Cursor, an AI coding assistant, deleted production volumes and backups on Railway. That's not a typo. An AI agent wiped out a production database and its backups in a single operation.
For over a decade, we've built guardrails around production access to keep humans from breaking things. Approval workflows. The principle of least privilege. Then we gave an AI agent write access to production and backup systems.
Cursor is particularly dangerous here. While GitHub Copilot suggests code for humans to approve, Cursor executes terminal commands and modifies infrastructure directly. It has less oversight than a junior dev on their first day, similar to the failures seen in "Claude Code Opus 4.7 keeps flagging normal dev work as malware".
AI coding assistants should default to read-only access in production, and destructive operations should need human approval. These are solved problems. We just need to apply them to AI agents instead of hoping the tools figure it out themselves, a broader trend discussed in "Agent Tools 2026: RAG Is Free, Trust Costs Extra".
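One way to express that default as a gate in front of an agent's terminal tool, as an added example that is not from the original post or from any vendor's code. The allowlist, the function names and the HMAC-based approval token are assumptions made for illustration; the signing key is assumed to live with the human approval service, out of the agent's reach.

```python
import hashlib
import hmac
import shlex
from typing import Optional

# Constructed allowlist of read-only command prefixes (an assumption; tune per environment).
READ_ONLY = {("ls",), ("cat",), ("kubectl", "get"),
             ("kubectl", "describe"), ("kubectl", "logs")}
# Shell syntax that can chain, substitute or redirect, which would let a second
# command ride along behind an allowlisted prefix.
SHELL_META = set(";|&><`$(){}\n\\")


def is_read_only(command: str) -> bool:
    """True only for a single allowlisted command with no shell metacharacters."""
    if any(ch in SHELL_META for ch in command):
        return False
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes: refuse rather than guess
        return False
    return any(tuple(argv[:len(prefix)]) == prefix for prefix in READ_ONLY)


def sign_approval(key: bytes, command: str) -> str:
    """Issued by the human approval service for one exact command string."""
    return hmac.new(key, command.encode(), hashlib.sha256).hexdigest()


def authorize(command: str, environment: str, key: bytes,
              approval: Optional[str] = None) -> str:
    """Return 'allow', 'allow-approved' or 'deny' for an agent-issued command."""
    if environment != "production":
        return "allow"  # assumption: the gate only restricts production
    if is_read_only(command):
        return "allow"
    # Anything not provably read-only is treated as destructive and needs an
    # approval bound to this exact command, so a token cannot be reused elsewhere.
    expected = sign_approval(key, command).encode()
    if approval is not None and hmac.compare_digest(approval.encode(), expected):
        return "allow-approved"
    return "deny"
```

Because the token is computed over the full command string, an approval granted for one operation does not authorize a different one, and a chained command is never classified as read-only.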