← All notes
LeadershipAI

AI Reliability Requires Protocols, Not Blind Trust

A practical note on building AI systems with protocols, evaluation, observability, escalation paths, and rehearsal instead of trusting safeguards by default.

AI systems usually do not fail because one person wanted them to fail.

They fail because a team trusted the wrong thing for too long. A model looked accurate in the demo. A retrieval system worked on familiar documents. A workflow had a human approval step, but nobody defined what the reviewer was supposed to verify. A dashboard showed green status, but the team was not measuring the failure that actually mattered.

Then small issues start to stack.

The support assistant answers from an outdated policy page. The agent retries a tool call until it hits a rate limit. The summarizer drops a crucial exception. A natural-language analytics feature turns a vague metric definition into a confident chart. Product assumes engineering reviewed tool permissions. Engineering assumes the provider’s safety layer is enough.

None of these problems may look serious alone. Together, they can turn an impressive AI feature into a reliability problem, a compliance problem, or a trust problem.

This is why I do not think AI reliability can be treated as a feature you add at the end. It has to be built into the way the team works. Safeguards matter, but safeguards without protocols can create a false sense of safety. The better question is not, “Do we have guardrails?” The better question is, “What do people do when a guardrail fails, produces a warning, or quietly stops matching reality?”

That question is becoming more urgent as AI moves from experiments into production. LangChain’s 2026 State of Agent Engineering reported that 57% of respondents had agents in production, while quality remained a major barrier. Datadog’s 2026 State of AI Engineering found that production AI systems now involve model fleets, orchestration frameworks, tool calls, long prompts, retries, cost control, and debugging across service boundaries.

In other words, AI work is starting to look less like a chatbot demo and more like distributed systems work. That is good. It also means the operating discipline has to catch up.

A Safeguard Is Not A System

A safeguard is one control. A system is the combination of controls, ownership, monitoring, escalation, maintenance, and behavior around those controls.

This distinction sounds obvious until a team starts building with AI. It is easy to believe that a model provider’s safety policy, a moderation endpoint, a prompt instruction, a retrieval filter, a human approval step, or an observability tool has “handled” the risk. Each of those things can help. None of them removes the need for engineering judgment.

A prompt that says “do not reveal private information” is not an access-control model. A human approval button is not a review process unless the reviewer knows what to check. A vector database permission filter is not enough if documents are misclassified before indexing. A monitoring dashboard is not enough if nobody owns the alert. A fallback model is not enough if nobody has tested the fallback path under real failure conditions.

The danger is not only technical. The danger is organizational. Once people believe the system is protected, they may stop looking closely. A manager may approve broader rollout because the demo looked controlled. A team may accept more autonomy for an agent because “it still has guardrails.” A user may follow a fluent answer with citations without checking whether the cited passage actually supports it.

This is where AI reliability becomes a management issue. The technical design and the human workflow cannot be separated. If the workflow teaches people to assume the safeguard will handle the problem, the workflow is part of the risk.

I see this pattern in many AI discussions. People ask whether the model is powerful enough, whether the agent framework is modern enough, or whether the vendor has a safety layer. Those are reasonable questions, but they are incomplete. The reliability question is broader:

  • What can go wrong even when the model is working as designed?
  • Who notices the first weak signal?
  • What happens when one control is unavailable, stale, bypassed, or misunderstood?
  • Which decisions require human approval, and what counts as a meaningful approval?
  • How often do we rehearse unusual but predictable failures?

If a team cannot answer those questions, it does not yet have a reliable AI system. It has a useful component surrounded by assumptions.

Overconfidence Is Easier When The Interface Looks Calm

AI interfaces can make risk feel smaller than it is.

A command-line error looks like an error. A failing API returns a status code. A broken data pipeline usually leaves a trace. LLM applications can fail in a softer way. The answer is still grammatical. The summary still sounds reasonable. The retrieval system still returns documents. The dashboard still loads.

That smoothness can be helpful for users, but it can also hide uncertainty.

An AI assistant may produce an answer that is 80% right and 20% dangerous. A coding agent may fix the visible bug while changing behavior somewhere else. A workflow agent may complete a task by using a tool in a way the team did not intend. A document assistant may cite a source but skip the conflicting paragraph. These are not always loud failures. They often look like normal work unless the team has defined what to inspect.

This is one reason overreliance is a real AI risk. OWASP’s Top 10 for Large Language Model Applications includes overreliance, prompt injection, insecure output handling, and excessive agency among the major concerns for LLM systems. Those categories are useful because they remind us that the risk is not only “the model made a mistake.” The risk is that people and downstream systems treat the model’s output as more authoritative than it deserves.

For technical leaders, the practical lesson is simple: do not let a calm interface become a substitute for a controlled process.

If an AI system recommends refunds, the control should not be only “a person clicks approve.” The reviewer should see the evidence, the confidence boundaries, the policy reference, the customer history that matters, and the action the system is about to take. If an internal assistant answers HR or legal questions, the interface should make it clear when it is summarizing policy and when it is directing the user to an authoritative owner. If an agent writes code, the workflow should include tests, diff review, dependency checks, and permission boundaries.

