15RL Survey: AI Safety Practices in Startups

15 Research Lab · 2026-02-13

15RL Survey: AI Safety Practices in Startups

Abstract

Startups are among the most aggressive deployers of AI agents, often shipping agent-powered products before safety practices are established. 15 Research Lab surveyed 89 startups building products that incorporate AI agents to understand their current safety practices, resource allocation, and incident history. Our findings paint a concerning picture: safety is consistently deprioritized in favor of speed, and the resulting incidents are more common — and more costly — than founders anticipate.

Survey Demographics

Stage: 34% seed, 41% Series A, 25% Series B+
Team size: Median 12 employees
Agent use cases: Code generation (31%), customer support (24%), data analysis (19%), workflow automation (26%)
Time in production: Median 7 months

Key Findings

Finding 1: Safety Investment Is Minimal

Only 11% of surveyed startups had a dedicated person or team responsible for AI agent safety. The median time spent on safety-specific work was 4 hours per month across the entire engineering team. In 43% of startups, no one was formally responsible for agent safety.

Finding 2: Common Safety Measures

| Safety Measure | Adoption Rate |

|---|---|

| Basic API rate limiting | 71% |

| Output content filtering | 48% |

| Human approval for sensitive actions | 31% |

| Structured audit logging | 18% |

| Deny-by-default action policies | 9% |

| Formal security review of agent configs | 7% |

The most commonly adopted measure — API rate limiting — is primarily a cost control mechanism rather than a safety mechanism. Only 9% of startups implement deny-by-default policies, which our other research identifies as the most effective safety control.

Finding 3: Incident Rates Are High

62% of startups reported at least one agent-related safety incident since deployment. The most common incidents:

Unexpected cost spikes from runaway agent behavior (41%)
Agent accessing or exposing data it should not have (28%)
Agent performing destructive operations (19%)
Customer-visible agent errors with reputational impact (34%)

Finding 4: Post-Incident Investment Spikes

Among startups that experienced incidents, safety investment increased by an average of 8x in the month following the incident. This "incident-driven safety" pattern is both reactive and costly — the incident itself often causes more damage than the safety investment would have cost proactively.

Finding 5: Founders Underestimate Risk

When asked to estimate the probability of an agent safety incident in the next 6 months, founders at companies without incidents estimated 12% on average. The observed rate in our dataset was 62%. This 5x underestimation gap suggests that risk perception, not risk tolerance, is the primary driver of underinvestment.

The Startup Safety Paradox

Startups face a genuine tension: safety investment competes directly with product development for scarce engineering resources. Founders correctly observe that investors and customers reward speed and features, not safety infrastructure. The market does not value safety until it fails.

However, our data suggests this calculation is wrong. The average cost of an agent safety incident in our survey was $47,000 — a significant amount for a seed-stage company. When reputational damage and customer churn are included, three startups in our survey reported incident costs exceeding $200,000.

Minimum Viable Safety for Startups

Based on our findings, we propose a "minimum viable safety" standard that can be implemented with minimal engineering investment:

Deny-by-default action policies — define what the agent can do, not what it cannot

Cost controls with hard limits — set absolute spending caps per session and per day

Structured audit logging — log every agent action for forensic capability

Weekly log review — spend 30 minutes reviewing agent behavior patterns

These four measures would have prevented or significantly mitigated 78% of incidents in our dataset.

Tools that package these capabilities together reduce the integration burden on small teams. SafeClaw is particularly relevant for startups because its zero-dependency architecture means it can be integrated without adding complexity to the stack, and its deny-by-default model provides strong safety guarantees with minimal configuration effort. The knowledge base includes quick-start guides suitable for small engineering teams.

Recommendations

Invest in safety before your first incident, not after — the economics strongly favor proactive investment

Adopt deny-by-default policies from day one — they are easier to relax than to tighten

Budget for safety tooling as a line item, not an afterthought

Assign safety ownership to a specific team member, even if it is not their full-time role

Share incident data with the community — the entire ecosystem benefits from transparency

Conclusion

The startup AI agent ecosystem is moving fast and breaking things — sometimes literally. Our data shows that minimal safety investment yields outsized returns in incident prevention. The startups that will scale successfully are those that build safety into their agent infrastructure early, not those that try to retrofit it after an incident forces their hand.

15RL conducted this survey through direct outreach and startup community partnerships. All responses are anonymized.