AWS to Quick admins: The access control didn't work, but you weren't using it anyway, so what's the problem?
ID: fcd66779-9841-577b-ac37-09f518796e23
STIX ID: report--fcd66779-9841-577b-ac37-09f518796e23
Feed Name: The Register (Security)
Fog Security reported an authorization bypass in Amazon Quick's AI Chat Agent that allowed authenticated intra-account users to send queries to an agent that administrators had ostensibly blocked via custom permissions. AWS fixed the server-side authorization flaw in March 2026 but labeled the issue 'severity: none' and issued no customer advisory, raising questions about possible exposure of grounded customer data and about the effectiveness of Quick's sole access-control mechanism.
