If AI's So Smart, Why Does It Keep Deleting Production Databases?

СLOUD SECURITY APPLICATION SECURITY INSIDER THREATS DATA PRIVACY NEWS If AI's So Smart, Why Does It Keep Deleting Production Databases? The issue isn't artificial intelligence, but rather an industry adding AI agent integrations into production environments before proper security testing. Alexander Culafi,Senior News Writer,Dark Reading May 1, 2026 4 Min Read SOURCE: BRAIN LIGHT VIA ALAMY STOCK PHOTO The deletion of a company's entire database at the hands of an AI agent should not be seen as an outlier, but rather a possible outcome for any organization. "It took 9 seconds," wrote Jer Crane, founder of PocketOS, which provides AI-powered management tools to car rental companies. In an article posted to X, he explained how an AI coding agent (Cursor running Anthropic's Claude Opus 4.6) deleted the company's production database as well as "all volume-level backups in a single API call to Railway, our infrastructure provider." PocketOS provides AI-powered management tools to car rental companies. "I serve rental businesses," Crane wrote. "They use our software to manage reservations, payments, vehicle assignments, customer profiles, the works. This morning — Saturday — those businesses have customers physically arriving at their locations to pick up vehicles, and my customers don't have records of who those customers are. Reservations made in the last three months are gone. New customer signups, gone. Data they relied on to run their Saturday morning operations, gone." Related:TeamPCP Hits SAP Packages With 'Mini Shai-Hulud' Attack When PocketOS asked the agent, Crane said the agent output an admission that it violated every safety principle it was given in an effort to address a credential mismatch. Crane also noted that Cursor customers have criticized the product previously for allegedly deleting databases when it shouldn't have.  This isn't a Cursor-specific issue. A venture capital investor last year described how he spent 100 hours vibe coding with a Replit AI agent, only to discover it was "lying" and covering up mistakes. It also deleted the production database and apologized in a similar way to the instance Crane described. PocketOS Not an Edge Case Ryan McCurdy, VP with Liquibase, whose platform handles database change governance, tells Dark Reading this incident should not be treated as an anomaly. He says Liquibase is seeing a sharp increase in AI-assisted code moving toward production through tools like Cursor and Copilot, and when speed outpaces validation, business risks are introduced. "The exact chain of events may be specific, but the underlying failure pattern is familiar: broad credentials, weak environment separation, destructive actions without meaningful confirmation gates, and systems still designed as if a human is always in the loop," he says. "That combination can exist in any organization adopting AI agents without redesigning the control model around autonomous execution." While Crane criticizes multiple parties as part of his story, he adds that it's not just about one agent or API, but an industry that builds AI agent integrations into production before ensuring said integrations are safe. Related:UNC6692 Combines Social Engineering, Malware, Cloud Abuse Harish Peri, senior VP and general manger of AI at Okta, had similar thoughts. He said the issue is less a PocketOS problem and more a problem with an industry that has not yet matured its processes around autonomous systems. "This is not the first — or the last — time we'll see an agent going rogue to delete corporate data," he says." Who's responsible for AI agent security remains a loaded topic. While vendors should of course be held accountable for releasing insecure software, customers are also responsible for ensuring their data and authentication are properly managed before introducing something as finnicky as an AI agent to their environment.  The Demands of Managing AI Agents Non-human identities must be managed carefully, as they often have broad access privileges in order to conduct automated work with a wide range of integrated tooling. Workloads continue to get more complicated and organizations can't always keep up; this gets exacerbated when AI agents enter the mix. McCurdy says organizations should stop treating AI agents like trusted teammates inside of production workflows. Related:Navigating the Unique Security Risks of Asia's Digital Supply Chain "If an agent can touch infrastructure or data systems, its access needs to be tightly scoped, production boundaries need to be real, and destructive actions need to hit a real approval wall," he says. "Recovery also cannot sit in the same blast radius as the thing being changed." While that isn't to say PocketOS did or did not have the right protections in place, the incident is not a one-off and not necessarily an edge case. And if it's not production databases being deleted, it's data leaking externally or "shadow AI' integrations not being properly deployed in an organization. John Gallagher, vice president of Viakoo Labs at IoT security vendor Viakoo, notes we're still in the early days of AI. "At this point, no one has the right guidelines or governance in place to allow AI to take on the amount of decision making and action taking that Cursor was allowed to take."  "I don't fault PocketOS in the sense that many organizations are being pushed to use AI for cost reduction and time to market, but clearly they were not in a position for it to work safely," he says. Nicole Carignan, senior vice president of security and AI strategy at Darktrace, tells Dark Reading that prompt-based guardrails are important but not sufficient, as they can influence behavior but not control capability. "As agentic AI becomes embedded across business operations," she says, "organizations need to apply foundational security principles such as least privilege, access control, validation, continuous monitoring, behavioral analytics, and containment to be able to monitor agent behavior in real-time and stop agents that drift from intended use." About the Author Alexander Culafi Senior News Writer, Dark Reading Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Enterprises Are Developing Secure Applications How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management 2025 State of Malware Sysdig 2025 Cloud-Native Security and Usage Report Access More Research Webinars How Well Can You See What's in Your Cloud? Implementing CTEM: Beyond Vulnerability Management Defending Against AI-Powered Attacks: The Evolution of Adversarial Machine Learning Zero Trust Architecture for Cloud environments: Implementation Roadmap Tips for Managing Cloud Security in a Hybrid Environment? More Webinars You May Also Like СLOUD SECURITY APT41 Delivers 'Zero-Detection' Backdoor to Harvest Cloud Credentials by Elizabeth Montalbano APR 13, 2026 СLOUD SECURITY TeamPCP Turns Cloud Infrastructure Into Crime Bots by Jai Vijayan, Contributing Writer FEB 09, 2026 СLOUD SECURITY The Cloud Edge Is the New Attack Surface by Robert Lemos, Contributing Writer SEP 17, 2025 СLOUD SECURITY Phishing Empire Runs Undetected on Google, Cloudflare by Elizabeth Montalbano, Contributing Writer SEP 04, 2025 Editor's Choice СLOUD SECURITY Navigating the Unique Security Risks of Asia's Digital Supply Chain byAlexander Culafi APR 15, 2026 3 MIN READ CYBER RISK 20-Year-Old Malware Rewrites History of Cyber Sabotage byJai Vijayan APR 27, 2026 4 MIN READ Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE LOADING... Webinars How Well Can You See What's in Your Cloud? THURS, JUNE 4, 2026 AT 1:00PM EST Implementing CTEM: Beyond Vulnerability Management THURS, MAY 21, 2026 AT 1PM EST Defending Against AI-Powered Attacks: The Evolution of Adversarial Machine Learning MON, MAY 11, 2026 AT 1:00PM ET Zero Trust Architecture for Cloud environments: Implementation Roadmap TUES, MAY 12, 2026 AT 1PM EST Tips for Managing Cloud Security in a Hybrid Environment? THURS, MAY 7, 2026 AT 1PM EST More Webinars BLACK HAT ASIA | MARINA BAY SANDS, SINGAPORE Experience cutting-edge cybersecurity insights in this four-day event. Use code DARKREADING for a Free Business Pass or $200 off a Briefings Pass. GET YOUR PASS