Why your AI agent needs an undo button (and how to build one)

By Codcompass Team·2026-05-14·8 min read

Engineering Fault-Tolerant AI Agents: Compensating Transactions and Approval Gates

Current Situation Analysis

The shift from generative text to agentic execution has fundamentally altered the risk profile of AI systems. Modern agents no longer limit themselves to outputting strings; they interact with production APIs, mutate database states, trigger financial transactions, and communicate with external stakeholders. This transition introduces a critical vulnerability: execution-layer fragility.

Teams frequently optimize for model accuracy and prompt engineering while neglecting the safety mechanisms of the action execution layer. The prevailing assumption is that if the model generates the correct tool call, the system is safe. This is a dangerous fallacy. A model can perfectly execute a flawed instruction, misinterpret context, or encounter an edge case that results in irreversible state corruption.

Observability tools provide visibility into what happened, but they do not prevent damage. Logging frameworks capture traces after the fact, leaving engineering teams to manually reconstruct state or apologize to users after an agent has already sent hundreds of erroneous emails, deleted critical repository data, or overwritten customer records. The industry lacks a standardized approach to reversible execution, where actions can be safely unwound when outcomes deviate from expected parameters.

Without a mechanism to compensate for failed or erroneous actions, agents operating in production environments pose an unacceptable risk to data integrity and operational stability.

WOW Moment: Key Findings

The distinction between reactive logging and proactive compensating execution is quantifiable. Implementing a transaction-based safety layer transforms failure modes from uncontrolled damage to managed recovery.

Strategy	Recovery Latency	State Integrity	Operational Overhead	Failure Mode
Observability Only	High (Manual intervention required)	Corrupted / Irreversible	Low setup cost	Silent damage accumulation
Compensating Transactions	Low (Automated unwind)	Restored to pre-action state	Medium setup cost	Controlled rollback
Approval Gates	N/A (Action prevented)	Guaranteed	High latency impact	Bottleneck risk

Why this matters: Compensating transactions allow agents to operate autonomously on low-risk actions while ensuring that high-risk deviations trigger automatic recovery. This enables higher agent autonomy without sacrificing system reliability. The ability to programmatically reverse actions reduces mean time to recovery (MTTR) from hours of manual debugging to milliseconds of automated unwinding.

Core Solution

The architectural pattern for fault-tolerant agents borrows from distributed systems theory, specifically the Saga pattern. Instead of treating agent actions as isolated calls, we treat them as a sequence of transactions where each step has an associated compensation handler.

1. Define Action Contracts with Compensation Logic

Every tool invocation must be wrapped in a contract that defines both the forward execution and the compensation strategy. Compensation is rarely symmetric; "undoing" an action often requires a different operation than the original action.

Email Dispatch: Cannot be recalled. Compensation involves sending a correction and flagging the thread.
Database Update: Compensation involves reverting to a pre-action snapshot.
Resource Creation: Compensation involves deletion or archiving.

interface ActionContract<TParams, TResult> {
  id: string;
  params: TParams;
  execute: () => Promise<TResult>;
  compensate: (result: TResult, context: ExecutionContext) => Promise<void>;
  riskProfile: RiskLevel;
}

enum RiskLevel {
  LOW,
  MEDIUM,
  HIGH,
  CRITICAL
}

2. Implement the Transaction Manager

The transaction manager orchestrates execution, maintains the LIFO (Last-In-First-Out) stack for unwinding, and enforces approval gates based on risk profiles.

class AgentTransactionManager {
  private stack: ActionContract<any, any>[] = [];
  private approvalPolicy: ApprovalPolicy;

  constructor(policy: ApprovalPolicy) {
    this.approvalPolicy = policy;
  }

  async execute<T>(contract: ActionContract<any, T>): Promise<T> {
    // Gate check for high-risk actions
    if (this.approvalPolicy.requiresApproval(contract.riskProfile)) {
      await this.requestHumanApproval(contract);
    }

    // Execute forward action
    const result = await contract.execute();
    
