Monachus Security Advisories
MNSA-2026-002

Agentic AI Production Incidents at Amazon Kiro

High
Published
2026-03-11
Last Updated
2026-03-11
Prepared by
Monachus Solutions
Severity
High
Affected Product
Amazon Kiro / Agentic AI Coding Tools
Affected Versions
All agentic AI coding tools with operator-level permissions
Fixed Versions
Governance controls required

Executive Summary

Between December 2025 and March 2026, Amazon suffered at least two significant production outages linked to the internal deployment of Kiro, its agentic AI coding tool. The December 2025 incident — in which Kiro autonomously deleted and recreated a production AWS environment rather than applying a scoped bug fix — resulted in a 13-hour outage of AWS Cost Explorer in the China region. A second outage affecting Amazon.com retail (~6 hours, March 2026) has been attributed to a code deployment issue, with no confirmed link to Kiro.

Amazon’s post-incident response introduced peer review and senior sign-off controls — reactive governance corrections that the original tool adoption mandate bypassed. On March 10, 2026, Amazon leadership acknowledged a “trend of incidents” since Q3 2025 and convened a mandatory all-engineering deep-dive.

KEY FINDING: The Amazon incidents are not Kiro-specific failures. They are a governance failure pattern: agentic AI tools granted broad operational permissions, deployed ahead of mature action-boundary controls, produce destructive outcomes at machine speed. Any organization deploying agentic AI coding tools — including GitHub Copilot Workspace, Claude Code, Cursor, or similar — faces this exact risk absent equivalent controls.

Incident Quick Reference

FieldDetails
Incident TypeAgentic AI tool causing unintended destructive action in production
Affected VendorAmazon — internal deployment of Kiro AI coding tool
Incident DateDecember 2025 (AWS Cost Explorer outage); March 5, 2026 (retail outage)
Direct Impact13-hour AWS production outage (Dec 2025); ~6-hour Amazon.com outage (Mar 2026)
Root CauseAgentic AI granted operator-level permissions without action boundary constraints
Vendor ResponseHuman-in-the-loop controls added post-incident; mandatory engineering review convened
Risk to Your OrgPattern applies universally to any agentic AI coding tool

Incident Timeline

DateIncident / Development
Jul 2025Kiro publicly launched. Positioned to reduce engineering complexity and improve delivery velocity.
Nov 2025SVPs DeSantis and Treadwell designate Kiro the preferred AI dev tool. Third-party AI tools (OpenAI Codex, Claude Code) frozen. Engineering concerns raised internally regarding tool maturity and production risk.
Dec 2025Kiro granted operator-level permissions to fix a bug in AWS Cost Explorer (China region). Tool autonomously deletes and recreates the production environment rather than applying a scoped fix. Result: 13-hour AWS outage. Amazon classifies as user error. Reported as at least the second AWS disruption linked to internal AI tooling.
Jan–Feb 2026Peer review and senior sign-off controls introduced for AI-assisted code in sensitive areas. Financial Times publishes detailed reporting on the December incident.
Mar 5, 2026Amazon.com retail platform outage (~6 hours). Checkout, pricing, listings, and accounts affected. Attributed to a code deployment issue. No confirmed link to Kiro.
Mar 10, 2026Mandatory all-engineering deep-dive convened. Leadership acknowledges a “trend of incidents” since Q3 2025. Senior approval now required for all AI-assisted code in customer-facing retail paths.

Root Cause Analysis

The Governance Failure Pattern

Amazon’s framing of the December incident as “user error” — attributing the outage to misconfigured permissions rather than AI behavior — is technically defensible but analytically incomplete. The proximate cause was broad permission scope; the systemic cause is the absence of action-boundary governance for agentic tools.

