An AI Agent Deleted a Startup's Production Database — Can You Insure Against That?

In April 2026, a Cursor AI agent running on Anthropic’s Claude Opus model deleted a startup’s entire production database — including backups — via a single 9-second API call.

The startup was PocketOS, a car rental software platform. The AI agent’s action wasn’t triggered by an attacker, a malicious insider, or a software vulnerability. The agent was simply doing what it was asked to do — and it had the permissions to destroy everything.

When asked to explain itself, the agent reportedly said:

“I violated every principle I was given: I guessed instead of verifying, I ran a destructive action without being asked, I didn’t understand what I was doing before doing it.”

It’s a remarkable admission. And it raises a question that every cyber underwriter, broker, and risk manager should be asking: can you insure against this?

What Happened

Jer Crane, founder of PocketOS, reported that the Cursor AI agent accessed the company’s production database on Railway (a cloud infrastructure provider) and executed a destructive action that wiped both the database and its backups.

The impact was immediate and real:

• Lost reservations and new customer signups
• Customers arriving at car rental locations with no record of their booking
• A Saturday morning crisis with no data to serve customers

Railway’s founder Jake Cooper recovered the data within approximately 30 minutes — calling it a case of “vibe deletion,” a darkly humorous play on “vibe coding.” The root cause: a legacy Railway endpoint lacked the deletion delay feature that would have prevented the AI agent from executing the destructive command instantly. That endpoint has since been patched.

Why This Matters for Insurance

This incident is not a data breach. There was no threat actor, no exfiltration, no ransomware note. The “attacker” was the insured’s own AI agent — a tool the company voluntarily deployed and authorized.

And that’s exactly what makes it difficult for cyber insurance.

The Coverage Question

Most cyber insurance policies define coverage around a “cyber event” — typically defined as unauthorized access, use, disclosure, or disruption of systems. But when your own AI agent deletes your database:

• Was there unauthorized access? No — the agent had legitimate credentials and permissions.
• Was there an external attacker? No — there was no threat actor at all.
• Was there a system failure? Possibly — but system failure coverage typically excludes actions initiated by the insured’s own authorized systems.
• Was there data loss? Yes — but caused by the insured’s own tool, not by a covered peril.

As we explored in our analysis of what “cyber event” actually means in policy wording, the definition determines whether coverage even applies before exclusions kick in. An AI agent operating within its authorized permissions doesn’t fit most definitions of a cyber event — even though the financial loss is identical to a ransomware attack.

The Sublimit Problem

Even if coverage were to apply, AI sublimits are emerging as the industry’s first response to AI-related risk. QBE and Beazley have introduced 10% AI sublimits — meaning a $5M cyber policy would pay a maximum of $500K for AI-related incidents.

For a startup like PocketOS, where the entire business operation depends on a single database, $500K may be insufficient to cover the full cost of the outage, recovery, and reputational damage.

The Intentionality Gap

Here’s where it gets more complex: was the AI agent’s action intentional?

From the insured’s perspective, no — they didn’t ask the agent to delete the database. The agent acted beyond instructions.

From the insurer’s perspective, the tool was authorized, the permissions were granted, and the action was carried out by the insured’s own system. Many policies have exclusions for intentional acts by the insured — and while the insured didn’t intend the outcome, they did intentionally deploy and authorize the agent.

This gray zone — the insured didn’t want the outcome, but they did create the conditions for it — is where 1 in 4 cyber claims gets denied.

This Isn’t an Isolated Incident

The PocketOS case is the third publicly reported incident of AI agents causing production damage:

Incident	Date	AI System	Impact
Replit agent deletes production database	July 2025	Replit coding agent	Full production wipe during 12-day vibe-coding session
Amazon Q linked to order processing errors	March 2026	Amazon Q AI coding tool	~120,000 lost orders
Cursor/Claude agent deletes PocketOS database	April 2026	Cursor AI (Claude Opus)	Production DB and backups deleted in 9 seconds

The pattern is clear: AI agents with production access can cause real business damage, and the frequency is increasing.

What Underwriters Should Be Asking

Three questions for every submission that mentions AI tools, agents, or automation:

1. Does the insured use AI agents with production access?

Not “does the insured use AI?” — that’s every company now. The specific question is whether AI agents (autonomous or semi-autonomous systems) have write access, delete access, or infrastructure modification access to production systems.

If yes, what human-in-the-loop safeguards exist? The PocketOS incident shows what happens when there are none.

2. Are AI agent actions covered under the current policy?

Review the “cyber event” definition. Does it require unauthorized access? An external threat actor? A security breach? If the answer to any of these is yes, an AI agent operating within its authorized permissions may not trigger coverage — even when the outcome is identical to a covered event.

3. What are the AI sublimits?

If AI sublimits exist, map the maximum payout against the insured’s actual exposure. For startups running their entire operation on a single database, AI sublimits of 10% may be catastrophically inadequate.

The Risk Register Implication

From a risk quantification perspective, this incident adds a new risk category that most organizations haven’t modeled: AI agent operational destruction.

On the Resiliently risk register, this would fall under the “AI/LLM-Specific Risks” category — specifically:

• Loss Event Frequency: Currently low (3 publicly reported incidents in 12 months), but growing rapidly as AI agent adoption accelerates
• Loss Magnitude: Potentially catastrophic for small organizations — the entire business can be destroyed in seconds
• Control Strength: Zero for many organizations — most have no safeguards around AI agent permissions

The control recommendations from security professionals are clear:

1. Give AI agents read-only access to sensitive data and production systems
2. Implement human-in-the-loop checkpoints for any destructive action
3. Have AI agents work with copies of data that can be reverted
4. Apply the principle of least privilege — AI agents should never have delete permissions on production systems

These controls reduce risk, but they don’t eliminate it. Residual risk exists even after controls — and when the control is “don’t give the AI agent delete permissions,” the underwriting visibility gap is whether the insured actually enforces that policy in practice.

The Bigger Picture

The PocketOS incident is a preview of a much larger category of risk. As AI agents become standard development tools:

• Every developer using Cursor, GitHub Copilot, or similar tools has the potential for AI-initiated production damage
• The boundary between “authorized use” and “unintended consequence” will be tested in courts and claims departments
• Insurance products will need to evolve — either by expanding definitions or by creating new AI-specific products

The question isn’t whether AI agents will cause more production incidents. They will. The question is whether the insurance market recognizes this as a new risk category that requires new coverage structures — or whether it continues to squeeze AI incidents into definitions that weren’t written for them.

The startup that lost its database to its own AI agent is the canary. The coal mine is every company now deploying AI agents with production access.

---

Michael Guiao is the Founder of Resiliently.ai and the author of Resiliently. He holds CISM, CCSP, CISA, and DPO (TÜV) certifications and has 8+ years of experience across insurance, auditing, and consulting at firms including AXA, Xella Group, and PwC.