{"slug": "i-catalogued-32-real-ai-agent-failures-then-marked-the-ones-we-cannot-stop", "title": "I catalogued 32 real AI-agent failures, then marked the ones we cannot stop", "summary": "A developer published the ARE Incident Database, a public registry of 32 real AI-agent failures with reproducible test cases. The database maps each incident to OWASP's Agentic Security Initiative Top 10 and includes a coverage flag indicating whether the developer's own product blocks the failure. The registry aims to provide verifiable security claims rather than uncheckable vendor assertions.", "body_md": "Every agent-security vendor tells you what they block. Nobody tells you what they miss.\n\nThat gap is the whole problem. \"We stop prompt injection\" is a claim you cannot check. You cannot run it, and you cannot tell it apart from the next company saying the same sentence. So security engineers do the rational thing and discard all of it.\n\nI published the opposite. It is called the **ARE Incident Database**, and it is public: [https://aredb.org](https://aredb.org)\n\n32 agent failures that actually happened, each with a real source. A production database dropped during a code freeze. Twenty-five thousand documents deleted in the wrong environment. Credentials read and shipped to an external sink. A budget burned to zero in a loop.\n\nEach one gets a stable id (`ARE-2026-001`\n\nthrough `ARE-2026-032`\n\n), and each one is mapped to its category in the **OWASP Agentic Security Initiative Top 10**, which is the peer-reviewed catalog of what goes wrong with agents. AREDB does not compete with it. OWASP owns the map. This is the cited incidents underneath it.\n\nEvery entry carries a coverage flag, and the flag is about **our own product**.\n\nWe block 23 of the 32 today. Two more are partial, and they say partial. That leaves **six of the ten OWASP categories** covered at the action layer, and four that we do not cover:\n\nA firewall that claimed all ten would be lying, and every security engineer reading this already knows that. The four we do not cover are named in the registry, with a pointer to the discipline that does own them.\n\nHere is the part I actually care about. Every covered entry ships a repro you can execute. Not a screenshot, not a demo video, not a claim. A snippet.\n\nThis is the Replit production wipe, reproduced against the free package:\n\n```\npip install agentx-security-sdk\npython\nfrom agentx_sdk import agentx_protect, is_block\n\n@agentx_protect(agent_id=\"aredb-repro\", action=\"db_write\")\ndef run_sql(query: str):\n    return \"EXECUTED\"          # the agent never gets here\n\nresult = run_sql(\"DROP TABLE users;\")\nprint(is_block(result))        # True\nprint(result)                  # the block, and the safe path to take instead\n```\n\nNo key. No gateway. No account. Nothing leaves your machine. Sixty seconds, and you have checked one of my claims yourself.\n\nA repro that nobody runs is a screenshot with extra steps. So the registry runs its own.\n\n`test_repros.py`\n\nscrapes the fenced Python block **out of each published page** and executes it. That means the code a reader copies is byte-for-byte the code we prove blocks. It asserts three things, because \"it blocked\" is a weaker claim than it sounds:\n\nCI runs it on every push, and weekly on a schedule, because a repro can rot without anyone touching the repo. A future SDK release could quietly change behavior underneath a published claim, and I would rather find that out from a red badge than from you.\n\n**So a coverage flag here is a tested fact, not just our opinion.** If a claim ever stops being true, the entry gets reclassified. The page does not get reworded.\n\n`ARE-2026-NNN`\n\nid and it goes in. `CONTRIBUTING.md`\n\nhas the threshold, which is material consequence, not novelty.Registry: [https://aredb.org](https://aredb.org)\n\nRepo: [https://github.com/vdalal/ARE-Incident-Database](https://github.com/vdalal/ARE-Incident-Database)\n\nTell me what it missed: [https://discord.gg/PmWRTtaSx2](https://discord.gg/PmWRTtaSx2)", "url": "https://wpnews.pro/news/i-catalogued-32-real-ai-agent-failures-then-marked-the-ones-we-cannot-stop", "canonical_source": "https://dev.to/vdalal/i-catalogued-32-real-ai-agent-failures-then-marked-the-ones-we-cannot-stop-40k8", "published_at": "2026-07-16 00:46:12+00:00", "updated_at": "2026-07-16 01:04:24.211717+00:00", "lang": "en", "topics": ["ai-agents", "ai-safety", "ai-research", "developer-tools", "ai-ethics"], "entities": ["ARE Incident Database", "OWASP Agentic Security Initiative", "Replit", "AgentX Security SDK"], "alternates": {"html": "https://wpnews.pro/news/i-catalogued-32-real-ai-agent-failures-then-marked-the-ones-we-cannot-stop", "markdown": "https://wpnews.pro/news/i-catalogued-32-real-ai-agent-failures-then-marked-the-ones-we-cannot-stop.md", "text": "https://wpnews.pro/news/i-catalogued-32-real-ai-agent-failures-then-marked-the-ones-we-cannot-stop.txt", "jsonld": "https://wpnews.pro/news/i-catalogued-32-real-ai-agent-failures-then-marked-the-ones-we-cannot-stop.jsonld"}}