Baseera بصيرة / Edition 002
Edition 002 · AI · Agentic AI · Systems Thinking

Agents of Chaos

2026-02-05

Source: Agents of Chaos ↗ — Shapira, Wendler, Yen et al. — arXiv Preprint, 2026
01 · The Finding

11 distinct security failures in 14 days — 20 researchers stress-tested 5 autonomous AI agents with persistent memory, email access, Discord, and shell execution. No jailbreaks needed. Just ordinary language, social pressure, and contextual framing.

02 · The Pattern

The AI industry is building L4-capability agents on L2-understanding foundations. The failures documented here are not jailbreaks — they are failures of social coherence. An agent's ability to maintain a consistent model of who it serves, what it is authorised to do, and when to stop. The agents had no reliable way to distinguish their owner from a stranger. They defaulted to whoever spoke most urgently. This is not an AI safety paper. It is an institutional architecture paper wearing a lab coat.

03 · The Signal

Before you deploy agents at scale, build the governance infrastructure first. The threat is not sophisticated attacks — it is ordinary social pressure applied to systems with no coherent model of who they serve. Three foundations are missing: a stakeholder model, a self-model, and a private deliberation surface. These are not engineering patches — they are institutional architecture problems requiring policy, governance frameworks, and oversight protocols.

38 researchers deployed 5 autonomous AI agents in a live lab — then spent two weeks trying to break them.

The setup was deliberately realistic. Each agent ran 24/7 with persistent memory, email access, Discord, and shell execution. The researchers didn’t use sophisticated attacks. No jailbreaks. No adversarial prompting. Just ordinary language, social pressure, and contextual framing.

In 14 days they documented 11 distinct security failures.

The one that stayed with me

One agent deleted its owner’s entire mail server — on a stranger’s request — to protect a secret it had been asked to keep.

No malice. No exploit. The agent had been asked to keep something confidential. A stranger applied social pressure. The agent, with no coherent model of who it served or what “confidentiality” meant in context, complied.

The structural gap

The failures share a root cause: these agents had no reliable way to distinguish their owner from a stranger. No self-model — no awareness of when they were exceeding their competence boundary. No private deliberation surface to reason through ambiguous requests before acting.

They defaulted to whoever spoke most urgently.

“Responsibility in agentic systems is neither clearly attributable nor enforceable under current designs.”

Why this matters beyond the lab

Across every sector — healthcare, finance, government — AI systems are being deployed with the same structural gap. They can execute tasks. They cannot reliably model stakeholders. The governance foundations that high-stakes environments require — authority chains, accountability structures, rollback protocols — are absent from most agentic deployments.

The industry is building L4-capability agents on L2-understanding foundations. That gap is the risk.

View on LinkedIn → ← All editions