Last week’s report of a Cursor AI agent deleting PocketOS’s production database is the kind of story that makes every platform and security leader pause.

Not because it’s surprising, but because it was inevitable.

The reality is AI agents are no longer passive copilots. They can execute commands, access systems, and operate with autonomy. When those agents run without guardrails, the failure mode isn’t just a bad suggestion, it’s real-world impact.

The incident highlights a structural gap in how most organizations are deploying AI today.

The real problem is the execution layer

Most conversations about AI safety focus on models: prompt injection, hallucinations, or alignment.

But the Cursor incident wasn’t fundamentally a model problem. It was an execution problem.

The agent obtained access to sensitive systems, including the production database, by scavenging an over-scoped credential from an unrelated file in the developer's environment. It had the ability to execute destructive actions through an API call. No enforced boundaries prevented the agent from doing so, and limited auditability meant the team had to rely on the agent's own account of what it had done.

Coder's AI Maturity Self-Assessment of 100 engineering organizations found that 69% of organizations are running agents under ad-hoc or pilot-stage policies. That gap between agent capability and infrastructure control is exactly where incidents like this one happen.

This new class of risks emerge when agents operate outside governed infrastructure. The agent ran on a developer machine with inherited credentials, unrestricted network access, no separation between the agent's staging task and production data, and no isolation between the database volume and its own backups. The agent wasn’t constrained by the system it ran in.

That’s where AI Governance becomes critical!

Coder approaches AI governance differently

Most tools in the ecosystem try to solve governance at the model layer; routing requests, filtering prompts, or managing API keys.

Coder takes a different approach by governing where AI runs, how it executes, and what it can access.

Coder AI Governance combines:

• AI Gateway: centralizes and audits all AI interactions
  
• Agent Firewall: enforces network-level controls on agent behavior
  
• Self-Hosted Workspaces: ensures agents run in controlled environments

Together, these form an execution-layer control plane for AI.

How this incident would have been prevented (or contained)

Here is how each failure mode from the PocketOS incident maps to what would happen inside a governed Coder environment.

1. Unrestricted access to production systems

What happened:
The agent was able to access and modify a production database.

With Coder:
Agents run inside isolated, self-hosted workspaces with no implicit access to production systems. Access is defined through templates and role-based access controls, not inherited from a developer's machine. These reproducible workspaces help improve isolation, reducing persistence and enabling quick rebuilds vs. production impact.

Impact:
The agent would not have had default access to production data. The blast radius is reduced to the isolated self-hosted workspace.

2. No network-level guardrails

What happened:
The agent executed actions against systems it should not have been able to reach.

With Coder Agent Firewall:

A default-deny outbound network policy means agents can only access explicitly allowed listed domains. Every HTTP request is evaluated, enforced, and logged.

Impact:
The database endpoint would not be reachable unless explicitly permitted. The destructive action is blocked before it happens.

3. Lack of visibility into agent behavior

What happened:
Limited ability to reconstruct what the agent did and why.

With AI Gateway:
Every prompt, response, and tool call is logged and attributed to a specific user. Activity is grouped into sessions, enabling causal traceability. Token usage, model calls, and actions are fully observable.

Impact:
Teams would have a complete audit trail of who initiated the task, what the agent did, and how it escalated.

4. API key and credential sprawl

What happened:
Agents often operate with scattered credentials and implicit access.

With Coder:
AI Gateway centralizes and governs credentials used by agents. Authentication is tied to Coder identity, not unmanaged credentials scattered across environments. Centralized control reduces the risk of over-privileged access.

Impact:
No hidden credentials granting unintended access to sensitive systems.

5. Unbound agent execution

What happened:
The agent executed a destructive task without meaningful constraints.

With Coder AI Governance + Workspaces:
Agents run inside ephemeral, infrastructure-defined workspaces with a default-deny egress policy enforced at the workspace boundary. Outbound traffic is restricted to allowlisted domains, with every request evaluated and logged.

Impact:
Even if an agent behaves incorrectly, the damage is contained and reversible. This containment principle proved valuable during the Shai-Hulud 2.0 supply chain attack in late 2025, when organizations using isolated cloud development environments recovered in just a few hours.

AI needs infrastructure, not just interfaces

The industry has focused heavily on making AI agents more capable. But capability without control is what leads to incidents like this.

What’s missing is governed infrastructure: a place where agents can run safely, clear boundaries on what they can access, and full visibility into what they do

This is why AI Governance exists.

Without it, organizations face shadow AI sprawl, no audit trail, agent unpredictability, and an expanding attack surface. With it, they gain controlled execution environments, centralized visibility and auditability, enforced network and access policies, and a reduced blast radius for failures.

From the “wild west” to governed systems

Right now, most organizations are still in the early phase of AI adoption, with agents running across laptops, scripts, and disconnected environments.

Coder's AI Maturity assessment puts a number on it: 61% of engineering organizations are already running agents, yet 70% are doing so on infrastructure that was never designed to support them. That model does not scale.

Coder’s approach is simple: move AI agents into governed infrastructure. Run them in environments where access is intentional, behavior is observable, and failures are contained.

The PocketOS incident is not an outlier. It is a preview. AI agents are powerful, and without governance, they are also unpredictable actors with real-world impact. The organizations that succeed will not be the ones that avoid AI. They will be the ones that run AI on infrastructure designed for control, visibility, and safety from day one.

See how Coder's AI Governance secures AI coding agents at scale.