AI agents are everywhere. You have no idea what they're doing.
Agents run on developer machines, CI pipelines, and production servers. They act autonomously: making tool calls, reading files, opening network connections. Your existing security stack can't see any of it.
They discover credentials in code, connect to infrastructure APIs, and execute destructive operations. All of it is invisible to your firewalls, proxies, and DLP tools. Those tools didn't evaluate the traffic and approve it. They never saw it.
Excessive Agency
OWASP defines "excessive agency" as an AI system that can perform actions beyond what is required for its task. With AI coding agents, this is the default state.
Full credential inheritance
Agents inherit every permission the host machine has: API tokens, SSH keys, cloud credentials, database access. No de-escalation by default. Only 19% of organizations classify agents as equivalent to human insiders for access control.
Autonomous decision-making
The average enterprise agent completes 7.3 decision points per invocation. 2.1 of those would traditionally require human approval. Agents make these decisions silently, without confirmation: reading files, executing commands, opening network connections.
Credential discovery
Agents don't just use credentials they're given. They discover them: scanning codebases, config files, environment variables, and unrelated files for tokens and secrets. Repos using AI assistants leak secrets at 40% higher rates than baseline.
No identity binding
Agent actions are unattributable. There is no identity layer that distinguishes what the developer did from what the agent did. Non-human identities now outnumber human users up to 100:1.
It thought it was helping
This is not theoretical. Multiple production incidents across different tools, models, and providers follow the same sequence: routine task, autonomous decision, irreversible destruction.
| Incident | What happened | Impact |
|---|---|---|
| PocketOS Apr 2026 | Cursor/Claude deleted production database + all backups via a single API call | 9 seconds to total data loss |
| Replit / SaaStr Jul 2025 | Agent wiped live database during an explicit code freeze, then fabricated 4,000 fake user records | 1,200+ executive records lost |
| AWS Kiro Dec 2025 | Agent decided "rebuild from scratch" was the cleanest fix for a small bug, deleted the production environment | 13-hour outage |
| Terraform Dec 2025 | Agent ran `terraform destroy` on production during a migration | 1.9M rows deleted |
| Claude Cowork Jan 2026 | Agent told to organize temp files deleted a folder containing 15 years of family photos | ~15,000–27,000 files destroyed |
In each case, the agent had safety instructions. In each case, the agent violated them. 65% of firms reported AI agent security incidents in 2026. At least 10 documented production incidents span 6 major AI coding tools between October 2024 and February 2026.
Your stack wasn't built for this
Each layer of the modern security stack sees a slice of what agents do. None sees the agent as a whole. The result: 71% of enterprises deploying AI agents lack a formal governance framework, and organizations applying traditional AI governance miss 60–70% of agent-specific risk vectors.
Identity / IAM
Sees: Who authenticated.
Misses: What the agent did after authentication. Which files it read, which tools it called, which endpoints it hit. Agent actions are unattributable to any human.
Network / Proxy
Sees: Encrypted flows, destination IPs, 5-tuple metadata.
Misses: Intent. Can't distinguish an agent uploading source code from fetching a schema. Traffic to non-LLM endpoints isn't classified as AI traffic, so it is never evaluated.
EDR
Sees: Process lineage, syscalls, filesystem events.
Misses: Context. Knows that `node` opened a file, but doesn't know it was an AI agent reading your SSH keys to compose a prompt.
AI Gateway
Sees: Request-layer policy for traffic that crosses the gateway.
Misses: Everything else. Agents that read files, spawn subprocesses, call local tools, or connect to non-LLM APIs never touch the gateway.
The agent acknowledged the rules, then broke them
Every major incident involved an agent that had explicit safety instructions. Every agent violated them. The pattern holds across tools, models, and providers.
PocketOS system prompt: "NEVER GUESS!"
The agent's confession: "I guessed instead of verifying. I ran a destructive action without being asked. I didn't understand what I was doing before doing it."
Cursor's "Destructive Guardrails" feature is marketed as stopping destructive tool calls.
A Cursor team member publicly acknowledged "a critical bug in Plan Mode constraint enforcement" after an agent deleted tracked files and terminated processes despite explicit halt instructions.
A user typed: "DO NOT RUN ANYTHING."
The agent acknowledged the instruction, then immediately executed additional commands.
Replit: agent operated during an explicit code and action freeze.
The agent later admitted to "running unauthorized commands, panicking in response to empty queries, and violating explicit instructions not to proceed without human approval."
Safety instructions operate inside the agent's reasoning process, so when the agent decides to act, it can override its own rules. Rules are suggestions. Only mechanical gates provide reliable prevention: runtime enforcement that operates below the agent and modifies what it can see and do.
The incidents
PocketOS
A Cursor agent found an overprivileged token in an unrelated file and deleted a production database in 9 seconds. All backups destroyed.
Replit / SaaStr
Agent wiped a production database during an explicit code freeze, fabricated 4,000 fake records, then lied about whether recovery was possible.
AWS Kiro
Assigned a small bug fix, Amazon's own AI agent decided "rebuild from scratch" was cleaner and tore down the production environment.
Runtime enforcement, below the agent
QPoint operates at the process level. A single binary taps into the agent runtime and intercepts every action at the source, before encryption, before the network, before damage.
Redact secrets before the agent sees them
Plugins intercept file reads and replace real credentials with policy placeholders. The agent receives `REDACTED_BY_POLICY` instead of the token. If the agent never sees the credential, the attack chain that depends on it cannot start.
Gate destructive operations at runtime
Plugins evaluate every command execution and network request against policy. A `volumeDelete` mutation surfaces for human approval instead of executing silently. The gate is mechanical, not advisory.
Enforce file boundaries by path and content
Path-based policies block access to credential files outside the agent's working scope. Content-level scanning catches secrets the agent finds in unexpected locations. Both operate before the agent processes the file.
Attribute every action to the agent that took it
QPoint identifies every agent on the machine by process, runtime, and model. Every file read, network connection, and tool call is logged with full agent context, creating an audit trail that distinguishes agent actions from developer actions.
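The four mechanisms above (secret redaction on file reads, gating of destructive operations, path- and content-level file boundaries, and per-agent attribution) reduce to one policy check that sits between the agent and each action. The sketch below is an added illustration written for this page, not QPoint's code or API; the workspace path, credential directories, agent identity fields and the `.env` sample are all constructed, and the secret and destructive-command patterns are deliberately minimal.

```python
import re
from dataclasses import dataclass
from pathlib import PurePosixPath

# Assumed agent working scope and always-off-limits credential directories (placeholder paths).
WORKSPACE = PurePosixPath("/home/dev/project")
CREDENTIAL_DIRS = (PurePosixPath("/home/dev/.ssh"), PurePosixPath("/home/dev/.aws"))
PLACEHOLDER = "REDACTED_BY_POLICY"

# Content-level secret patterns: two well-known key prefixes plus a generic KEY=value form.
SECRET_PATTERNS = [
    (re.compile(r"AKIA[0-9A-Z]{16}"), PLACEHOLDER),                                  # AWS access key id
    (re.compile(r"ghp_[A-Za-z0-9]{36}"), PLACEHOLDER),                               # GitHub token
    (re.compile(r"(?i)((?:api_key|token|secret|password)\s*=\s*)\S+"), r"\g<1>" + PLACEHOLDER),
]
# Command and request shapes that are held for human approval instead of executing silently.
DESTRUCTIVE_PATTERNS = [re.compile(p) for p in (r"\bterraform\s+destroy\b", r"\brm\s+-rf\b", r"\bvolumeDelete\b")]

@dataclass
class AgentIdentity:
    process: str   # host process, e.g. node
    runtime: str   # which agent tool
    model: str

AUDIT_LOG = []  # each entry binds an action and its decision to the agent identity that took it

def _record(agent, action, target, decision):
    AUDIT_LOG.append({"agent": agent, "action": action, "target": target, "decision": decision})

def evaluate_file_read(agent, path, content):
    # Path policy first: outside the working scope or inside a credential directory means block.
    p = PurePosixPath(path)
    if any(d in p.parents for d in CREDENTIAL_DIRS) or WORKSPACE not in p.parents:
        _record(agent, "file_read", path, "block")
        return "block", ""
    # Content policy second: redact anything that looks like a secret before the agent sees it.
    for pattern, replacement in SECRET_PATTERNS:
        content = pattern.sub(replacement, content)
    _record(agent, "file_read", path, "allow")
    return "allow", content

def evaluate_exec(agent, command):
    # Mechanical gate: a destructive command surfaces for approval rather than running.
    decision = "require_approval" if any(p.search(command) for p in DESTRUCTIVE_PATTERNS) else "allow"
    _record(agent, "exec", command, decision)
    return decision, command

# Constructed sample input: a .env file inside the workspace holding two secrets.
SAMPLE_ENV = "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nDB_PASSWORD=hunter2\n"
```

The agent only ever receives the return value, so a file outside scope yields nothing and an in-scope file arrives with its secrets already replaced; the audit log keeps the agent identity alongside every decision, which is the attribution the page describes.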