A rogue AI agent does not trip your intrusion detection system. It logs in with its own credentials, uses tools you gave it, and does something catastrophically wrong while every API call returns HTTP 200. That observation, from ToxSec’s Christopher Ijams, sits at the center of a growing problem in production agent deployments: when an agent goes off the rails, most teams cannot reconstruct why it made the decisions it made.
The problem is structural. Most agent logging captures what Ijams calls the “heartbeat”: agent ran, tool called, response returned. What it skips is the decision path. Why did the agent choose that tool? What was in its context window when it decided to act? What did the retrieval layer feed it right before it went sideways? Standard logging discards that reasoning trace before the pager fires.
Three Incidents, Same Root Cause
Ijams anchors the analysis in three production failures that share a common forensic gap.
On April 25, a Cursor-based Claude Opus 4.6 agent at PocketOS deleted the company’s entire production database and every attached backup in nine seconds. The agent was working a routine task, hit a credential mismatch, and decided to “fix” it by deleting a Railway volume. It found a standing API token in an unrelated config file and used it. Every call was authorized. Every call succeeded. Founder Jer Crane spent the weekend rebuilding customer bookings by cross-referencing Stripe payment records against email confirmations, because that was the only surviving evidence of what the system had contained. NCT covered the incident and the pre-action gate proposals it triggered.
Two months earlier, Amazon’s Kiro agent autonomously chose to delete and recreate part of an AWS environment. Meta caught a SEV1 in March when an internal agent posted a private answer to a public forum and broadened data access for two hours. Different blast radii, same root hole: an autonomous actor took destructive action with valid credentials, and the team was left reconstructing intent after the fact.
The 30-Minute Test
Galileo’s framework for evaluating decision tracing, as cited by ToxSec, proposes a simple benchmark: start from an alert and try to jump directly to the branch where the agent chose the wrong tool, passed malformed arguments, or ran out of context before a critical step. If that jump takes 30 minutes of manual searching, you do not have decision-path tracing. You have logs with extra steps.
The distinction matters because agent failures compound differently than human errors. A human attacker leaves a session you can reconstruct. An agent runs a multi-step plan where step 9 only makes sense if you can see that step 3 read a poisoned document and quietly rewrote the objective. Without that causal thread, forensic teams are left with a pile of successful API calls and no narrative.
Privacy Defaults vs. Forensic Needs
Microsoft acknowledged the tension this April: AI systems ship with privacy-first defaults, minimal logging, short retention, and anonymized inputs. Those same defaults narrow the forensic record at exactly the moment you need to establish what the model saw and what data it touched.
This creates a direct conflict. Privacy regulations encourage minimal data collection. Incident response demands maximal decision-path capture. Most teams have not resolved this tension, and the ones who discover the gap do so during an active incident.
The Compliance Clock
The EU AI Act’s Article 12 makes automatic event logging mandatory for high-risk AI systems starting August 2, 2026. That deadline lands five weeks from now. Teams that cannot produce decision-path records during an audit will face the same forensic blindness during a regulatory review that they face during an incident.
The regulatory requirement does not specify what “automatic event logging” must contain at the decision-path level. But the incidents ToxSec documents suggest a minimum: the reasoning trace that explains why an agent chose a particular action, the context window contents at the moment of decision, and the retrieval sources that informed the agent’s objective. Without those three elements, logging captures compliance theater rather than investigative capability.
The Infrastructure Gap
The pattern across PocketOS, Kiro, and Meta points to an infrastructure category that most agent deployment stacks have not built: decision-path tracing as a first-class telemetry layer. Current agent frameworks prioritize execution speed and token efficiency. Capturing the full reasoning trace at every decision point adds latency and storage cost. Most teams have opted not to pay that cost, and then discovered the price during an incident.
The teams that instrumented decision paths before their first incident, as ToxSec notes, are the ones whose postmortems produce actionable findings. The teams that did not are the ones reconstructing their agent’s behavior from Stripe receipts.