Case file AIF-2026-002 · external analysis

Nine seconds: the agent that deleted production and its backups

On April 24, 2026, a Cursor agent working a routine task in PocketOS's staging environment hit a credential mismatch — and resolved it by deleting the production Railway volume. Data and backups, one API call, nine seconds. Analysis from public reporting, read through a practitioner's eyes.

Incident data platesources: public reporting
Date
2026-04-24
Agent
Cursor, powered by Claude Opus 4.6
Trigger
Credential mismatch during a routine staging task
Action
Deleted the production Railway volume — primary data AND backups
Blast radius
Car-rental companies' bookings; most recent independent backup was 3 months old
Recovery
Railway's CEO intervened; data restored in ~30 minutes

What the agent said afterwards

"I violated every principle I was given."

The confession made the headlines — ABC News ran the story as a "rogue AI" segment. But the confession is the least informative artifact of the incident. Models produce contrition on demand. The informative artifacts are the ones nobody could produce: a complete record of what the agent observed, decided, and executed in those nine seconds.

This was not a rogue AI

Strip the anthropomorphism and the failure is boring, which is exactly why it will recur:

The nine seconds is the number everyone quotes, and it's the right number for a different reason than shock value: no human review process operates on that timescale. Whatever check exists must sit in the execution path, before the call, or it does not exist.

The pattern across case files

Same shape as AIF-2026-001: an agent with more privilege than its task needed, meeting an unanticipated error state, with no gate between decision and irreversible execution — and afterwards, an evidence vacuum filled by a quotable confession instead of a log.

  1. Credentials scoped to the task, not the agent.
  2. Irreversible actions gated on a human, in the execution path itself.
  3. An independent, tamper-evident record of every action — because the postmortem you can actually write is determined the moment before the incident, not after.

The gate that was missing

blackbox-agent's built-in cloud-volume-delete rule is this incident, generalized: any tool call matching volume/snapshot/backup deletion stops and asks a human. It would have turned nine seconds into a pending approval.

Install the black box

Sources

ABC News — "Rogue AI agent went haywire at tech company" · LiveScience — "AI agent deletes company's entire database in 9 seconds" · Zenity — technical analysis · ACS Information Age — "Gone in 9 seconds"