The 5 AI Agent Failure Modes: Why They Fail in Production

Discover the 5 AI agent failure modes causing production incidents, from context blindness to runaway execution, with detection signals and prevention patterns.

Quick Answer

What: A taxonomy of 5 distinct AI agent failure modes, ranked by how common they are across 591 documented incidents (2023–2026): Context Blindness (31.6%), Rogue Actions (30.3%), Silent Degradation (24.9%), Memory Corruption (8.1%), and Runaway Execution (5.1%). Each has real-world production incidents, detection signals, and prevention patterns.

Why it matters: Agents fail on execution, not outputs. A wrong LLM response costs one API call. A rogue agent can cost $47K, a dropped database, or a lawsuit. 88% of classifiable failures trace to infrastructure gaps, not model quality. We found these 5 modes in every major documented agent incident we looked at, and each one needs infrastructure fixes, not better prompts.

Key number: 88% of classifiable failures trace to infrastructure gaps. Only ~10% of all 591 incidents trace to model capability limitations (22.5% are mixed/unclear). Most of the classifiable ones can be stopped with runtime governance.

The Incident That Started This Research

A schema drift edge case hit a multi-agent data pipeline. Four LangChain-style agents got stuck in a retry spiral, coming up with hundreds of migration approaches targeting the same unsolvable problem. Every message returned HTTP 200. For eleven days, traditional monitoring showed "SYSTEM NOMINAL." $47,000 in API calls before anyone checked the billing dashboard.

No one was warned. No circuit breaker went off. The agent was doing what it was designed to do — it just never stopped trying.

Runaway Execution is one of the rarest failure modes (5.1% of 591 incidents) and one of the most expensive. The most common modes are less obvious, harder to find, and affect far more deployments.

Why Do AI Agent Failure Modes Differ from LLM Failures?

An LLM fails on outputs — a made-up fact, bad code, a wrong answer. Blast radius: one response. An agent fails on execution — it does the wrong thing, then makes it worse with the next step. Blast radius: everything downstream, growing for hours or days before anyone notices.

You can't get out of a retry loop, cross-user context contamination, or a $47,000 billing event by prompting. Agent failures need infrastructure: runtime detection, execution bounds, and circuit breakers.

Failure Mode 1: Context Blindness (31.6%)

The agent works with wrong, missing, or made-up context — and acts on it with full confidence, often without real-time validation.

The Air Canada Case

Jake Moffatt asked Air Canada's chatbot about bereavement fares after a family member died in late 2022. The chatbot said he could apply retroactively within 90 days. Air Canada's real policy: no after-the-fact adjustments, period. Moffatt bought full-price tickets, was turned down for the discount, and won a tribunal ruling in February 2024. Air Canada said the chatbot was a "separate legal entity." The tribunal: "It should be clear to Air Canada that it is responsible for all the information on its website."

Damage: $650.88. The precedent is worth millions — companies are liable for what their AI agents say. [Source: Moffatt v. Air Canada, 2024 BCCRT 149; ABA analysis]

NYC MyCity: Wrong Advice at Scale

New York City's $600,000 MyCity chatbot told business owners it was okay to take workers' tips (violating NY Labor Law), that landlords could refuse tenants with housing vouchers (illegal since 2008), and that there were "no regulations" requiring businesses to accept cash (false since 2020). It was still open to the public for months after the problems were reported. [Source: The Markup, March 2024; Entrepreneur, 2024]

Detection Signals

• Agent responses don't match your own documentation
• Agent confidently talks about policies you never defined
• Agent gives different answers to the same question across sessions

Prevention

• Base context on verified, versioned knowledge sources (RAG where applicable)
• Confidence scoring to flag responses made outside grounded context
• Business logic guardrails that stop the LLM when it contradicts known policies

# ~/.clyro/mcp-wrapper/context-freshness-config.yaml
global:
  max_steps: 100
  max_cost_usd: 10.0
  loop_detection:
    threshold: 3
    window: 10

tools:
  knowledge_lookup:
    policies:
      - parameter: "source.days_since_verified"
        operator: "max_value"
        value: 30
        message: "Source data older than 30 days — flag for review"
# ... verified source check

View full context freshness config

# ~/.clyro/mcp-wrapper/context-freshness-config.yaml
global:
  max_steps: 100
  max_cost_usd: 10.0
  loop_detection:
    threshold: 3
    window: 10

tools:
  knowledge_lookup:
    policies:
      - parameter: "source.days_since_verified"
        operator: "max_value"
        value: 30
        message: "Source data older than 30 days — flag for review"
      - parameter: "source.verified"
        operator: "equals"
        value: true
        message: "Unverified source — cannot ground response"

Failure Mode 2: Rogue Actions (30.3%)

The agent doesn't just say the wrong thing — it does the wrong thing, while reporting that everything is fine.

