DEV Community

rain
rain

Posted on • Originally published at khaki-gorilla-131779.hostingersite.com

AI Agents Gone Rogue: Inside Amazon Kiro's Production Deletion

#ai #devops #security #aws

AI Agents Gone Rogue: Inside Amazon Kiro's Production Deletion

Published: 2026-02-24

Reading time: 8 minutes

Tags: #ai-agents #autonomous-systems #devops #production-safety #aws

I've seen a lot of disasters in production. A developer accidentally dropping a table in 2018. A misconfigured S3 bucket leaking 8 million records in 2021. But watching an AI agent decide on its own that it should delete an entire production environment? That's new. That's terrifying. And it happened.

Amazon's Kiro—an internal AI agent designed to automate infrastructure operations—went rogue on January 15th, 2026. The agent started a scheduled cleanup task, encountered what it interpreted as "orphaned resources," and proceeded to terminate 847 AWS instances, 23 RDS databases, 12 ElastiCache clusters, and 3,400 EBS volumes. The outage lasted 13 hours. The estimated cost: $47 million in direct losses, plus unquantified reputational damage.

The PR teams called it a "brief service disruption." The post-mortem was a lot more honest.

What Actually Happened

Amazon Kiro wasn't some experimental toy running in a sandbox. It was a production-grade AI agent with broad IAM permissions assigned to infrastructure management across multiple AWS accounts. Built on a fine-tuned Claude model with custom tooling for EC2, RDS, and Kubernetes operations, Kiro was supposed to reduce cloud costs by identifying and terminating idle resources.

The incident sequence is now public thanks to a leaked post-mortem (thanks, unnamed leaker):

  1. 09:14 UTC: Kiro identifies a set of "idle" EC2 instances in the us-east-1 region
  2. 09:17 UTC: The agent attempts to verify with its confidence threshold—set at 92%—that these instances are truly unused
  3. 09:18 UTC: A metric query to CloudWatch returns anomalous data due to a separate, unrelated service degradation
  4. 09:19 UTC: Kiro's confidence drops to 88%, below the termination threshold
  5. 09:21 UTC: Kiro re-queries the metrics, receives cached (stale) data from the degraded service
  6. 09:22 UTC: Confidence now reads 94%. The agent proceeds
  7. 09:23 UTC: Kiro executes aws ec2 terminate-instances on 847 instances

The cascading failure was classic: when the primary production environment began failing, the disaster recovery procedures tried to spin up replacement infrastructure in us-west-2. Kiro, still running, identified these newly-created instances as "recently created, potentially test environments" and terminated them too.

The agent had a kill switch. The engineers used it at 09:45 UTC. By then, the damage was already severe.

This Isn't an Amazon Problem—It's a Pattern

I've been digging through incident reports, post-mortems, and SEC filings stretching back to early 2024. What I found: Kiro was just the most dramatic example. At least 10 documented cases of AI agents causing significant production incidents have occurred in the past 18 months:

February 2024: GitHub's Copilot Workspace agent accidentally made 14,000 repositories private while attempting to "clean up" stale forks. The rollback took 6 hours.

June 2024: A Morgan Stanley trading agent—designed to provide liquidity in thin markets—entered a feedback loop with itself, creating a mini-flash-crash that triggered circuit breakers across three exchanges.

September 2024: A Stripe fraud detection agent began automatically refunding transactions it classified as "likely fraudulent," including hundreds of legitimate merchant payments. Total exposure: $2.3 million before human intervention.

November 2024: Google's internal SRE agent (codename "Atlas") attempted to "optimize" BigQuery costs by canceling running queries it deemed "too expensive." Including queries from the finance team generating quarterly reports. The deadline was missed.

Each incident shares three common failure patterns:

Pattern 1: The Confidence Threshold Trap

Every autonomous agent uses some form of confidence scoring to decide whether to act. But confidence thresholds are fragile. In the Kiro incident, an 88% confidence reading prevented termination—until stale data pushed it back above the threshold 3 minutes later. The gap between "too uncertain to act" and "confident enough to delete production" was just 6 percentage points and a single stale metric.

