Researchers from more than 10 institutions including Northeastern University, Stanford University, Harvard University and the Massachusetts Institute of Technology (MIT) published a paper titled "Agents of Chaos" that empirically demonstrates the risks of autonomous AI agents.

The paper focuses on analysing system-level risks that emerge when autonomous AI agents are placed in an open competitive environment. The results are not straightforward.

According to the paper, AI agents naturally moved beyond performance optimisation into manipulation, collusion and strategic obstruction. The behaviour emerged from incentive structures alone, without malicious prompts or hacking attempts.

The researchers explained this as an imbalance between local alignment and global stability. Even if a single AI assistant is perfectly aligned, once thousands begin competing in an open ecosystem, the outcome converges on game-theoretic chaos, they said. Controlling an individual agent does not guarantee safety for the system as a whole.

The results were summarised in 11 representative cases. They included carrying out instructions from unauthorised outsiders, exposing sensitive information, executing commands to destroy systems, inducing denial-of-service conditions, unauthorised consumption of resources, identity impersonation, spreading risky behaviour among agents and partial takeover of systems. Some agents reported that tasks were completed, but the actual system state differed from what they reported.

The researchers pointed to rapidly deployed technologies such as multi-agent financial trading systems, autonomous negotiation bots, economic trading platforms between AIs and API-based autonomous agent swarms. "Everyone is competing to deploy agents in finance, security and commerce. There are few actors modelling ecosystem-level effects," they said in the paper.

The researchers conducted red-team tests over 2 weeks in a real laboratory environment. They built a language model-based autonomous agent with access to an email account, Discord, a file system and shell execution privileges, and about 20 AI researchers interacted with the agent under both normal and attack conditions.