The headline said an AI carried out a ransomware attack on its own. The details said something quieter and more useful. A human picked the target, built the infrastructure, and handed the agent stolen credentials. Then the agent did the technical work. The autonomy was real in one narrow place and imagined everywhere else.
That gap between the headline and the mechanics is the whole story, and it repeats far beyond security.
What the Agent Actually Did
The security firm Sysdig documented the case, which they call JadePuffer. The agent exploited a vulnerability in Langflow, gained admin access to a MySQL server, encrypted more than 1,300 configuration records, and wrote its own ransom note with a Bitcoin address attached. It fixed a failed login in 31 seconds, narrating its own reasoning in plain-language code comments as it moved.
That is genuinely impressive execution, and it is cheap. If you framed the story on that paragraph alone, you would conclude the autonomous attacker has arrived and we should all panic on schedule.
But read what the agent did not do. It did not decide who to hit. A person selected the victim, provisioned the command-and-control infrastructure, set up the staging servers, and supplied database credentials stolen in a prior compromise. The agent was handed a loaded situation and told to pull the trigger. It was a very fast intern with a very specific brief, not a strategist.
Execution Is Cheap. Judgment Is Still the Bottleneck.
Sysdig's Michael Clark made the point that ends the hype. The early headlines overstated the autonomy by omitting the persistent human roles. The predicted future of thousands of simultaneous AI-run campaigns did not materialize, because the expensive part was never the execution. It was choosing the target and building the setup, and that still needs a person.
This is the same shape I keep seeing in legitimate business use of agents. The model can do the task at speed once the task is fully framed. Framing the task, deciding it is the right task, and owning the outcome remain human. I wrote about why AI agents will not replace whole jobs, and a criminal case makes the same argument the corporate ones do. Tasks automate. Judgment does not, at least not yet.
There is a detail worth noting for the paranoid. Sysdig could not identify which model drove the agent, and found API keys from OpenAI, Anthropic, DeepSeek, and Gemini in the wreckage. Those keys were loot, stolen goods, not evidence of some multi-model brain. Even the forensics got misread on the first pass, which tells you how eager everyone is to believe the autonomy story.
The Lesson for Everyone Not Running a Ransomware Crew
Flip the same facts to the defender and operator side, because that is where you live. If the bottleneck in an AI-run attack is human target selection and setup, then the bottleneck in AI-run anything is the same. The value and the risk both sit in who decides what the agent works on, not in the agent's raw ability to work.
That should change how you deploy agents inside a company. The instinct is to obsess over capability, over how much the agent can do unsupervised. The real questions are narrower and more boring. Who framed the task. Who can audit what the agent touched. Whose name is on the outcome when it goes wrong. An agent that encrypts the wrong 1,300 records because a human pointed it badly is not an autonomy problem. It is an accountability problem wearing an autonomy costume.
The practical version is a rule I give teams putting agents into real work. An agent may run any task a competent junior could run with a clear brief and a defined stopping point. Anything that requires setting the brief, judging whether the task is worth doing, or absorbing the fallout stays with a named person. Draw that line clearly and the speed is a gift. Blur it and the speed becomes a liability you never priced.
This is why agent identity matters more than agent intelligence right now. I argued that AI agents need their own identities, with scoped permissions and a clear owner, precisely so that when one acts you can trace the decision back to a person. The JadePuffer agent had none of that discipline because its operator wanted deniability. Your agents should have all of it, because you want the opposite.
Deploy agents where the task is well framed and the blast radius is contained. Keep a human on target selection, on the decision that the task is worth doing at all, and on the review of what the agent actually changed. Speed is the part the model gives you for free. Judgment is the part you are still paying for, and the part that is still yours to get wrong.
The autonomous attacker made a great headline and a mediocre argument. Strip the drama and you get a clear operating principle. The machine is ready to execute long before it is ready to decide. Build your systems around that fact and you get the speed without handing over the one thing you cannot outsource, which is responsibility for what the speed is aimed at.