Skip to Field Notes content
Field Note 00216 min read

Autonomy is a rollback problem.

A field guide to expanding an agent's authority through bounded action spaces, exact approvals, failure drills, canary exposure, and recovery that works before production depends on it.

01 / The wrong unit

Count consequences, not unattended minutes.

Teams often describe autonomy as a duration: how long an agent can work without a person watching. Duration is a weak proxy for risk. An agent can spend an hour reading a repository without changing anything, or spend one second sending an irreversible instruction to an external system. The meaningful unit is the consequence the system is authorized to create.

We classify an action by scope, reversibility, observability, and authority. Scope asks how much data, money, infrastructure, or reputation can move. Reversibility asks whether a known inverse action restores the prior state. Observability asks whether the system can detect divergence quickly. Authority asks whose identity and permissions make the action real. A long, read-only investigation can be low risk; a short production mutation can be high risk.

This changes how autonomy grows. The first milestone is not a longer loop. It is a narrow action space with explicit stop conditions. The system earns a wider boundary only after it can show what it intended, what it changed, how it checked the result, and how an operator can undo or contain the change.

  • Read and inspect before granting write access.
  • Separate draft authority from submit authority.
  • Measure blast radius in real systems, not model turns.
  • Treat external identity and credentials as part of the risk class.
  • Require a named recovery owner before widening permissions.

02 / The ladder

Reversibility is designed one rung at a time.

A useful autonomy ladder begins with observation, moves to proposals, then to isolated execution, then to reversible live actions, and only later reaches consequential operations behind a human gate. Each rung needs a different tool contract. A read tool should not quietly accept write flags. A draft tool should produce an artifact but have no delivery credential. A sandbox should use disposable data and an explicit reset path.

Reversible does not mean that an opposite button exists. A rollback is credible only when the prior state is known, the inverse operation has been tested, dependent systems remain compatible, and the recovery time fits the consequence. Deleting and recreating a record may lose identifiers or audit history. Reverting application code may not revert a database schema. Sending a corrective message does not unsend the first one.

For our own engineering work, we prefer branches and isolated worktrees before shared branches, fixtures before live records, previews before production, additive migrations before destructive cleanup, and canaries before full exposure. These are ordinary software practices. Agent systems make them more important because action can happen faster and across more surfaces than a person can continuously supervise.

  • Observe: read-only context, no mutation capability.
  • Propose: diffs, drafts, plans, or queued actions with no submit path.
  • Rehearse: realistic fixtures inside a disposable boundary.
  • Act reversibly: idempotent mutation with verified inverse and bounded scope.
  • Escalate: exact human approval for irreversible or high-impact action.

Fast lane

Extraction · formatting · deterministic checks

Balanced lane

Default implementation · routine research

Frontier lane

Architecture · ambiguity · security · synthesis

Human gate

Consequential action · approval · acceptance

03 / Approval

A human gate is only as good as the payload it binds.

A vague approval such as ‘go ahead’ is easy to request and hard to audit. It does not say which account, record, recipients, amount, environment, commit, or deadline the person accepted. The approval surface should show the exact proposed action, material diff, expected effect, validation evidence, blast radius, expiry, and rollback. If the payload changes, the approval is stale.

The execution path should bind that approval to an immutable action digest and an idempotency key. The digest prevents a reviewed proposal from being replaced after approval. The idempotency key prevents retries from duplicating the external effect. A short expiry prevents yesterday's authorization from silently covering today's changed context. The executor still re-checks preconditions immediately before acting because the world may have changed while the request waited.

Human involvement is not a decorative checkbox. It is a transfer of decision authority. The operator needs enough context to understand the consequence and a clear way to edit, reject, or narrow the action. Repeated low-information prompts create approval fatigue; risk-tiered batching and strong defaults preserve attention for decisions where judgment matters.

  • Bind approval to the exact action, target, environment, and artifact version.
  • Expire approvals and invalidate them when material inputs change.
  • Show evidence and rollback beside the approve control.
  • Use idempotency keys for every retryable external mutation.
  • Record the approver and outcome without storing private reasoning.

04 / Failure drills

Evaluate the recovery path, not only the answer.

