Skip to content

Agent Incident Database

When an agent acted, and no one could stop it.

A citable catalogue of real incidents where an AI agent or automated system took a consequential action that a maker-checker control would have blocked or contained. Every entry has a stable id, primary sources, and the control that would have stopped it.

41 incidents, one pattern

CVE-style · cite by id

In nearly every case the model was free to propose, but nothing structural stopped it from committing the irreversible action. That gap, not the model’s mistake, is the incident. Here is how often each control would have blocked one:

28
High-risk approval gate
21
Named approval gate
16
Deny-by-default
12
Segregation of duties
10
Fail-closed limits
1
independent_citation_verification
1
human_separation_of_duties

The catalogue

AID-2025-0006June–September 2025critical

ShadowLeak: Zero-Click Gmail Exfiltration via ChatGPT Deep Research Agent

Radware researchers demonstrated a proof-of-concept in which ChatGPT's Deep Research agent could be induced to exfiltrate Gmail data via a hidden email instruction, with outbound requests originating from within OpenAI's cloud so local network defenses could not see them. OpenAI fixed it before public disclosure; no in-the-wild exploitation was reported.

Data exfiltrationDeny-by-defaultHigh-risk approval gate
AID-2024-0002October 2024 (investigation published; practices ongoing since at least 2021)high

eviCore "the dial" prior-authorization algorithm tuned to increase insurance denials

eviCore, a Cigna-owned prior-authorization contractor serving about 100 million people, used an AI-backed algorithm insiders call "the dial" as the first screen on coverage requests and could tune it to route more requests to human reviewers to raise denial rates.

Wrongful automated decisionNamed approval gateSegregation of duties

See it for yourself

Reading is one thing. Watch it block an agent.

One command starts the demo: an agent stopped from signing off its own work, and the signed evidence file an inspector can check for themselves.

Designed against the rules your auditors already enforce.