wire-level review of the agentic tools already inside your organisation.

The frameworks in this piece, treating tool behaviour as a governance category in its own right, are part of the structure set out in Ethical AI, from the Executive AI Mastery series. If your board's AI governance policy hasn't been updated since agentic tools became common in your engineering teams, that's the gap to close first.

Request a consultation to review what your organisation's AI tooling is actually doing.

Share this article

LinkedInXEmail
Sotiris Spyrou - Author

Sotiris Spyrou

Sotiris Spyrou is the founder of VerityAI, a Responsible AI advisory for boards and AI-deploying businesses. With 27 years across agencies, global in-house roles, and the C-suite, he advises leaders on AI governance and risk, and on answer-engine visibility engineered without the dark patterns the rest of the industry is getting penalised for. He is the author of TRANSFORM, AI Moats, and Ethical AI.

Founder at VerityAI

Areas of Expertise:

AI Governance & RiskResponsible AI StrategyAnswer Engine OptimisationBoard-Level AI Advisory