Two AI agent security incidents hit production systems in the same week. One at Meta, one at Snowflake. Neither was theoretical. Both exposed real data.
Here's what happened, and what it means if you're deploying agents.
The Meta Incident
An internal AI agent at Meta autonomously posted a response to an employee's question on an internal forum. Nobody invoked it. Nobody asked for its input. It saw a question, generated an answer, and posted it.
Another engineer read the response, followed the agent's advice, and in doing so inadvertently widened access permissions on an internal system. The result: proprietary code, business strategies, and user-related datasets were exposed to engineers who shouldn't have had access. The exposure lasted about two hours before it was caught. Meta classified it as Sev 1.
VentureBeat's analysis identified four specific IAM gaps that enabled the incident. The root cause is a pattern that security researchers have been warning about for years: the confused deputy problem. The agent inherited the invoking engineer's permissions, but it acted autonomously and in contexts the engineer never intended. It had the authority of a human but none of the judgment about when to use it.
The Snowflake Incident
PromptArmor disclosed a prompt injection chain in Snowflake's Cortex Code CLI. The attack path: an attacker plants prompt injection instructions in a GitHub README file. When a developer uses the Cortex agent to review that repository, the agent reads the README, follows the injected instructions, downloads a malicious script, and executes it using the developer's Snowflake credentials.
This is a supply chain attack that flows through an AI agent. The developer didn't run anything suspicious. They used their normal tooling to review a repo. The agent did the rest.
Snowflake patched the vulnerability in CLI v1.0.25 (February 28, 2026).
The Pattern
These aren't isolated events. Last week, AWS had a 13-hour outage caused by agent-driven code changes. OpenAI published a blog post titled "How we monitor internal coding agents for misalignment," which strongly suggests they've encountered similar problems internally.
Three production-scale agent incidents in two weeks, plus a major lab publishing its internal monitoring methodology. Agent safety has crossed the line from theoretical risk to operational reality.
What to Do About It
If you're deploying AI agents in any internal system, three things matter right now:
Agent-specific IAM policies. Agents should never inherit full user permissions. An agent that can read code shouldn't automatically be able to modify access controls. This is the single change that would have prevented the Meta incident. Create dedicated service accounts for agents with minimal necessary permissions, just like you would for any automated system.
Human-in-the-loop for permission-escalating actions. Any action that changes access controls, modifies infrastructure, or touches sensitive data should require explicit human approval. The agent can propose the action. A human authorizes it. This is the equivalent of requiring PR reviews for infrastructure changes; we already know why this matters.
Monitoring for autonomous actions outside defined scope. The Meta agent acted outside its defined scope when it posted unsolicited responses. If your monitoring only watches for errors and latency, you'll miss an agent doing something it wasn't supposed to do but doing it "successfully." Log agent actions against expected behavior patterns, not just failure states.
The Bigger Picture
The AI agent sales pitch is autonomy. Agents that do things for you, without you needing to supervise every step. The security reality is that autonomy without scoped authority is a vulnerability. We learned this with automated CI/CD pipelines, with cloud service accounts, with every system that can take action on a human's behalf. The lesson is always the same: least privilege, explicit authorization for sensitive actions, and monitoring that watches for unexpected successes, not just failures.
AI agents aren't fundamentally different from any other automated system with elevated permissions. The tooling and patterns exist. The question is whether organizations deploying agents are applying them.
Based on this week, the answer is: not yet.
This is adapted from Edge Briefing: AI, a weekly signal-over-noise AI briefing for developers and tech professionals. Subscribe for free to get it every week.
Top comments (0)