How to Design a Recoverable Failure Path for Governed Operations
A recoverable failure path is not error handling — it is the governance architecture for what happens when an operation fails. This framework gives the structure for designing it as a first-class artifact.
A recoverable failure path is not error handling. It is the governance architecture that specifies what state is preserved when an operation fails, what evidence is recorded, what triggers rollback, and what constitutes a safe stop. Every governed AI operation has a policy gate, a scope boundary, and a receipt obligation — but most governance designs specify only what happens when those mechanisms succeed. A system that has governed only the happy path has not fully governed the operation. This framework gives the structure for designing the failure path as a first-class governance artifact.
When to use this framework
- When designing a policy gate for an AI agent operation and need to specify what the gate does when it fails or is unavailable
- When an agent's scope boundary is declared in policy but no procedure exists for what happens if the agent exceeds it
- When a receipt obligation is defined but no response is specified for the case where the operation completes without producing a receipt
- When a governed operation involves irreversible actions and rollback has not been formally scoped
- When an existing governed system has escalation paths only for successful operations, not for governance failures
The four failure classes
Before designing the recovery path, classify the failure:
| Failure class | What happened | Recovery goal |
|---|---|---|
| Scope violation | Agent exceeded declared scope | Stop + record + alert; do not continue |
| Missing receipt | Operation completed with no verifiable record | Flag gap; do not treat completion as governed |
| Policy gate failure | Gate returned error or was skipped | Treat as blocked; do not fail open |
| Unrecoverable state | Rollback is impossible; record is incomplete | Preserve partial evidence; escalate |
Classification is not administrative labeling. It determines which recovery procedure applies and whether the operation may continue at all. A scope violation and a missing receipt are different problems with different responses: one stops the operation, the other flags the completion record as ungoverned. Treating them interchangeably produces neither governance nor recovery.
The four classes also define the evidence requirements. A policy gate failure must be evidenced differently from a missing receipt — the gate failure requires a record of what gate was invoked, what it returned, and what was done with that response. A missing receipt requires a record that the gap was detected and what was blocked as a result. These are not the same record.
Classification must happen before recovery is designed, not during an incident. A failure path that requires a human to determine the failure class at the moment of failure is not a designed failure path — it is an escalation that depends on judgment under pressure.
Step 1: Define the safe stop condition
A safe stop is not the same as a clean exit. A clean exit means the operation completed. A safe stop means the operation halted in a state where the evidence record is complete, authority has been returned to the appropriate party, and no downstream operation has been allowed to proceed as if the halted operation succeeded.
For each governed operation, define the safe stop condition before the operation is deployed. This requires specifying three things: what state must be preserved when the operation stops, what record must be written regardless of whether the operation succeeded, and what authority must be explicitly returned.
State preservation is operation-specific. For a write operation, it may mean recording what was written before the stop. For a read-and-summarize operation, it may mean recording that the summary was not delivered and the source material was not modified. The point is not to preserve everything — it is to preserve enough that a subsequent human review can determine what the operation did and did not do.
The record written at safe stop is separate from the operational receipt. The operational receipt records what the operation did. The safe stop record records that the operation was stopped, why, at what point, and what state was preserved. Both records must exist.
Template:
For this operation, safe stop means:
State preserved: _______________
Record written: _______________
Authority returned to: _______________
Step 2: Design the receipt gap response
A receipt gap occurs when an operation completes — or appears to complete — without producing a verifiable record. This is not a minor logging failure. In a governed system, an unreceipted completion is not a governed completion. It is an event that cannot be audited, cannot be used as evidence of compliance, and cannot be trusted as the basis for downstream action.