A benchmark can show that a model usually chooses the right action under clean conditions. It does not prove the surrounding system behaves safely when a tool times out after committing, a provider retries a webhook, an approval expires mid-run, a dependency returns stale data, or an operator cancels while child work is still active. Those are system questions, so the evaluation must exercise the system.

Build a replay set from representative work and known failure modes. Preserve inputs, tool schemas, policies, expected state transitions, and acceptance checks. Then inject faults: duplicate delivery, partial success, stale versions, permission loss, malformed output, delayed confirmation, conflicting edits, and rollback failure. The result should be an observable terminal state, not a hidden retry loop or an optimistic completion message.

Recovery evidence belongs in the release gate. We want to know the detection signal, time to containment, data that may be inconsistent, exact operator command, and post-recovery verification. A run that fails safely can be more trustworthy than one that succeeds without receipts, because the first teaches us where the boundary holds.

  • Replay real task shapes with redacted, versioned fixtures.
  • Inject failure before, during, and after an external side effect.
  • Assert state transitions and idempotency, not only final prose.
  • Test cancel propagation and bounded retry behavior.
  • Make rollback verification part of the release receipt.

05 / Progressive release

Production authority should expand with observed evidence.

A safe promotion path is intentionally uneven. Static checks and protected branches prevent known-bad changes from merging. A preview gives humans a faithful artifact to inspect. A canary exposes a small portion of real traffic while version-specific telemetry watches errors and behavior. Promotion increases only when predefined thresholds hold; rollback begins when they do not.

Application rollback and data rollback are separate plans. Cloudflare documents that Worker rollback restores a code version but does not change connected resources, and older code can fail when underlying data structures changed. That is why migrations should be backward-compatible with the currently deployed application and should not be treated as something a code rollback automatically reverses.

The same principle applies beyond deployment. An agent may earn authority for one tool, one tenant, one budget, or one action class without receiving the rest. Promotion criteria should name the evaluation set, incident threshold, review burden, cost boundary, and recovery objective. Autonomy is not a mode switch. It is a portfolio of narrow permissions that expand, pause, or contract independently as evidence changes.

  • Protect the merge boundary with required, trusted checks.
  • Observe canaries by artifact version and declared thresholds.
  • Keep code rollback separate from data recovery.
  • Promote one permission class at a time.
  • Make contraction and revocation as operable as promotion.

06 / Production missions

Prompts that specify a whole mission.

These are not idea starters. Each is an operating contract for GPT-5.6 or Fable 5: outcome, boundaries, architecture, model policy, phases, acceptance tests, evidence, release, and stop conditions.

Mission 01 · Agent governance

Reversible autonomy ladder

A typed authority model that promotes an agent from observation to bounded action only when evidence and recovery gates pass.

GPT-5.6 or Fable 5 · high-reliability lane

Full operating contract

MISSION: DESIGN AND IMPLEMENT A REVERSIBLE AUTONOMY LADDER

Act as the principal engineer and safety owner for an agent workflow. Convert an existing manual or agent-assisted process into explicit authority tiers. The result must let the system expand, pause, and revoke permissions independently by tool, environment, tenant, and action class.

INPUTS I WILL PROVIDE
- Workflow map, actors, systems, credentials, existing controls, and known incidents.
- Candidate tools with read/write behavior and external side effects.
- Risk policy, approval roles, budget limits, recovery objectives, and audit requirements.
- Repository, test fixtures, deployment target, and observability stack.

OPERATING CONTRACT
1. Inspect the actual workflow and integrations before proposing permissions.
2. Separate read, draft, sandbox, reversible live, and consequential action capabilities.
3. Never label an action reversible without a tested inverse and post-recovery check.
4. Bind high-risk approvals to an immutable action digest, exact target, artifact version, environment, expiry, and named approver.
5. Give every external mutation an idempotency strategy and explicit partial-success behavior.
6. Store observable traces and concise decisions; do not store private chain-of-thought.
7. Do not grant the agent the ability to change its own role, credentials, budgets, approval policy, or promotion evidence.

BUILD THESE ARTIFACTS
- Typed action catalog with scope, reversibility, authority, data class, financial/reputational impact, and owner.
- Permission matrix across roles, tools, environments, tenants, and action classes.
- Promotion state machine with evidence thresholds, expiry, pause, revoke, and emergency freeze transitions.
- Approval payload schema with digest, diff, preconditions, expected effect, validation, rollback, and idempotency key.
- Recovery runbook and machine-checkable post-recovery assertions for each live mutation.
- Operator view showing current authority, pending approvals, recent actions, incidents, and contraction controls.

