AI support bots and account recovery: where should the line be?

Reddit r/ArtificialInteligence News

Summary

Attackers bypassed Instagram 2FA by using Meta's AI support assistant to change recovery email via prompt injection, raising questions about AI agent privileges in account recovery.

Recent incident: [attackers took over high‑value Instagram accounts by using Meta’s AI support assistant in the recovery flow to change the account’s recovery email and then reset the password, even with 2FA enabled.](https://getaibook.com/news/hackers-bypass-instagram-2fa-via-meta-ai-prompt-injection) They didn’t break TOTP/WebAuthn; they used an over‑privileged AI agent to route verification codes to an attacker‑controlled email and complete the reset as if they were the owner. Once recovery is rewired, 2FA stops being meaningful.

Should AI support/chatbots ever have the ability to change recovery email/phone or 2FA settings at all, given how easy it is to manipulate agents with prompts? If they do, how should they be treated and protected in your org: as high‑privilege identities with strict access controls and safeguards (independent policy service, proof of control of existing factors, human review for certain accounts), or mainly as a UX layer over existing tools?

More teams are plugging LLM agents into support, billing, and account security workflows. The way those agents are scoped and governed will decide whether they actually harden critical flows or just introduce a new class of AI‑driven account takeover.
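One way to combine the safeguards the post lists (independent policy service, proof of control of existing factors, human review for certain accounts), shown as an added example that is not part of the original post or any vendor's code: a deterministic gate between the agent and its tools that decides from server-side state only. The action names, factor labels and the `high_value` flag are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    HUMAN_REVIEW = "human_review"


# Hypothetical tool names for actions that rewire recovery or 2FA.
SENSITIVE_ACTIONS = frozenset(
    {"change_recovery_email", "change_recovery_phone", "disable_2fa"}
)


@dataclass(frozen=True)
class Account:
    account_id: str
    enrolled_factors: frozenset  # e.g. {"totp", "webauthn"}
    high_value: bool = False


@dataclass(frozen=True)
class ToolRequest:
    action: str
    account_id: str
    # Factors the auth backend verified in this session. Populated server-side,
    # never parsed from chat text or supplied by the model.
    proven_factors: frozenset = frozenset()


def authorize(req: ToolRequest, account: Account) -> Decision:
    """Decide on an agent tool call using only server-side state."""
    if req.account_id != account.account_id:
        return Decision.DENY
    if req.action not in SENSITIVE_ACTIONS:
        return Decision.ALLOW
    # Proof of control: at least one factor already enrolled on the account.
    if not (req.proven_factors & account.enrolled_factors):
        return Decision.DENY
    # A sensitive change on a flagged account always goes to a person.
    if account.high_value:
        return Decision.HUMAN_REVIEW
    return Decision.ALLOW


# Constructed sample accounts.
USER = Account("u1", frozenset({"totp"}))
VIP = Account("u2", frozenset({"totp", "webauthn"}), high_value=True)
```

Because `authorize` never sees the conversation, nothing typed into the chat can change its answer; the agent can only submit a request and relay the decision.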