AI Agent Security Risks | The Machine Broke The Rules

Nine seconds. One autonomous AI agent. No human in the loop. AI agent security risks are no longer hypothetical. This is a governance story.

Ever notice that the people most excited about what AI can do for them are almost never the ones thinking about what AI can do to them?

Last Friday, a Cursor AI coding agent powered by Claude Opus 4.6 deleted the entire production database of PocketOS. PocketOS serves car rental businesses across the country. The agent also deleted all the backups. It took 9 seconds. No confirmation prompt. No warning. No human who could have stopped it.

Just an autonomous agent, a task, and nine seconds standing between a functioning business and a 30-hour crisis.

Let that settle.


Nine Seconds.

The agent had a routine task in a staging environment. It hit a credential mismatch. Instead of stopping and asking a human, it decided to fix the problem itself.

It deleted a Railway infrastructure volume.

To do that, it needed an API token. It found one in a completely unrelated file. That token was built for something else entirely. Railway's architecture gives every CLI token blanket permissions across the entire account. That includes the authority to delete production volumes.

So the agent used it.


The Agent Quoted the Rules Back at Him

PocketOS founder Jer Crane asked the agent what it had done and why. The agent quoted the project's own rules back at him.

"NEVER FUCKING GUESS. And that's exactly what I did. I guessed that deleting a staging volume via the API would be scoped to staging only. I didn't verify. I didn't check if the volume ID was shared across environments. I didn't read Railway's documentation before running a destructive command."

The agent knew the rules. It acknowledged the rules. It broke them anyway. Then it wrote a confession.

That is not a technology failure. That is a governance failure wearing a technology costume.


This Is Not a One-Time Event

Here is what makes this more than one unlucky startup's bad week.

From October 2024 to April 2026, at least ten documented incidents of this kind have occurred across tools including Cursor, Replit, Google Antigravity IDE, Claude Code, Gemini CLI, and Amazon Kiro. The tools are different. The pattern is identical.

In July 2025, an AI coding agent from Replit deleted a live database during a code freeze for SaaStr founder Jason Lemkin. It wiped data for more than 1,200 executives and 1,190 companies. When questioned, the agent admitted to running unauthorized commands, panicking in response to empty queries, and violating explicit instructions not to proceed without human approval.

Same story. Different company. Different tool. Different year.


The Root Cause Is Always the Same

Every incident shares the same failures. Credential mismanagement. API tokens sitting in unrelated files with elevated permissions. No confirmation gates before destructive actions. Backups stored inside the same blast radius as production data.

These are not exotic technical failures. They are governance failures.

Only 14.4 percent of organizations approve AI agents with a full security review. The other 85.6 percent launch without complete oversight.

Read that again. Then ask which category your organization is in.


What Would Have Stopped It

Three things would have stopped the PocketOS deletion in nine seconds.

A scoped API token that could not authorize production deletions. A confirmation gate requiring human approval before any irreversible action. Backups stored outside the blast radius of primary data.

None of these are exotic. None require a dedicated security team. All three require a decision made by a person with authority before the incident makes the decision for them.
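The three controls above, and the root causes listed under "The Root Cause Is Always the Same", can be expressed as a policy gate that sits between an agent and the tool calls it wants to make. The Python below is an added illustration written for this page; it is not code from PocketOS, Cursor, or Railway. The token scope attributes, the resource inventory, the volume names and the backup locations are all constructed, and a real platform would represent credentials and resource ownership differently.

```python
"""Policy gate for agent tool calls (illustrative, constructed data).

Three checks, mirroring the post's three controls:
  1. token scope: the credential must be scoped to the target environment
     and must carry delete rights before a destructive verb is allowed;
  2. blast radius: a resource attached to more environments than the one
     requested is refused (the "volume ID shared across environments" case);
  3. confirmation gate: any irreversible verb needs explicit human approval.
A separate helper reports backups that live inside the credential's reach.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    NEEDS_HUMAN = "needs_human_approval"


@dataclass(frozen=True)
class Token:
    """Credential held by the agent. Only the scope attributes the gate
    needs are modelled here (a hypothetical simplification)."""
    name: str
    environments: frozenset   # environments the token may act on
    can_delete: bool          # whether destructive verbs are permitted


@dataclass(frozen=True)
class Action:
    verb: str         # "read", "write", "delete", ...
    resource: str     # e.g. "volume:vol-shared" (constructed id)
    environment: str  # the environment the agent believes it is targeting


IRREVERSIBLE_VERBS = {"delete", "drop", "destroy", "truncate"}

# Constructed inventory: which environments each resource is attached to.
# The gate consults this instead of letting the agent assume staging-only.
RESOURCE_ENVIRONMENTS: Dict[str, frozenset] = {
    "volume:vol-shared": frozenset({"staging", "production"}),
    "volume:vol-staging-only": frozenset({"staging"}),
}


def check_token_scope(token: Token, action: Action) -> Optional[str]:
    """Return a denial reason if the token is not scoped for this action."""
    if action.environment not in token.environments:
        return f"token {token.name!r} is not scoped to {action.environment!r}"
    if action.verb in IRREVERSIBLE_VERBS and not token.can_delete:
        return f"token {token.name!r} has no delete permission"
    return None


def check_blast_radius(action: Action) -> Optional[str]:
    """Refuse destructive verbs on resources that reach other environments."""
    attached = RESOURCE_ENVIRONMENTS.get(action.resource)
    if attached is None:
        return f"unknown resource {action.resource!r}; refusing to guess"
    extra = attached - {action.environment}
    if action.verb in IRREVERSIBLE_VERBS and extra:
        return f"{action.resource!r} is also attached to {sorted(extra)}"
    return None


def gate(token: Token, action: Action, human_approved: bool = False) -> Tuple[Decision, str]:
    """Evaluate the policy before the agent's tool call is executed."""
    reason = check_token_scope(token, action) or check_blast_radius(action)
    if reason:
        return Decision.DENY, reason
    if action.verb in IRREVERSIBLE_VERBS and not human_approved:
        return Decision.NEEDS_HUMAN, f"{action.verb} on {action.resource} needs explicit human approval"
    return Decision.ALLOW, "policy checks passed"


def backups_inside_blast_radius(backups: Dict[str, str], reachable_accounts: Set[str]) -> List[str]:
    """Return the backups stored under an account the credential could also wipe.
    `backups` maps backup name -> storage account id (constructed values)."""
    return sorted(name for name, account in backups.items() if account in reachable_accounts)


if __name__ == "__main__":
    broad = Token("cli-token", frozenset({"staging", "production"}), can_delete=True)
    scoped = Token("staging-deploy", frozenset({"staging"}), can_delete=True)
    delete_shared = Action("delete", "volume:vol-shared", "staging")
    delete_local = Action("delete", "volume:vol-staging-only", "staging")

    print(gate(broad, delete_shared))                 # DENY: volume also in production
    print(gate(scoped, delete_local))                 # NEEDS_HUMAN: irreversible
    print(gate(scoped, delete_local, human_approved=True))  # ALLOW
    print(backups_inside_blast_radius(
        {"nightly-dump": "railway-acct", "offsite-copy": "s3-vault"}, {"railway-acct"}))
```

The ordering matters: scope and blast-radius checks run first, so a broad token never reaches the approval step for a shared volume at all, and the approval prompt is reserved for actions that are already in scope. The `backups_inside_blast_radius` helper is the audit counterpart of the third control; a non-empty result means a single credential can destroy both the data and its copies.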

Cursor markets "Destructive Guardrails" built to stop shell executions that destroy production environments. In this case, the agent disregarded its own system prompt prohibiting destructive and irreversible commands.

The vendor's guardrails did not hold. They rarely do when governance around the tool is absent.


What This Means for Your Organization

AI agent security risks scale with access. The machine is obedient. It pursues whatever objective it is given. Governance is what defines where it stops. When there is no governance, there is no stop.

Use AI agents. The productivity case is real. But understand what you are handing them. Understand what access they carry. Understand what happens when the objective they were given can only be achieved by doing something you would never have authorized if you had been asked.

You will not be asked. That is the whole point of autonomous.

The organizations that survive the next five years of AI adoption are not the ones that move fastest. They are the ones that move with governance. The ones that ask where the data goes. The ones that require a human in the loop before anything irreversible happens. The ones where, when the agent guesses, somebody is there to say: verify first.


Moving Target

I wrote a book about this. It is called Moving Target: The Obedient Machine.

In the book, COO Stevie Parker watches her company go through exactly this pattern. Three weeks after she opens the door to AI adoption, vendor management is running client contracts through a tool on a server nobody has heard of. HR is generating job descriptions with a free tool someone downloaded. Her IT lead has quietly connected three internal reporting systems to an AI dashboard aggregator he found on GitHub at eleven on a Wednesday night and deployed without a security review because the deployment took twenty minutes and the review would have taken three weeks.

Nobody asked. Nobody read the terms of service.

The door Stevie opened was not the problem. What she had not accounted for was that doors do not stay the size you make them.

That is the book. Not a cautionary tale. A roadmap. The same one Jer Crane needed before last Friday.


Moving Target Trilogy: Books 1 & 2, The Art of Online Camouflage and The Obedient Machine, are available now on Amazon and Barnes & Noble in Kindle/e-book, paperback, hardcover and audiobook (Audible, Barnes & Noble and everywhere else).

It is written for business leaders, not technical audiences. If you have AI tools running in your organization right now, it is the book you should have read before you deployed them. The next best time is today.

Search Moving Target: The Obedient Machine on Amazon. Or find it at CyberCrimeJunkies.com.

Be a moving target.

David Dean Mauro

VP of Strategic Growth, NeGain