The more natural the interface feels, the more explicit the review process should become.

Protocols Turn Concern Into Action

One of the hardest parts of reliability work is converting vague concern into required action.

People often notice weak signals before a system fails. A support lead sees more corrections than usual. A data analyst notices that answers are inconsistent for a certain metric. An engineer sees an agent taking more steps than expected. A product manager hears users say, “It usually works, but I double-check it.” These signals matter, but they are easy to normalize when the product is under pressure.

Protocols help because they remove some of the social friction from action.

Without a protocol, someone has to decide whether a concern is serious enough to slow the team down. That can feel personal. Nobody wants to be the person who blocks a launch, questions a popular tool, or asks for more testing when leadership wants momentum. With a protocol, the decision becomes less about personality and more about an agreed threshold.

For AI systems, useful protocols can be very concrete:

  • If retrieval precision falls below a defined threshold on the evaluation set, the feature does not ship.
  • If an agent exceeds a step limit, it stops and asks for human review instead of continuing.
  • If a model returns invalid structured output twice, the system falls back to a safer path.
  • If a workflow touches money, customer records, production infrastructure, or regulated data, tool permissions require explicit approval.
  • If a prompt, model, index, or tool schema changes, a regression test runs before release.
  • If the system cannot cite supporting evidence, it says so instead of producing a confident answer.

These rules do not make AI perfect. They make action predictable.

That matters because many AI failures are not caused by total ignorance. They are caused by ambiguity. The team knows there is risk, but nobody knows the exact moment when concern should become a rollback, a shutdown, a narrower rollout, or an incident review. Protocols define that moment before the pressure arrives.

NIST’s AI Risk Management Framework is useful here because it frames AI risk management across design, development, use, and evaluation. That is the right scope. A risk control that exists only in a policy document will not help much if the product workflow, engineering process, and user interface all encourage people to ignore weak signals.

Evaluation Is The Checklist For Model Behavior

In traditional software, a checklist might confirm that backups run, alerts route correctly, permissions are reviewed, and deployment steps are followed. In AI systems, evaluation becomes part of that checklist.

I do not mean evaluation as a one-time benchmark copied from a model card. I mean evaluation as a living part of the workflow.

A RAG system should have test questions that represent real user needs, ambiguous queries, outdated documents, restricted documents, missing documents, and adversarial inputs. The team should measure retrieval separately from answer quality. It should know whether the system found the right evidence before judging whether the final answer was good.

An agent should be evaluated on task completion, tool choice, step count, unnecessary retries, policy violations, cost, latency, and recovery from tool failure. If the agent can take action, the evaluation should include cases where it must refuse, ask for clarification, or escalate to a human.

A structured-output workflow should test schema validity, missing fields, edge cases, null handling, and downstream behavior when the model produces a plausible but wrong value. If the output feeds another system, the receiving system must validate it like any other untrusted input.

This is where practical AI skill becomes visible. In How to build practical AI skills for today’s tech job market, I argued that knowing AI vocabulary is not the same as building reliable systems. Evaluation is one of the clearest differences. A demo shows that something can work. Evaluation shows when it works, when it fails, and whether a change made it better or worse.

Current production trends point in the same direction. LangChain’s agent survey found that observability adoption was higher than evaluation adoption, and that teams use both human review and automated approaches when evaluating agent behavior. Datadog’s report also emphasizes continuous evaluation, cost awareness, context engineering, and telemetry as production AI systems become more complex.

That should tell us something. The industry is moving past the stage where “the model answered my question” is enough evidence. Serious teams need test sets, traces, reviews, regression checks, and failure categories.

The practical question for every AI feature is not only “Did it work in the demo?” It is “What evidence would convince us that it is still working after the data, model, prompt, users, and business process change?”

Observability Should Show Decisions, Not Just Errors

AI observability has to do more than count requests.

A production team still needs the basics: latency, cost, token usage, errors, rate limits, retries, provider status, and uptime. Those signals matter. Datadog reported that rate limits were a major source of LLM call failures in production traces, which is a reminder that AI reliability also depends on ordinary capacity engineering.

But AI systems need deeper visibility too. Teams need to see the inputs, retrieved context, tool calls, intermediate decisions, structured outputs, fallback paths, and human overrides that shaped the final result. Without that visibility, the team may know that something went wrong without knowing why.

This is especially important for agents. An agent can fail because the model misunderstood the user, a tool description was vague, retrieved context included conflicting information, a tool returned malformed data, or the workflow allowed too many retries. These are different failures. They need different fixes.

Good observability helps the team separate them.

It also changes the conversation with stakeholders. Instead of saying, “The AI was wrong,” the team can say, “The answer was unsupported because retrieval returned an outdated policy page,” or “The agent spent six steps retrying a tool after a rate limit,” or “The model followed the tool result correctly, but the tool returned stale data.” That level of explanation matters. It turns trust from a feeling into evidence.

