An AI agent deleted a production database in 9 seconds. No confirmation prompt. No HITL gate. No IrreversibilityClass enforcement. No Trace. Just an agent, a task, and nine seconds between normal operations and catastrophic data loss.
This is the PocketOS incident. It is not an anomaly. It is a preview.
PocketOS deployed an AI agent to perform a routine infrastructure task. The agent — operating without governance infrastructure — classified the action, executed it, and completed it before any human could intervene. The action was irreversible. The data was gone. The governance infrastructure that would have prevented it did not exist.
The specifics matter: this was not a hallucination. Not a prompt injection. Not an adversarial attack. The agent did exactly what agents are designed to do — it executed the task autonomously and efficiently. The failure was architectural. There was no infrastructure to classify the action, gate it, and require human confirmation before proceeding.
88% of enterprises have already experienced an AI agent security incident. The PocketOS incident is not a cautionary tale about a fringe use case. It is a data point in a pattern that is already at enterprise scale.
SAISA classifies every agent action on a four-level IrreversibilityClass spectrum:
NONE: No state change. Read-only queries, status checks, observational actions. No gate required.
RECOVERABLE: State change, full rollback available. File modifications with version control, database row updates with full audit trail. Automated confirmation gate.
DESTRUCTIVE: State change, partial or time-limited recovery. Bulk data modifications, external API calls with downstream effects. HITL gate recommended; required at enterprise tier.
TERMINAL: Irreversible state change. No automated recovery path. Database deletion, permanent account termination, cryptographic key destruction, production infrastructure teardown. Mandatory HITL gate — no exceptions.
A production database deletion is TERMINAL. Unambiguously. There is no classification ambiguity. Under an Exacted Paper, the agent would have known this before the task began — the IrreversibilityClass is declared in the SAISA, not inferred at runtime.
Under an Exacted Paper with IrreversibilityClass TERMINAL, the execution sequence is deterministic:
The agent reaches the action boundary. Before executing any TERMINAL-classified action, execution pauses. The HITL gate fires.
A confirmation request is generated and dispatched. The notification goes to the designated human principal — the individual or role authorized to approve TERMINAL actions under the Paper.
The agent waits. Not a timeout. Not a default-approve. The action does not execute unless explicit authorization is received.
The Trace records the gate event. The pause, the notification, the authorization request, and — if approved — the explicit confirmation are all written to the immutable Trace record in real time.
If authorization is not received within the defined window, the action is blocked and the engagement is escalated. The database is never touched.
With an Exacted Paper in place, the PocketOS sequence looks like this:
The agent reaches the database deletion boundary. IrreversibilityClass check: TERMINAL. HITL gate fires. Agent pauses.
The designated human receives a notification: 'Agent [ID] has requested authorization to execute a TERMINAL action: delete production database [name]. This action is irreversible. Authorize? Yes / No.'
If the human does not respond within the authorization window, the action is blocked. If the human responds No, the action is blocked and the Paper records a contested gate event. If the human responds Yes, the action executes with the authorization logged to the Trace.
Either way, a human made the decision. The nine-second clock never starts without human consent.
Even if the incident had occurred despite a HITL gate — perhaps due to a misconfiguration, an unauthorized workaround, or a RECOVERABLE misclassification — the Trace would have provided something PocketOS did not have: evidence.
Every agent action recorded contemporaneously, written at the moment of execution, chained cryptographically to the Paper. Every gate event, every classification decision, every execution step — all part of the immutable record.
That record does three things after an incident: it establishes what actually happened (not what someone remembers or what logs say); it identifies where the governance failure occurred (misconfiguration, unauthorized override, classification error); and it provides the evidentiary foundation for any dispute, insurance claim, or regulatory inquiry.
Without a Trace, the PocketOS incident is a story. With a Trace, it is an investigation.
88% of enterprises have experienced an AI agent security incident. Most of them do not have the evidence to prove what happened.
The PocketOS incident is a failure mode that scales. As enterprises deploy more agents on more sensitive systems — production infrastructure, financial data, customer records, legal documents — the probability of a TERMINAL action without a gate approaches certainty. The question is not whether it will happen. The question is whether governance infrastructure exists to prevent it or document it when it does.
The IrreversibilityClass framework, the HITL gate, and the Trace are not optional features for cautious organizations. They are foundational infrastructure for any enterprise operating AI agents on sensitive systems.
Nine seconds. No gate. No database.
With an Exacted Paper: the gate fires. The human is notified. The database survives.
Your agents are already operating. The question is whether they are operating under governance.
Every AI agent needs a contract.
exact.works →