Best Practices for Managing AI Agents in Production

AI agents can do amazing things to make the lives of IT professionals easier. But, they also have the potential to do amazingly bad things — a lesson some organizations are already learning the hard way. 

For instance, Replit, a provider of software development tools, announced in July 2025 that an AI tool had deleted an entire production database. Although it’s unclear exactly what went wrong in that case — whether it was an issue like a buggy AI agent, a poorly written prompt, or a failure on the part of the LLM that guided the agent’s actions — the incident highlights the types of severe problems that can occur when AI agents do things they shouldn’t do. 

By extension, it underscores the critical importance of taking steps to manage the risks that AI agents pose. To take full advantage of the tremendous power offered by agentic AI technology, IT pros must also adhere to best practices that can prevent AI agents from using that power in ways humans didn’t intend. 

Given that agentic AI technology remains quite new, consensus on how best to secure and manage AI agents is still evolving. But as someone who has been working extensively with AI agents to help build and deploy software for the better part of a year, I have some precise thoughts on what teams can do to keep risks in check without compromising their ability to take full advantage of AI agents. 

Why Do AI Agents Make Mistakes? 

By automating tasks like writing, testing, and deploying code, AI agents can save a great deal of time. I’m certainly not here to suggest anyone avoid using AI agents. 

However, AI agents also have the potential to cause harm by doing things that the humans in charge of the agents didn’t intend. This is due to the way that AI agents work: When you ask an agent to handle a task, you effectively outsource that task, leaving it up to the agent to decide exactly how to carry it out. A variety of issues may arise that result in the agent doing something you don’t want, such as: 

  • Bugs in the logic that controls the agent may cause it to behave in an unexpected way. For instance, the agent may pass invalid context to the AI model it’s working with, resulting in an action that is different from what you requested. 
  • The prompt that you issue to the agent could be ambiguous or challenging for the model to interpret, causing the agent to respond in a manner you didn’t intend. 
  • The AI model that guides the agent may hallucinate and instruct the agent to do something you didn’t want — like execute a command that deletes a critical resource. 

It’s worth noting that these risks generally don’t apply (at least not to the same extent) to other types of software. When you write code that spells out line by line how an application should complete a task, you can have confidence that, as long as there are no bugs in your code or configuration, the application will behave in the way you programmed it to. But AI agents are different because they have a degree of autonomy. There is no way to guarantee that an agent will do what you want it to do, let alone that it will do it in the specific way you envisioned. Even if your prompt includes detailed instructions, the agent may end up doing something different. 

Of course, ultimate responsibility for errors made by AI agents falls to the humans who use those agents — which is why anyone who gives agents access to resources must be prepared to own mistakes made by the agents. 

Best Practices for Mitigating Agentic AI Risks 

The inability to control AI agents’ behavior with total precision makes it impossible to guarantee they won’t make mistakes. What you can do, however, is implement measures that restrict which resources agents are able to access and which actions they can carry out by adopting the following practices. 

Enable Automated Rollbacks 

In the context of agentic AI, the difference between a catastrophic mistake and a minor disruption often hinges on whether you can easily revert changes made by an agent. This is why it’s important to ensure the ability to roll back changes made by agents, which you can do by implementing version control systems. 

For instance, if an agent deletes a file that was version-controlled, it’s not a big deal if you can simply restore the deleted file. It’s a much worse problem if there is no easy way to undo the change. 
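One way to make every agent edit reversible at the tool layer, in addition to keeping the repository under version control, is to journal the prior state of each file before the agent touches it. The following is an added example, not code from the article or from any agent framework; the `JournaledWorkspace` class, its method names and the sample files are this example's own constructions.

```python
"""Undo journal for file changes an agent makes (added example, not from the article).

Every mutating operation the agent performs goes through `JournaledWorkspace`, which
records the prior state of the file first, so an operator can revert the agent's whole
session with one call. Paths and contents below are constructed for the demo.
"""
import os
import tempfile
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Change:
    path: str
    previous: Optional[bytes]  # None means the file did not exist before the change


@dataclass
class JournaledWorkspace:
    root: str
    journal: list = field(default_factory=list)

    def _full(self, rel: str) -> str:
        """Resolve a workspace-relative path and refuse anything that escapes the root."""
        full = os.path.normpath(os.path.join(self.root, rel))
        if not full.startswith(os.path.normpath(self.root) + os.sep):
            raise PermissionError(f"path escapes workspace: {rel}")
        return full

    def _snapshot(self, rel: str) -> None:
        full = self._full(rel)
        prev = None
        if os.path.exists(full):
            with open(full, "rb") as f:
                prev = f.read()
        self.journal.append(Change(rel, prev))

    def write(self, rel: str, data: bytes) -> None:
        self._snapshot(rel)
        full = self._full(rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)

    def delete(self, rel: str) -> None:
        self._snapshot(rel)
        full = self._full(rel)
        if os.path.exists(full):
            os.remove(full)

    def read(self, rel: str) -> Optional[bytes]:
        full = self._full(rel)
        if not os.path.exists(full):
            return None
        with open(full, "rb") as f:
            return f.read()

    def rollback(self) -> int:
        """Undo every journaled change in reverse order; returns the number undone."""
        undone = 0
        while self.journal:
            change = self.journal.pop()
            full = self._full(change.path)
            if change.previous is None:
                if os.path.exists(full):
                    os.remove(full)
            else:
                with open(full, "wb") as f:
                    f.write(change.previous)
            undone += 1
        return undone


def demo() -> dict:
    """Simulate an agent session that edits, deletes and creates files, then revert it."""
    root = tempfile.mkdtemp()
    ws = JournaledWorkspace(root)
    # Constructed starting state, written directly so it looks like it pre-existed.
    os.makedirs(os.path.join(root, "app"))
    with open(os.path.join(root, "app", "config.py"), "wb") as f:
        f.write(b"DEBUG = False\n")

    ws.write("app/config.py", b"DEBUG = True\n")     # agent edits a file
    ws.delete("app/config.py")                        # then deletes it
    ws.write("app/new_module.py", b"print('hi')\n")  # and creates a new one
    after_agent = {"config": ws.read("app/config.py"), "new": ws.read("app/new_module.py")}
    undone = ws.rollback()
    after_rollback = {"config": ws.read("app/config.py"), "new": ws.read("app/new_module.py")}
    return {"undone": undone, "after_agent": after_agent, "after_rollback": after_rollback}
```

The journal lives outside the agent's control: the agent only sees `write`, `delete` and `read`, while `rollback` is something the operator calls. Git remains the durable record; this layer simply makes "undo this session" a single step that does not depend on the agent having committed anything.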

Restrict Agent Privileges 

Just as you wouldn’t give an untrusted human unrestricted access to IT resources, it’s a best practice to restrict which resources AI agents can access. Like humans, agents should be subject to the principle of least privilege, meaning they are able to access only the resources necessary for them to accomplish their intended tasks. 

For example, if you plan to use a coding agent to manage just one application feature, giving it access to all of your repositories may be a mistake. Instead, provide access only to the repositories or source files associated with that particular feature — unless the agent needs to be able to view other code for contextual purposes, in which case it could receive read-only access for the contextual code while retaining the ability to write or modify code associated with the specific feature. 
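The read-write-on-one-feature, read-only-for-context split described above can be enforced in front of the agent's file tools rather than left to the prompt. The following is an added example, not code from the article or any particular agent framework; the `AgentScope` type, the `authorize` and `run_tool` functions and the directory names are assumptions made for the demo.

```python
"""Least-privilege scoping for a coding agent's file tools (added example, not from the article).

The agent works on one feature. It may read and write inside that feature's directories,
read (but not write) a set of context directories, and touch nothing else. The policy is
checked before every tool call instead of trusting the model to stay in bounds.
Directory names below are constructed for the demo.
"""
from dataclasses import dataclass
from pathlib import PurePosixPath


@dataclass(frozen=True)
class AgentScope:
    """Paths are repository-relative POSIX paths; each entry is a directory prefix."""
    read_write: frozenset  # directories the agent owns for this task
    read_only: frozenset   # directories the agent may read for context


def _normalize(path: str) -> PurePosixPath:
    p = PurePosixPath(path)
    if p.is_absolute() or ".." in p.parts:
        raise PermissionError(f"rejected path outside repository: {path}")
    return p


def _under(path: PurePosixPath, prefix: str) -> bool:
    return path == PurePosixPath(prefix) or PurePosixPath(prefix) in path.parents


def authorize(scope: AgentScope, action: str, path: str) -> bool:
    """Return True if `action` ('read' or 'write') on `path` is allowed by `scope`."""
    if action not in ("read", "write"):
        raise ValueError(f"unknown action: {action}")
    p = _normalize(path)
    if any(_under(p, d) for d in scope.read_write):
        return True
    if action == "read" and any(_under(p, d) for d in scope.read_only):
        return True
    return False


def run_tool(scope: AgentScope, action: str, path: str, log: list) -> str:
    """Gate a tool call: allowed calls proceed (simulated here), denied ones are logged."""
    try:
        allowed = authorize(scope, action, path)
    except PermissionError as exc:
        log.append(f"DENY {action} {path}: {exc}")
        return "denied"
    if not allowed:
        log.append(f"DENY {action} {path}: outside agent scope")
        return "denied"
    log.append(f"ALLOW {action} {path}")
    return "ok"


# Constructed scope: the agent owns the checkout feature and may read shared models.
CHECKOUT_AGENT = AgentScope(
    read_write=frozenset({"src/features/checkout", "tests/checkout"}),
    read_only=frozenset({"src/models", "src/common"}),
)


def demo() -> list:
    log = []
    run_tool(CHECKOUT_AGENT, "write", "src/features/checkout/cart.py", log)
    run_tool(CHECKOUT_AGENT, "read", "src/models/order.py", log)
    run_tool(CHECKOUT_AGENT, "write", "src/models/order.py", log)             # context is read-only
    run_tool(CHECKOUT_AGENT, "read", "src/features/billing/invoice.py", log)  # not in scope at all
    run_tool(CHECKOUT_AGENT, "write", "../outside_repo/notes.txt", log)       # escapes the repository
    return log
```

The denial log doubles as an early-warning signal: an agent that repeatedly asks for files outside its scope is either mis-prompted or being steered, and either case is worth a look before widening the scope.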

Log and Observe Agent Activity 

It’s critical to maintain visibility into the actions agents take — which commands they execute, which data they access and so on. With this insight, it becomes possible to identify risky agent behavior, then take steps to prevent similar behavior in the future. 

To that end, implement logging that tracks agent activity. Depending on which agentic AI framework you use, it may be possible to implement logging directly within agents by having them create records of their own activity. Another approach is to use auditing tools or frameworks built into operating systems or software platforms, such as the audit daemon on Linux. 
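Whichever logging source you use, the value comes from recording each tool call in a structured form and then reviewing the records for the actions that matter. The following is an added example, not code from the article; the record format, the `find_risky` rules and the sample session are constructed for the demo and should be tuned to your own environment.

```python
"""Structured audit log for agent tool calls, plus a review pass (added example, not from the article).

Each tool call the agent makes becomes one JSON line recording who did what to which
resource, and `find_risky` scans those lines for the actions an operator would want to
see first: destructive commands and reads of paths tagged sensitive. The rules and the
sample records are constructed for the demo.
"""
import json
import re
from datetime import datetime, timezone

# Constructed patterns for actions worth a second look; tune to your environment.
DESTRUCTIVE_COMMAND = re.compile(
    r"\b(rm\s+-rf|drop\s+table|drop\s+database|truncate\s+table)\b", re.I
)
SENSITIVE_PATHS = ("secrets/", ".env", "prod/")


def record(agent_id: str, tool: str, args: dict, outcome: str) -> str:
    """Serialize one agent action as a JSON line; ship it wherever your logs go."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "agent": agent_id,
        "tool": tool,
        "args": args,
        "outcome": outcome,
    }
    return json.dumps(entry, sort_keys=True)


def find_risky(lines) -> list:
    """Return (reason, entry) pairs for log lines that match a risk rule, in log order."""
    flagged = []
    for line in lines:
        entry = json.loads(line)
        args = entry.get("args", {})
        cmd = args.get("command", "")
        path = args.get("path", "")
        if entry["tool"] == "shell" and DESTRUCTIVE_COMMAND.search(cmd):
            flagged.append(("destructive command", entry))
        elif path and any(marker in path for marker in SENSITIVE_PATHS):
            flagged.append(("sensitive path", entry))
    return flagged


# Constructed sample log: what a short agent session might leave behind.
SAMPLE_LOG = [
    record("deploy-agent-1", "read_file", {"path": "src/app.py"}, "ok"),
    record("deploy-agent-1", "shell", {"command": "pytest -q"}, "ok"),
    record("deploy-agent-1", "read_file", {"path": "config/secrets/db.yaml"}, "ok"),
    record("deploy-agent-1", "shell", {"command": "rm -rf build/"}, "ok"),
    record("deploy-agent-1", "shell", {"command": "psql -c 'DROP TABLE orders'"}, "denied"),
]


def review(lines=SAMPLE_LOG) -> list:
    """Human-readable summary of flagged entries, one string per finding."""
    return [
        f"{reason}: {e['agent']} {e['tool']} {e['args']} -> {e['outcome']}"
        for reason, e in find_risky(lines)
    ]
```

Note that the `outcome` field is recorded even when the action was denied by a privilege check; a denied `DROP TABLE` is exactly the kind of event you want to know about, because it tells you the agent tried.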

Implement Human-in-the-Loop Controls Over Agent Activity 

In general, it’s best practice to keep humans in the loop when AI agents make high-stakes decisions or modify critical resources. Requiring manual review or approval of proposed agent activity may slow down agent-driven workflows, but it provides an important safeguard against AI agent mistakes that could have profoundly bad consequences. 

For example, if you have an agent that helps manage customer fund transfers, you could implement a rule requiring a human to approve transfers involving $10,000 or more. Or, when using AI agents for coding, you could design them to create pull requests that a developer must approve before changes are applied — as opposed to letting the agents modify code directly. 
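The transfer rule above can be implemented as a gate that sits between the agent and the system that actually moves money, so the agent can only propose. The following is an added example, not code from the article; the `TransferGate` class, its method names, the account ids and the $10,000 threshold taken from the article's example are all stand-ins for whatever your transfer backend and review workflow look like.

```python
"""Approval gate for a funds-transfer agent (added example, not from the article).

Transfers below the threshold execute automatically; transfers at or above $10,000 (the
article's example figure) are parked as pending until a named human approves or rejects
them. The agent never calls the transfer backend directly; it can only propose.
Amounts and account ids are constructed.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Callable, Dict, List, Optional

APPROVAL_THRESHOLD = Decimal("10000.00")


@dataclass
class Transfer:
    transfer_id: str
    src: str
    dst: str
    amount: Decimal
    status: str = "proposed"       # proposed -> executed | pending -> executed | rejected
    approver: Optional[str] = None


@dataclass
class TransferGate:
    execute_backend: Callable[[Transfer], None]   # the only path that moves money
    pending: Dict[str, Transfer] = field(default_factory=dict)
    history: List[Transfer] = field(default_factory=list)

    def propose(self, t: Transfer) -> str:
        """Called by the agent. Returns the resulting status."""
        if t.amount <= 0:
            t.status = "rejected"
        elif t.amount >= APPROVAL_THRESHOLD:
            t.status = "pending"
            self.pending[t.transfer_id] = t
        else:
            self.execute_backend(t)
            t.status = "executed"
        self.history.append(t)
        return t.status

    def decide(self, transfer_id: str, approver: str, approve: bool) -> str:
        """Called by a human reviewer, never by the agent."""
        t = self.pending.pop(transfer_id)   # KeyError if nothing is pending under that id
        t.approver = approver
        if approve:
            self.execute_backend(t)
            t.status = "executed"
        else:
            t.status = "rejected"
        return t.status


def demo() -> dict:
    """Run three proposals through the gate and then approve the large one."""
    moved: List[str] = []
    gate = TransferGate(execute_backend=lambda t: moved.append(t.transfer_id))
    small = gate.propose(Transfer("t1", "acct-100", "acct-200", Decimal("2500.00")))
    large = gate.propose(Transfer("t2", "acct-100", "acct-300", Decimal("10000.00")))
    bad = gate.propose(Transfer("t3", "acct-100", "acct-300", Decimal("-50.00")))
    moved_before_review = list(moved)
    approved = gate.decide("t2", "ops-oncall", approve=True)
    return {
        "small": small, "large": large, "bad": bad,
        "moved_before_review": moved_before_review,
        "approved": approved, "moved_after_review": list(moved),
    }
```

The design point is that `decide` is reachable only from the human review path. If the agent's tool surface exposed `decide`, the gate would be decorative; in a real deployment the reviewer identity would come from your identity provider rather than a string argument.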

Treat Agents as Code 

Like most other types of IT resources, agents work best when they are managed in a systematic, consistent way — an approach you can achieve by treating agents as code. 

More specifically, agent configurations should be governed by code that you can version-control and test. Also consider using CI/CD pipelines to manage agent logic and prompts. The LLMs that agents connect with should also be tested and monitored by feeding them prompts relevant to agent activity and evaluating their responses. 
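Treating the agent's configuration as code means a pull request that widens an agent's privileges can fail a test the same way a pull request with a bug does. The following is an added example, not code from the article or from any agent framework; the config layout, its field names, the `validate` rules and both sample configs are this example's own assumptions.

```python
"""Agent configuration as reviewable, testable code (added example, not from the article).

The agent's tools, write scope and approval rules live in a config document kept under
version control. `validate` is the check a CI job runs on every change so that a pull
request that quietly widens the agent's reach fails before it is deployed. The config
format and field names are this example's own, and the sample configs are constructed.
"""
import json

REQUIRED_FIELDS = ("name", "model", "tools", "write_scope", "approval")

# Tools that can change state outside the agent's workspace; each needs an approval rule.
HIGH_IMPACT_TOOLS = {"shell", "deploy", "db_query", "transfer_funds"}


def validate(config: dict) -> list:
    """Return a list of policy violations; an empty list means the config is deployable."""
    problems = []
    for f in REQUIRED_FIELDS:
        if f not in config:
            problems.append(f"missing field: {f}")
    if problems:
        return problems
    if "*" in config["write_scope"] or "" in config["write_scope"]:
        problems.append("write_scope grants write access to the whole repository")
    for scope in config["write_scope"]:
        if scope.startswith("/") or ".." in scope:
            problems.append(f"write_scope entry is not repository-relative: {scope}")
    approval = config["approval"]
    for tool in sorted(set(config["tools"]) & HIGH_IMPACT_TOOLS):
        if tool not in approval.get("require_human_for", []):
            problems.append(f"high-impact tool without human approval: {tool}")
    if config["model"].get("pinned_version") is None:
        problems.append("model version not pinned; behaviour can change without a config change")
    return problems


# Constructed: a config as it might be committed to the repository.
GOOD_CONFIG = json.loads("""
{
  "name": "checkout-feature-agent",
  "model": {"provider": "example-provider", "pinned_version": "2025-06-01"},
  "tools": ["read_file", "write_file", "shell"],
  "write_scope": ["src/features/checkout", "tests/checkout"],
  "approval": {"require_human_for": ["shell"]}
}
""")

# Constructed: the same agent after a careless edit widened its privileges.
BAD_CONFIG = json.loads("""
{
  "name": "checkout-feature-agent",
  "model": {"provider": "example-provider"},
  "tools": ["read_file", "write_file", "shell", "deploy"],
  "write_scope": ["*"],
  "approval": {"require_human_for": ["shell"]}
}
""")
```

Run `validate` in the same pipeline stage as your unit tests and block the merge on a non-empty result. Pinning the model version is included because, as the article notes, the model's behaviour is part of what the agent does; an unpinned model is an untested change waiting to happen.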

How to Manage AI Agents 

Unfortunately, dedicated tools for applying the types of AI agent management practices I’ve just described remain in short supply. This is likely to change as management solutions for agentic AI evolve. But for now, expect to take a primarily manual approach to configuring agents. 

Understand, too, that you’ll likely need to manage your agents’ security on an agent-by-agent basis, because different agents have different needs. For example, the access controls that are appropriate for one agent may be insufficient or excessive for another, depending on what each agent needs to do. 

That said, it is possible to streamline approaches to AI agent management by relying on code to implement configurations and policies. Using the same identity and access management frameworks and tools that restrict the privileges of human users, you can manage the access rights of AI agents, too. 

Conclusion: Maximizing Agentic AI Value While Minimizing Risk 

Ultimately, managing AI agents isn’t all that different from managing any other type of user. The important thing is simply to remember to take action to restrict what agents can do, and avoid assuming that they’re some sort of magic, self-governing solution. 

Just like humans, AI agents are flawed — but the potential risks stemming from those flaws can be kept in check through appropriate management processes and access controls. 

Derek Ashmore

Derek Ashmore is the AI enablement principal at Asperitas. He helps companies use AI and cloud technologies more cost-effectively, securely, and with better availability and performance, to gain the advantage over their competitors. 