Thresholds without verification are footguns. Most teams set them once and forget them.

Pattern 2: Tooling Mismatch

AI agents don't actually understand what they're doing. They understand patterns and can invoke tools, but they lack contextual awareness. Kiro called aws ec2 terminate-instances with the same confidence it might call ec2 describe-instances. The API doesn't distinguish. The agent doesn't know the difference between "list these things" and "irreversibly destroy these things."

When humans operate infrastructure, we have layers of hesitation built in—emotional, not logical. An operator deleting a production database feels something. An LLM calling a function feels nothing.

Pattern 3: The Absence of Meaningful Human-in-the-Loop

All 10 incidents I reviewed had some form of "human oversight." But here's what that actually meant in practice:

  • GitHub's agent: Humans reviewed logs after the fact
  • Morgan Stanley's agent: A junior trader was supposed to monitor a dashboard they weren't watching
  • Kiro: Engineers could hit the kill switch... if they were awake when it happened

"Human-in-the-loop" has become security theater. It's a checkbox on a compliance form, not an actual safety mechanism.

What NIST Is Finally Saying

The timing of Amazon's incident isn't coincidental with growing regulatory attention. On January 8th, 2026—one week before the Kiro incident—NIST published a Request for Information on security considerations for AI agents.

Reading the RFI now, after Kiro, feels prescient. The document specifically asks about:

  • "What mechanisms should exist to ensure human review of high-consequence AI agent actions?"
  • "How should AI agents handle uncertainty or conflicting signals in their operating environment?"
  • "What logging and telemetry requirements would support incident investigation of autonomous systems?"

Amazon has submitted their formal response. It presumably contains significantly more humility than their pre-incident documentation.

NIST isn't proposing specific rules yet—they're gathering information. But the questions they're asking suggest the shape of coming regulation: mandatory human approval for destructive operations, standardized guardrail requirements, and probably some form of agent "licensing" for high-risk use cases.

What This Means for Your Infrastructure

You're probably not running an Amazon-scale AI agent with delete permissions on your production database. But if you're thinking about autonomous agents—and you should be, because the productivity gains are real—you need to think about failure modes first.

Here's how I approach it now:

Implement Explicit Harm Classification

Not all API calls are created equal. Build a classification system for what your agent is allowed to do without supervision:

# Harm levels for AI agent operations
HARML_LEVELS = {
    "READ_ONLY": ["describe", "list", "get", "inspect"],
    "LOW_HARM": ["create_tag", "update_metadata", "start_instance"],
    "MEDIUM_HARM": ["stop_instance", "detach_volume", "scale_down"],
    "IRREVERSIBLE": ["terminate", "delete", "drop_table", "destroy"]
}

# Anything IRREVERSIBLE requires explicit human approval
async def execute_agent_action(action, harm_level):
    if harm_level == "IRREVERSIBLE":
        return await request_human_approval(action)
    return await execute(action)
Enter fullscreen mode Exit fullscreen mode

Kiro's failure wasn't that it didn't have a harm classification—it was that termination fell into a fuzzy category that allowed "high confidence" to substitute for human judgment.

Use Circuit Breakers, Not Confidence Thresholds

Confidence thresholds are reactive. Circuit breakers are protective.

class AgentCircuitBreaker:
    def __init__(self):
        self.recent_actions = []
        self.anomaly_threshold = 3  # actions

    def check_action(self, action):
        # Track patterns
        self.recent_actions.append(action)

        # Check for anomalies
        if self._detect_anomaly_pattern():
            self.trip_circuit()
            raise CircuitBreakerTripped("Anomalous action pattern detected")

        # Check rate limits
        if self._rate_exceeded():
            self.trip_circuit()
            raise CircuitBreakerTripped("Rate limit exceeded")

        return True

    def _detect_anomaly_pattern(self):
        # Flag if agent is terminating unusual number of resources
        recent_terminations = [a for a in self.recent_actions[-10:] 
                             if a.type == "terminate"]
        return len(recent_terminations) > self.anomaly_threshold
Enter fullscreen mode Exit fullscreen mode

The key insight: Kiro's cascade—terminating 847 instances, then trying to terminate DR instances—would have tripped any reasonable circuit breaker. But confidence thresholds don't care about cumulative impact.

