The confession framing is the wrong lesson. The agent didn't delete the database; someone gave the agent write access to production. The culprit is in the IAM policy, not the prompt.

The principle of least privilege exists precisely for this. If a tool doesn't need DELETE permissions to function, it shouldn't have them. Asking AI to 'be careful' is not an access control strategy.
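
One way to turn that check into something enforceable, as an added example that is not part of the original comment: a small audit that compares an agent role's policy against the actions the tool needs and reports every extra grant, including wildcards that silently cover delete operations. The AWS-style policy documents, the `REQUIRED` set and the function names are all assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase

# Assumption: the only actions this agent's tool needs in order to function.
REQUIRED = {"rds:DescribeDBInstances", "s3:GetObject", "s3:ListBucket"}
# Sample of destructive actions to test grants against (not exhaustive).
DESTRUCTIVE = ["rds:DeleteDBInstance", "rds:DeleteDBCluster",
               "s3:DeleteObject", "s3:DeleteBucket", "dynamodb:DeleteTable"]

# Constructed policy in AWS IAM JSON shape; not taken from a real account.
AGENT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
    {"Effect": "Allow", "Action": "rds:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:Delete*"], "Resource": "arn:aws:s3:::example-bucket/*"},
]}
# The same agent scoped to what it needs (also constructed).
LEAST_PRIVILEGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
    {"Effect": "Allow", "Action": "rds:DescribeDBInstances", "Resource": "*"},
]}

def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)

def _grants(pattern, action):
    # IAM action names are case-insensitive and accept * and ? wildcards.
    return fnmatchcase(action.lower(), pattern.lower())

def audit(policy, required=REQUIRED):
    """Return (statement index, pattern, destructive actions granted) per excess Allow."""
    needed = {a.lower() for a in required}
    findings = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements grant nothing
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed patterns.
            excluded = _as_list(stmt["NotAction"])
            hit = [d for d in DESTRUCTIVE if not any(_grants(p, d) for p in excluded)]
            findings.append((idx, "NotAction", hit))
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            if pattern.lower() not in needed:  # wildcards never count as "needed"
                hit = [d for d in DESTRUCTIVE if _grants(pattern, d)]
                findings.append((idx, pattern, hit))
    return findings

if __name__ == "__main__":
    for idx, pattern, hit in audit(AGENT_POLICY):
        print(f"statement {idx}: {pattern!r} exceeds need; destructive: {hit or 'none sampled'}")
```

Run as a pre-deployment gate, a non-empty result blocks the role from being attached to the agent.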