Curious how much this is AI related vs just generic stupidity?

ie: did they put guard rails in place but the AI bot creatively found out a way around them? or is it literally just, they mindlessly empowered it to do these things without even making it check.

At some level, it seems to me it shouldn't be technically possible to bypass the 2FA. Yeah the account becomes unrecoverable. But that's why they force you to download / print out those account recovery codes.