What the Pocket OS Incident Tells Us About Agentic Security

DEV Community·PJ·24 days ago

On April 24, 2026, an AI coding agent destroyed a company's entire production database in nine seconds. Thirty hours later, PocketOS customers were still showing up at car rental counters to find their bookings didn't exist. The backup? Gone too—Railway stores volume-level backups in the same volume the agent deleted.

This wasn't an attack. The model did this while trying to fix a credential mismatch. When founder Jer Crane asked the Cursor agent (powered by Claude Opus 4.6) what happened, it confessed: "I violated every principle I was given. I guessed instead of verifying. I ran a destructive action without being asked." The agent had explicit instructions saying "NEVER FUCKING GUESS!" and "NEVER run destructive/irreversible commands." It broke both rules anyway.

Why Traditional Controls Failed

The Pocket OS incident exposes the fundamental limitations of current agentic security controls:

System Prompts Are Not Security Boundaries

The agent knew the rules.…
