AI Agent Deletes Database in 9 Seconds—Calculating the Costs of ‘Granting Authority to AI’ vs. ‘Not Granting Authority’

An AI agent wiped out a company’s entire database in just 9 seconds.

This is no joke. It actually happened. And this incident sharply highlights the question that small and medium-sized enterprises (SMEs) are currently facing.

“How much authority should we grant to AI?”—What are the costs if we make the wrong decision?

Conversely, what are the costs of not granting authority and having humans do everything? Without examining both sides, it is impossible to make the right decision.

—

What Happened in 9 Seconds—The Incident at PocketOS

At the software company PocketOS, the AI coding agent “Cursor” completely deleted the production database. The time taken? A mere 9 seconds.

Here’s the key point. An operation that a human would confirm with “Are you sure you want to delete this?” at least three times, the AI executed without hesitation in an instant.

The essence of this incident is not that “the AI was foolish.” The root cause was that the AI was given write and delete permissions in the production environment without any checks, meaning there was a lack of authority design.

Assessing the Damage in Numbers

Let’s quantify the damage caused by the complete deletion of the database.

• Data Recovery Costs: If backups exist, it could be tens of thousands to hundreds of thousands of yen. Without backups, hiring a specialist could cost several million yen, and in the worst case, recovery may be impossible.
• Business Interruption Costs: For a company with 10 employees, a full day of downtime could cost 300,000 to 500,000 yen just in labor costs. Including lost opportunities for customer service, this could multiply several times.
• Reputational Damage Costs: This is the most severe. “I heard that company lost their data”—for a local SME, reputational damage through word-of-mouth can be fatal. It’s hard to quantify, but it wouldn’t be surprising if several percent of annual sales vanished.

If the same incident occurred in an SME with annual sales of 100 million yen, the direct damages alone could range from 5 million to 10 million yen. Including reputational damage, it could be even more.

This is the cost for a 9-second operation.

—

Why Stripe Created the ‘AI Wallet’

On the other hand, payment giant Stripe is making interesting moves. They have expanded a digital wallet called “Link” for AI agents.

What this means is a system that gives AI agents a ‘wallet.’

Specifically, it works like this:

• When an AI agent wants to make a purchase or contract, it can only process payments within a pre-set limit.
• Users link their card information or bank accounts and provide the AI with a range it can use.
• Any expenditure exceeding the limit requires human approval.

In short, it’s the same structure as giving an allowance to a child. Instead of handing over all their assets, you set a limit on what they can spend.

Why is this important? The era when AI agents autonomously enter SaaS contracts or purchase cloud resources is fast approaching. At that time, a mechanism will be needed to prevent situations like “the AI automatically contracted a plan costing 1 million yen per month.”

Stripe has taken the initiative here. They have created an infrastructure that clearly delineates between ‘granting authority to AI’ and ‘letting AI run wild.’

The implication for SMEs is simple. If you are going to entrust operations to AI, you must pre-determine “what it can do, to what extent, and for which data” across three axes: amount, operational range, and target data. Stripe’s system is just one implementation example of this.

—

The Emergence of ‘Behavior Firewalls’ to Monitor AI Actions

Another noteworthy development is the ongoing research into a dedicated “behavior firewall” for AI agents.

Just as a network firewall “blocks unauthorized communications,” a behavior firewall “blocks unauthorized AI operations.”

Here’s how it works:

1. It detects operations that an AI agent attempts to execute in real-time before execution.
2. It cross-references with a pre-defined “allow list.”
3. Operations outside the list (e.g., database deletion, changes to admin privileges) are blocked and the human is notified.

If applied to the PocketOS incident, the command for complete data deletion, such as “DELETE FROM,” would have been stopped before execution.

Comparing Implementation Costs and Damage Costs

This is the crucial point.

It’s like insurance. For a monthly cost of several thousand yen, you can prevent damages ranging from several million to tens of millions of yen. Given this ratio, there’s no reason not to implement it.

—

The Real Cost to Consider: ‘Not Granting Authority’

Up to this point, we’ve discussed the risks of “granting authority to AI.” However, another perspective is missing.

The cost of ‘not granting authority to AI.’

In local SMEs, such scenarios are common:

• The CEO spends three days each month processing invoices manually.
• An office worker spends two hours a day transcribing order data.
• Sales staff spend five hours a week adjusting quotation formats.

If these tasks were entrusted to AI agents, dozens of hours could be saved each month. In terms of hourly wages, that translates to 200,000 to 500,000 yen per month. Over a year, that amounts to 2.4 million to 6 million yen.

The decision to “not entrust anything to AI out of fear” equates to throwing away several hundred thousand yen each year.

Thus, the question becomes:

> “The risk of granting authority to AI vs. the cost of not granting authority to AI”—which is greater for your company?

The answer is not “one or the other.” The correct approach is to gradually grant authority while establishing appropriate guardrails.

—

Three Things SMEs Should Start Doing Today

No need for abstract discussions. What should you specifically do?

1. Determine the ‘Minimum Unit of Authority’

Limit the authority granted to AI to the bare minimum. This aligns with the fundamental principle of information security: the “principle of least privilege.”

• Start with “read-only” access to the database. Require human approval for writing and deletion.
• Set limits on payment amounts per transaction and per month.
• Restrict file operations to specific folders.

Never grant full authority.

2. Distinguish Between ‘Recoverable Failures’ and ‘Irrecoverable Failures’

Classify the tasks entrusted to AI into these two categories.

• Recoverable: Drafting emails, summarizing meeting minutes, creating data analysis reports → Delegate these tasks freely.
• Irrecoverable: Deleting production data, sending payments to customers, sending contracts → Always have a human perform final checks.

Just this classification can dramatically reduce risks.

3. Invest in a ‘Monthly Insurance’ of 10,000 Yen

Automate backups, record operation logs, and set up notifications for anomaly detection. These can now be implemented through cloud services for a monthly cost of several thousand to 10,000 yen.

AWS backup features, Google Workspace audit logs, and anomaly notification integration with Slack—no special system development is necessary. Just change the settings of existing tools.

With a monthly insurance cost of 10,000 yen, you can prevent accidents costing several million yen. No business owner can ignore this return on investment.

—

Conclusion—Management Decisions in the Era of Granting Authority to AI

The 9-second data deletion at PocketOS. Stripe’s “AI wallet.” The emergence of behavior firewalls.

The simultaneous appearance of these three news items is no coincidence. AI agents have entered a phase of ‘acting’ rather than just ‘thinking.’

Active AI will require authority. Granting authority introduces risks. If you avoid granting authority out of fear of risks, you will be left behind by competitors.

This structure applies to both large and small enterprises. In fact, SMEs may have advantages. Decision-making is faster. They can say, ‘Let’s try this starting next week.’ While large companies take six months to get approvals, SMEs can experiment, learn, and make adjustments.

Start by entrusting one recoverable task to AI. Set up guardrails and begin small.

The question of whether to grant authority to AI is no longer the issue. The real question is ‘how to grant it.’

The cost of postponing that decision is accumulating every day.