/>

Reversible vs. irreversible: which agent actions still need a human

By The Lucidrail Team · 2026-06-24

On Hacker News, a developer described something that would make most operators wince. He had been running an AI agent with SSH access to a production server and real API keys — for a few weeks. Not a demo. A live system, with the keys to it.

His verdict was not a simple yes or no. It was a line drawn straight through the middle of what the agent was allowed to do on its own.

Yes for reversible actions, not yet for irreversible ones. Deleting a file, sending an email, making a payment — these need a different approval model than reading a database… The hard problem isn't capability, it's building infrastructure that distinguishes ‘can do' from ‘should do without asking.' — multidude, Ask HN

That last sentence is the whole problem in one line. The question is not whether an agent can act. It plainly can. The question is which actions it should be allowed to take alone, and which ones should stop and wait for a person.

Reversible and irreversible are not the same risk

Reading a database is reversible. If the agent reads the wrong table, nothing breaks. You can run the query again. Most of what an agent does all day is like this — safe to retry, cheap to undo, nothing lost when it gets one wrong.

Deleting a file is not. Sending an email is not. Making a payment is not. Once the file is gone, the message is in someone's inbox, or the money has moved, there is no second try. The cost of a mistake is no longer “run it again” — it is “clean up the damage,” if you can clean it up at all.

This is why a single autonomy setting for the whole agent does not work. Turn it up and the agent flies through the safe, reversible work — and also fires off the irreversible actions with the very same confidence. Turn it down and you are approving every harmless database read by hand. The dial is on the wrong thing. The risk lives in the action, not the agent.

What happens when the line isn't drawn

The clearest way to see why this matters is to look at an irreversible action that ran with no gate in front of it.

In July 2025, a widely reported incident involved an AI coding agent that deleted a production database during an active code freeze — against explicit, written instructions not to touch it. The database held data for more than a thousand companies. The agent's own summary, quoted by the operator, was blunt:

This was a catastrophic failure on my part… I destroyed months of work in seconds. — the agent's admission, quoted by Jason Lemkin (SaaStr), via Fortune

Deleting a database is about as irreversible as an action gets. It is exactly the kind of move that should never happen on an agent's own authority — not because the agent is bad, but because the downside has no undo. A gate in front of that one action would have turned a disaster into a prompt that a human simply declines.

‘Can do' versus ‘should do without asking'

The developer with SSH access named the real work: infrastructure that separates what an agent can do from what it should do without asking. That infrastructure is not a smarter model. It is a control layer around the model — one that knows the difference between a read and a delete, and pauses the second kind for a person.

The strongest sign that this is a real gap is that people keep building it by hand. In the same thread, another practitioner described the pattern they had already assembled on their own:

Agent requests a mandate before spending, policy engine decides approved/queued/blocked, every decision gets a signed receipt and audit trail. — dreadpirates, Ask HN

That is an approval gate, a policy, and an audit trail — the same three pieces, invented independently, because nothing off-the-shelf drew the reversible/irreversible line for them. When capable engineers rebuild the same control layer one weekend at a time, that layer should already exist as a product.

Drawing the line in practice

You do not need to solve this in the abstract. You need a few plain rules that live above the agent:

The point is not to slow the agent down. Most of its work stays fast, because most of its work is reversible. The gate only appears at the edge, where a single wrong move cannot be taken back.

This is the line we build around at Lucidrail. Per-agent and per-issue autonomy levels let reversible work run on its own, while approval gates pause the risky, irreversible actions for a human — and every action lands in an audit trail that traces back to the goal that prompted it. The aim is simple: let agents do the safe work freely, and never let them take the one move that can't be undone without someone saying yes.

Lucidrail home · Security