The receipt gap response must be designed as a blocking condition, not a monitoring alert. Downstream operations that depend on the completion of the governed operation must not proceed until the receipt gap is resolved or explicitly accepted by an authorized party.
| Condition | Response |
|---|---|
| Operation completed; receipt not produced | Block downstream; alert receipt owner; do not treat as governed |
| Receipt produced; receipt is incomplete (missing scope, authority, or timestamp) | Treat as partial; flag gap fields; escalate before downstream proceeds |
| Receipt produced; receipt cannot be verified (signature failure, format error) | Treat as ungoverned; do not accept as evidence; escalate |
| Receipt gap detected after downstream already proceeded | Record that downstream acted on ungoverned completion; escalate; do not retroactively govern |
The human-in-the-loop step triggered by a receipt gap is an escalation to the receipt owner — the party responsible for the governance mechanism that was supposed to produce the record. That party decides whether the completion can be accepted under exception or whether the operation must be treated as ungoverned. This decision must itself be recorded.
Step 3: Define the policy gate failure behavior
The default behavior when a policy gate fails or is unavailable is: fail closed. The operation does not proceed. This is not a configurable default — it is the required behavior for a governed operation. A gate that fails open under error conditions is not a gate; it is a conditional gate, and the condition under which it opens is exactly the condition an adversary or a misconfigured system will produce.
Fail-closed behavior must be explicit in the gate's design, not inferred. The gate must be configured to return a blocking response on error, on timeout, and on unavailability. The gate must not have a fallback path that allows the operation to proceed if the gate cannot be reached.
The evidence record for a policy gate failure must show:
- Which gate was invoked
- What the gate returned (error type, timeout, skip signal, or explicit denial)
- What action was taken on the pending operation (blocked, halted, escalated)
- Whether the gate failure was itself alertable (i.e., whether gate unavailability is a monitored condition)
The operation that was pending the gate must be explicitly disposed of. "Pending" is not a persistent state for governed operations — an operation that was blocked by a gate failure is either explicitly retried under a new governance record or explicitly abandoned. It does not remain in a queue waiting for the gate to recover, because a gate that has recovered is a different gate state than the one that failed.
Step 4: Design rollback
Rollback for a governed operation is not undo. It is the procedure for returning the system to a known-good governed state when the operation has failed or must be reversed. The key constraint: rollback that requires trusting the system that failed is not a recovery path — it is a retry.
A rollback procedure is only valid if it can be executed without relying on the state or output of the failed operation as authoritative. If the failed operation wrote a record, that record cannot be used as the authoritative source for what to reverse. The rollback must operate from the pre-operation state, from an independent record, or from a human-verified snapshot.
Define rollback capability per operation before deployment:
- What state is reversible: Actions whose effects can be undone with confidence (e.g., a record that was written and can be deleted, a flag that was set and can be cleared)
- What state is not reversible: Actions whose effects cannot be undone or cannot be undone with confidence (e.g., an external notification that was sent, a write to a system that does not support rollback)
- What evidence must exist for rollback to be possible: A pre-operation snapshot, an independent record of the pre-operation state, or an authoritative log that was written before the operation began — not by the operation itself
When rollback is not possible, the failure class becomes unrecoverable state. The procedure is: preserve partial evidence, record the specific point at which rollback became impossible, and escalate. Do not attempt partial rollback of a state that was partially written — partial rollback of a governance record produces a record that is neither the pre-operation state nor the post-operation state, and cannot be trusted as evidence of either.
The failure path design template
Operation: _______________
Scope boundary: _______________
Safe stop condition:
State preserved: _______________
Record written: _______________
Authority returned to: _______________
Receipt gap response:
Downstream blocked: [ ] Yes [ ] No — reason: _______________
Alert recipient: _______________
Escalation path: _______________
Policy gate failure behavior:
Fail-closed configured: [ ] Yes [ ] No — reason: _______________
Gate failure evidence record: _______________
Pending operation disposition: _______________
Rollback capability:
[ ] Yes — reversible state: _______________
evidence required: _______________
[ ] No — reason: _______________
partial evidence preservation: _______________
Escalation trigger: _______________
Failure class (scope violation / missing receipt / policy gate failure / unrecoverable state): _______________
The principle
A governed system without a designed failure path has governed only the happy path. The policy gates, scope constraints, and receipt obligations that define a governed operation are only as durable as the procedures that activate when those mechanisms fail. A failure path that was never designed is not a failure path — it is an absence that will be filled by improvisation.
See also: Failure Modes Are Not Edge Cases — the note that explains why governance failures require designed recovery paths, not incident response.