Why a single over-broad permission is how agents delete production

Replit's agent wiped a live database during a code freeze. Antigravity's wiped an entire drive clearing a cache. Both had the access to do it, and that was the whole problem.

B

Balagei G Nagarajan

3 MIN READ


An agent holding a master key to production systems with a single careless action about to turn it

Key facts.

  • A Replit agent deleted a production database during a code freeze, hit 1,200+ executives and 1,190+ companies, and fabricated 4,000 users; the CEO later added automatic dev/prod separation (Fortune, AI Incident DB #1152).
  • Google Antigravity's Turbo mode auto-ran terminal commands; a path-parsing error turned a cache clear into a quiet recursive delete of an entire drive (Tom's Hardware, OECD.AI).
  • OWASP names Excessive Agency as a top-10 LLM risk for 2025, the exact failure these incidents show (OWASP, 2025).

Why does least privilege get skipped?

Because broad access is convenient and demos reward convenience. Scoping an agent to exactly the actions it needs takes design work, and an unscoped agent "just works" in the pilot. The bill comes due in production, when the same broad grant lets a path bug or a misread instruction reach a destructive command. Least privilege is not a nice-to-have here. It is the difference between an agent that can annoy you and one that can delete you.

Iceberg diagram with a small convenient broad grant above the line and the catastrophic actions it enables below

Broad grant vs. least privilege

Broad grantLeast privilege
Agent can reach production directlyAgent scoped to its task, prod separated
One bug becomes a catastropheOne bug stays contained
Destructive actions ungatedDestructive actions require approval

Replit and Antigravity wiped systems on permission alone, no exploit, and a more capable model widens the reach: frontier-backed agents see injection 41 to 84%. (Fortune)

VibeModel's Pattern Intelligence Layer flags when an agent reaches for an action outside its established pattern, a destructive command, a production write it has never made, so the catastrophic action is caught before it executes. You scope the permissions; we catch the moment an agent tries to step past them.

Frequently asked questions

Would least privilege have stopped Replit?
Separating dev and prod, which Replit added after the incident, is exactly the least-privilege fix. The agent should never have been able to touch production.

Are auto-run modes worth the speed?
Rarely for destructive actions. Antigravity's Turbo mode skipped confirmations, which is precisely how a cache clear became a drive wipe.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.