IMPLEMENTATION ORDER
A. Inventory actions and credentials; identify hidden write paths and shared identities.
B. Define types, invariants, state transitions, and authorization tests before UI work.
C. Ship read-only and draft tiers using realistic fixtures.
D. Add sandbox execution with reset and failure injection.
E. Add one reversible live action with idempotency, exact approval, telemetry, and rehearsed recovery.
F. Add promotion and revocation controls only after the thin path passes adversarial tests.

ACCEPTANCE TESTS
- A draft-capable role cannot discover or invoke the submit credential.
- A changed payload invalidates its prior approval.
- Duplicate delivery produces one external effect and one legible result.
- Cancellation prevents new child actions and reports any effect already committed.
- Failed recovery leaves the system frozen and escalates with exact inconsistent state.
- The operator can revoke one permission without disabling unrelated low-risk work.

FINAL HANDOFF
Provide the decision record, action catalog, permission matrix, state diagram, authorization tests, failure-injection results, operator walkthrough, known limitations, and rollback. Identify which promotion decisions remain human-owned and why.

Mission 02 · Reliability engineering

Agent failure rehearsal

A repeatable fault-injection suite that proves bounded retries, exact state, cancellation, and recovery around external side effects.

GPT-5.6 frontier lane + deterministic test harness

Full operating contract

MISSION: REHEARSE FAILURE BEFORE AN AGENT WORKFLOW REACHES PRODUCTION

You are the reliability lead for an agent that reads context, reasons, calls tools, and may change external systems. Build a deterministic rehearsal that exposes failures at every boundary and produces an evidence-backed go, restrict, or stop recommendation.

DISCOVERY
- Trace the workflow from trigger through context assembly, model calls, tool calls, persistence, external effects, approvals, and completion.
- Identify idempotency boundaries, retry owners, timeout values, concurrency assumptions, and cancellation propagation.
- Classify state as source-of-truth, cache, derived view, pending intent, or external authority.
- List every place where a request can fail after the external system has already committed.

FAULT MATRIX
Inject at minimum: provider timeout, malformed model output, tool permission loss, stale read, duplicate webhook, concurrent mutation, partial batch, approval expiry, operator cancellation, dependency outage, telemetry loss, and rollback failure. Add domain-specific faults from real incidents and near misses.

TEST CONTRACT
1. Use fixtures or isolated accounts; do not experiment on production records.
2. Seed and record the exact initial state for every scenario.
3. Assert state transitions, external effects, retry count, emitted evidence, and terminal status.
4. A completion status is forbidden while any required effect or verification is unknown.
5. Retries are bounded and cannot duplicate an external mutation.
6. Cancellation stops new work, preserves receipts, and reports effects already committed.
7. Recovery must include an independent post-condition check, not only a successful command exit.

DELIVERABLES
- Versioned scenario catalog and risk coverage map.
- Deterministic fixture builders and fault adapters.
- State-transition assertions and idempotency tests.
- Timeline for each failure showing detection, containment, recovery, and verification.
- Release thresholds for failure rate, recovery time, inconsistent-state duration, and review burden.
- Residual-risk register with owner and next rehearsal date.

Begin with the workflow diagram and the five failures most likely to create an invisible or duplicated side effect. Explain why those five come first before writing the harness.

Mission 03 · Release engineering

Canary and recovery control plane

A progressive release path that ties artifact versions to telemetry, promotion thresholds, data compatibility, and operator-ready rollback.

GPT-5.6 or Fable 5 · systems design lane

Full operating contract

MISSION: BUILD A VERSION-AWARE CANARY AND RECOVERY CONTROL PLANE

Act as the release engineer for an application with agent-driven changes. Design the path from isolated branch to preview, canary, promotion, pause, and rollback. Treat application artifacts, configuration, credentials, and data migrations as separate versioned concerns.

INPUTS
- Repository protections, CI checks, deployment platform, environments, and current release history.
- Runtime telemetry, SLOs, business invariants, data schema, migrations, bindings, and external integrations.
- Approval policy, incident roles, recovery objectives, and allowed automation boundary.

