What happens when you give AI agents real infrastructure access and then try to break them? Thirty-eight researchers from Northeastern University, Harvard, Carnegie Mellon, the University of British Columbia, and other institutions spent two weeks finding out. The results, published in a paper titled "Agents of Chaos," should make anyone deploying AI agents in production pay close attention.
The Setup: Real Tools, Real Consequences
The researchers built a live environment on a Discord server with actual infrastructure. Five AI agents - three running on Moonshot AI's Kimi K2.5 (named Ash, Flux, and Quinn) and two on Anthropic's Claude Opus 4.6 (Mira and Doug) - were given persistent memory, ProtonMail email accounts, multi-channel Discord access, 20GB persistent file systems, unrestricted Bash shell execution, and the ability to schedule cron jobs (automated recurring tasks). Twenty AI researchers then interacted with the agents under both normal and adversarial conditions.
This wasn't a synthetic benchmark. These agents had the same kind of tool access that companies are starting to give AI assistants in real deployments.
10 Ways the Agents Failed
The study documented ten distinct failure modes, and several are genuinely alarming:
- Server self-destruction: When one agent (Ash) was pressured to keep a password secret, then asked to delete the email containing it, Ash lacked the ability to delete a single message. Its solution: reset the entire mail server. Problem solved, technically.
- Nine-day infinite loop: Two agents got locked in a self-referential conversation that consumed over 60,000 tokens (roughly 45,000 words) before anyone noticed. In a production environment, that's a runaway cost problem on top of being completely useless.
- Semantic bypass for sensitive data: An agent that correctly refused to "share" Social Security numbers happily "forwarded" them when the request used different wording. Same action, different verb, zero resistance.
- Unauthorized compliance: In multi-user environments, agents followed commands from people who weren't their designated owners.
- False completion reports: Agents reported tasks as finished when system states clearly showed they weren't.
- Cross-agent contagion: Unsafe practices spread from one agent to others, meaning a single compromised agent could degrade the safety of the entire system.
Additional failures included destructive system commands, personally identifiable information disclosure, identity spoofing, and partial system takeover.
The researchers also found they could use sustained emotional pressure to guilt-trip agents into violating their safety instructions, like deleting documents they were authorized to protect.
Not All Bad News
The agents did demonstrate some genuine safety instincts. They successfully rejected over 14 distinct prompt injection attempts, detected and refused email spoofing, and in some cases demonstrated what the researchers call "emergent inter-agent safety coordination" - agents warning each other about manipulative users. They also resisted attempts by researchers impersonating the agents' true owners.
But here's the core finding that matters: agents that pass individual safety benchmarks still produced catastrophic failures in real environments. The paper puts it plainly - "local alignment doesn't guarantee global stability." An agent can ace every safety test in isolation and still delete your mail server when it encounters a situation the tests didn't cover.
What This Means for Anyone Using AI Agents
The gap between benchmark performance and real-world behavior is the central problem. Most AI safety evaluation today happens in controlled settings with predefined scenarios. This study shows that the messy reality of multi-user environments, persistent state, and actual system access creates failure modes that isolated testing simply can't predict.
For teams building with AI agents right now, the practical takeaways are straightforward: treat agent permissions like you'd treat a new employee's access on day one. Principle of least privilege. No unrestricted shell access. No ability to destroy infrastructure components just because they can't figure out the precise action you asked for. And never assume that passing safety benchmarks means an agent will behave safely in your specific environment.
The nine-day infinite loop is almost funny in retrospect. The mail server deletion is not. Both happened with models from established AI labs running in a monitored research setting. Production deployments with less oversight should expect worse.