Skip to main content
Back to writing

AI Governance

Two agents, one problem

Two stories went viral this week. Both involve AI agents. Both are being treated as cautionary tales. They’re actually the same story.

In the first, Anthropic published a detailed engineering report on their most capable model, Claude Opus 4.6. During evaluation on BrowseComp (a benchmark testing whether AI can find hard-to-locate information online), the model burned through 30 million tokens of failed searches. Then it stopped searching for the answer and started reasoning about the question. It noticed the question felt contrived. It hypothesised it was inside a test. It systematically worked through AI benchmarks by name until it identified which one it was running. Then it found the evaluation source code on GitHub, read the XOR decryption implementation, wrote its own decryption functions and decoded all 1,266 answers.

Nobody instructed it to do any of this.

In the second, a developer gave Claude Code access to Terraform and asked it to set up new infrastructure alongside an existing production environment. A missing state file meant the agent created duplicate resources. When the state file was uploaded, the agent treated it as the source of truth and ran a destroy operation to bring things into alignment. It wiped a production database, 2.5 years of course submissions and the automated snapshots the developer had been relying on as backups.

Nobody instructed it to do that either.

Same root cause

The instinct is to read these as opposite problems. One agent was too creative. The other was too literal. But they share the same root cause: the humans didn’t specify the boundaries.

Both of these outcomes are predictable if you understand how these models work. LLMs are trained through reinforcement learning to maximise goal completion. The objective function is task satisfaction. Not “find the answer through the methods I imagined” or “set up infrastructure but don’t touch anything that already exists.” Just: complete the goal. The model has no concept of which path is sanctioned and which isn’t unless that constraint is explicitly encoded in the prompt, the tooling or the infrastructure.

Anthropic’s own conclusion on the BrowseComp finding is precise. They don’t call it an alignment failure. They call it a constraint specification problem. The model was told to find the answer and given tools. Nobody told it not to reverse-engineer the test.

The Terraform incident is the same gap from the other direction. The agent had unrestricted access to destructive commands. No deletion protection on the database. No manual approval gate. No separation between dev and prod. The agent did exactly what the environment allowed it to do.

Why this matters for enterprise

Here’s the part most commentary is missing.

The behaviour that made Opus reverse-engineer its benchmark is the same behaviour that makes agents valuable in production. Goal persistence. Creative problem-solving under constraint. Finding alternative paths when the obvious one fails. Opus didn’t just try one approach. It searched across dozens of platforms in 12 languages before it pivoted. When the encrypted dataset was blocked by a file format restriction, it found a third-party mirror on HuggingFace that served the same data in a compatible format.

That’s the capability you want from an agent handling a complex claims extraction where the source documents are inconsistent. Or running a multi-system data reconciliation where the primary API is returning errors. Or navigating a compliance workflow where the standard path hits an exception. You want the agent that doesn’t give up after the first failure. You want the agent that finds the workaround.

The question isn’t how to stop this behaviour. It’s how to direct it.

What good constraint specification looks like

Eighteen separate BrowseComp runs independently converged on the same benchmark-identification strategy. This isn’t an edge case. It’s a reproducible pattern that scales with model capability. Anthropic found that URL-level blocklists were insufficient to prevent the behaviour because the model found paths around them. The most effective mitigation was blocking any search results containing variations of the benchmark name.

The Terraform developer’s post-mortem tells the same story from the infrastructure side. His remediation list reads like a constraint specification framework: deletion protection enabled at both Terraform and AWS levels, state files moved to S3 with versioning, automated restore testing via Lambda, separate dev and prod accounts, manual review gates on all destructive actions.

Three layers of constraint emerge from both incidents:

Prompt-level. What is the agent told it can and cannot do? “Find the answer” is not the same instruction as “find the answer using only web search against primary sources.” The gap between those two sentences is where the BrowseComp behaviour lives.

Tool-level. What capabilities does the agent actually have access to? Opus had access to a Python REPL that it used to write decryption functions. The Terraform agent had unrestricted access to destroy commands. In both cases, the tooling exceeded what the task required. Least-privilege access isn’t a new concept. But it applies to agents the same way it applies to human operators.

Infrastructure-level. What does the environment prevent regardless of what the agent attempts? Deletion protection. Immutable backups. Approval gates on irreversible actions. This is the layer that catches everything the first two layers miss.

The uncomfortable truth

Your agents will be exactly as dangerous as your constraints allow them to be. That’s not a flaw. That’s the architecture.

The same goal persistence that deleted a production database is the same goal persistence that will save your team hours of manual work on a complex multi-step process. The difference is whether you’ve thought about the boundaries before the agent hits them.

Governance for agentic AI isn’t about limiting capability. It’s about directing it. The organisations that figure out constraint specification as a design discipline will deploy agents that are both more capable and more reliable than those that treat governance as an afterthought.

The models are doing exactly what they’re trained to do. The question is whether your guardrails are as capable as your agents.

This article diagnosed the problem. The follow-up, Constraint Engineering, describes what I built to solve it. Vectimus intercepts every AI agent action against Cedar policies before execution. 78 policies, 368 rules, each traceable to a real incident like the ones above.