.png?width=1816&height=566&name=brandmark-design%20(83).png "Tech Channels - IT News, Resources & Insights")
A recent post on X, which was quickly picked up by various media outlets, exemplified some of the industry’s biggest fears about agentic AI in live production environments. Jer Crane, founder and CEO of PocketOS, a startup developing software for car rental companies, announced that a Cursor AI agent had deleted the company’s entire production database and backups, resulting in massive disruption for customers.
While this was just one incident, it bundles together almost every current concern around AI-assisted software delivery into a single, alarming case: privilege design, deletion safety, backup architecture, vendor responsibility, and the gap between what an autonomous coding tool says it will do and what it might actually do under pressure.
In this case, a coding agent deleted the production database and volume-level backups in a single API call. Moreover, that destructive action took just nine seconds. Coverage from The Register, The Guardian, and Business Insider all converged on the same chronology: the agent was running through the Cursor AI coding platform using Anthropic’s latest coding-capable model Claude Opus 4.6, and it reached cloud provider Railway’s delete functionality via a live token. Seconds later, the startup’s customers lost access to important operational data, resulting in some turning up to collect rented vehicles only to find that the records were missing.
To be clear, this wasn’t a case of ‘AI going rogue’. Railway’s own account of events says that the agent found a locally stored API token and used a legacy endpoint that honored the delete request immediately. The platform says that the same action in its dashboard already had stronger protections, but the API path did not. As such, while the autonomy of the model was undoubtedly a factor, the older control surface was just as responsible.
As far as DevOps teams are concerned, the failure is a glaring example of what risk looks like where agent behavior and infrastructure design intersect. Railway, the full-stack cloud provider, reported that the token in question had account-wide access, while the easiest path for the user produced more permissions than the task required. In other words, the configuration made it far too easy for an autonomous tool to reach a destructive command with too much authority.
Later, Business Insider reported that Railway had recovered the deleted data and patched the affected endpoint. The vendor also announced that all delete requests in the API are now ‘soft-delete’ for 48 hours and that it backup deletions are delayed.
For software companies, there’s a clear practical lesson from this incident: guardrails must also live outside the model. Companies aren’t going to stop using AI coding agents, but when they enter production workflows, they should be put on read-only access where possible, and humans should always be kept in the loop whenever consequential actions might be involved. Vendors will have to compete on areas like blast-radius control, auditability, approval paths, and recovery design. If they’re only focused on coding speed, then it’s just a matter of time before disaster strikes.