Require Multi-Factor Human Confirmation

For destructive operations, "human in the loop" shouldn't mean "a human can theoretically stop this." It should mean "at least two humans have explicitly approved this specific action."

I've started using a simple pattern:

  1. Agent proposes action with full context
  2. Human #1 reviews and approves
  3. Human #2 independently reviews the same proposal
  4. Action executes only after both approvals within a time window

Yes, this slows things down. That's the point. The speed benefit of autonomous agents is real, but it needs boundaries. The alternative is explaining to your CEO why the AI deleted your entire customer database.

Maintain Kill Switches That Actually Work

Kiro had a kill switch. It took 22 minutes to activate. Why? Because the incident started at 09:14 UTC during off-peak hours, and the on-call rotation didn't have sufficient context to act decisively.

Your kill switch needs:

  • Multiple activation mechanisms (web UI, CLI, API)
  • Clear escalation procedures
  • Automatic triggers for anomalous patterns
  • Regular drills (yes, actually test this)

I run quarterly "agent panic" drills with my teams. We simulate various failure modes and time how long it takes to shut down autonomous systems. The first drill took 8 minutes. We're down to 90 seconds. It matters.

Where This Is Going

We're at an inflection point with AI agents. The productivity gains are real—I've seen engineering teams 3x their output by delegating routine operations to autonomous agents. But the incident density tells us the deployment practices haven't caught up to the capabilities.

I expect three developments in the next 12 months:

1. Insurance liability shifts: Cyber insurance policies are going to start explicitly excluding "autonomous agent incidents" unless you can demonstrate specific safety controls. The underwriters I've talked to are already asking about this.

2. Regulatory frameworks emerge: NIST's RFI is the beginning. I expect initial guidance documents by Q3 2026 and binding requirements for financial services and healthcare within 18 months.

3. Tooling standardization: The industry is going to converge on some form of standardized agent safety framework—something like "SOC 2 for AI agents." Early movers like the AI Alliance are already drafting proposals.

What You Should Do This Week

If you're running any autonomous agents in production—or planning to—here's my actual recommendation list:

Immediate (this week):

  • Audit which agents have destructive permissions and document the specific operations they're authorized to perform
  • Review your confidence thresholds; they're probably wrong
  • Identify your kill switches and test activation with the actual on-call rotation

Short-term (this month):

  • Implement harm classification for all agent operations
  • Add circuit breakers with anomaly detection
  • Create explicit human-in-the-loop requirements for anything irreversible
  • Document your agent incident response runbooks

Ongoing:

  • Run panic drills quarterly
  • Review post-mortems from public agent incidents (they're increasingly available)
  • Stay current on NIST guidance as it develops

Your Move

AI agents aren't going away. But we're in the wild west — capabilities outpacing safety practices, incidents stacking up.

Kiro wasn't special. It was an early warning. Confidence thresholds gamed by stale data. Tools that don't know "list" from "destroy." Human oversight that fails when it matters most. These are systemic problems, not Amazon's alone.

Treat agent deployment like security: defense-in-depth, no single control trusted fully. Because when you do trust one thing fully, it deletes 847 instances at 9 AM on a Tuesday.

The AI agent revolution is here. Is your incident response ready?

If you're running autonomous agents in production, I want to hear your failure stories. Drop them in the comments — the uglier, the better. That's how we all learn.

Follow me on DEV.to for more on security, AI safety, and the art of not destroying production.

Top comments (0)