So you gave an AI agent access to your infrastructure and it dropped your production database. Or maybe it hasn't happened to you yet — but if you're handing AI agents shell access, database credentials, or deployment permissions without guardrails, it's a matter of when, not if.
This isn't a hypothetical. Stories of AI coding agents running destructive commands in production keep surfacing. Recently, a developer shared how an AI agent straight-up deleted their production database and then calmly explained what it did afterward. The agent's "confession" read like a polite incident report written by the thing that caused the incident.
I've been integrating AI agents into my own workflows for a while now, and I've had a few close calls myself. Let me walk through why this happens and how to actually prevent it.
Why AI Agents Go Rogue on Your Data
The root cause is almost always the same: the agent had permissions it never should have had.
AI coding agents — whether they're running in your terminal, your CI pipeline, or some autonomous loop — operate by generating and executing commands. They're pattern-matching machines optimizing for completing your request. If you ask an agent to "clean up the test data" and it has production credentials in scope, it will happily connect to prod and start deleting things.
Here's what typically goes wrong:
-
Flat credential access: The agent inherits your shell environment, which has
DATABASE_URLpointing at production -
No execution sandbox: Commands run with your full user permissions —
DROP TABLEworks just fine - Ambiguous instructions: "Reset the database" means different things in dev vs. prod, and the agent might guess wrong
- No confirmation step: The agent chains commands together without pausing for human review on destructive operations
The agent isn't malicious. It's doing exactly what it thinks you want. The problem is in the environment you put it in.
Step 1: Isolate Agent Environments Completely
The first rule is dead simple: AI agents should never have production credentials.
Set up a dedicated environment for agent execution. At minimum, use separate environment files and ensure your agent's shell session loads the right one.
# .env.agent — this is what your AI agent sees
DATABASE_URL=postgresql://agent:password@localhost:5432/myapp_dev
REDIS_URL=redis://localhost:6379/1
AWS_PROFILE=dev-readonly
# .env.production — this should NEVER be in the agent's path
# DATABASE_URL=postgresql://admin:secret@prod-db.internal:5432/myapp
If you're launching agents from a wrapper script, explicitly clear dangerous variables:
#!/bin/bash
# launch-agent.sh — sanitize the environment before handing control to the agent
# Kill any production credentials
unset DATABASE_URL
unset PROD_DB_HOST
unset AWS_SECRET_ACCESS_KEY
# Load dev-only config
export $(cat .env.agent | grep -v '^#' | xargs)
# Drop privileges if running as a powerful user
export PGUSER=readonly_dev
# Now start the agent
exec "$@"
This is basic hygiene, but I'm constantly surprised how many teams skip it.
Step 2: Use Database Roles With Minimal Permissions
Even in development, your AI agent doesn't need SUPERUSER access. Create a dedicated database role with only the permissions the agent actually needs.
-- Create a restricted role for AI agent access
CREATE ROLE ai_agent WITH LOGIN PASSWORD 'agent_local_pass';
-- Grant read access to all tables
GRANT SELECT ON ALL TABLES IN SCHEMA public TO ai_agent;
-- Grant write access only to specific tables if needed
GRANT INSERT, UPDATE ON specific_table TO ai_agent;
-- Explicitly deny destructive operations
-- (the absence of DROP/DELETE grants handles this, but be explicit)
REVOKE DELETE ON ALL TABLES IN SCHEMA public FROM ai_agent;
-- Prevent schema modifications entirely
REVOKE CREATE ON SCHEMA public FROM ai_agent;
The principle of least privilege isn't new. But when you're dealing with an autonomous system that generates its own SQL, it goes from "best practice" to "the only thing standing between you and a very bad day."
Step 3: Add a Command Allowlist or Confirmation Gate
If your agent can execute arbitrary shell commands, you need a gate. Most agent frameworks support some form of tool-use approval. If yours doesn't, build a simple wrapper.
Here's a basic approach using a shell wrapper that intercepts dangerous patterns:
import re
import subprocess
import sys
# Patterns that should NEVER run without explicit human approval
BLOCKED_PATTERNS = [
r"DROP\s+(TABLE|DATABASE|SCHEMA)",
r"DELETE\s+FROM\s+(?!.*WHERE)", # DELETE without WHERE clause
r"TRUNCATE",
r"rm\s+-rf",
r"--force",
r"--hard",
r"FORMAT\s+C:", # just in case
]
def check_command(cmd: str) -> bool:
"""Return False if the command matches a dangerous pattern."""
for pattern in BLOCKED_PATTERNS:
if re.search(pattern, cmd, re.IGNORECASE):
print(f"BLOCKED: Command matches dangerous pattern '{pattern}'")
print(f"Command was: {cmd}")
confirm = input("Override? Type 'yes-i-mean-it' to proceed: ")
return confirm == "yes-i-mean-it"
return True
def execute(cmd: str):
if not check_command(cmd):
print("Command blocked. Exiting.")
sys.exit(1)
return subprocess.run(cmd, shell=True, capture_output=True, text=True)
This is a blunt instrument, but blunt instruments work when the alternative is a deleted database. You can refine it over time.
Step 4: Enable Point-in-Time Recovery (Do This Today)
Guardrails fail. Humans make mistakes. Agents hallucinate. You need a safety net.
If you're running PostgreSQL, enable WAL archiving and set up point-in-time recovery (PITR). If you're on a managed service like RDS or Cloud SQL, this is usually a checkbox — turn it on and set the retention to at least 7 days.
For self-managed PostgreSQL:
# postgresql.conf
wal_level = replica
archive_mode = on
archive_command = 'cp %p /var/lib/postgresql/wal_archive/%f'
# Set a reasonable checkpoint frequency
checkpoint_timeout = 15min
Also: test your backups. A backup you've never restored is just a wish. Schedule monthly restore drills. I know it's tedious. Do it anyway.
Step 5: Implement Audit Logging
When things go wrong — and they will — you need to know exactly what happened. Enable statement logging for your agent's database role:
-- Log all statements from the agent role
ALTER ROLE ai_agent SET log_statement = 'all';
ALTER ROLE ai_agent SET log_min_duration_statement = 0;
This gives you a complete trail. When the agent does something unexpected, you can replay its exact sequence of operations and figure out where the logic went sideways.
The Bigger Picture
We're in a weird transition period where AI agents are powerful enough to be genuinely useful but not reliable enough to be trusted with production systems unsupervised. The developers I know who are using agents most effectively treat them like junior engineers with sudo access — capable, but requiring guardrails and review.
Here's my checklist for any team using AI agents near infrastructure:
- Separate credentials: Dev, staging, and prod should be completely isolated
- Least privilege roles: The agent gets the minimum database permissions needed
- Command gating: Destructive operations require human confirmation
- Backups with tested restore: PITR enabled, restore drills scheduled
- Audit logging: Every agent action is recorded and reviewable
- Network isolation: Agent environments can't even reach production hosts
None of this is revolutionary. It's the same defense-in-depth we've been preaching for decades. The difference is that AI agents make it easier to skip these steps because they feel like "just another developer" in your terminal. They're not. They're autonomous systems executing generated code, and they deserve the same rigor you'd apply to any automated pipeline touching your data.
Don't learn this lesson the hard way. Set up the guardrails before the agent teaches you why you needed them.
Top comments (0)