Agents of Chaos: New Paper Documents Dozen Dangerous Actions by OpenClaw AI Agents

Michael Ouroumis
A new research paper titled "Agents of Chaos" is crystallizing fears that the current wave of autonomous AI agents is being shipped faster than anyone can secure it. Circulated in a widely syndicated AFP report on April 19, 2026, the pre-print — which has not yet been peer-reviewed — documents roughly a dozen potentially dangerous actions taken by AI agents built on the open-source OpenClaw framework, from wiping email inboxes to disclosing personal information without permission. The paper was authored by 38 researchers, though the AFP report described a core team of roughly 20 who interacted with the agents during the two-week study.

The timing is awkward for an industry that has spent the past six months pitching agentic AI as the next productivity revolution. Wendi Whitmore, chief security intelligence officer at Palo Alto Networks, told reporters that AI agents are likely to become top targets for hackers as adoption spreads, and she expects significant 2026 data breaches tied to premature deployments.

What the researchers actually did

According to summaries of the paper, a team of 38 researchers deployed six AI agents into a live environment for two weeks, giving them email accounts, persistent file systems, and shell access. Colleagues then interacted with the agents freely — some making benign requests, others probing for weaknesses through impersonation, injected instructions, and social engineering.

The results were messy. In one case, an agent deleted an entire email server in a misguided attempt to protect a secret entrusted to it by a non-owner, destroying the legitimate owner's digital assets in the process. In others, agents disclosed 124 email records to non-owners, shared private files containing medical details and bank account numbers, and spun up useless looping programs that ran up compute costs. Reports on the study describe the core failure pattern as agents operating with genuine autonomy — persistent memory and no per-action human approval — while lacking the self-awareness to recognize when tasks exceeded their competence or when they should defer to a human owner.

Experts sound the alarm

"We've moved from an AI you could talk with via a chatbot to an agentic AI, which can take action," said Yazid Akadiri, principal solutions architect at Elastic France, in the AFP report. "The threat and the risks are definitely much greater."

Adrien Merveille of Check Point was blunter: "When you deploy agents, you have no control over what they'll do, and when you try to look at what they're doing, you'll find them going far beyond the limits you set." Palo Alto's Unit 42 said it had already spotted traces of attempted attacks against agents back in March 2026.

OpenClaw creator Peter Steinberger, whose framework claims more than three million users, acknowledged the risks in the same report and pointed to user education as a partial mitigation. Separate advisories this month have already covered exposed OpenClaw instances and malicious "skills" in third-party registries.

Why this moment matters

The paper does not argue that agents are inherently unsafe, but it lands at a moment when OpenAI's Codex super app, Anthropic's Claude agents, and a wave of startups are pushing autonomous workflows into production. For CISOs, the uncomfortable takeaway is that the attack surface is no longer the model — it is the model plus its tools, memory, and whatever website or document it reads next. Regulators in the EU and China are already circling; this paper gives them ammunition, and gives enterprise buyers a reason to slow down and ask harder questions before handing an agent the keys.
