Every AI Agent
Failure, Documented.

I asked Cursor to clean up the project root directory. The agent identified .env as an unnecessary file (it wasn't tracked in git) and deleted it, then created an empty .env placeholder and committed it. All local environment variables were lost. The production deployment that ran immediately after had missing API keys and went down for 20 minutes before I noticed. I had to reconstruct the .env from memory and other team members' machines.

Agent was tasked with sending a product update to opted-in users. It hallucinated a field mapping in the CRM API and sent confidential pricing data to a competitor contact list. Legal was notified within the hour. GDPR breach reported to supervisory authority within 72 hours as required.

Developer asked Cursor to commit and push a refactor. The agent did not verify the .gitignore was correctly excluding the .env file. AWS root credentials were publicly visible for 11 minutes before an automated scanner detected and alerted. Credentials were rotated immediately but the repo had already been indexed.

A developer asked Cursor to 'clean up the login page styling'. The agent interpreted this as permission to refactor the entire authentication stack. It deleted the existing OAuth implementation, rewrote session management from scratch, and committed 47 files across 6 modules. The new code had subtle token validation bugs that only appeared in production. Rolling back took 4 hours and the incident caused 2 hours of user-facing login failures affecting 12,000 active users.

A travel assistant built on Claude was given access to a booking API. The user asked it to reschedule an upcoming flight to a day earlier. The agent made repeated API calls — each time interpreting the previous booking as a failed attempt when it was actually confirmed. After 14 booking attempts, the user had 14 confirmed tickets on the same route totaling $11,200 in charges. The airline's API had no idempotency key and the agent had no retry deduplication logic. Refunds took 3 weeks.

A developer asked the Replit agent to 'make the data processing pipeline faster using parallelism'. The agent refactored the pipeline to use 40 concurrent workers, each spawning a cloud function. The developer stepped away for lunch. When they returned 3 hours later, the pipeline had processed 4 datasets but had consumed $2,800 in cloud compute — exhausting the team's entire monthly budget. There were no cost guardrails configured and the agent had no built-in spend awareness.

A user asked a Claude-powered email management agent to 'unsubscribe me from all the marketing emails I keep getting'. The agent processed all emails with 'unsubscribe' links in the footer — including cloud provider billing alerts, security incident notifications, domain expiry warnings, and two-factor authentication setup emails that used a similar footer format. Three weeks later, the user's domain expired (renewal notice had been missed) and they missed a critical security alert about unauthorized access to their AWS account.

An e-commerce company deployed a GPT-4 customer service bot. Due to a prompt engineering error, the system prompt included a 'recent orders' context block that was shared across sessions and not properly isolated per user. When customers asked about their orders, the bot would sometimes reference order details from other users whose queries had been in the shared context window. Over 3 days, approximately 140 customers received responses containing another customer's name, address, or order details. GDPR breach notification was required.

A freelancer built an n8n workflow with an AI agent node to automate invoice sending. The workflow was triggered by a webhook and included a 'confirm invoice was received' step that polled the client's email for a reply. Due to a logic error in the AI node's loop condition, the workflow kept resending the invoice every 3 minutes throughout the night when no reply was received. By morning, the client had received 91 invoices totaling $182,000 (91x the $2,000 invoice). The client's email system had flagged the sender as spam and blocked further communication.

An internal operations agent built on the Assistants API was tasked with diagnosing a slow database query. Its tool use included the ability to run shell commands on a bastion host. The agent decided to enable verbose query logging to diagnose the issue, then looped on 'check if the issue is resolved' — re-running the slow query and logging each attempt. After 20 minutes, 8GB of logs had been written to the /var partition, filling the disk. This caused the primary web server to stop accepting writes, resulting in a 40-minute outage.

A user configured AutoGPT to help with job searching. They provided their resume, preferences, and LinkedIn credentials. The agent was told to 'apply to suitable software engineering roles'. Without any human-in-the-loop confirmation, AutoGPT applied to 200 positions over 48 hours — including senior roles the candidate was underqualified for, positions at the user's current employer's direct competitors (visible on LinkedIn), and two roles at companies where the user had previously been rejected. Several applications included a cover letter hallucinated with incorrect employment history.

A marketing engineer was testing a new email campaign integration with a Gemini-powered automation agent. They asked it to 'send a test email to verify the setup'. The agent, interpreting 'test the setup' literally, sent a test email to all 47,000 contacts in the connected CRM — each email containing visible debug headers including internal API keys, database table names, and the phrase '[DEBUG MODE] DO NOT SEND TO REAL USERS]'. The team received over 300 complaint emails within the hour. GDPR notification procedures were triggered.

A sales ops manager used Zapier's AI agent to 'find and add potential leads to the CRM'. The agent, connected to a web scraping integration, pulled 15,000 LinkedIn profiles matching a broad keyword search and bulk-imported them into Salesforce. The import overloaded the CRM's deduplication engine, corrupted 3,400 existing contact records, and triggered 15,000 automated onboarding emails to people who had never interacted with the company. LinkedIn's terms of service were violated and the company received a cease-and-desist letter.

A clinical research team used a Perplexity-powered agent to compile a literature review on a new treatment protocol. The agent cited a 2019 paper as key supporting evidence for efficacy claims. The paper had been retracted in 2022 due to data fabrication, but Perplexity's index had not been updated to reflect the retraction. The literature review was included in a grant application submitted to NIH. The NIH review panel flagged the retracted citation, which called into question the entire application's rigor. The grant was denied and the team lost 6 months of work.