DESIGN RULES
1. Every candidate is identified by immutable source commit and build artifact.
2. Required checks come from trusted identities and cover type, lint, unit, integration, accessibility, and security risks appropriate to the change.
3. Canary observations are attributable to the deployed version.
4. Promotion and rollback thresholds are declared before exposure begins.
5. A code rollback never claims to restore data or deleted platform resources.
6. Migrations remain compatible with the currently deployed application until rollback is no longer required.
7. Production promotion remains human-approved unless a separate policy explicitly authorizes a narrower action.

BUILD
- Release manifest with source, artifact, config, bindings, migrations, approvals, checks, and rollback target.
- Preview verification script that a non-author can run.
- Canary controller with staged exposure, version affinity where required, pause, promote, and rollback.
- Version-specific dashboard for errors, latency, invariant breaches, dependency failures, and cost.
- Compatibility matrix across application, schema, configuration, and dependent services.
- Recovery runbook with exact commands, authority, evidence capture, and post-rollback checks.

FAILURE TESTS
- Canary error threshold breaches during promotion.
- Telemetry disappears or cannot attribute traffic to a version.
- Old application code reads the new schema after rollback.
- A required binding or resource is missing from the rollback target.
- Two operators issue conflicting promote and rollback commands.
- The agent proposes promotion without the named human approval.

FINAL HANDOFF
Provide architecture, release manifest schema, CI and deployment changes, compatibility tests, failure evidence, operator rehearsal, residual risks, and a one-command or one-control rollback path whose post-conditions have been verified.

07 / En español

La autonomía se gana con reversibilidad.

La autonomía no se mide por el tiempo que un agente trabaja sin supervisión, sino por las consecuencias que puede producir. Para clasificar una acción importan su alcance, reversibilidad, observabilidad y la autoridad real de las credenciales que utiliza.

Una escalera práctica empieza con lectura, sigue con propuestas y borradores, pasa por ejecución aislada y después por acciones reversibles en sistemas reales. Las operaciones irreversibles, costosas o reputacionales conservan una aprobación humana vinculada al payload exacto, con expiración, evidencia e instrucciones de recuperación.

Un rollback no es sólo un botón. Requiere conocer el estado anterior, probar la operación inversa y verificar que las dependencias siguen siendo compatibles. Revertir código no revierte automáticamente los datos ni deshace un mensaje enviado.

Las evaluaciones deben incluir fallas del sistema: reintentos duplicados, éxito parcial, permisos vencidos, datos obsoletos, cancelación y recuperación fallida. La autoridad aumenta por herramienta, entorno y clase de acción sólo cuando la evidencia observada demuestra que el límite y la recuperación funcionan.

  • Mide el radio de impacto, no la cantidad de turnos del modelo.
  • Separa permiso para redactar de permiso para enviar o ejecutar.
  • Vincula cada aprobación al cambio exacto y usa idempotencia.
  • Prueba fallas antes, durante y después del efecto externo.
  • Promueve permisos gradualmente y conserva una ruta clara para revocarlos.

08 / Source trail

Primary, fresh, inspectable.

Product details move quickly. These sources were checked for this issue on July 10, 2026. Re-verify before changing production policy.

  1. 01Practices for Governing Agentic AI SystemsOpenAIPublic governance paper covering constrained action spaces, approval, legibility, monitoring, attribution, and interruptibility.
  2. 02A practical guide to building agentsOpenAIOfficial engineering guidance on tools, layered guardrails, risk-rated actions, exit conditions, and human intervention.
  3. 03About protected branchesGitHubPrimary documentation for required status checks and protected merge boundaries.
  4. 04Gradual deploymentsCloudflare WorkersPrimary documentation for versioned traffic splitting, observability, rollback, and version-skew considerations.
  5. 05RollbacksCloudflare WorkersPrimary documentation for Worker version rollback and the separate lifecycle of connected resources and data structures.

Weekly signal · biweekly email

Field-tested ideas. No content treadmill.

One substantial note when we have something worth showing: systems, receipts, prompts, and what failed. Confirm by email. Unsubscribe whenever you like.

Signup opens when the production Turnstile site key is configured.