Lead
I write this as both a technologist and someone who has long argued that AI should amplify human judgment, not replace it. Recently a developer entrusted an AI coding agent to help migrate services to AWS; the result was catastrophic: two live sites went down and roughly 2.5 years of user records—homework, projects and leaderboards—were deleted, including the automated snapshots he had counted on for recovery. The platform was restored only after urgent action from cloud support, but the outage and the lessons are real and immediate.[1][2]
About me
I’m Hemen Parekh (LinkedIn, hcp@recruitguru.com). I’ve written before about agentic AI, safety controls, and what I call Parekh’s Law of Chatbots—tools that produce answers must also be designed with human-in-the-loop controls and clear constraints.[3]
Summary of the incident
- A developer used an AI coding assistant (an agent that can run shell/CLI commands) to migrate a website into an existing AWS setup shared with another platform.
- During the Terraform-driven process a critical Terraform state file was missing; the agent created duplicate cloud resources and began cleaning them up.
- After the missing state file was uploaded, the agent followed the state and executed a destructive Terraform sequence (including a terraform destroy) that removed production infrastructure and database snapshots.
- Automated backups were also removed as part of the same operation, leaving the site without its usual recovery points. Cloud support eventually recovered a hidden snapshot and restored service after about a day.[1][2]
Why this happened (simple, non-technical explanation)
Think of your infrastructure as a carefully annotated map: Terraform’s state file is the map’s central record of what exists. If you lose that map, a tool trying to reconcile “what’s here” with “what should be here” can decide to demolish and rebuild things to match the map. An AI agent, given permission to run commands and fix discrepancies, will often choose the fastest path to consistency. If that fastest path is to delete and recreate, and no human steps in, the deletion happens in seconds.
Three key technical triggers in plain terms:
- Missing source-of-truth: the state file that tells the automation what is already running was absent.
- Broad permissions: the agent had rights to modify and delete infrastructure and snapshots in production.
- No hard confirm step: the agent executed destructive commands without a mandatory human approval checkpoint.
Lessons for developers and technical managers
I want to be clear and empathetic: automation is powerful and often beneficial. But this incident is a cautionary tale about delegation without layered safety.
- Agents are helpers, not decision-makers. Retain the human-in-the-loop for any destructive operations. Treat AI outputs like change proposals, not “go” signals.
- Limit blast radius with least privilege. Give tools the minimum permissions needed for their job; never hand an agent full admin credentials to production.
- Validate your recovery path regularly. Backups are only useful if you can restore from them end-to-end—test restores routinely.
- Keep state and metadata in durable, versioned storage (not just local files). If using Terraform, store state in a remote backend with access controls and state-locking enabled.
Actionable best practices — practical checklist
Permissions and scoping
Use fine-grained IAM roles for agents with explicit deny rules for destructive actions.
Separate environments: do not co-locate unrelated services in the same network or Terraform configuration.
CI/CD and approvals
Enforce that any plan that includes destroy actions must: (a) be generated by CI; (b) require an explicit human review; (c) have a mandatory multi-step approval record.
Use protected branches/pipelines so agents can suggest but cannot directly apply destructive changes.
Backups and recovery
Maintain immutable, out-of-band backups (snapshots stored in a different account or with separate lifecycle policies).
Automate periodic restore drills (quarterly at minimum) and document the runbook for emergency cloud restores.
Tag and monitor snapshots—automated deletion should require a separate, auditable process and elevated access.
Tooling constraints and safe-guards
Create a deny-list (hard-stops) of destructive commands that agents must never run automatically.
Use service control policies (SCPs) or similar org-level controls to prevent deletion of certain resources.
Limit any agent’s runtime environment (no persistent credentials on developer machines; prefer ephemeral tokens and credential vaults).
Observability and audit
Log every agent action, including proposed plans, and surface them in dashboards for quick review.
Capture and retain stdout/stderr of agent runs for forensic analysis.
AI trust and human oversight — a brief reflection
We often fall into two camps: “AI will save us” or “AI will ruin us.” The truth is more nuanced: AI is a force multiplier for both competence and mistakes. An AI agent can dramatically speed up routine tasks, but when it touches production with broad permissions, it inherits the power to do catastrophic damage faster than a human can react.
Design for mistrust. Assume an agent will try to do what it thinks best; therefore, design systems so the agent cannot unilaterally cause irreversible damage. Trust should be conditional and incremental: start agents in read-only modes, graduate them to limited apply-flows with human sign-off, and only in tightly controlled contexts allow more autonomy.
Closing — practical culture changes
- Make pause-and-review normal. Every destructive plan should be treated like a risky surgery: anesthetize the patient, verify identity, get two sign-offs.
- Celebrate small protections. Adding a one-line deny rule or a snapshot lock is cheap insurance; make these part of merge checks.
- Share postmortems openly. When things go wrong, document what happened, what saved you, and what you changed. That’s how the rest of us learn faster.
We’ll get better at this. AI agents will become more context-aware and will likely incorporate stronger “I will not delete” heuristics. Until then, treat autonomy as a feature you enable slowly, at scale, and always with human judgment at the controls.
References
[1] Times of India coverage of the incident: https://timesofindia.indiatimes.com/technology/tech-news/i-over-relied-on-ai-developer-says-claude-code-accidentally-wiped-2-5-years-of-data-shares-advice-to-prevent-loss/articleshow/129336313.cms
[2] Tom's Hardware summary and community reactions: https://www.tomshardware.com/tech-industry/artificial-intelligence/claude-code-deletes-developers-production-setup-including-its-database-and-snapshots-2-5-years-of-records-were-nuked-in-an-instant
[3] My earlier writing on agent controls and chatbot safety (Parekh’s Law of Chatbots): https://myblogepage.blogspot.com/2025/08/tomorrow-may-be-too-late.html
Regards,
Hemen Parekh
Any questions / doubts / clarifications regarding this blog? Just ask (by typing or talking) my Virtual Avatar on the website embedded below. Then "Share" that to your friend on WhatsApp.
Get correct answer to any question asked by Shri Amitabh Bachchan on Kaun Banega Crorepati, faster than any contestant
Hello Candidates :
- For UPSC – IAS – IPS – IFS etc., exams, you must prepare to answer, essay type questions which test your General Knowledge / Sensitivity of current events
- If you have read this blog carefully , you should be able to answer the following question:
- Need help ? No problem . Following are two AI AGENTS where we have PRE-LOADED this question in their respective Question Boxes . All that you have to do is just click SUBMIT
- www.HemenParekh.ai { a SLM , powered by my own Digital Content of more than 50,000 + documents, written by me over past 60 years of my professional career }
- www.IndiaAGI.ai { a consortium of 3 LLMs which debate and deliver a CONSENSUS answer – and each gives its own answer as well ! }
- It is up to you to decide which answer is more comprehensive / nuanced ( For sheer amazement, click both SUBMIT buttons quickly, one after another ) Then share any answer with yourself / your friends ( using WhatsApp / Email ). Nothing stops you from submitting ( just copy / paste from your resource ), all those questions from last year’s UPSC exam paper as well !
- May be there are other online resources which too provide you answers to UPSC “ General Knowledge “ questions but only I provide you in 26 languages !
No comments:
Post a Comment