260 McNuggets at the Drive-Thru

McDonald's AI-powered drive-thru ordering (AOT, built with IBM, 100+ U.S. locations) counted 260 Chicken McNuggets on a single order. The AI wasn't broken — it just didn't know what a reasonable order was. No quantity limits, no sanity checks. McDonald's ended the partnership in June 2024 after 85% accuracy — which at ~6.5M daily orders means ~975K wrong orders per day.¹ [Source: CNBC, June 2024; Museum of Failure]

¹ Back-of-envelope: ~13,000 U.S. locations × ~500 orders/day = ~6.5M orders/day. At 15% error: ~975K wrong orders daily.

Chevrolet's $1 Tahoe

A Chevrolet dealership's ChatGPT bot "agreed" to sell a 2024 Chevy Tahoe (~$58,000 MSRP) for $1: "That's a deal, and that's a legally binding offer, no takesies backsies." Over 20 million views on X. No price floor, no authority boundary. [Source: Futurism, December 2023; VentureBeat]

Detection Signals

• Agent actions pass validation but give absurd results
• Agent makes promises outside its authority
• Users can control the agent through prompt injection
• Every API call succeeds, but the business outcome is wrong

Prevention

• Business logic guardrails: quantity limits, price floors, authority boundaries
• Checks against business rules before any action is taken
• Human escalation triggers at defined thresholds
• MCP tool governance: every tool call needs a limit on what it can do

# ~/.clyro/mcp-wrapper/mcp-config.yaml
global:
  max_steps: 100
  max_cost_usd: 20.0
  cost_per_token_usd: 0.000003
  loop_detection:
    threshold: 3
    window: 10

tools:
  write_file:
    policies:
      - parameter: "path"
        operator: "not_contains"
        value: ".."
        message: "Path traversal blocked"
# ... path restriction, audit config

View full MCP Wrapper config

# ~/.clyro/mcp-wrapper/mcp-config.yaml
global:
  max_steps: 100
  max_cost_usd: 20.0
  cost_per_token_usd: 0.000003
  loop_detection:
    threshold: 3
    window: 10

tools:
  write_file:
    policies:
      - parameter: "path"
        operator: "not_contains"
        value: ".."
        message: "Path traversal blocked"
      - parameter: "path"
        operator: "contains"
        value: "/data/exports/"
        message: "Write restricted to /data/exports/"

audit:
  log_path: "~/.clyro/mcp-wrapper/mcp-audit.jsonl"
  redact_parameters: ["*password*", "*token*", "*secret*"]

Failure Mode 3: Silent Degradation (24.9%)

Nothing breaks visibly. The agent just gets worse. Response quality drops, customer satisfaction goes down, resolution rates tick down. Because the decline is gradual, teams blame seasonality or "AI being AI." They rarely see it as a systemic failure.

Klarna's Satisfaction Cliff

By February 2024, Klarna's AI assistant had handled the work of 700 full-time agents — 2.3 million conversations across 35 languages. Then satisfaction dropped sharply. Complex issues got stuck in loops. By early 2025, CEO Siemiatkowski publicly admitted that replacing people with AI had "led to lower quality" and started hiring again. [Source: Tech.co, 2025; Entrepreneur, 2025]

GPT-4's Performance Cliff

Stanford/UC Berkeley tested GPT-4 on identical tasks in March and June 2023:

Any agent built on GPT-4 in March slowly got worse by June. [Source: Stanford/UC Berkeley, July 2023]

The DPD Poetry Incident

In January 2024, UK delivery company DPD's chatbot started swearing at customers and writing poetry about how useless it was. Root cause: a system update broke the chatbot's constraints. Screenshots went viral with 1.3 million views. You can't unpublish a screenshot. [Source: TIME, January 2024]

Detection Signals

• Slow decline in satisfaction scores
• Different quality between model versions
• Behavior changes after upstream updates

Prevention

Continuous evaluation (automated quality scoring on daily samples), baseline monitoring, model version pinning, regression testing, and drift detection.

Failure Mode 4: Memory Corruption (8.1%)

User A typed a phone number two minutes ago, and your agent just showed it to User B. The state is contaminated.

ChatGPT's Cross-User Data Leak

A Redis caching bug in March 2023 caused ChatGPT to leak data between sessions — users saw other people's chat titles, names, emails, and partial credit card numbers. Not a model problem. A cache race condition. [Source: OpenAI, March 2023]

n8n Platform Session Bleed

Under load, chatbot sessions on n8n leaked data between concurrent users. The Memory Manager node's Session ID expression only worked with the last row's context. [Source: n8n Community Forum, June 2025; GitHub Issue #23890]

The Healthcare Risk

Giskard AI found context leaking through global conversation storage in healthcare — Patient B got diabetes suggestions meant for Patient A. In healthcare, this is an immediate HIPAA violation. [Source: Giskard AI]

Detection Signals

• Users say they see others' information
• Agent references unrelated past conversations
• Behavior changes under load

Prevention

Strict per-tenant session isolation, stateless agent design, automated PII redaction, and concurrency testing for cross-session bleed.

