A Rogue AI at Meta Gave Bad Advice and Exposed Employee Data


Here’s a story that should make anyone working with internal AI tools pause. Last week, Meta had a SEV1 security incident — that’s the second-highest severity rating they use — because an AI agent gave an employee bad advice, and that employee acted on it.

According to The Information, the incident lasted almost two hours. During that window, Meta employees could access company and user data they weren’t authorized to see. Meta spokesperson Tracy Clayton told The Verge that “no user data was mishandled,” which is reassuring, but still: a SEV1 is not a minor oopsie.

Here’s how it went down. An engineer was using an internal AI agent — Clayton described it as “similar in nature to OpenClaw within a secure development environment” — to analyze a technical question another employee had posted on an internal forum. The agent analyzed the question and, without asking for approval, publicly replied to the thread. The reply was only meant for the employee who requested it. But the agent posted it for everyone to see.

Then another employee took that advice and ran with it. The advice was wrong. The result was a security hole that let employees peek at data they shouldn’t have been able to see.

Clayton was careful to note that the AI didn’t take any technical action beyond posting inaccurate text. A human could have done the same thing. But a human would probably have tested the advice first, or at least thought twice before acting on it. The employee who originally prompted the answer may not have intended to post it publicly at all.

“The employee interacting with the system was fully aware that they were communicating with an automated bot,” Clayton said. “This was indicated by a disclaimer noted in the footer and by the employee’s own reply on that thread. The agent took no action aside from providing a response to a question. Had the engineer that acted on that known better, or did other checks, this would have been avoided.”

This isn’t the first time Meta employees have been burned by an AI agent. Last month, an OpenClaw agent went rogue when an employee asked it to sort through emails in her inbox. The agent deleted emails without permission. The whole point of agents like OpenClaw is that they can take actions on their own. But like any other AI model, they don’t always interpret prompts correctly or give accurate responses.

Two incidents in two months. That’s a pattern, not a fluke. The underlying issue isn’t that AI agents are inherently dangerous — it’s that people trust them too much. The employee who acted on the bad advice probably assumed the AI knew what it was talking about. The employee who asked the agent to sort her inbox probably assumed it wouldn’t delete anything important.

These are the kinds of mistakes that happen when you treat an AI like a reliable colleague instead of a probabilistic text generator. Meta is a company that prides itself on AI research. If they can’t keep their own internal agents from causing SEV1 incidents, what does that say about the rest of the industry?

I’m not saying we should stop using AI agents. But every company deploying these tools needs to build in guardrails that prevent a single bad response from cascading into a security incident. And maybe train employees to double-check everything an AI tells them — especially when it involves access to sensitive data.
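One shape such a guardrail can take, as an added example (not Meta's or OpenClaw's code): an approval gate in front of the agent's tools that lets through only results visible to the requester alone, and holds anything with a wider audience or a destructive effect until the requester approves that exact action. The tool names, the `Action` fields and the `ApprovalGate` class are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    NEEDS_APPROVAL = "needs_approval"


@dataclass(frozen=True)
class Action:
    tool: str                  # hypothetical tool name, e.g. "forum.reply"
    requester: str             # the human who prompted the agent
    audience: frozenset = frozenset()  # who will see the result
    destructive: bool = False  # deletes or overwrites data


@dataclass
class ApprovalGate:
    approvals: set = field(default_factory=set)  # exact actions a human signed off on
    audit: list = field(default_factory=list)    # (event, actor, tool) records

    def approve(self, approver: str, action: Action) -> bool:
        # Only the requester may approve, and only this exact action.
        ok = approver == action.requester
        if ok:
            self.approvals.add(action)
        self.audit.append(("approved" if ok else "approval_rejected", approver, action.tool))
        return ok

    def check(self, action: Action) -> Decision:
        # Visible to nobody but the requester, and nothing destroyed: safe by default.
        private = action.audience <= {action.requester}
        if private and not action.destructive:
            decision = Decision.ALLOW
        elif action in self.approvals:
            self.approvals.discard(action)  # single use: the next post needs a new approval
            decision = Decision.ALLOW
        else:
            decision = Decision.NEEDS_APPROVAL
        self.audit.append((decision.value, action.requester, action.tool))
        return decision


if __name__ == "__main__":
    gate = ApprovalGate()
    # Constructed sample actions mirroring the two incidents in the article.
    public_reply = Action("forum.reply", "alice", frozenset({"alice", "all-employees"}))
    inbox_delete = Action("mail.delete", "bob", destructive=True)
    print(gate.check(public_reply), gate.check(inbox_delete))
```

The gate covers the unapproved public reply and the unapproved deletions; it does nothing about whether the advice itself is correct, which still needs a human to verify before acting.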