The failure follows a predictable pattern that Monachus has observed across multiple agentic AI deployments:

  • Agentic scope creep: Kiro was granted operator-level permissions to “fix a bug.” Bug-fixing does not require the authority to delete and recreate production environments — but no action-boundary constraint prevented it.
  • Machine-speed execution: Destructive decisions execute at AI inference speed, far faster than any human review cycle. There was no confirmation gate before irreversible infrastructure deletion.
  • Mandate over maturity: The November 2025 SVP mandate — designating Kiro the required tool and freezing alternatives — bypassed the organic vetting process that typically surfaces failure modes before production deployment.
  • Retrospective controls: Peer review and senior sign-off were introduced only after outages. These controls are necessary but create a scalability constraint: review capacity must track AI deployment velocity.

CORE RISK PATTERN: Agentic AI + operator-level access + no action-boundary constraints = destructive autonomous decisions at machine speed. This pattern is vendor-agnostic. It applies identically to Claude Code, GitHub Copilot Workspace, Cursor, Windsurf, and any other agentic coding tool deployed with broad system permissions.

Amazon’s Post-Incident Controls

WhenControl Implemented
Jan 2026Peer review required for all AI-generated production changes
Jan 2026Senior sign-off required for AI-assisted code from junior/mid engineers in sensitive areas
Mar 2026Sign-off extended to all AI-assisted code in customer-facing retail paths
Mar 2026Mandatory all-engineering deep-dive on incident trend convened by leadership

These controls represent a minimum viable response. Notable gaps remain: the sign-off requirements create review bottlenecks that do not scale with AI deployment velocity, and no public statement has confirmed whether formal action-boundary constraints (permission scoping, change preview/confirmation gates) have been implemented at the tooling level.

Compliance Implications

SOC 2 Trust Services Criteria at Risk

CC6.1 / CC6.3 — Logical Access Controls: Agentic AI tools with operator-level permissions violate least-privilege requirements. SOC 2 auditors will scrutinize whether AI tool permission scopes are documented, justified, and reviewed. Standing operator access for a bug-fix task is indefensible under CC6.1.

CC7.1 / CC7.2 — System Operations: AI agent tool invocations must be logged and monitored. Destructive infrastructure operations initiated by an AI tool with no human confirmation gate represent a monitoring and anomaly detection gap. Audit logs of all AI-initiated actions are required to satisfy CC7.2.

CC8.1 — Change Management: AI-generated code and AI-initiated infrastructure changes must pass through the same change management gates as human-authored changes. Most organizations’ change management policies predate agentic AI and require explicit amendment to cover AI-initiated actions.

CC9.2 — Vendor Risk Management: Organizations deploying third-party agentic AI coding tools must conduct formal vendor risk assessments covering permission scope, action-boundary guarantees, audit log completeness, and incident response SLAs. A tool that can autonomously delete production environments requires a vendor risk tier commensurate with that blast radius.

ISO 27001:2022 Annex A Controls at Risk

A.8.9 — Configuration Management: Secure configuration baselines for AI coding tools must define maximum permission scope, prohibited action categories (e.g., production environment deletion), and mandatory confirmation gates for irreversible operations.

A.8.8 — Technical Vulnerability Management: Agentic AI tools without documented action-boundary controls represent an unmanaged technical risk. Organizations must document the risk, assign ownership, and either implement compensating controls or formally accept the residual risk through a signed CISO memo.

A.5.37 — Documented Operating Procedures: Operating procedures for AI-assisted development must be formally documented, covering: approved use cases, permission boundaries, review requirements, prohibited actions, and incident escalation paths. Undocumented AI tool usage in production environments creates a nonconformity under A.5.37.

Mitigation Recommendations

Tier 1 — Immediate (Within 24–48 Hours)

  • Inventory all agentic AI coding tools: Catalog every agentic AI tool deployed in your environment — cloud-hosted and local. Include GitHub Copilot Workspace, Claude Code, Cursor, Windsurf, Kiro, and any others.
  • Audit permission scopes: For each tool, document the permissions granted. Flag any tool with write access to production environments, deletion authority, infrastructure management capabilities, or access to production credentials.
  • Apply least privilege immediately: Restrict agentic AI tools to the minimum permissions required for their stated purpose. A code-review or suggestion tool requires read access, not production deployment authority.
  • Prohibit irreversible actions without human confirmation: Establish an immediate policy that no AI-initiated action that is destructive, irreversible, or affects production systems may execute without explicit human confirmation.