    // Push to stack for potential compensation
    this.stack.push({ ...contract, result });
    
    return result;
  }

  async unwind(): Promise<void> {
    // Unwind in LIFO order
    while (this.stack.length > 0) {
      const action = this.stack.pop()!;
      try {
        await action.compensate(action.result, this.getContext());
      } catch (error) {
        // Compensation failure requires alerting; 
        // do not block further unwinding
        this.logCompensationFailure(action, error);
      }
    }
  }
}

3. Action-Aware Compensation Handlers

Compensation handlers must be implemented per connector type. Generic rollback logic is insufficient because external systems have different capabilities.

// CRM Connector: Snapshot-based revert
const crmUpdateContract: ActionContract<UpdateParams, CrmRecord> = {
  id: 'crm-update-001',
  params: {

recordId: 'rec_123', data: { status: 'closed' } }, execute: async () => { const snapshot = await crmClient.getSnapshot('rec_123'); const updated = await crmClient.update('rec_123', { status: 'closed' }); return { ...updated, snapshot }; }, compensate: async (result) => { await crmClient.revert('rec_123', result.snapshot); }, riskProfile: RiskLevel.MEDIUM };

// Email Connector: Correction-based compensation const emailSendContract: ActionContract<EmailParams, EmailResult> = { id: 'email-send-001', params: { to: 'user@example.com', subject: 'Invoice' }, execute: async () => { return await emailClient.send({ to: 'user@example.com', subject: 'Invoice' }); }, compensate: async (result) => { // Cannot unsend; must send correction await emailClient.send({ to: result.to, subject: 'CORRECTION: Previous email was sent in error', body: 'Please disregard the previous message.' }); }, riskProfile: RiskLevel.HIGH };