For leaders, this means observability should be planned before launch. It should not be a panic purchase after the first embarrassing failure. The team should know which traces are captured, which data is redacted, who can inspect sensitive prompts, how long logs are retained, and how incidents are reviewed.

Visibility without governance can create its own privacy risk. Governance without visibility becomes theater. Reliable AI work needs both.

Human Approval Has To Be Designed

“Human in the loop” is one of those phrases that sounds reassuring until you ask what it means.

Sometimes it means a person carefully reviews evidence before an action. Sometimes it means a person clicks approve because the system usually works and the queue is long. Sometimes it means nobody knows who the human is. Sometimes it means the human does not have enough context to disagree with the model.

That is not a reliable control.

If human approval is part of the safety design, the review has to be designed like any other workflow. The reviewer needs the right information, enough time, clear authority, and a defined standard. The interface should make disagreement easy. It should not punish the reviewer for slowing down a questionable action.

For example, if an AI agent drafts a contract summary, the reviewer should see the source clauses and the sections the model may have missed. If a system recommends a loan exception, the reviewer should see the policy rule, relevant data, and explanation of uncertainty. If a coding agent proposes a change, the reviewer should see tests, generated files, dependency changes, and security-sensitive diffs.

The goal is not to make every human review slow. The goal is to make the important reviews meaningful.

That requires deciding which actions deserve friction. A low-risk summary may only need lightweight review. A customer-facing message may need stronger checks. A workflow that changes production data, sends money, modifies access, or affects someone’s rights needs a much higher bar.

This is also where “excessive agency” becomes practical, not abstract. An agent with access to tools can do useful work. The same access can create risk if permissions are broad, actions are hard to inspect, or approvals are vague. The answer is not to avoid agents entirely. The answer is to design authority deliberately.

Give agents narrow tools. Separate recommendation from execution. Use read-only access where possible. Require approval for irreversible actions. Log every tool call. Set budgets for steps and tokens. Make failure states explicit. Review permissions regularly as the workflow changes.

Autonomy should be earned through evidence, not granted because the demo was impressive.

Rehearsal Finds Problems Documentation Misses

Many teams have incident documents that look reasonable until the first real incident.

The contact list is stale. The dashboard link is wrong. The alert fires in a channel nobody watches. The person with permission to disable the feature is on vacation. The rollback plan assumes an index version that no longer exists. The legal or security escalation path is unclear. The customer-support script does not match the actual product behavior.

This is why rehearsal matters.

AI teams should practice predictable failures before those failures arrive. What happens if the model provider has an outage? What happens if the vector index includes restricted documents? What happens if a prompt injection attempt appears inside retrieved content? What happens if a new model version changes structured output behavior? What happens if token cost doubles for a high-volume workflow? What happens if an agent starts retrying a tool and creates a queue backlog?

These are not exotic scenarios. They are normal production risks.

A rehearsal does not need to be dramatic. A small tabletop exercise can be enough. Pick a realistic failure, walk through who notices it, who decides severity, who disables or narrows the feature, who communicates with users, who investigates, and what evidence the team needs. Then update the system based on what was missing.

The best result of a rehearsal is not a perfect score. The best result is finding a weakness while the stakes are low.

For learners, this is a strong portfolio habit too. If you build a RAG assistant, do not only show the happy path. Show what happens when retrieval fails, when a document is missing, when a user asks for restricted information, when the model returns invalid JSON, or when the API is unavailable. A project that includes failure handling is more credible than a polished demo that pretends failure does not exist.

For teams, the same idea scales. Reliability is not proven by confidence. It is proven by preparation, measurement, and response.

Build Trust With Operating Habits

The lesson I take from many technology failures is not that humans are careless or that technology is too dangerous to use. The lesson is more practical: people adapt to the systems around them. If the system rewards speed over escalation, people will hesitate to escalate. If the interface hides uncertainty, people will overtrust confident output. If approval is vague, approval becomes routine. If nobody rehearses failure, failure will expose the gaps at the worst time.

So the answer has to be operational.

For an AI team, that means:

  • define the actions the system may take and the actions it may only recommend
  • build evaluation sets before major rollout
  • test prompts, models, retrieval, tools, and structured outputs after changes
  • use observability that shows decision paths, not only request counts
  • create clear escalation thresholds
  • make human review meaningful for high-impact actions
  • rehearse likely failures
  • review permissions, cost, latency, and quality as the workflow evolves

None of this guarantees that an AI system will never fail. That is not a realistic standard. The goal is to reduce preventable failure, notice weak signals earlier, and make it easier for people to act before small issues accumulate.

AI reliability is not blind trust in models, vendors, guardrails, or dashboards. It is a set of habits that make trust reasonable.

The market will keep changing. Models will improve. Agent frameworks will mature. Evaluation tools will get better. New standards and security practices will appear. But the deeper principle will remain: a safeguard is only useful when people know how to maintain it, question it, test it, and respond when it stops being enough.

That is the work behind dependable AI. It is less exciting than a demo, but it is far more valuable.

More notes