The arithmetic of catastrophe
Consider a simple scenario: an AI agent tasked with "clean up old log files" misinterprets the scope. A human developer making the same mistake deletes one directory, realizes the problem, stops. Damage: recoverable.
The agent, operating at full velocity, deletes 47 directories across 12 servers in 90 seconds before the next heartbeat check fires. Damage: a recovery incident that takes 6 hours and surfaces on a postmortem.
The agent wasn't "more wrong" than the human. It was equally wrong, but faster. Speed transformed a mistake into a cascade.
The velocity multiplier: At 50 commands/minute, an agent operating on a bad assumption for 3 minutes has executed 150 actions. Even if 99% are benign, the 1% that aren't compound faster than any human can intervene.
Three ways velocity creates risk
1. Irreversibility accumulation
Some commands are reversible. Some aren't. Agents executing at speed tend to mix them freely. A pipeline of git commit (reversible) → git push (reversible with effort) → helm upgrade --atomic (partially reversible) → db migrate --no-rollback (not reversible) creates a dependency chain where the terminal action is irreversible and the intermediate actions make reversal of earlier steps pointless.
Human review naturally breaks this chain at each irreversible step. Agent velocity skips the natural pause points.
2. Feedback loop collapse
Human operators develop judgment through feedback: run a command, observe the output, adjust. At high velocity, agents often don't observe intermediate outputs before executing the next action in the plan. They're operating on a model of the world that was accurate when the session started, but may have diverged by action 20.
A deployment agent that doesn't check health metrics between each rollout step will happily deploy to 8 regions after the first region shows errors — because the plan said "deploy to all regions" and it's executing the plan.
3. Blast radius expansion
Velocity expands blast radius in direct proportion. An agent touching 10 systems per minute over 10 minutes of undetected bad behavior has a blast radius of 100 systems. The same agent with a 30-second mandatory human review checkpoint after every 5 high-risk actions has a blast radius of at most 5 systems.
| Agent velocity | Detection lag | Max blast radius | Recovery complexity |
|---|---|---|---|
| 50 cmd/min | 5 minutes | 250 actions | Very high |
| 50 cmd/min | 30 seconds | 25 actions | Moderate |
| 50 cmd/min | Per high-risk action | 1 action per gate | Low |
| Human pace (~3/hr) | Continuous | 1–3 actions | Minimal |
Velocity governance patterns
Pattern 1: Risk-tiered rate limits
Not all commands warrant the same velocity treatment. A sensible tiering:
- Tier 0 (read-only): No rate limit.
ls,cat,grep,git log— observe freely. - Tier 1 (low-impact writes): Rate limit per session (e.g., 20/minute). File creates, local git commits, config reads.
- Tier 2 (system writes): Rate limit + mandatory review above threshold. Package installs, service restarts, permission changes.
- Tier 3 (irreversible/external): Mandatory review per action, regardless of velocity. DB migrations, production deploys, external API writes, destructive filesystem operations.
The whitelist controls what can auto-approve; the rate limit controls how fast. They're orthogonal controls that compound in effectiveness.
Pattern 2: Checkpoint gates
Insert mandatory pause points at natural phase boundaries in long-running agent tasks:
Phase 1: Gather information (unrestricted velocity)
→ CHECKPOINT: Show collected data, confirm scope
Phase 2: Plan changes (unrestricted velocity)
→ CHECKPOINT: Show planned changes, human approves list
Phase 3: Execute changes (per-action review for Tier 2+)
→ CHECKPOINT: Review results before proceeding
Phase 4: Verify (unrestricted velocity)This maps human approval to decisions, not to individual commands. The agent moves fast where speed is safe (information gathering, planning), and slows to human pace where errors are costly (execution).
Pattern 3: Anomaly-triggered throttle
Use behavioral baselines to dynamically throttle when something looks off. If an agent's normal pattern is 5 write commands per session, and the current session has hit 40 writes in 10 minutes, automatically route subsequent write commands to human review — even ones that would normally auto-approve.
This doesn't require predicting what went wrong. It just requires noticing that the current session is anomalous, and injecting friction proportional to that anomaly.
The key insight: Rate limiting and approval gates aren't the same control. Rate limits cap total velocity. Approval gates are synchronization points with a human. Both matter; they address different failure modes.
What "acceptable velocity" looks like
There's no universal answer, but a useful heuristic: the agent should never be executing faster than the fastest plausible human can be monitoring it.
If your reviewer is checking the approval queue every 2 minutes, and the agent can queue 100 commands in that window, you don't have a human-in-the-loop system. You have a human who occasionally glances at what the agent already finished.
Acceptable velocity means:
- High-risk action execution rate ≤ human review rate for that risk tier
- Any 5-minute window of agent activity is reviewable in under 5 minutes of human time
- Blast radius of a session gone wrong is bounded to something recoverable within an hour
The "but it's slower" objection
Yes. Velocity governance makes agents slower for consequential actions. This is the point.
The value proposition of AI agents isn't raw speed — it's intelligent automation of work that would otherwise require constant human attention. An agent that moves at 80% of maximum speed but operates with bounded blast radius is more useful than one running at 100% speed that requires a recovery incident every month.
Speed without control isn't leverage. It's exposure.
The teams that get the most from AI agents aren't the ones who remove all the guardrails to maximize throughput. They're the ones who design agents that can run autonomously precisely because the controls are trusted — and can therefore run with less human babysitting.
Practical starting point
If you're deploying agents today and haven't thought about velocity governance:
- Classify your command surface. Which commands are reversible? Which touch external systems? Which are irreversible? This is your risk tier map.
- Set a maximum blast radius target. "If this agent runs unsupervised for 10 minutes on a wrong assumption, what's the worst case?" If the answer is "catastrophic," the velocity is too high for the current oversight model.
- Add one approval gate before your highest-risk tier. One gate, consistently enforced, is more valuable than five inconsistently enforced.
- Log everything, including auto-approvals. You can't retroactively reconstruct velocity patterns from partial logs.
- Review your auto-approval rate weekly. If it's trending toward 100%, you've probably lost meaningful oversight — even if nothing has gone wrong yet.
Command-level control for fast-moving agents
expacti intercepts every command, classifies by risk tier, enforces approval gates, and rate-limits high-impact actions — without requiring manual review of every ls.