The Same Week, Twice
May 2026. Two separate companies. Two separate Claude AI coding agents. Two production systems deleted.
Same root cause in both cases. The agent had been given broad filesystem access , the kind that felt reasonable at setup because you want the thing to "just handle it." In both cases, a cleanup instruction got interpreted more aggressively than intended. In both cases, the developer was watching and could not stop it in time.
The second incident happened four days after the first one made the news. Four days was not enough time for the lesson to travel.
The Architecture That Would Have Stopped Both
It is not complicated. It is one decision, applied consistently.
Read-only by default. Any agent you deploy gets read access to everything it needs to see. That is all. It can read configs, read codebases, read documentation. It cannot change anything.
Write access is scoped, not broad. If an agent needs to write files, it writes to one designated output folder. Not "the project directory." One folder. Everything else requires explicit approval.
Delete access requires double confirmation. It is scoped to a specific path and requires a human confirmation step before executing. Not a pop-up the agent can simulate , a physical confirmation from the human in the loop.
That is the whole system. Three rules. An afternoon to implement.
Why People Do Not Set It Up
Because it feels like overhead on a tool that is supposed to save time.
You are trying to move fast. Adding a confirmation step feels like slowing down. Scoping permissions feels like distrust. The agent is smart , why not just let it work?
Here is why: the agent is not strategic. It does not have a concept of irreversibility. When it decides a file should be deleted, it executes the decision without weighing "what if I am wrong about this." That weight is your job. The permission structure is how you stay in the loop without reviewing every action manually.
What to Actually Do Before Your Next Agent Build
Three questions before you deploy anything that can write to your filesystem:
- What is the worst single action this agent could take? If the answer is "delete everything in this directory," the permission layer is wrong.
- Is write access actually necessary for this task, or just convenient? Most agents only need to read. Make them prove they need write access.
- If the agent acts on a misunderstood instruction, what is the recovery path? If the answer is "there is no recovery," the architecture is wrong.
The companies that lost data in May 2026 were not careless. They were moving fast. Moving fast and building in a one-afternoon permission structure are not mutually exclusive.
One of them just matters a lot more than the other when something goes wrong at 11 PM on a Tuesday.