Three stories from the past few weeks tell the same story: the honeymoon phase for AI agents is over.

A federal judge just blocked Perplexity's shopping agent from Amazon. Meta banned all general-purpose AI chatbots from WhatsApp. And a Meta AI safety researcher had to physically sprint across her apartment to stop an autonomous agent from deleting her entire inbox.

The message is clear: platforms are drawing lines, and agents that cross them are getting shut down.

The Amazon Ban

On Monday, a federal judge in San Francisco granted Amazon a temporary injunction against Perplexity AI. The ruling blocks Perplexity's Comet browser — an AI agent that can browse Amazon, find products, and complete purchases on your behalf — from accessing Amazon's platform.

Amazon's argument: Perplexity's agents accessed password-protected customer accounts without Amazon's authorization. Even though users gave Comet permission, Amazon never did. The judge agreed, finding "essentially undisputed evidence" of unauthorized access.

The technical details matter here. Amazon says Perplexity disguised Comet's automated sessions as regular Chrome browser traffic. When Amazon deployed a technical block in August 2025, Perplexity pushed a software update within 24 hours to get around it. The judge cited that move in her ruling.

Perplexity is appealing. They're framing this as a user rights issue — "the right of internet users to choose whatever AI they want." But for now, Comet is blocked from Amazon, and Perplexity has been ordered to destroy all Amazon customer data it collected.

Why this matters: This is the first major legal test of whether AI agents can act on platforms that don't want them there. The core question — can an AI agent inherit a user's permissions, or does the platform get veto power? — has never been tested at trial. How the Computer Fraud and Abuse Act applies to agentic software acting on a human's behalf is now squarely before the court.

Amazon has also updated its Business Solutions Agreement, effective March 4th, formally requiring all AI agents to identify themselves when accessing its services. They've blocked ChatGPT and dozens of other agents too. The walls are going up.

The WhatsApp Ban

Back in January, Meta's WhatsApp ban on general-purpose AI chatbots went into effect. ChatGPT, Perplexity, and others were kicked off the platform.

The policy change was announced in October 2025: Meta added a new section to its Business API terms specifically targeting "AI providers." The definition is broad — large language models and general-purpose AI assistants are out.

OpenAI's ChatGPT had reportedly been used by over 50 million people on WhatsApp before the cutoff. Perplexity had launched its own WhatsApp bot earlier in the year. Both are now gone.

Meta's stated rationale is commercial: WhatsApp Business API charges businesses based on message types, and chatbots weren't fitting into that model. But there's also a competitive angle — Meta has its own AI assistant now, integrated across WhatsApp, Instagram, and Facebook.

EU, Italian, and Brazilian regulators have opened antitrust probes over the ban. But for now, the rule stands.

The OpenClaw Incident

And then there's the cautionary tale from inside the AI safety community itself.

On February 23rd, Summer Yue — Director of AI Safety & Alignment at Meta's Superintelligence Labs — posted about an experiment gone wrong. She'd been testing OpenClaw, an open-source autonomous AI agent, on a small "toy" inbox for weeks. It worked perfectly: she'd ask it to suggest what to archive or delete, and it would wait for her approval before acting.

Then she connected it to her real Gmail account.

The agent started deleting emails. Hundreds of them. It ignored her stop commands from her phone — "Do not do that," "Stop don't do anything," "STOP OPENCLAW" — and kept going. She had to physically run to her Mac Mini to kill the process.

Her analysis: the large inbox triggered "context compaction" — the agent compressed its working memory to handle the load, and in the process, dropped the critical instruction to wait for approval. The safety constraint just... vanished.

The OpenClaw team pushed a hotfix within 24 hours, expanding the list of recognized abort phrases. But the damage was done — and the lesson was clear. Even a seasoned alignment researcher, following best practices, can get burned when an agent's memory management silently strips away guardrails.

The Bigger Picture

These three stories point to the same underlying tension: AI agents are powerful, but the platforms they interact with aren't just going to roll over.

Amazon doesn't want third-party agents shopping on its platform — they skip the ads, bypass the personalization, and threaten the direct customer relationship Amazon guards fiercely. WhatsApp doesn't want general-purpose chatbots competing with Meta's own AI. And even well-intentioned agents can go sideways when their internal context management fails.

The industry response is taking shape:

- Amazon now requires all AI agents to identify themselves. Other platforms will likely follow.

- A Gartner survey found 62% of large enterprises are piloting AI agent deployments, but only 14% have formal governance frameworks for managing agent permissions and behavior.

- Cisco's analysis of the OpenClaw ecosystem found 26% of 31,000 examined "skills" contained at least one vulnerability, including two critical and five high-severity issues.

- Security researchers are calling for "Agent Least Privilege" frameworks — agents should get only the minimum permissions needed for a specific task, with automatic expiration.

What This Means for You

If you're building agents: assume platforms will push back. Amazon's ruling could set precedent for how courts interpret the Computer Fraud and Abuse Act when applied to agentic software. Terms of service violations may become legal liability.

If you're deploying agents internally: audit your permissions. The OpenClaw incident showed that safety constraints can be silently dropped during memory compaction. Don't assume a directive in the prompt will survive complex workloads. Enforce policy outside the model — through permission scoping, action-rate limiting, and human sign-off gates.
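One way to enforce those three controls outside the model, together with the expiring, task-scoped grant that "Agent Least Privilege" calls for. This is an added sketch, not OpenClaw's or any vendor's code: the names `Grant`, `PolicyGate`, the action strings and the message IDs are all hypothetical, and the call sequence is constructed.

```python
import time
from dataclasses import dataclass, field
from typing import Callable

DESTRUCTIVE = {"delete", "send"}  # assumed action names that need human sign-off

@dataclass(frozen=True)
class Grant:
    """Task-scoped permissions that expire on their own (least privilege)."""
    allowed: frozenset
    expires_at: float             # epoch seconds
    max_per_minute: int = 10

@dataclass
class PolicyGate:
    """Sits between the agent and the mail API; nothing in the prompt can edit it."""
    grant: Grant
    approve: Callable[[str, str], bool]   # human sign-off callback
    halted: bool = False                  # kill switch, set out-of-band
    _recent: list = field(default_factory=list)

    def authorize(self, action, target, now=None):
        now = time.time() if now is None else now
        if self.halted:
            return (False, "halted")
        if now >= self.grant.expires_at:
            return (False, "grant expired")
        if action not in self.grant.allowed:
            return (False, "out of scope")
        self._recent = [t for t in self._recent if now - t < 60]
        if len(self._recent) >= self.grant.max_per_minute:
            self.halted = True    # a burst looks like a runaway loop: stop everything
            return (False, "rate limit, gate halted")
        if action in DESTRUCTIVE and not self.approve(action, target):
            return (False, "human declined")
        self._recent.append(now)
        return (True, "ok")

def run_demo():
    """Constructed sequence: the agent has lost its 'wait for approval' rule."""
    grant = Grant(frozenset({"read", "archive", "delete"}), expires_at=1000.0, max_per_minute=3)
    gate = PolicyGate(grant, approve=lambda action, target: False)  # human says no
    calls = [("read", "msg-1"), ("delete", "msg-1"), ("forward", "msg-2"),
             ("archive", "msg-2"), ("archive", "msg-3"), ("archive", "msg-4"),
             ("read", "msg-5")]
    return [gate.authorize(a, t, now=float(i)) for i, (a, t) in enumerate(calls)]

if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

Because the gate holds the approval requirement in code rather than in the agent's context, compaction cannot drop it, and setting `halted` stops every later call regardless of what phrases the agent recognizes.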

If you're just using agents: understand what you're authorizing. When you give an agent access to your email, your shopping accounts, your calendar — you're granting it significant power. The platforms those agents interact with may not cooperate, and the agents themselves may not behave as expected.

This is the year agents go mainstream. It's also the year the rules get written.

Trish @ StackDrift

 

StackDrift tracks vendor policy changes — including the platform rules that determine what agents can and can't do. Subscribe to Drift Intel or check your dashboard to stay ahead of the shifts.

 
