Logo
October 15, 20255 min read

Why I Built an AI That Can't Act Alone

The story of building an autonomous AI agent with SSH access to production servers — and why the most important feature I added was the ability to stop and ask permission.

It was 3 AM on a Tuesday when I understood, viscerally, what it means for an AI system to have too much power.

I'd been building LadenX for months — an autonomous AI agent designed to SSH into production servers, investigate incidents, and execute fixes. The system managed infrastructure across hundreds of servers. That night, a cascading failure hit one of our client environments. LadenX identified the issue, formulated a fix, and was ready to execute a command that would have restarted a critical database service across multiple nodes simultaneously.

The command was technically correct. The fix would have worked. But the timing was wrong — a restart during that specific window would have interrupted an active data migration that LadenX didn't know about. The AI had the technical knowledge but lacked the contextual judgment that only a human operator possessed.

That was the night I added approval gates.

Capability Without Governance

Not because the AI was broken. Because the AI was working exactly as designed — and that was the problem. I had built a system capable of taking significant action on production infrastructure, and I hadn't built adequate governance around that capability. This is the part that rarely makes it into technical discussions about AI agents. We talk about capabilities, about what AI can do, about pushing boundaries. We talk far less about what AI should not be allowed to do without human oversight.

Three Tiers of Trust

LadenX now operates on a three-tier risk classification system. Every command it might execute is categorized: read operations that only gather information, write operations that modify state, and dangerous operations that could cause significant impact. The system covers over 1,800 command patterns across these tiers.

Read Operations

Checking logs, monitoring resource usage, inspecting configurations — LadenX acts autonomously. These actions are low-risk and fully reversible. The AI does what it's good at: processing information faster than any human could.

Write Operations

The system logs its intent, proceeds if no human objects within a short window, and maintains a full audit trail. Routine fixes — restarting a service, adjusting a configuration, clearing a cache.

Dangerous Operations

Explicit human approval required. Full stop. The AI presents its analysis, explains its reasoning, and waits. It cannot proceed without a human saying yes. Data deletion, security-sensitive changes, anything affecting multiple systems simultaneously.

Auditable Reasoning

The audit logging goes deep. Every action LadenX takes — or proposes to take — is recorded with full context: what the system observed, what it concluded, what it recommended, and whether a human approved, modified, or rejected the recommendation. If something goes wrong at 3 AM next Tuesday, we can trace exactly what happened and why. Credentials are protected with AES-256-GCM envelope encryption. The AI never sees raw credentials — it works with encrypted references that are decrypted only at the moment of use and cleared immediately after.

The Slower Path

Building these governance mechanisms took months. It would have been faster — and more impressive in a demo — to let LadenX operate without constraints. An AI agent that can fix any server issue autonomously sounds incredible in a pitch deck. An AI agent that pauses to ask permission sounds cautious.

But I've managed over 300 production servers supporting more than 50,000 mailboxes. I've seen what happens when automated systems act without adequate oversight. The speed at which an autonomous system can cause damage is exactly the speed at which it can operate — which is the whole point of building it in the first place.

There's a phrase I return to often: technology should amplify human potential, not replace it. LadenX amplifies. It investigates faster than I can, it correlates data across more systems than I could track, and it formulates fixes that account for variables I might overlook. But the decision to act — especially when the stakes are high — remains human.

This isn't a limitation of the system. It's a feature. The most sophisticated thing about LadenX isn't its ability to diagnose server failures. It's its ability to stop and ask.

I didn't set out to build a governance framework. I set out to build a tool that could help me manage infrastructure at scale. The governance emerged from necessity — from the realization that capability without accountability isn't engineering. It's negligence.

If you're building AI systems that can take real-world action, I'd encourage you to think about this early. Not after the 3 AM incident. Before it.