
Linux Auditd AI CLI Permission Override Activated

Splunk Security Content

Summary
This rule detects Linux audit events in which an AI command-line tool is executed with a permission override or YOLO-style mode that bypasses normal safety checks and user approvals. The detection relies on Linux Auditd proctitle data to identify such AI CLI invocations, for example gemini with --yolo (or, more generically, gemini with action flags) and claude with --dangerously-skip-permissions. The query ingests auditd data (proctitle, execve, etc.), normalizes fields to align with the Splunk CIM, and groups results by process title and destination host. It reports the first and last seen times for each unique proctitle-destination pair, so operators can quickly identify when and where unsafe AI-enabled actions occurred. The intent is to flag cases where AI agents are allowed to execute commands or modify files without explicit confirmation, which could enable unintended or harmful activity. The rule notes that legitimate administrative activity can produce false positives and recommends filtering and tuning to reduce noise. Its context references security event patterns and aligns with endpoint monitoring by flagging unusual AI CLI permission overrides. The associated risk framing highlights a potential incident on the destination host, aiding rapid triage and investigation.
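The logic described in the summary, sketched in Python as an added example (not the rule's own SPL query). It assumes raw auditd records with a `node=` prefix for the destination host; the sample records and host names are constructed.

```python
import os
import re
from collections import defaultdict

# Tool -> override flag; both pairs are the ones named in the rule summary.
OVERRIDES = {"gemini": "--yolo", "claude": "--dangerously-skip-permissions"}
RECORD = re.compile(r"node=(\S+) type=PROCTITLE msg=audit\((\d+)\.\d+:\d+\): proctitle=(\S+)")

def decode_proctitle(value):
    """auditd quotes plain titles and hex-encodes titles containing spaces
    or control bytes, such as the NUL separators between arguments."""
    if value.startswith('"'):
        return [value.strip('"')]
    return bytes.fromhex(value).decode("utf-8", "replace").split("\x00")

def is_override(argv):
    # Match on whole argv tokens so "grep --yolo" or "claude --help" do not fire.
    names = {os.path.basename(a) for a in argv}
    return any(tool in names and flag in argv for tool, flag in OVERRIDES.items())

def detect(lines):
    """Return {(proctitle, dest): (first_seen, last_seen)} for override invocations."""
    seen = defaultdict(list)
    for line in lines:
        m = RECORD.search(line)
        if not m:
            continue
        dest, ts, raw = m.group(1), int(m.group(2)), m.group(3)
        try:
            argv = decode_proctitle(raw)
        except ValueError:  # malformed hex value
            continue
        if is_override(argv):
            seen[(" ".join(argv), dest)].append(ts)
    return {k: (min(v), max(v)) for k, v in seen.items()}

def _rec(node, ts, argv):  # builds a constructed record, not real host data
    title = chr(0).join(argv).encode().hex().upper()
    return f"node={node} type=PROCTITLE msg=audit({ts}.100:42): proctitle={title}"

SAMPLE = [
    _rec("build01", 1773300000, ["gemini", "--yolo", "-p", "fix tests"]),
    _rec("build01", 1773300900, ["gemini", "--yolo", "-p", "fix tests"]),
    _rec("dev02", 1773301000, ["node", "/usr/local/bin/claude", "--dangerously-skip-permissions"]),
    _rec("dev02", 1773301100, ["claude", "--help"]),
    _rec("dev02", 1773301200, ["grep", "-r", "--yolo", "docs/"]),
    'node=dev02 type=PROCTITLE msg=audit(1773301300.100:43): proctitle="bash"',
]

if __name__ == "__main__":
    for (title, dest), (first, last) in detect(SAMPLE).items():
        print(dest, first, last, title)
```

The kernel truncates proctitle to 128 bytes, so an override flag placed late in a long command line can be missing from the record; EXECVE records carry the full argument list.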
Categories
  • Endpoint
Data Sources
  • Logon Session
  • Windows Registry
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1480
Created: 2026-03-12