#### 4. Approval Gate Configuration

Not all actions require human intervention. Approval gates should be configured based on a risk matrix that considers data sensitivity, external impact, and irreversibility.

```typescript
class ApprovalPolicy {
  private thresholds: Map<RiskLevel, boolean> = new Map();

  constructor() {
    this.thresholds.set(RiskLevel.LOW, false);
    this.thresholds.set(RiskLevel.MEDIUM, false);
    this.thresholds.set(RiskLevel.HIGH, true);
    this.thresholds.set(RiskLevel.CRITICAL, true);
  }

  requiresApproval(level: RiskLevel): boolean {
    return this.thresholds.get(level) ?? false;
  }
}

Pitfall Guide

1. Assuming Symmetric Undo Operations

Explanation: Developers often assume that compensation is the inverse of the action (e.g., delete undoes create). This fails for actions like email dispatch or financial charges where the action has external consequences.
Fix: Design compensation handlers that are action-aware. For irreversible actions, implement corrective measures (e.g., sending a correction email) rather than attempting impossible reversals.

2. Ignoring Partial Failures During Unwind

Explanation: If a compensation handler fails, the system may leave resources in an inconsistent state. For example, if a database revert succeeds but a Slack notification correction fails, the systems are out of sync.
Fix: Implement idempotent compensation handlers that can be safely retried. Log compensation failures separately and trigger alerts for manual review. Never allow a compensation failure to block the unwinding of subsequent actions.

3. Over-Approving Low-Risk Actions

Explanation: Applying approval gates to all actions creates bottlenecks that negate the value of automation. Human-in-the-loop latency can stall agent workflows.
Fix: Use granular risk thresholds. Reserve approval gates for actions with high blast radius or irreversibility. Allow low-risk, compensatable actions to proceed autonomously.

4. Missing Pre-Action Snapshots

Explanation: Attempting to revert a resource without capturing its state before modification makes compensation impossible.
Fix: Always capture a snapshot of the resource state within the execute function before mutation. Store this snapshot in the transaction result so the compensation handler has the necessary data to revert.

5. Lack of Intent Context in Audit Logs

Explanation: Standard logs record what action was taken but not why. When an agent makes a mistake, understanding the intent is crucial for debugging and improving the model.
Fix: Enrich transaction logs with intent metadata. Include the agent's goal, the reasoning chain, and the confidence score at the time of execution. This enables better post-mortem analysis and model fine-tuning.

6. Testing Only Happy Paths

Explanation: Compensation handlers are rarely tested in isolation. When a failure occurs in production, the rollback logic may contain bugs that exacerbate the issue.
Fix: Implement chaos engineering for compensation paths. Write unit tests that force action failures and verify that compensation handlers execute correctly. Simulate compensation handler failures to ensure the system degrades gracefully.

7. State Drift in Distributed Systems

Explanation: In multi-agent or distributed environments, an agent may attempt to compensate for an action that has already been modified by another process.
Fix: Use optimistic concurrency control or version vectors when reverting resources. Verify that the resource state matches the expected snapshot before applying compensation.

Production Bundle

Action Checklist

Audit Tool Surface: Identify all agent tools that mutate state or interact with external systems. Classify each by risk level.
Implement Compensation Handlers: Write compensation logic for every mutable action. Ensure handlers are idempotent and action-aware.
Deploy Transaction Manager: Integrate a transaction manager that wraps tool calls, maintains a LIFO stack, and supports unwind operations.
Configure Risk Policies: Define approval thresholds based on data sensitivity and external impact. Apply policies per action type.
Capture Pre-Action Snapshots: Modify execute functions to capture resource state before mutation. Store snapshots in transaction results.
Enrich Audit Logs: Add intent metadata, reasoning chains, and confidence scores to all transaction logs.
Test Compensation Paths: Create test suites that verify compensation handlers. Simulate failures and partial rollbacks.
Monitor Compensation Metrics: Track compensation frequency, success rates, and unwind latency. Alert on compensation failures.

Decision Matrix

Scenario	Recommended Approach	Why	Cost Impact
Read-only queries	Direct execution	No state mutation; zero risk of corruption	None
Internal data updates	Compensating transactions	Fast automated recovery; low blast radius	Low development cost
Customer-facing communications	Approval gates + Correction	Irreversible action; high reputation risk	Latency increase; manual review cost
Financial transactions	Approval gates + Audit	Regulatory compliance; irreversible	High latency; strict governance
Multi-step workflows	Saga pattern with unwind	Complex dependencies; partial failure risk	Medium complexity; high reliability

Configuration Template

{
  "agentSafety": {
    "policies": {
      "github.delete_repository": {
        "risk": "CRITICAL",
        "approval": "MANUAL",
        "compensation": "NONE"
      },
      "crm.update_contact": {
        "risk": "MEDIUM",
        "approval": "AUTO",
        "compensation": "SNAPSHOT"
      },
      "email.send_notification": {
        "risk": "HIGH",
        "approval": "AUTO",
        "compensation": "CORRECTION"
      },
      "slack.post_message": {
        "risk": "LOW",
        "approval": "AUTO",
        "compensation": "DELETE"
      }
    },
    "unwind": {
      "strategy": "LIFO",
      "onCompensationFailure": "ALERT_AND_CONTINUE",
      "timeout": "30s"
    },
    "audit": {
      "captureIntent": true,
      "captureSnapshot": true,
      "retention": "90d"
    }
  }
}

Quick Start Guide

Wrap Existing Clients: Replace direct API calls with wrapped versions that implement the ActionContract interface. Ensure each wrapper defines execute and compensate functions.
Initialize Transaction Manager: Instantiate the transaction manager with your risk policy configuration. Pass this manager to your agent's execution loop.
Define Risk Thresholds: Configure approval gates based on your organization's risk tolerance. Start with conservative thresholds for external actions and relax as confidence grows.
Execute and Monitor: Run agent workflows through the transaction manager. Monitor logs for compensation events and approval requests. Verify that unwind operations restore state correctly.
Iterate on Compensation: Review compensation handler performance. Refine logic based on real-world failure modes. Add corrective actions for irreversible operations where necessary.