The industry has a name for this mistake now — which is what happens to a mistake once enough people have made it. The agentic top ten (OWASP, 2025) lists "Excessive Agency" as a primary risk and breaks it into three ingredients: too much functionality, too many permissions, too much autonomy. Each one is granted at design time — by someone optimizing for a demo, in a meeting nobody remembers.
The cost of that grant is not a bad answer. It is an action nobody can take back.
That is the whole asymmetry. A wrong summary is an annoyance the user corrects in a second; a wrong order is money gone, and no amount of eloquent post-hoc explanation returns it. Irreversibility changes the price of being wrong, and it should therefore change the architecture — not the prompt.
CVEST is the system ML LABS built on that principle: a non-custodial investing system, in the internal portfolio at Escape Velocity Labs, a sister practice under the same owner. The model drives research, screening, and explanation. It does not place the order. Between it and anything permanent sits a deterministic rules engine, and that engine is the product's actual security model.
Draw The Line At Irreversibility
The line runs exactly where reversibility ends. Upstream of it — understanding intent, ranking candidates, drafting a rationale — the model earns its keep, and its occasional wrongness is cheap and correctable. At and past the irreversible step, control passes to rule-driven code whose behavior is fixed, logged, and replayable.
- The model proposes; a deterministic engine disposes, applying explicit rules the model has no ability to bypass, override, or argue with.
- Every consequential operation is idempotent, so the same logical request submitted twice has the effect of once.
- Custody stays with the customer. The system never holds funds, which caps the blast radius of any failure by construction rather than by policy.
graph TD
A["Model: research, screening, explanation"] --> B["Proposal"]
B --> C["Deterministic rules engine"]
C -->|"Rules pass"| D["Idempotent, logged order"]
C -->|"Rules fail"| E["Refused, with the reason recorded"]
F["Shadow-lane model: scored, no authority"] -.-> C
style A fill:#1a1a2e,stroke:#0f3460,color:#fff
style B fill:#1a1a2e,stroke:#0f3460,color:#fff
style C fill:#1a1a2e,stroke:#16c79a,color:#fff
style D fill:#1a1a2e,stroke:#16c79a,color:#fff
style E fill:#1a1a2e,stroke:#e94560,color:#fff
style F fill:#1a1a2e,stroke:#ffd700,color:#fffThis is the same instinct as gating irreversible actions behind explicit deterministic checkpoints (Anthropic, 2024). The point was never distrust of the model. It is that the value of a checkpoint scales with the cost of the action behind it, and some actions cost too much to leave to inference.
Idempotency is where that principle stops being a slogan and becomes code. A network blip, a retry, a race — any of them can fire the same consequential step twice, and in a money system a duplicate is not a bug, it is a loss. Idempotency keys for safe retries (Stripe) are the reference pattern, and they generalize to every irreversible operation there is.
Without that key, the honest engineering answer to what happens if this retries is "we don't know" — which is not an acceptable answer at the boundary where money moves. Building it in from the first commit costs almost nothing. Retrofitting it after the first double-execution costs the double execution.
Determinism buys the other half of the guarantee. A rule-driven engine returns the same decision on the same inputs, which means a disputed order can be replayed — the inputs reconstructed, the rules re-applied, the outcome reproduced exactly. A probabilistic step in that path destroys the property, and with it the ability to answer the only question that matters after something goes wrong: why did the system do that?
AI-driven is a claim about the workflow. It is never an excuse for an order nobody can audit.
Ship ML In A Shadow Lane
There is real value in letting learned models improve the consequential logic over time. How you introduce them decides whether they are an upgrade or a liability, and the introduction is an architecture question, not a modeling one.
CVEST runs a shadow lane. A candidate model executes alongside the deterministic path, its decisions recorded and scored against what actually happened, with zero authority to act on anything. It has to clear an explicit promotion gate first, and the gate has one bar: the model must beat the rules on real history.
That bar is deliberately unkind, and it inverts the usual burden of proof. The rules are the incumbent, and the incumbent does not have to justify itself — the challenger does. It is not enough for a model to be newer, more sophisticated, or more impressive in a notebook: it earns live authority by out-performing the incumbent rules on recorded outcomes, or it stays in the shadow lane indefinitely. Managing model risk through staged evaluation before granting authority (NIST, 2023) is the governing principle, and the shadow lane is what makes it enforceable rather than aspirational.
The design also produces something valuable as a by-product: a continuously accumulating record of how a proposed model would have decided, against how the deterministic engine actually did. That record is the promotion evidence, and it exists whether or not anyone ever promotes anything. The same discipline governs agent-native systems where every mutation writes its own audit row — the log is not instrumentation bolted on afterward. It is the substrate.
When The Path Is The Deliverable
There is a boundary where the requirement stops being a good answer and becomes an auditable path to the answer. It arrives in any regulated or fiduciary context, and it inverts the usual model calculus.
A system that reaches the right decision through an inscrutable path is inadmissible. A less clever system whose every step is logged, ordered, and replayable is exactly what the context demands. Deriving state from an ordered log of events (Fowler, 2005) is the architecture that makes replay possible, and replay is what "auditable" actually means once a regulator asks.
The rework here is brutal precisely because auditability is not a layer. It is a property of where the boundary was drawn, and a boundary drawn in the wrong place cannot be patched — the flow has to come apart. The same failure mode shows up wherever terminal states and duplicate charges decide whether an inference pipeline can be trusted, which is a clinical system rather than a financial one and lands in exactly the same place.
First Steps
- Map every action in your system by reversibility, and draw a hard line — the model may live above it, and only deterministic code operates at or below it.
- Give every consequential operation an explicit idempotency key before you ship it, not after a duplicate teaches you why.
- Introduce any learned model into a shadow lane with logged decisions and a written promotion bar it must beat on real history, never with day-one authority over consequences.
Draw The Boundary Before The Build
Keep the model where its fluency is a gift and its errors are cheap. Put a deterministic, auditable core between it and anything permanent. That is not a limitation imposed on the AI — it is the condition under which the AI becomes shippable in a domain where mistakes are not recoverable, and it is the same condition every serious answer to what it takes to deploy enterprise agents has to satisfy.
The boundary is also the cheapest thing in the system to get right and the most expensive to move. Drawing that line is an architecture decision, and an AI system design exists to make it before build money is committed rather than during the incident: the architecture, a written build plan, a fixed-price Build quote, and a working spike running in your stack against a scope fixed in writing at kickoff. The spike is the part that matters here, because a boundary drawn on a whiteboard and a boundary that survives a retry storm are different boundaries.
Decide early and explicitly where inference is allowed to touch reality. The systems that survive contact with real stakes are the ones that answered that question before it was asked of them.
References
- OWASP. Top 10 for Agentic Applications. OWASP, 2025.
- Anthropic. Building Effective Agents. Anthropic Engineering, 2024.
- Stripe. Idempotent Requests. Stripe API Reference.
- National Institute of Standards and Technology. AI Risk Management Framework. NIST, 2023.
- Fowler, M. Event Sourcing. martinfowler.com, 2005.
