Back to articles

Your AI assistant has too much autonomy, not too little intelligence

The routing, tool boundaries, and failure handling your AI assistant needs before it touches a real workflow — and the three predictions for what breaks next.

Applied AI
Agents

Autonomy without routing, approvals, and failure handling is not a production system. It is a demo with a larger blast radius.

Your assistant demoed beautifully and then started embarrassing you in production. In 2024, McDonald's pulled its AI drive-thru pilot with IBM from more than 100 restaurants after viral videos showed orders mangled into things like bacon-topped ice cream and hundreds of dollars' worth of chicken nuggets, per the Associated Press. That failure was not a language model deficit. It was structural: an autonomous system meeting messy real-world inputs without the routing, tool boundaries, or escalation paths to contain them.

By the end of this post, you will know how to:

  • Spot the five failure modes that kill production assistants before they hit your users
  • Decide which actions need routing, approval, or refusal — not just better prompts
  • Design tools narrow enough that they cannot quietly do the wrong thing
  • Predict the next two structural problems your team will hit after you add the rails

The demo trap is a category error

In a demo your assistant gets a clean request, a narrow task, a happy path, and a forgiving audience. In production it gets messy inputs, incomplete context, conflicting tools, ambiguous targets, and side effects that touch real systems. That is a different sport.

A lot of teams mistake "the model can do this" for "the system can support this safely." Those are not the same claim. The first is a capability statement about a single turn. The second is an operational statement about thousands of turns, including the bad ones.

The rule: production reliability is a property of the system around the model, not the model itself.

The five ways your assistant will fail in production

When AI assistants fail under real load, they fail in one of five shapes. You can predict which one will hit you first by looking at what structure is missing.

  1. They take actions out of order. Your assistant updates before it checks, drafts before it understands, acts on partial context. Humans can repair this. Systems should prevent it.
  2. They overuse tools. Instead of choosing the smallest useful action, they call too many tools, repeat work, or chain multi-step execution without need. You pay for it in latency, cost, and accuracy at the same time.
  3. They treat every task as equally safe. Reading a record and deleting a record are not comparable actions. If your assistant has the same posture toward both, you do not have a reliable production system. You have a liability with a chat interface.
  4. They fail unclearly. Your assistant hits an error and either loops, hallucinates a fallback, or returns "something went wrong." That creates rework, not confidence.
  5. They hide uncertainty. This is the most damaging mode. The reply sounds smooth, but the underlying claim is unverified. That is how the McDonald's drive-thru ended up confidently adding bacon to ice cream — and how trust quietly dies inside your enterprise pilot.

Routing is the control plane, not the prompt

A production assistant needs a routing layer that decides, for every request, which tools are relevant, which actions can happen automatically, which require confirmation, which must be serialized, and which must be refused outright. Without that layer the model is the entire control plane and every safety property depends on a prompt holding under adversarial input. It will not.

The rule: the model decides what to do inside the routing layer. The routing layer decides what is allowed.

Bounded tools beat broad permissions

The fastest way to reduce failure is to make tools narrow and legible. A well-designed tool answers five questions before you wire it in: what is it allowed to do, what input shape does it expect, what systems can it touch, what side effects does it create, and what does success or failure look like.

Bad tool design sounds like "general CRM access" or "browser automation for anything." That feels flexible. It creates ambiguity at exactly the point where precision matters most — when the model picks one tool out of many under time pressure.

The rule: production assistants do better when tools are boringly specific. One verb, one object, one observable outcome.

Failure handling is architecture, not cleanup

Your assistant should not only succeed well. It should fail well. That requires explicit patterns: retry only when the error is truly retryable, stop immediately on validation or auth failures, prevent repeated loops on the same error, trip a circuit breaker when the system is clearly off track, and return a useful summary of what happened.

This is the line between "AI that feels clever" and "AI that survives contact with reality." The second kind is worth shipping.

Escalation is a designed path, not a vibe

Most teams know their assistant will sometimes need human approval. Fewer design that path. A strong escalation model answers five questions: when should it pause, what should it show before asking, how should it describe uncertainty, what happens after approval, and what happens if approval is denied.

If you skip this, your assistant will feel either reckless or annoying — and your operators will route around it within a week.

The rule: escalation is a product surface, not an exception handler.

Context degrades unless you manage it

Real conversations get long. Long sessions accumulate repeated instructions, outdated assumptions, stale tool outputs, buried decisions, and rising cost. Unmanaged, the assistant gets slower, less precise, and more likely to make bad calls — and you will not notice until p99 quality drops.

Reliable systems treat context as a managed resource: keep recent decisions visible, compress older detail, preserve critical facts, drop low-value noise, and never let the model reason over garbage. That is systems work, not prompt polish.

What enterprise buyers are actually asking

When enterprise buyers ask hard questions about your AI, they are asking for structure in disguise. Can we control what it does? Can we constrain what it sees? Can we verify what it changed? Can we understand why it acted? Can we stop it from doing the wrong thing fast? Those are architecture questions. "The model is really smart" is not an answer to any of them.

What you will hit next

Three predictions for the team that adds these rails:

  1. Approval fatigue will appear within the first 100 escalations. Your operators will start rubber-stamping confirmations because everything looks the same. The fix is risk tiers, not removing approvals — high-risk actions get full context and a real pause, low-risk actions get a one-click confirm with a 5-second undo.
  2. Your routing layer will become the new bug surface. Once the model is no longer the entire control plane, every failure that used to be "the AI was wrong" becomes "the router sent it to the wrong tool" or "the wrong action was marked auto-approve." You will need per-route eval sets, not just a global one.
  3. The tools you thought were narrow will turn out to be wide. A tool called update_customer_record will get used to change pricing, ownership, and lifecycle stage because the field-level permissions never existed. You will redesign at least one tool into three within the first quarter.

If you are already feeling any of these, that is the signal the rails are working — and your structure problem just moved one layer deeper.

The real lesson

Three sentences. Most assistants fail in production not because they were too simple but because they were too loose. Give the system freedom inside boundaries, not power without shape. The winning systems are rarely the most magical — they are the most disciplined.

If you are about to ship an assistant into a real workflow, send me a list of every action it can take and I will tell you which three need a confirmation gate before your next deploy. [email protected].