A checklist before you let an agent write to prod.
Before an agent gets permission to change a real system, it earns it. Here's the checklist I run through every time. It's the difference between an automation and an incident.
An agent that only reads is a research assistant. An agent that writes is a colleague with root access. The jump between those two is where almost all the risk lives, and it's worth being deliberate about it. This is the list I don't skip.
Before it can write
- Dry-run mode by default: the agent proposes the change and shows the diff before anything happens.
- A human gate on anything irreversible or high-value; one-click approve, not silent execution.
- Scoped credentials: the agent can touch exactly what it needs and nothing else.
- An eval suite that has to be green before a new version is allowed near prod.
While it runs
- Every action logged with its inputs, its reasoning, and its result, auditable after the fact.
- Confidence thresholds that escalate the uncertain cases instead of guessing.
- A kill switch a non-engineer can hit, and a documented rollback for every kind of write.
- Rate limits and blast-radius caps so a bad loop can't run away.
The principle underneath
None of this is about distrusting the model. It's about giving it the same guardrails you'd give a capable new hire on their first week with production access: clear scope, a review step, and an easy way to undo a mistake. Do that and writing to prod stops being scary. Skip it and it's only a matter of time.
