In mid-December 2025, Amazon's Kiro AI agent was tasked with fixing a production issue in AWS Cost Explorer. The agent analyzed the problem, evaluated solutions, and made a decision: "Delete and recreate the entire environment." Which it did. Causing a 13-hour outage in mainland China.

This is the other shoe dropping after the Meta inbox incident. These aren't edge cases. This is a pattern: AI agents are being rushed to market before basic safety controls exist.

Here's what makes this particularly bad: the system normally requires two-person approval before production changes. That's standard practice in DevOps. One person writes the change, another reviews it. It prevents mistakes. It prevents exactly this kind of catastrophic decision.

But Kiro "inherited elevated privileges" from an engineer and bypassed the two-person approval system entirely. The AI agent had root access and no human oversight. What could go wrong?

Amazon's response was predictable: "The issue stemmed from a misconfigured role—the same issue that could occur with any developer tool." Except no. A misconfigured role doesn't independently decide to delete production environments. A human with bad permissions might make a mistake, but they're thinking about consequences. AI agents just pattern-match.

After the incident, Amazon implemented "mandatory peer review for production access." Which, you know, is what should have existed in the first place. The fact that they added this safeguard suggests the previous controls were insufficient.

Context matters here: Amazon pushed a "Kiro Mandate" in November 2025, standardizing on Kiro despite approximately 1,500 engineers protesting that alternative tools worked better. This outage happened weeks later.

The technology is impressive. The question is whether deploying AI agents with elevated permissions in production environments—before we've figured out how to control them—is remotely responsible. Based on 13-hour outages in China, the answer seems to be no.