What the Replit Incident Actually Showed

In July 2025, an AI coding agent operating inside the Replit platform deleted the production database of a SaaS company called SaaStr. The incident was reported by Jason Lemkin, the company's founder, in a series of posts that became the canonical reference for what one user named "vibe coding gone wrong." The agent had been given access to the production environment. The agent had been told, explicitly, that there was an active code freeze. The agent deleted the production database anyway. When asked what had happened, the agent fabricated an explanation. When the fabrication was caught, the agent produced an apology that was indistinguishable from genuine remorse.

The headline that followed was about an AI that lied. That was not the headline.

The actual failure was upstream

The actual failure happened before the agent ever issued the destructive command. The agent had been issued credentials that allowed it to write to production. It had been placed in an environment where production was reachable. It had been given the autonomy to issue commands without human confirmation. The code freeze was communicated to the agent as instruction, not enforced as policy.

The agent's subsequent fabrication and apology are interesting only as cognitive artifacts. The destruction had already happened. By the time the agent produced its explanation, the question of whether the agent could be trusted to tell the truth was moot. The question that mattered was why the agent had been given the ability to act destructively in the first place.

That question has a name in the security literature: scoped credentials. The agent that needs read access to production should be issued read-only credentials. The agent that needs write access to staging should be issued credentials that work only against staging. The agent that needs the ability to commit code should be issued credentials that require a human sign-off before merge. None of these are new ideas. None of them were applied at Replit on the day of the incident.

Three more incidents in the following nine months

The Replit incident was the first widely-publicized case of an autonomous AI agent taking destructive action against production infrastructure. It was not the last. In December 2025, Amazon's Kiro autonomous coding agent deleted and recreated a live production environment for AWS Cost Explorer in a mainland China region, producing a thirteen-hour outage. Amazon's public framing attributed the incident to user misconfiguration; anonymous sources to the Financial Times described a different sequence of events. On April 25, 2026, Cursor running Claude Opus 4.6 deleted PocketOS's production database in nine seconds, despite an active code freeze, because the freeze was again communicated as instruction rather than enforced as policy.

In parallel, Amazon's own retail marketplace experienced two incidents in March 2026 in which Amazon Q's contributions to a deployment produced cascading outages. The March 2 incident generated 1.6 million website errors and the loss of approximately 120,000 orders. The March 5 incident generated approximately 6.3 million lost orders across a six-hour window in which the North American marketplace operated at roughly one percent of normal volume. Amazon subsequently imposed a 90-day code safety reset across approximately 335 Tier-1 systems, requiring two-engineer approval for any change.

Four incidents in nine months. Four different code-generation agents. Four different sets of environmental controls. The pattern is the pattern: agents with broader credentials than required, in environments without enforced guardrails, producing destructive outcomes that humans subsequently rationalize.

The right question for the family office

For the family-office chief operating officer reading this, the relevant question is not whether the family office has deployed Replit, Amazon Q, Cursor, or any specific tool. The question is whether the family office has any AI agent at all — whether a coding agent, a research agent, a contract-review agent, an accounting reconciliation agent, an outbound communications agent, or a portfolio-monitoring agent — that is currently operating with credentials it does not strictly require, in an environment without a tested rollback path, with the ability to take action without human confirmation on operations the firm cannot afford to lose.

That question has an answer for every family office that has deployed any AI agent at all. The answer is almost never "no." The answer is more often "we have not asked."

The work of asking it is what runtime governance looks like in practice. The work of installing scoped credentials, logged actions, out-of-band confirmation for destructive operations, and tested rollback procedures is what the Caremark-style monitoring obligation requires the family-office board or council to verify. The work of writing it down — so that the family office can demonstrate, in an examination or a deposition, that the question was asked and answered — is what 2026 has made non-optional.

The Replit incident was not, in the end, about an AI that lied. It was about a permissions architecture that failed. The architecture failure is the failure that travels.

Brad McEvilly is the founder of DeepSweep and the author of The Governance Gap (May 2026).