03: The Undo Button
How reversible are our systems?
This week’s main thing
The question this week isn’t “What can AI do?” It’s “What can humans undo?”
Most of the systems we’re deploying agents into are too tightly wired together for “undo” to mean what we think it means.
Quick rewind: In his 1997 letter to shareholders, Jeff Bezos drew a distinction Amazon still uses: some decisions are two-way doors and some are one-way doors. A two-way door, you walk through, look around, walk back out. A one-way door closes behind you. Bezos argued that organizations should make two-way-door decisions fast and one-way-door decisions slowly, with deliberation.
Our AI needs an analogous ruleset. But it’s complicated.
Sociologist Charles Perrow studied disasters at Three Mile Island, at chemical plants, and in aviation, and found that the type of door (one-way or two-way) is a property of the system, not of the decision itself. Some systems are “tightly coupled”: when one action is taken, its new state triggers additional actions and downstream consequences too quickly to reasonably stop.
Imagine a platform agent that closes a marketplace seller’s account due to fraud signals: a two-way door from the admin panel, a one-way door once the closure has cascaded to active orders, refunds, search ranking, and external syncs that ran in the same few minutes.
So the question for AI integration this week isn’t “do we have a rollback path?” It’s the harder question Perrow forces: how tightly coupled is the system this agent is acting in, and at what point does that coupling turn the door one-way regardless of what the policy says?
Here’s a start, drawn from how Perrow’s framework gets applied in high-reliability fields like aviation and hospital medication systems:
Low coupling. The agent’s action affects one record. Other systems read it on their own schedule. Reversal is straightforward. Agents act, with logging.
Medium coupling. The action triggers downstream behavior within minutes, not seconds. Reversal is possible but requires compensating actions. Agents recommend, and even act under a subset of conditions, but humans have to approve in the majority of use cases.
High coupling. The action triggers automated downstream behavior in real time, where customers, regulators, or partners see the result before we do. Reversal is theatrical. Agents surface the option; a human walks through the door every time.
What to say to your CEO this week
Before we sign off on the next agent deployment, I want to flag something. The way we’re scoping these is by what the agent can do, but the question I’m not seeing us ask is what’s around the action when it happens. There’s a useful frame from Bezos here: two-way doors versus one-way doors. We’re set up to identify those when humans are walking through them, because humans pause and read the sign. Agents don’t. They walk.
I want us to sort our active and planned agent deployments into three buckets. Where the agent’s action affects one record and the world catches up later, agents can act. Where the action triggers downstream systems within minutes but not seconds, agents recommend and even act in specific circumstances, and a person commits the rest. And where the action triggers automated downstream behavior in real time, where customers, regulators, or partners see the result before we do, the agent should surface the decision but not make it. Not because we don’t trust the AI. Because there’s no door to walk back through. And the EU’s Article 14 enforcement on August 2 is going to ask a version of this same question with regulatory teeth.
This week’s move: sort your agent actions by coupling, not by capability
Most agent deployment reviews ask the wrong question first. They ask what the agent can do. The better first question is what’s around each action when it runs. Once you have that, the right level of human involvement falls out of it.
Run this on the most-deployed agent in your organization. List every action it takes. For each one, ask three questions in order.
One: what else happens when this action takes place? If nothing else moves for at least an hour (the action writes to a record other systems pick up on a daily sync), the coupling is low. If three other systems respond within minutes (notifications, calculations, status updates), it’s medium. If real-time downstream actors respond (other agents, customer-facing state, partner APIs, regulatory feeds), it’s high.
Two: who sees the result before we do? If the only audience is internal staff who can flag a problem, low. If it includes customers who’ll see it in their next interaction with us, medium. If it includes the customer’s customers, regulators, credit bureaus, or anyone outside our company whose response is automated, high. The faster the external audience reacts, the more one-way the door.
Three: is our time-to-detection shorter than the cascade? If we’d notice within an hour and the cascade takes a day, the coupling is loose enough to recover. If we’d notice within a day and the cascade completes in an hour, the door has already closed. The Flash Crash, in the analog below, did $1 trillion in damage in 23 minutes. No human noticed in time because the system’s clock was faster than the humans monitoring it.
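The three questions can be encoded as a gate that an agent's action inventory is run through. The sketch below is an added example, not something from the sources cited in this issue. The action names and timings are constructed. The 60-second and one-hour cut-offs are one reading of “minutes, not seconds” and “at least an hour”, and escalating to high whenever detection is slower than the cascade is an assumption.

```python
from dataclasses import dataclass

LOW, MEDIUM, HIGH = 0, 1, 2
# Oversight per tier, paraphrasing the three buckets described above.
OVERSIGHT = {
    LOW: "agent acts, with logging",
    MEDIUM: "agent recommends; human approves outside allowed conditions",
    HIGH: "agent surfaces the option; human decides every time",
}
# Question two: who sees the result before we do.
AUDIENCE_TIER = {"internal": LOW, "customers": MEDIUM, "external_automated": HIGH}

@dataclass
class AgentAction:
    name: str
    first_downstream_reaction_s: float  # Q1: how soon anything else moves
    audience: str                       # Q2: key into AUDIENCE_TIER
    time_to_detect_s: float             # Q3: how long until we would notice
    cascade_complete_s: float           # Q3: how long the cascade takes

def reaction_tier(seconds: float) -> int:
    if seconds >= 3600:   # nothing else moves for at least an hour
        return LOW
    if seconds >= 60:     # downstream responds within minutes, not seconds
        return MEDIUM
    return HIGH           # real-time downstream actors

def coupling_tier(a: AgentAction) -> int:
    # The strictest answer to questions one and two wins.
    tier = max(reaction_tier(a.first_downstream_reaction_s), AUDIENCE_TIER[a.audience])
    # Assumption: detection slower than the cascade means the door is one-way.
    if a.time_to_detect_s >= a.cascade_complete_s:
        tier = HIGH
    return tier

def required_oversight(a: AgentAction) -> str:
    return OVERSIGHT[coupling_tier(a)]

# Constructed sample inventory for a marketplace platform agent.
ACTIONS = [
    AgentAction("append_internal_case_note", 86400, "internal", 3600, 86400),
    AgentAction("adjust_seller_payout_schedule", 300, "customers", 600, 7200),
    AgentAction("close_seller_account", 5, "external_automated", 3600, 300),
    AgentAction("bulk_update_tax_codes", 43200, "internal", 86400, 3600),
]

if __name__ == "__main__":
    for action in ACTIONS:
        print(f"{action.name:32} -> {required_oversight(action)}")
```

The last sample action looks low on the first two questions and still lands in the high bucket, because we would notice in a day what finishes cascading in an hour.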
Top stories
Optimum Partners: most agent governance frameworks will fail their first real incident. A consultancy analysis published April 23 argued that policy documents mark each action as reversible or not at the time the agent is deployed, but whether an action is actually reversible depends on what’s happening around it when it runs, and the policy can’t see that far. The argument is the cleanest articulation this year of why “we have a governance framework” is not the same answer as “we can recover when the agent is wrong.” Optimum Partners
Gravitee survey: 88% of organizations had an AI agent security incident in the past year. 14.4% have full security and IT approval on the agents they’re running. A 2026 survey of 900 enterprise leaders by the vendor Gravitee found that 88% of organizations reported a confirmed or suspected AI agent security incident in the past year, rising to 92.7% in healthcare. Only 14.4% send agents into production with full security and IT approval. Sixty percent reported they cannot terminate a misbehaving agent once it begins operating, and 63% cannot enforce purpose limitations on what their agents are authorized to do. Fountain City
Singh: enterprises spent decades building reversibility into conventional software, and AI agents are being deployed without it. Technologist Raktim Singh argued April 26 that the question for enterprise AI is no longer whether AI can act, but what happens when it acts wrong. The infrastructure required (logs, permissions, rollback, records of what to roll back to, the people authorized to approve a rollback) took conventional software engineering decades to develop. The piece is conceptual rather than empirical, but it names the gap clearly enough that it’s worth giving leadership the vocabulary. Raktim Singh
EU AI Act Article 14 enforcement begins August 2; “effective” oversight is the phrase auditors will land on. The European Commission confirmed that the AI Act becomes fully enforceable on August 2, 2026. The relevant clause for agentic deployments is Article 14, which requires “effective human oversight” of high-risk systems, including “the ability to interrupt the system.” Penalties reach up to €35 million or 7% of global turnover. The word that will matter in practice is “effective.” A policy bullet that says someone is responsible does not satisfy it. A working off-switch the auditor can see and test does. The Future Society’s analysis maps agent architectures against the Act’s four pillars and is the cleanest current guide for compliance teams. European Commission
Last time around
May 6, 2010. 2:32 PM Eastern. A mutual fund called Waddell & Reed sells a $4.1 billion block of stock-market futures through an automated trading program. The program is told one thing: feed the order into the market based on how much trading is happening, with no price floor and no time limit. Volume rises. The program responds by selling more. Other automated programs running their own logic interpret the selling as a signal and start selling themselves. By 2:45 PM, the Dow has fallen nearly 1,000 points. The market loses roughly $1 trillion in value in less than half an hour. Accenture briefly trades at one cent. Recovery is partial by 3 PM.
The fix is not a smarter algorithm. It is single-stock circuit breakers, approved by the SEC in June 2010 and rolled out to all 404 S&P 500 stocks by mid-June. The first one trips on June 16, on Washington Post Company shares, after three erroneous trades cause a price spike. The breakers do not predict bad behavior. They sit one layer below the algorithms, in the architecture of the market itself, and they make certain failure modes mechanically impossible.
Markets had been algorithmically traded for years before May 6. The infrastructure that lets the market recover from an algorithm gone wrong arrived after the trillion-dollar incident, not before it. The agentic AI deployments shipping this quarter are running in front of their circuit breakers. SEC/CFTC Joint Report
Potpourri
Birgitta Böckeler outlines a proper harness. “Harness engineering” is a term that emerged in February for the layer of guardrails, checks, and review steps built around an AI agent. Böckeler’s essay is a great primer on what’s necessary to guide and constrain agent behavior (e.g. feedback and “feedforward” controls). The questions that emerge: what’s the role of a human in oversight, how much can one agent regulate another, and how much control will we ever have over these non-deterministic creatures. Martin Fowler



