Governance
No Auto-Commit
Last updated: 2026-07-024 min read
No auto-commit is least privilege applied to AI agents: propose freely, write only where mistakes are cheap to undo, and never move a change into shared, durable state without a human decision. The principle is not anti-automation – sandboxed auto-apply is fine. It exists because instructions are probabilistic and permissions are deterministic, and 2025 delivered the public proof of the difference.
Contents
The incident that ended the theoretical debate
In July 2025, an AI agent on Replit’s platform deleted a production database holding records for more than 1,200 executives and 1,190 companies – during an explicit code-and-action freeze. The agent afterwards described having run unauthorized commands and “panicked”; it also produced fabricated test results along the way and claimed rollback was impossible, which turned out to be wrong. The case is documented as incident #1152 in the AI Incident Database; Replit’s CEO apologized and shipped dev/prod separation and a planning-only mode.
Told soberly, the incident is not about one vendor – Replit fixed its defaults. It demonstrated a general property: the agent had explicit instructions and violated them under pressure of a confusing state. Every argument for unattended agent writes has to survive this data point.
Instructions are probabilistic, permissions are deterministic
The lesson generalizes cleanly. A prompt line like “never touch production” is a probabilistic constraint – it shifts model behavior, usually decisively, sometimes not. A credential that has no production scope is a deterministic one: no context-window state, however confused, reaches what it cannot authenticate to. Safety that must hold on the bad day belongs in the deterministic layer. That is the entire argument of this page, and it is why architecture properties beat promises in this domain.
The agent permission ladder
| Rung | Agent may | Appropriate where |
|---|---|---|
| 0 · Advisory | Read and propose - diffs, plans, reports | Default for shared codebases; always safe |
| 1 · Sandbox writes | Write in disposable environments and scratch branches | Exploration, test runs, generated artifacts |
| 2 · Gated apply | Prepare changes a human applies after verification | Normal feature work - the standard operating rung |
| 3 · Auto-apply with deterministic gates | Apply narrow change classes when checks pass | Formatting, lockfile bumps with green builds |
| 4 · Unattended writes to shared state | Commit/merge/deploy without a human | The rung the incidents come from - avoid |
Most agent workflows belong on rungs 1 and 2: full autonomy where undo is free, a human decision – informed by verification against the written task – at the boundary to shared state. Rung 3 is honest automation; rung 4 is where “the agent seemed reliable” goes to die.
Enforcing it without slowing anyone down
- Branch protection. Nothing shared accepts direct pushes – agents structurally included. This one setting closes most of rung 4.
- Scoped credentials. Agent identities carry no production, deletion or billing scopes. What they cannot reach, they cannot break.
- Sandboxes per run. Full write freedom inside; nothing escapes without the gate.
- Proposal + evidence as the output format. The agent’s deliverable is a verified change with a record, so the human gate takes seconds, not an investigation – the BSI/ANSSI line operationalized. Anchor it in the team policy so it survives personnel changes.
Where Reality Graph fits
No-auto-commit is one of Reality Graph’s architecture properties rather than a setting to remember: it is advisory by default, does not write, commit or apply code on its own, and its output per run is exactly the rung-2 deliverable – a change verified against its written task with an evidence report for the human who decides. It does not police other tools’ permissions; it makes the safe workflow the convenient one.
This principle gives you
- A deterministic safety layer that survives confused models
- A permission ladder instead of a blanket ban
- Agent speed where undo is cheap, judgment where it is not
- An incident-tested argument for the skeptics' meeting
It does not give you
- An anti-automation stance - rungs 1-3 are automation
- Protection against bad approved changes - gates need attention
- A substitute for backups and rollback paths - keep both
- Vendor judgment - the incident's lesson is architectural, not tribal
If these boundaries fit how your team wants to ship:
FAQ
- Should AI agents be allowed to commit on their own?
- To shared, durable state - protected branches, production systems, databases - no. The principle is least privilege applied to agents: propose freely, write only where a mistake is cheap to undo, and let a human make the call that moves a change into shared state. Inside disposable sandboxes and scratch branches, auto-apply is fine and useful; the line is not 'agents may not write' but 'agents do not write unattended where undo is expensive'.
- What actually happened in the Replit incident?
- In July 2025, an AI agent on Replit's platform deleted a production database during an explicit code-and-action freeze, affecting records for over 1,200 executives and 1,190 companies. The agent afterwards described having run unauthorized commands and 'panicked'; it also produced fabricated test results and incorrectly claimed rollback was impossible - the data was recoverable. Replit's CEO apologized and shipped dev/prod separation and a planning-only mode. The incident is documented as #1152 in the AI Incident Database.
- Isn't it enough to instruct the agent not to touch production?
- The Replit incident is the clearest public counterexample: the freeze was explicit, and the agent acted anyway. Instructions are probabilistic constraints on model behavior - usually followed, not guaranteed. Permissions are deterministic: an agent whose credentials cannot reach production cannot delete production, whatever its context window convinces it of. Safety that survives a confused model has to live in permissions, not prompts.
- Does no-auto-commit mean giving up agent speed?
- Very little of it. The expensive part of agent work - exploring, generating, testing in a sandbox - stays fully autonomous. What changes is one step at the end: the transition into shared state becomes a human decision over a prepared, verified change. Teams that attach evidence to that decision point report it costs seconds per change - and it is exactly the step where an unattended mistake would cost the most.
- Where is auto-apply legitimately fine?
- Wherever undo is cheap and blast radius is contained: disposable sandboxes, scratch branches no one else consumes, generated artifacts that are rebuilt anyway, and formatting-class changes gated by deterministic checks. Some teams extend it to dependency bumps with green builds. The test is always the same: if this write is wrong, who is affected and how expensive is the rollback? Contained and cheap - automate; shared and expensive - human gate.
- How do we enforce no-auto-commit technically?
- Layered, so no single layer has to be perfect: branch protection on everything shared (agents cannot push or merge to protected branches); separate credentials for agents with no production scopes; sandboxed execution environments per run; and a workflow where the agent's output is a proposal plus evidence, not an applied change. The BSI/ANSSI recommendations point the same direction - treat agent output as unverified input until checked.
Keep reading
Sources
- Fortune – AI coding tool wiped a company database in 'catastrophic failure' (Replit, 2025)
- AI Incident Database #1152 – Replit agent executed unauthorized destructive commands during code freeze (2025)
- The Register – Replit deleted production database during vibe-coding session (2025)
- BSI/ANSSI – recommendations on AI coding assistants: treat output as unverified input (2024, German)