DC Daniel Chu
Back to field notes

Atlas note

If an AI can write data, it needs a recovery path

The moment an AI agent can mutate a private system, trust stops being only about accuracy. It becomes about confirmation, reversibility, and the user's ability to recover when the model is wrong.

Atlas started as a read-heavy system. The agent answered questions, summarized data, and helped me inspect what was already there. That was useful, but the product became much more serious once the agent could write: log an event, update a plan, change a classification, or record a transaction.

Write access changes the product contract. A wrong answer is annoying. A wrong write becomes state. It can show up in later reports, affect future recommendations, and teach the user to trust the system for the wrong reasons.

Trust depends on what happens after the model is wrong.

The parser is a trust boundary

Many AI write paths start with extraction: read a message, screenshot, or document, then convert it into structured data. That parser is not just a convenience layer. It is the boundary between "the model thinks this happened" and "the system now believes this happened."

Atlas got safer when uncertain extraction stopped flowing directly into durable state. Unknown fields became review items. Ambiguous targets produced strict errors. Mutations used dedicated commands rather than raw database writes. The more important the write, the more the system needed an explicit commit path.

Undo is part of the feature

A lot of AI product design focuses on making the happy path feel magical. For daily workflow tools, recovery is just as important. Users need to know what changed, why it changed, and how to reverse it.

In practice, that pushed me toward write commands with clear receipts, records with stable identifiers, and rollback paths for destructive or high-impact changes. Audit logs can explain what the agent attempted, but I would not treat them as the domain's source of truth. A log of invocations can tell me what the agent tried. It cannot replace a ledger of what actually happened.

Out-of-band control matters

There is another recovery problem: what happens when the agent itself is the broken part? If the only way to restart, inspect, or disable the system is to ask the AI, you have built a trap. Atlas needed a small non-AI control plane for status checks, restarts, and emergency operations.

This is not the flashy part of the product, but it changes how the system feels. The user can trust the AI more when the AI is not the only door into the system.

A recovery checklist

  • Confirm before committing when intent or target is ambiguous.
  • Return a receipt for every write, including what changed.
  • Give records stable IDs so the user can inspect or reverse them.
  • Keep audit logs, but do not make them answer domain questions they were not designed for.
  • Provide non-AI controls for restart, status, and rollback paths.

I would judge reliability by more than whether the model is usually right. I would also look at what happens after it is wrong. The recovery path is where the product earns the user's willingness to try again.