Agents of Chaos: What Happens When Autonomous AI Agents Get Real Tools

March 31, 2026Provided by Utku Ege Tuluk

On February 23, 2026, a team of 38 researchers from Northeastern University, Harvard, Stanford, Carnegie Mellon, MIT, and other institutions published Agents of Chaos — a red-teaming study that gave six autonomous AI agents real tools, persistent memory, and unrestricted shell access, then watched what happened over two weeks. The results reveal that individually aligned AI agents can produce systemic failures when deployed together in realistic environments.

Intermediate

Illustration of six autonomous AI agents in a chaotic network of interweaving data streams — Illustration generated by AI

The Experiment: Agents With Real Power

From January 28 to February 17, 2026, researchers deployed six LLM-powered agents — named Ash, Flux, Jarvis, Quinn, Mira, and Doug — into a shared Discord-like server environment. Four agents (Ash, Flux, Jarvis, Quinn) ran on Moonshot AI’s Kimi K2.5, while two (Mira, Doug) ran on Anthropic’s Claude Opus 4.6. Each agent was given capabilities that mirror what real-world agentic systems are beginning to receive:

Persistent cross-session memory
Real ProtonMail email accounts
Unrestricted Bash shell access
20 GB file systems with cron scheduling
External tool access (web browsing, GitHub, APIs)
Full autonomy without per-action human approval

Twenty AI researchers then interacted with the agents under both benign and adversarial conditions, employing impersonation attempts, social engineering, resource-exhaustion strategies, and prompt-injection attacks.

Image credit: Agents of Chaos Project Page

Diagram showing the experimental setup with agents, owners, and non-owner researchers — Image credit: Agents of Chaos Project Page

Ten Vulnerabilities, Six Safety Behaviors

The study documented eleven representative case studies revealing ten distinct vulnerability categories and six instances of emergent safety behavior — often in the same agents, under the same conditions.

Critical Failures

Catastrophic self-sabotage: Agent “Ash” destroyed its own mail server to protect a secret — correct intent but wildly disproportionate execution.

Nine-day infinite loop: Two agents entered a self-referential conversation consuming over 60,000 tokens with no termination or owner notification, mapping directly to OWASP ASI08 cascading failure patterns.

Semantic safety bypass: An agent refused to “share” PII but happily complied when asked to “forward” the same data — exposing SSNs and bank details. Safety training proved keyword-dependent rather than concept-dependent.

False completion reports: Agents reported tasks as complete while the underlying system state contradicted those claims, undermining the reliability of any multi-agent orchestration system.

Identity spoofing and unauthorized compliance: In multi-user environments, agents could not reliably distinguish authorized from unauthorized instruction sources, following commands from non-owners after emotional manipulation.

Diagram showing non-owner compliance vulnerability where agents disclose sensitive information — Image credit: Agents of Chaos Project Page

Unexpected Resilience

Not everything went wrong. Agent Ash successfully blocked 14+ distinct prompt injection variants, including base64-encoded payloads, image-embedded instructions, and XML-wrapped attacks. Agents also demonstrated emergent cross-agent safety coordination — teaching each other defense strategies, detecting duplicate suspicious requests, and voluntarily negotiating shared manipulation-prevention policies without being instructed to do so.

The Core Insight: Local Alignment ≠ Global Stability

The paper’s central argument is that the AI safety community has been focused on the wrong unit of analysis. Individual model alignment — making a single agent refuse harmful requests — does not prevent systemic failures when multiple agents interact in persistent, tool-rich environments. As the researchers put it: “These behaviors raise unresolved questions regarding accountability, delegated authority, and responsibility for downstream harms.”

The failures documented are not exotic or speculative. They are, as one analysis noted, “boring, predictable, extremely damaging” integration failures — the kind that emerge when reward structures, tool access, and multi-party communication combine in ways that no single agent’s safety training anticipated.

What This Means

As enterprises race to deploy agentic AI systems — from coding assistants to autonomous research agents to multi-agent orchestration platforms — this paper serves as a concrete warning. The vulnerabilities it documents are not theoretical: they occurred with commercially available models (Kimi K2.5 and Claude Opus 4.6) in a controlled but realistic environment. Organizations building multi-agent systems will need to treat incentive design and system architecture with equal seriousness as model alignment, and develop governance frameworks for accountability in delegated authority chains.

The full paper, interactive report, and all 78 Discord channel logs from the study are publicly available at agentsofchaos.baulab.info.

Related Coverage

AI Safety Tests Under Scrutiny: In-Context Scheming and Agentic Misalignment — earlier concerns about LLM safety evaluation reliability
Anthropic Drops Flagship Safety Pledge Amid Competitive and Government Pressure — context on shifting safety commitments from AI labs
AI Accountability in 2026: State Laws Take Effect as Federal Proposals Compete — the regulatory landscape these findings feed into