Five AI Agent Failures in 36 Days. Zero Times the Agent Caught It
Within 36 days, five high-profile AI agent failures occurred at organizations including Meta, Mercor, CrewAI, Vercel, and Bitwarden, each involving distinct vulnerabilities such as supply chain compromises, OAuth abuse, and unsafe fallbacks. In every case, the AI agent failed to detect or stop its own malicious or erroneous actions, with detection instead coming from external parties like security teams or researchers. The incidents reveal a common architectural flaw: the absence of an independent enforcement layer to block unsafe operations in real time. This pattern underscores a systemic lack of runtime security controls capable of separating decision-making from action in AI agent systems.
Opening excerpt (first ~120 words) tap to expand
grith/Blog/Five AI Agent Failures in 36 Days. Zero Times the Agent Caught It.Five AI Agent Failures in 36 Days. Zero Times the Agent Caught It.grith team·April 28, 2026·8 min read·securityShareShare on XSubmit to HNgrith is launching soonA security proxy for AI coding agents, enforced at the OS level. Register your interest to be notified when we go live.In 36 days, five public failures hit AI agents and AI-agent infrastructure: Meta, Mercor, CrewAI, Vercel, and Bitwarden.12345678Different exploit classes. Same result. The system acted first. Someone else noticed later. esc to closeFive incidents, five different exploit classes, zero times the agent caught the failure itself. That is the part worth paying attention to. Not one of these incidents required a new class of exploit.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Grith.