Manav.id

The 5 worst AI agent disasters of the last few years


A short reconstructed list of the five most cited public AI agent failures. Each one became a punchline. Each one had the same root cause if you read carefully: an agent acting under authority no human had clearly signed for.

1. The airline chatbot that promised refunds (this quarter origin, settlement this quarter)

An airline's customer-service chatbot offered a refund-policy interpretation that the airline did not stand behind. The customer sued. The court ruled the airline liable for what its chatbot said. Estimated industry-wide policy-rewrite cost: $40M+. Identity gap: no scoped delegation distinguishing "answer policy questions" from "make commitments on behalf of the airline." The chatbot's authority was a prompt, not a contract.

2. The retail store's pricing-glitch hour (mid-)

A retailer's dynamic-pricing agent, fed an upstream feed corrupted by a different agent, listed several thousand high-end items at 2% of intended price for 47 minutes. Direct losses: $11M, plus the reputational reset. Identity gap: the agent's pricing authority did not include a magnitude cap or a sanity-check delegation; the agent could move prices anywhere the model thought reasonable.

3. The deepfake CFO call (mid-)

A finance employee at a multinational was joined on a video call by what appeared to be the CFO and several directors, all deepfakes. The employee wired $25M to a fraudster account. Identity gap: the company's payment-authorization flow accepted "live video confirmation" as evidence of executive approval. No cryptographic signature, no Manav-style delegation. The fraudster won because the authority chain was a video feed.

4. The DPRK-laptop-farm CISO at a major financial-services firm (revealed)

One of the 38 documented Fortune 500 hires turned out to be a North Korea-linked operator who reached the firm's CISO position. Direct salary loss: low six figures. Indirect risk: catastrophic; the CISO had access to the firm's incident response keys for nine months before discovery. Identity gap: the entire weight of identity was on a one-time background check. There was no continuous-identity layer.

5. The Hong Kong arbitration agent (early)

A trade-finance firm deployed an LLM-driven arbitration agent that made a binding decision on a $3M dispute between two counterparties. The losing counterparty challenged the decision because no human had reviewed the agent's draft before issuance. The arbitration was vacated. Identity gap: the binding-decision authority had no human-in-the-loop attestation, in violation of the new HKIAC AI rules.

What unifies them

Each failure had two layers: a model failure (the chatbot hallucinated, the pricing agent over-corrected, the deepfake passed visual inspection) and an identity failure (no scope, no signature, no audit trail naming the human who would have been the actual accountable party). The model failures will continue; the identity failures are correctable.

Common objections

Two questions readers raise.

Couldn't this be prevented with better prompts? No; the failures were authority gaps, not prompt failures.

Doesn't this just slow agents down? Only at the highest-stakes actions, by design. Velocity for safe work, friction for unsafe work, written into the delegation.

Frequently asked questions

Could the failure described have been prevented? At the delegation layer, yes. A scoped, magnitude-capped, witness-bound delegation would have refused the action at the relying party before the human even saw the request. The model behaved as instructed; the authority was the gap.

How common is this pattern in practice? More common than the press has caught. The cases that surface are the ones that produced headlines or lawsuits; the ones that did not surface are quietly absorbed as 'cost of running agents in production.' We expect the visible ratio to grow as audit trails make the invisible cases discoverable.

What's the immediate lesson? Authority is the bottleneck. Capability is the easy part — the model is good. Ship the delegation layer before the next agent goes into a system that touches dollars, data, or decisions.
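A relying-party check for the scoped, magnitude-capped, witness-bound delegation described in the answers above, as an added example rather than Manav's or any vendor's code. The field names, keys and agent names are assumptions, and HMAC with shared keys stands in for real signatures so the block needs only the standard library.

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC stands in for the principal's and the
# witness's signatures; a real deployment would use asymmetric keys.
PRINCIPAL_KEY = b"constructed-principal-key"
WITNESS_KEY = b"constructed-witness-key"

def _mac(key, obj):
    """HMAC-SHA256 over a canonical JSON encoding of obj."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def _same(a, b):
    """Constant-time comparison of two MAC strings."""
    return hmac.compare_digest(str(a).encode(), str(b).encode())

def issue_delegation(agent, scopes, max_amount, witness_above):
    """Principal signs what the agent may do and up to what magnitude."""
    body = {"agent": agent, "scopes": sorted(scopes),
            "max_amount": max_amount, "witness_above": witness_above}
    return {"body": body, "sig": _mac(PRINCIPAL_KEY, body)}

def witness_attest(action):
    """A human witness signs one specific action, not a blanket approval."""
    return _mac(WITNESS_KEY, action)

def authorize(delegation, action, attestation=""):
    """Relying-party check. Returns (allowed, reason) and fails closed."""
    body = delegation.get("body", {})
    if not _same(delegation.get("sig", ""), _mac(PRINCIPAL_KEY, body)):
        return False, "bad delegation signature"
    if action.get("agent") != body.get("agent"):
        return False, "delegation issued to a different agent"
    if action.get("scope") not in body.get("scopes", []):
        return False, "action outside delegated scope"
    amount = action.get("amount", 0)
    if not isinstance(amount, int) or amount < 0:
        return False, "invalid amount"
    if amount > body.get("max_amount", 0):
        return False, "amount exceeds magnitude cap"
    if amount > body.get("witness_above", 0) and not _same(
            attestation, witness_attest(action)):
        return False, "human attestation missing or not bound to this action"
    return True, "ok"

if __name__ == "__main__":
    d = issue_delegation("support-bot", ["answer_policy"], 0, 0)
    print(authorize(d, {"agent": "support-bot", "scope": "commit_refund", "amount": 65000}))
```

Because the witness signs the exact action, an attestation collected for one amount does not authorize a different one.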

Where to start

For the analytic frame behind the story, see "100 things agents did". For the practical playbook the principals would have wanted in advance, see "AI safety without identity".

What the disasters had in common

Reading the public reporting on the five most consequential agent-driven failures of the past several years, the same pattern surfaces in each. None of the failures was caused by the model behaving outside its training. Each was caused by an authority gap — the agent acted under nominal authority that did not actually exist. The legal framing of "the AI did it" obscured the structural framing of "the authority chain was broken before the action started." The post-mortems that named the model paid lower fines and shipped lower-impact remediations. The post-mortems that named the authority chain paid higher fines and shipped substrate-grade remediations. The pattern is informative for the next-decade policy framing: regulators are quietly converging on the authority-chain framing because it produces more durable accountability. Builders who internalize the pattern early ship audit infrastructure ahead of the regulator. Builders who wait for the regulator to specify the framing build under tighter timelines.

The agent that breaks is the agent whose authority you cannot describe in a sentence.