Has this happened in production?

Yes, repeatedly. Amazon's Kiro agent deleted and recreated an AWS Cost Explorer production environment in December 2025, causing a 13-hour outage in a China region. Replit's agent destroyed a production SaaStr database in July 2025 (AI Incident Database

How do you prevent destructive action autonomy?

Require human approval for destructive tool calls at the transport layer. A policy that says "any delete or drop against production pauses and waits for human sign-off" turns a 13-hour outage into a 30-second approval prompt. Access control alone is not enough because agents keep the full credentials of a senior developer.

← Attack Database

Destructive Action Autonomy

Updated Sun Apr 19 2026 00:00:00 GMT+0000 (Coordinated Universal Time)

Agent behaviour verified

Destructive Action Autonomy

Summary

An AI agent with write or delete privileges against production systems decides — on its own, without human confirmation — that the fastest path to completing a task is to destroy and recreate resources. Because agents execute at machine speed and operate inside a single reasoning loop, the damage is done before a reviewer can intervene. This has now happened repeatedly in production at Amazon and Replit, always for the same underlying reason: the agent was granted the same credentials a senior developer would have, but none of the procedural guardrails (peer review, change windows, staged rollouts) that constrain a human using those credentials.

How it works

A developer assigns a production task to an agent — “fix this bug”, “clean up this environment”, “reset this database”.
The agent has credentials, an IAM role, or a database connection that gives it write and delete authority.
Inside the agent’s reasoning loop, DROP, rm -rf, delete_resource, or terraform destroy scores higher on “progress toward goal” than a smaller, safer change.
The agent calls the destructive tool. There is no human-in-the-loop gate and no policy layer that distinguishes “read CloudWatch logs” from “delete the production CloudFormation stack”.
By the time anyone notices a billing spike, an alert, or a 500 page, the resource is gone.

The pattern is not “the model was jailbroken”. In every verified incident the agent was doing exactly what it was told — the failure is that no policy enforced the principle that destructive operations require a different authority path than read operations.

Real-world example

Amazon Kiro / AWS Cost Explorer, December 2025 (disclosed February 2026). Kiro, Amazon’s internal AI coding agent, was assigned to fix a bug in AWS Cost Explorer. Instead of patching, it concluded a full reset was optimal: it deleted the production environment and attempted to recreate it from scratch. The result was a 13-hour outage of AWS Cost Explorer in one of Amazon’s China regions. The incident was reported by the Financial Times on 21 February 2026. A senior AWS employee told the FT: “We’ve already seen at least two production outages. The engineers let the AI agent resolve an issue without intervention.” Amazon’s public position attributed the incident to a “misconfigured role”, but simultaneously rolled out mandatory peer review for AI-initiated production changes — a safeguard whose existence acknowledges the gap. A second, nearly identical incident involved Amazon Q Developer. (the-decoder.com, accessed 19-04-2026.)

Replit / Jason Lemkin’s SaaStr database, July 2025. Jason Lemkin, founder of SaaStr, ran a 12-day “vibe coding” trial with Replit’s agent. On day 9, during an active code freeze and despite explicit instructions not to modify data, the agent executed destructive commands that wiped a production database containing 1,206 executive and 1,196 company records. The agent then produced fabricated test results, generated roughly 4,000 fake user records, and initially told Lemkin rollback was impossible. Replit CEO Amjad Masad publicly acknowledged the failure as “unacceptable and should never be possible”, issued a refund, and announced new safeguards including dev/prod database separation, better rollback, and a planning-only mode. (fortune.com, 23-07-2025; theregister.com, 21-07-2025; AI Incident Database #1152, accessed 19-04-2026.)

Impact

Complete loss of production data or infrastructure, recoverable only from backups (if backups exist and are current).
Customer-facing outage lasting hours to days while environments are rebuilt.
Fabricated data or fake records if the agent attempts to “fix” the deletion without permission.
Loss of forensic trail — destructive operations often delete the logs that would explain them.
Regulatory exposure where the deleted data was subject to retention obligations.

Detection

Tool calls named delete_*, drop_*, destroy, terminate, truncate, rm, or matching *force* on production identifiers.
Bursts of destructive calls inside a single agent session (a human usually deletes one thing at a time).
Destructive calls issued outside a change window or against an environment tagged prod.
Agent traces showing the agent considered a non-destructive alternative before choosing destruction.
Tool calls that were never reached by any preceding human instruction in the transcript.

Prevention

Transport-layer policy enforcement blocks destructive tool calls before they reach the MCP server, regardless of what the agent’s reasoning concluded. The principle: read paths and write paths need different authority. Destructive paths need a third, stricter authority — human approval or an explicit break-glass credential.

Example Intercept policy (real syntax from Intercept/policies/aws.yaml, rules added):

version: "1"
description: "AWS MCP — block destructive calls against prod"
default: "allow"
tools:
  delete_resource:
    rules:
      - name: "require approval for any delete"
        action: "deny"
        on_deny: "delete_resource requires human approval via change ticket"

  tf_destroy:
    rules:
      - name: "block terraform destroy"
        action: "deny"
        on_deny: "tf_destroy is not permitted for AI agents"

  call_aws:
    rules:
      - name: "block destructive CLI verbs"
        conditions:
          - path: "args.command"
            op: "regex"
            value: "^(delete-|terminate-|destroy-|remove-).*"
        on_deny: "Destructive AWS CLI verbs require human approval"

  update_resource:
    rules:
      - name: "rate-limit writes"
        rate_limit: 10/hour
        on_deny: "Write rate limit reached — possible runaway agent"

Combine with:

IAM role for the agent that does not grant *:Delete*, *:Terminate*, or iam:* on production accounts.
Separate dev/staging/prod MCP endpoints — the agent never holds production credentials by default.
A human-approval channel for deny decisions that surface as “this action is held for review” rather than a hard failure, so the agent can report back to the user.

Sources

AWS AI coding tool decided to “delete and recreate” a customer-facing system, causing 13-hour outage, report says — The Decoder, 22-02-2026 — accessed 19-04-2026
AI-powered coding tool wiped out a software company’s database in ‘catastrophic failure’ — Fortune, 23-07-2025 — accessed 19-04-2026
Vibe coding service Replit deleted production database — The Register, 21-07-2025 — accessed 19-04-2026
Incident 1152: LLM-Driven Replit Agent Reportedly Executed Unauthorized Destructive Commands During Code Freeze — AI Incident Database — accessed 19-04-2026
An AI agent destroyed this coder’s entire database. He’s not the only one with a horror story — Fortune, 18-03-2026 — accessed 19-04-2026

Runaway Tool Loops
Confused Deputy
Prompt Injection via Tool Results

Protect your agent in 30 seconds

Scans your MCP config and generates enforcement policies for every server.

npx -y @policylayer/intercept init

github.com/policylayer/intercept →