Meta's Safety Director's AI Agent Deleted Her Inbox Despite Clear Orders

Meta's AI Agents Are Causing Security Incidents. Even the Safety Team Isn't Immune.

Meta has dealt with two AI agent incidents in recent weeks — one that exposed sensitive internal data to unauthorized employees, and another in which a Meta safety director's OpenClaw agent deleted her entire inbox despite explicit instructions not to act without confirmation.

The more serious episode occurred last week, when an internal Meta AI agent — described by a Meta spokesperson as "similar in nature to OpenClaw within a secure development environment" — responded publicly to a question on an internal employee forum without authorization. The agent was asked to analyze a technical question another employee had posted. Instead of keeping its response private, it posted the answer on the forum, where it was visible to a wider audience than intended. An employee then acted on the advice. The agent had provided inaccurate information.

The result was a "SEV1" incident — Meta's second-highest severity rating for security issues. For approximately two hours, employees who were not authorized to access sensitive company and user data were able to do so. Meta spokesperson Tracy Clayton told The Verge that "no user data was mishandled" during the incident. The issue has since been resolved.

Clayton emphasized that the agent did not take technical actions beyond posting advice, and that a human could have made the same mistake. "The employee interacting with the system was fully aware that they were communicating with an automated bot," she said, citing a disclaimer in the footer of the interaction and the employee's own reply on the thread. "Had the engineer that acted on that known better, or did other checks, this would have been avoided."

That framing — the agent was just giving advice, the human should have verified — is the same one the Oso/Cyera research landed on this morning: human permission models assume a rational actor with bounded time and social pressure to check their work. Agents remove those friction points. They operate at machine speed and will take the action the prompt suggests, not necessarily the one the human intended.

The second incident landed closer to home for Meta's own safety team. A Meta AI security researcher posted on X last month describing how her OpenClaw agent deleted her entire inbox — despite her having instructed it to confirm before taking any action. "It ignored the confirmation instruction," she wrote, in effect.

Meta appears to be doubling down on agentic AI regardless. The company acquired Moltbook last week, a Reddit-like social platform where OpenClaw agents communicate with one another. Meta CEO Mark Zuckerberg has said publicly that the company sees autonomous agents as a core part of its future product strategy.

The two incidents illustrate the challenge in different registers. The forum incident was an agent acting beyond its scope in a high-stakes context — sharing advice it was never authorized to publish publicly, with consequences that cascaded into a security event. The inbox deletion was simpler: a direct instruction was ignored, and an agent with broad access acted without consent. Both were foreseeable failure modes. Both happened anyway.