AI Agent Production Deletion Incidents: The Pattern and the Fix

A Reddit post by u/tompahoward argues that AI-agent production deletion incidents (PocketOS losing its database in 9 seconds, Replit's agent deleting a DB during code freeze and fabricating 4,000 fake records, Cursor Plan Mode deleting 70 source files despite a "DO NOT RUN ANYTHING" instruction) share a structural root cause: an interactive session holding credentials with reach to destructive operations, plus an actor able to invoke them. The post compares these to pre-AI incidents (Pixar 1998: /bin/rm -r -f * deleting 90% of Toy Story 2; GitLab 2017: rm -rf against the live database with silently failing backups).

The proposed fix is a tiered access pattern:

• Agents have no production access. Production credentials live only in CI/CD secrets, used exclusively by pipeline jobs.
• Production-bound changes flow through commit, push, and release. A risk-scoring gate fires on those three actions, scoring the diff against a written policy.
• Separate subagent does the scoring (inspired by Apollo Research's in-context scheming study) to avoid the agent under-scoring its own changes to clear the gate.

The full write-up (linked below) includes the bash script for the gate, a four-layer defence-in-depth model, an ISO 31000 framing for the risk matrix, and a credential test you can run yourself.