What are the most common failure modes of AI agents in enterprise environments?

The nastiest issues I’ve seen weren’t dramatic one‑shot exploits, they were a pile of small decisions that each looked harmless. We had agents treating anything in the conversation history as trustworthy, pulling in context from sources that were never meant to drive decisions, and calling tools in sequences that looked fine individually but added up to something no one would have signed off in a design doc. Nothing about a single step looked alarming; viewed as a session, it was a slow‑motion facepalm. One pattern that keeps cropping up is over‑reliance on long‑term memory. Once an agent can remember and reuse old context, any earlier message can influence later actions. If you don’t cap how much privileged information it can collect in one session, or reset state around sensitive operations, a completely normal user or third‑party content they paste in can gradually push it into dangerous territory without ever sending an obviously malicious prompt. Another recurring issue is stateless tool gating: if the policy engine only looks at “this call right now” instead of “the last N calls in this session,” agents can reconstruct sensitive data or perform high‑risk workflows piece by piece while every individual call still looks fine. Add overly broad permissions on top and you’ve basically handed a very eager intern the keys to production. If you’ve shipped agents into production, what’s the most instructive “death by a thousand cuts” failure you’ve run into, and what change architecture, policy, or tooling, did the most to keep it from happening again? If you point to any other specific post where the pattern still bothers you, that one can be rewritten with a different opening structure and tone as well.