Full Access, Blind Trust: The Real Risk of AI Agents
Key Intel / TL;DR
  • OpenAI's GPT-5.6 deleted users' entire home directories in Full Access Mode, overwriting a variable and carrying out destructive actions on its own.
  • The model was not malicious. It was wrong while holding root, which is the same failure as any over-permissioned account.
  • The real vulnerability is the human decision to grant broad access because a scoped setup is more work.
  • An AI agent is a non-human identity with no judgment and no fear of consequences. Give it the least access the task requires, nothing more.
  • Treat Full Access Mode as a privileged account: scoped, logged, reversible, and never the default for convenience.

A developer asked an AI agent to help clean up a project folder, granted it full access to save the friction of approving each step, and watched it delete the entire home directory. Not the project folder. The home directory. Every file the user owned, gone, because the model overwrote a variable that pointed at a temporary location and then acted on the wrong target with the confidence of something that cannot feel doubt.

That happened this month. OpenAI confirmed GPT-5.6 wiped users’ home directories in several cases, almost all in what it calls Full Access Mode, and said plainly that it “shouldn’t happen at all, even in unprotected mode” (The Decoder). The company called it an honest mistake. I think that phrase is exactly right, and it is also the whole problem.

The Machine Did Not Betray Anyone

We reach for the language of malice when technology hurts us. The AI “went rogue.” The agent “turned on its user.” That framing feels satisfying because it puts the fault out there, in the machine, in something other than the choice we made.

It also gets the threat model wrong.

Nothing turned. The model was not compromised, not jailbroken, not steered by an attacker. It was trying to help, following instructions that told it to be persistent and to finish the job, and in the course of being helpful it destroyed everything. OpenAI even noted that system prompts pushing the model to be persistent made the effect worse. The agent did precisely what an eager, literal, tireless worker with no judgment does when you hand it root and tell it not to stop until the task is done.

The word that matters here is judgment. A junior employee who is unsure deletes nothing and asks. That pause, that flicker of “wait, am I about to do something I cannot undo,” is fear in the useful sense: the nervous system flagging risk before the hands move. The model has no such flag. It has fluency and speed and an instruction to persist, and it will drive straight through the moment a person would have stopped.

Blind Trust Is the Vulnerability

For years I have argued that the exploitable path into most organizations runs through a person, not a firewall. The Human Zero-Day is the decision-maker whose stress, fatigue, or trust can be turned into access. This story is a new shape of the same idea, and it is worth naming clearly.

The vulnerability in the GPT-5.6 incident lives in the human decision to grant full access because the alternative was more work.

Think about how that decision actually gets made. You are in flow, moving fast, and the agent keeps stopping to ask permission. Approve this command. Approve this file operation. Approve, approve, approve. Each prompt is a small tax on your momentum, and your brain treats momentum as reward. So you find the setting that makes the asking stop. Full Access. Now it just does the work, and for a hundred tasks that feels like a gift.

The hundred-and-first task is the home directory.

This is a predictable human move, not a careless one. Under cognitive load, we optimize for the friction we can feel right now, the interruptions, over the risk we cannot feel yet, the deletion that has not happened. Psychologists have shown for decades that we are not calm calculators weighing outcomes. We are, as the neuroscientist Antonio Damasio put it, feeling machines that think, and the feeling in the moment is that the prompts are annoying. The catastrophe is abstract until it is total.

An attacker does not have to engineer that. The workflow engineers it for them.

An AI Agent Is a Non-Human Identity

Strip away the novelty and an AI agent is something your security program already knows how to think about. It is a non-human identity: an actor on your systems that is not a person, holding credentials and permissions, taking actions that get logged under its name. Service accounts, API keys, and automation bots have always been this, and they outnumber your human staff many times over.

We have hard-won rules for those identities. A service account gets the narrowest permission set the job requires. A bot that reads a database does not also get the right to drop it. We scope, we log, we rotate, we review. Nobody sane gives a cron job root because approving its individual actions was tedious.

Then an AI agent arrives wearing the interface of a helpful colleague, and the discipline evaporates. Because it talks like a person, we extend it the trust we extend a person, including the benefit of the doubt that a person earns through judgment the agent does not have. We grant it access we would never hand a script, because the script never charmed us.

The reframe that fixes this is unglamorous. Full Access Mode is a privileged account grant, and it deserves every control you already apply to one.

What Least Privilege Looks Like for an Agent

None of this is an argument against using AI agents. I am pro-AI, and the productivity is real. It is an argument for extending them the same skepticism you extend every other powerful thing on your network. Most of the work is boring, which is why it gets skipped.

Default to the smallest scope, not the largest. The agent should get access to the project directory, not the home directory. To the one database it needs, not the cluster. Broad access should be a deliberate exception you grant for a reason, not the setting you pick to stop the prompts. If the tool makes wide access the path of least resistance, that is a flaw in the tool, and you should treat it as one.

Keep the sandbox on. The GPT-5.6 deletions clustered in the mode where sandbox protection was disabled. The sandbox is the blast wall. Running an agent with it off, against your real filesystem, is the digital version of testing a new machine with your hands inside it.

Make destructive actions reversible. The reason a deleted home directory is a catastrophe and a deleted file in version control is a shrug is recoverability. Snapshots, backups you have actually restored from, and version control are what convert an agent’s honest mistake from a disaster into an annoyance. Assume the agent will eventually do the wrong thing at full speed, and build so that it does not matter when it does.

Log the agent like a privileged user. Every action it takes should be attributable and reviewable after the fact. When something goes wrong, and it will, you need to reconstruct what the agent did and why, the same way you would investigate a service account that started behaving strangely.

Watch the persistence instruction. OpenAI found that prompting the model to be persistent made the damage worse. Telling an agent to finish no matter what removes the one thing you actually want it to do when it is uncertain, which is stop. Build in the pause. Reward the agent for asking before it does the irreversible thing, not for pushing through.

The Part That Is Really About Us

The uncomfortable center of it is this. Every one of those controls existed and was well understood before this incident. None of them is new. The industry did not lack the knowledge. The home directories got deleted because a human being, moving fast and trusting the helpful-sounding thing in front of them, turned the guardrails off because the guardrails were in the way.

That is a story about attention, momentum, and the very old human habit of trading a risk we cannot feel for a friction we can. The same habit that makes us reuse the password, prop the fire door, and click the link when we are tired and behind. The tool changed. The operator did not, and the operator is still the part of the system the failure runs through.

The most secure teams will not be the ones who use less AI. They will be the ones who look at an agent asking for full access and feel the same small alarm they would feel handing a new contractor the master key on day one. That alarm is the judgment the machine does not have. Right now it lives only in you, and the whole game is refusing to switch it off for the sake of a smoother afternoon.

If you are rolling AI agents into real work and want to know where an over-trusted one could actually reach in your environment, that is exactly the kind of blast radius we map. Start with our free Human Attack Surface Score, or contact Grab The Axe and we will trace it with you. For the technical controls around the models themselves, our playbook on securing LLM APIs goes a layer deeper.

Distribute Intel
Jeff Welch
Chief Executive Officer
Jeff Welch
Architect of the 'Cognitive Firewall.'

A PhD candidate in Health Psychology and former Corrections Officer, Jeff founded GTA to dismantle passive security models. He focuses on the 'Human Zero-Day', mitigating executive burnout and decision fatigue before they become security breaches.

View Author Page →