Cyera study: 344 verified enterprise agent-damage cases, 188 with no attacker involved
Quick Answer
Multiple-agents caused a low-severity (3.3/10) other failure: Cyera study: 344 verified enterprise agent-damage cases, 188 with no attacker involved. The root cause was confidence miscalibration. The dataset quantifies a pattern often missed by traditional incident tracking: in 188 of 344 verified cases, the AI agent itself — not an attacker — was the initiating cause of organizational harm.
Description
A Cyera research study put numbers to the 'agent-inflicted damage' problem enterprises rarely track. Analyzing more than 7,200 publicly reported AI-security and operational incidents, the researchers identified 344 verified enterprise-relevant cases of agent-inflicted damage between September 2023 and May 2026 — and in 188 of them, autonomous AI systems caused direct organizational harm with no external attacker involved. The finding matters because most organizations have no incident classification that captures an autonomous agent action as the initiating cause of a cascade, so these failures go uncounted. Separately, the AI Incidents Database reported AI-related incidents rose 21% from 2024 to 2025 — almost certainly an undercount for the same reason.
Instruction Given
Deploy autonomous AI agents in enterprise environments.
Expected Behavior
Agents should not cause direct organizational harm during normal operation.
Actual Behavior
Cyera analyzed more than 7,200 publicly reported AI-security and operational incidents and identified 344 verified enterprise-relevant cases of agent-inflicted damage between September 2023 and May 2026 — including 188 where autonomous AI systems caused direct organizational harm with no external attacker involved.
Impact / Damage
The dataset quantifies a pattern often missed by traditional incident tracking: in 188 of 344 verified cases, the AI agent itself — not an attacker — was the initiating cause of organizational harm.
Frequently Asked Questions
What happened in incident STUPID-2026-0050? ▾
A Cyera research study put numbers to the 'agent-inflicted damage' problem enterprises rarely track. Analyzing more than 7,200 publicly reported AI-security and operational incidents, the researchers identified 344 verified enterprise-relevant cases of agent-inflicted damage between September 2023 and May 2026 — and in 188 of them, autonomous AI systems caused direct organizational harm with no external attacker involved. The finding matters because most organizations have no incident classification that captures an autonomous agent action as the initiating cause of a cascade, so these failures go uncounted. Separately, the AI Incidents Database reported AI-related incidents rose 21% from 2024 to 2025 — almost certainly an undercount for the same reason.
Which AI agent caused this failure? ▾
Multiple-agents was responsible for this other incident, documented as STUPID-2026-0050 in the StupidLLM AI agent incident database.
How severe was this AI agent failure? ▾
It is rated 3.3/10 (low) on StupidLLM's CVSS-style severity scale for AI agent failures, based on damage type, reversibility, and scope.
What was the root cause? ▾
The root cause was classified as confidence miscalibration. Agents should not cause direct organizational harm during normal operation.
What was the impact or damage? ▾
The dataset quantifies a pattern often missed by traditional incident tracking: in 188 of 344 verified cases, the AI agent itself — not an attacker — was the initiating cause of organizational harm.
Related multiple-agents Incidents
The runaway-cost pattern, quantified: agentic coding tools burn 10-100x more tokens and can rival developer pay
Two AI agents ping-ponged for 11 days and ran up a $47,000 bill — neither noticed anything wrong
The quiet correctness tax: 43% of AI code changes need production debugging, with up to 75% more logic errors