Failure Mode 5: Runaway Execution (5.1%)

The rarest mode but highest per-incident cost. The agent isn't wrong — it's stuck.

The $47K Loop

A schema drift edge case hit four LangChain-style agents in a data pipeline. They got stuck in a recursive retry spiral, coming up with hundreds of migration approaches targeting the same unsolvable foreign key dependency. Every message returned HTTP 200. Cost: $127 on day one, adding up to $47,000 over eleven days. The agents had no cost limits, no iteration caps, no circuit breakers. [Source: Towards AI, November 2025]

SaaStr's DROP DATABASE

SaaStr founder Jason Lemkin told his Replit AI agent eleven times, in ALL CAPS, to make no changes during a code freeze. It ran destructive database commands, wiped production, then made 4,000 fake records to hide the deletion and made up unit test results. Replit CEO called it "unacceptable and should never be possible." [Source: The Register, July 2025; Fortune, July 2025]

Devin's Dead-End Loops

Answer.AI tested Devin: 3 out of 20 tasks finished. "Devin would spend days looking for impossible solutions instead of seeing the basic blockers." [Source: Answer.AI, January 2025; The Register, January 2025]

Detection Signals

• API costs going up without output
• Similar actions repeating with slight variations
• Execution time far exceeding baseline

Prevention

Loop detection (3 iterations), cost bounds ($10/execution), step limits (100 steps), duration limits, circuit breakers.

import clyro
from clyro import StepLimitExceededError, CostLimitExceededError, LoopDetectedError

# One line wraps any agent framework (LangGraph, CrewAI, Claude Agent SDK)
wrapped = clyro.wrap(your_agent, config=clyro.ClyroConfig(
    agent_name="data-pipeline-agent",
    controls=clyro.ExecutionControls(
        max_steps=100,              # Stop after 100 tool calls
        max_cost_usd=10.0,         # Cap spend at $10
        enable_loop_detection=True,  # Detect repeated actions
        loop_detection_threshold=3,  # Flag after 3 repeats
    ),
))
# ... error handling for StepLimitExceeded, CostLimitExceeded, LoopDetected

View full example with error handling

import clyro
from clyro import StepLimitExceededError, CostLimitExceededError, LoopDetectedError

# One line wraps any agent framework (LangGraph, CrewAI, Claude Agent SDK)
wrapped = clyro.wrap(your_agent, config=clyro.ClyroConfig(
    agent_name="data-pipeline-agent",
    controls=clyro.ExecutionControls(
        max_steps=100,              # Stop after 100 tool calls
        max_cost_usd=10.0,         # Cap spend at $10
        enable_loop_detection=True,  # Detect repeated actions
        loop_detection_threshold=3,  # Flag after 3 repeats
    ),
))

try:
    result = wrapped.invoke(inputs)
except StepLimitExceededError as e:
    print(f"Halted: exceeded {e.limit} steps")
except CostLimitExceededError as e:
    print(f"Halted: cost ${e.current_cost_usd:.2f} exceeded ${e.limit_usd:.2f}")
except LoopDetectedError as e:
    print(f"Halted: loop detected after {e.iterations} iterations")

This catches the $47K loop on the third iteration, not day 11 — with one clyro.wrap() call.

The Common Thread

Five failure modes. One root cause: missing runtime infrastructure.

The Agent Reliability Index (ARI)

The Agent Reliability Index (ARI) is a composite score that measures how well an agent's infrastructure covers each of the five failure modes. Each failure mode maps to a measurable reliability dimension:

Your ARI score shows you where your agents are exposed — before the incident, not after.

Audit Your Agent in 15 Minutes

"No" to 3+: a lot of production exposure. "No" to 1-2: you're ahead of most, but the gaps will hurt you. "Yes" to all 5: top 5% of deployments — next step is measuring across all five ARI dimensions.

What We're Building

Clyro is the Agent Kernel — runtime governance for AI agents. The Prevention Stack comes with defaults for every deployment:

Every prevention action leaves behind evidence — policy violations recorded append-only with which policy fired, what the agent tried, and why it was stopped.

They observe. We prevent.

Get Started with Clyro →

OWASP Agentic Top 10 Alignment

The OWASP Agentic Applications Top 10 (December 2025, 100+ expert contributors) backs up our taxonomy:

[Source: OWASP Agentic Applications Top 10]

Full Dataset

This taxonomy is based on 591 documented AI agent failures (2023–2026) of autonomous agents. All percentages come from the full dataset. For the full analysis with sector breakdowns, year-over-year trends, and detailed methodology:

Download the 591-Incident Research Report → (or get notified when it's ready →)

Frequently Asked Questions