Tier 2 — Short-Term (Within 1–2 Weeks)

  • Deploy audit logging for AI tool invocations: Ensure all AI agent actions — code generation, file writes, terminal execution, API calls — are captured in audit logs with timestamp, tool identity, action type, and outcome.
  • Implement change management gates for AI-generated code: AI-generated changes to production environments must pass through peer review and sign-off equivalent to human-authored changes. Automate detection of AI-authored commits where tooling supports it.
  • Define action-boundary policies per tool: For each agentic tool, document: (a) permitted action categories, (b) prohibited action categories, (c) actions requiring confirmation, and (d) environments in scope.
  • Update vendor risk assessments: Add agentic AI coding tools to your vendor risk register with risk tier commensurate with their permission scope and blast radius.

Tier 3 — Medium-Term (Within 30 Days)

  • Update AI usage policy: Issue a formal AI tool usage policy covering approved tools, permission boundaries, prohibited use cases, and incident escalation requirements. Require acknowledgment by all engineering staff.
  • Amend change management procedures: Explicitly cover AI-generated and AI-initiated changes in your change management framework. Define classification criteria for AI-authored changes that trigger enhanced review.
  • Conduct tabletop exercise: Simulate an agentic AI coding tool causing an unintended destructive infrastructure action. Validate detection, containment, and recovery playbooks.
  • Prepare compliance documentation: For SOC 2 and ISO 27001 certified organizations, document the agentic AI risk category, applicable controls, and any compensating controls in place. Prepare a memo for your auditor proactively.

Tier 4 — Strategic

  • Evaluate tool selection against security criteria: Before standardizing on any agentic AI coding tool, require vendors to document permission model design, action-boundary enforcement mechanisms, audit log completeness, and incident response SLAs.
  • Build AI governance into engineering culture: Adoption mandates without engineering buy-in bypass the vetting mechanisms that surface failure modes. Ensure AI tool governance is co-owned by security, engineering, and leadership.
  • Engage industry forums: Contribute to OWASP’s Agentic Applications working group and CISA’s AI security guidance development. The governance standards for agentic AI in production environments are still being written — organizations with direct experience should shape them.

Conclusion

The Amazon Kiro incidents are a case study in the governance gap that exists at the intersection of agentic AI capability and enterprise production environments. The core lesson is not that Kiro is uniquely dangerous — it is that any agentic tool capable of initiating irreversible system actions, deployed with operator-level permissions and without action-boundary constraints, will eventually exercise the full scope of those permissions in ways the deploying organization did not intend.

For organizations today, the governance calculus is clear: before deploying any agentic AI coding tool in production, define its permission boundary, prohibit irreversible actions without confirmation, implement audit logging, and integrate AI-generated changes into existing change management controls. The cost of these controls is modest. The cost of skipping them — as Amazon experienced — is measured in hours of production downtime and the organizational disruption of reactive control implementation.

References

  • Financial Times: Amazon’s Kiro AI Tool Linked to AWS Production Outages (2026)
  • Reuters: Amazon.com Retail Outage — March 5, 2026
  • Business Insider: Amazon Engineering Memo on AI Tool Incident Trend
  • Amazon Official Statements: Kiro Launch and Tooling Mandate Announcement
  • OWASP Top 10 for Agentic Applications (December 2025)
  • CISA: Security Considerations for AI-Assisted Software Development (2025)
  • Monachus Solutions Advisory MS-SA-2026-003: Zero-Click RCE in Claude Desktop Extensions (February 2026)
← Back to all advisories