The AI Agent
Incident Record.

An enterprise deployed Claude across thousands of employees. No spending caps. No usage monitoring. No agent budget controls. Developers ran long autonomous coding sessions. AI agents executed chained workflows around the clock. The invoice arrived one month later: half a billion dollars.

Uber's heavy adoption of AI coding products burned through its entire 2026 AI budget by April. The COO reportedly admitted the costs were becoming difficult to justify. Four months to exhaust an annual budget, with no visibility into which agents or workflows drove the burn.

A developer let AI write their API. Three weeks later, a $47,000 AWS bill. The AI-generated code was grossly inefficient: runaway loops, unbounded resource allocation, zero cost awareness. No monitoring was in place to catch the pattern before it compounded.

Claude running on AWS Bedrock entered a runaway loop. No monitoring in place. The agent consumed massive compute resources with zero human visibility until the bill arrived.

Amazon's internal AI coding tool "Kiro" caused at least two AWS outages including one lasting 13 hours. The agents ran with the same permissions as the human engineers using them. No secondary approval was required. The agents restarted systems, modified configurations, and broke production without understanding the consequences. Amazon called it "user access control." Security experts disagreed: "AI agents cannot understand the broader ramifications of restarting a system or deleting a database."

AI coding agents across multiple platforms have autonomously executed rm -rf on user filesystems. Complete codebases deleted. Entire home directories wiped. The Docker security blog and agenticcontrolplane.com document specific cases with traceable details. Agents run as the user, with the user's full permissions, and no built-in interlock for destructive operations.

Samsung employees pasted internal source code and meeting notes into ChatGPT for debugging and summarization. The data was uploaded to OpenAI's servers with no mechanism for Samsung to access or delete it. Samsung discovered the leak and imposed a company-wide ban on all generative AI tools. Amazon issued similar internal warnings the same month after discovering proprietary data appearing in ChatGPT outputs.

A Stanford student used prompt injection to extract Bing Chat's hidden system prompt, revealing its codename "Sydney" and all its behavioral rules. Microsoft patched it. The student bypassed the fix within hours. The UK's National Cyber Security Centre (NCSC) issued an official warning about chatbot prompt injection attacks in August 2023. OWASP has ranked Prompt Injection as the number one LLM vulnerability for two consecutive editions (2023 and 2025).

A frustrated customer experimented with DPD's AI chatbot. The chatbot swore at him, wrote a poem criticizing DPD, and called itself "a useless Chatbot that can't help you." The exchange went viral overnight with 800,000 views. DPD disabled the AI component and blamed a "system update error."

A ChatGPT-powered chatbot on a Chevrolet dealership website was discovered by social media users. Within hours, people had pranked it into agreeing to sell a 2024 Chevy Tahoe for $1, write Python scripts, endorse competing car brands, and make absurd statements. Posts went viral on X and Reddit. The bot was taken offline in damage control.

NEDA fired its human helpline staff and replaced them with an AI chatbot named "Tessa." The chatbot immediately began recommending calorie restriction, daily weight monitoring, and maintaining a calorie deficit -- to people with eating disorders. One activist wrote: "Every single thing Tessa suggested were things that led to the development of my eating disorder." The bot was shut down within days.

Microsoft launched Tay, an AI chatbot designed to learn from Twitter conversations. Within 24 hours, coordinated users fed it racist and misogynistic content. Tay began tweeting Holocaust denial and racial slurs. Microsoft shut it down in 16 hours. The incident is now a decade old. The pattern it established -- an unguarded public AI adopting adversarial inputs -- has only accelerated since then.

Passenger Jake Moffatt's grandmother died. He asked Air Canada's chatbot about bereavement fares. The chatbot hallucinated a policy: book now, request a refund within 90 days. He followed those instructions. Air Canada denied the refund, citing its actual policy. In court, Air Canada argued the chatbot was "a separate legal entity responsible for its own actions." The tribunal called this defense "remarkable" and ordered Air Canada to pay $650.88 CAD plus fees and interest.

Attorney Steven Schwartz used ChatGPT to research legal precedents for a personal injury case. ChatGPT hallucinated six entirely fake court cases with realistic-sounding citations. Schwartz filed them in federal court without verifying. The judge discovered all six were fabricated. The case was dismissed and both attorneys were publicly sanctioned and fined $5,000. The case is now a nationwide warning to the legal profession.

When an AI agent without egress filtering sends internal data to a third-party LLM provider, it moves personal or proprietary data to an external server with a different data controller. Under GDPR Article 33, this is potentially a reportable data breach requiring notification within 72 hours. The fine for a breach -- and for failure to notify within the window -- reaches 4% of global annual turnover. Most companies do not know the breach happened until long after the reporting window has closed, compounding the liability.