I want to walk through the public AI-agent incidents from the last sixteen months in chronological order. The headline framing on each of them, when they hit the press, was the AI did X. Read with a few months of distance, the structural cause in each case turns out to be something much more pedestrian: a permission scope nobody narrowed, a retry loop nobody bounded, a credential nobody rotated, a context window nobody made visible to the operator, a prompt-injection vector nobody walled off. The model is the part most often quoted in headlines and most rarely the actual bug.

This piece is a synthesis. It pairs with two earlier articles I've published in this series — the Cursor/Railway PocketOS database-deletion postmortem and the Cursor context-compression mechanism explainer — and assumes you've read them or are willing to. The argument across all of them is the same: agents fail in ways that have well-understood names from twenty years of distributed-systems engineering, and we keep insisting on explaining them as if the failures were novel and the model were the protagonist.

Let me work through the incidents in order.

December 17, 2023 — Chevrolet of Watsonville agrees to sell a Tahoe for $1