The dangerous thing about AI isn’t that it’s wrong.
It’s that it sounds right.
A language model sounds roughly equally competent whether it has read the source, remembers something similar, inferred something reasonable — or simply filled a gap. Linguistic confidence is not a quality signal. This page describes the four mechanical controls my factory uses to keep confident machines honest — and a catalogue of ten real failure patterns, each with the countermeasure that now prevents it. Not from a course. From production.
Move truth out of the wording, into the artifacts.
You cannot QA an agent by judging how convincing it sounds — it always sounds convincing. The entire defence rests on one move: truth-checking shifts from the agent’s formulation to observable artifacts — diffs, test runs, previews, screenshots, live platform readbacks. What follows is that principle applied four times.
Prove you actually read it.
Early on, a specialist agent delivered convincing analyses of a dataset it had no access to. The text was well-structured, specific, professional. It just wasn’t an analysis of the source — it was a plausible reconstruction of what such an analysis would look like. That episode produced a ground rule:
Every strong operational claim is therefore classified by evidence strength:
- Source-based — directly supported by readback or artifact.
- Mixed — source plus professional interpretation.
- Heuristic — qualified judgment without full readback.
- Unverified — a claim without source evidence. Labelled as exactly that.
“The system says” is not evidence. “The agent analysed it” is not evidence either. And state must be fresh: an automated report once described a CI run as in progress when live readback showed it had already finished. The report wasn’t malicious — just stale. Live state beats the agent’s description of state. Always.
The explanation is not the deliverable. The artifact is.
An agent cannot make its own answer true by writing “done”. Doneness demands different proof depending on the work:
Code change
- The diff
- Tests
- CI result
- Updated requirement status
User interface
- Working preview
- Screenshots at relevant breakpoints
- Page / flow smoke test
- Visual approval
Runtime / third-party action
- API or platform readback
- Timestamp
- Concrete result
- Error & rollback status
Analysis / architecture
- Source map
- Stated assumptions
- Observation vs. judgment, separated
- Open uncertainties & precise scope
Adversarial review — mandate diversity, not just model diversity.
Friendly re-reading has a known weakness: the reviewer adopts the author’s framing. If a design says “this solution is secure”, a friendly reviewer checks whether the security argument is well written. An adversarial reviewer gets the opposite mandate: find the strongest way to break it. Find the hidden assumption. Find the path where a privileged actor bypasses the control. Find where the documentation promises more than the system enforces. Find the case where every test is green and the user outcome is still wrong.
A second model given the same task can confirm the same blindness. A reviewer with an explicit refutation mandate looks for something else entirely. In practice the chain looks like this:
- Architect designs the boundary
- Implementation agent builds
- QA reviewer reads the artifacts
- Adversarial reviewer attacks the premises
- The human makes the GO / HOLD call
No AI role is ever allowed to ratify its own work. The same actor may never define the requirement, build the solution, declare it correct and approve it into production — that’s segregation of duties, applied to AI.
Uncertainty is a state — not a gap to fill with text.
When important information is missing, the correct system state is unverified, blocked, awaiting readback, quarantined or requires human decision — never a fluent paragraph that papers over the hole. In tightly bounded runtime work the rule is absolute:
Ten real patterns — and the mechanics that stop them.
Every one of these was observed in live operation. Publishing them is the point: if your AI vendor can’t show you their failure catalogue, they haven’t run long enough to have one.
1 · Plausible analysis without source access
2 · Done-inflation
3 · Drift under pressure
4 · Too many hats
5 · Plausible synthesis without analysis
6 · Stale-state hallucination
7 · Visually false green
8 · Authority smuggling
9 · Hidden deviations
10 · Placeholder & internal leakage
What the defence does not fully catch.
Strong, not magic. It can still miss:
Which is why human judgment remains part of the architecture. The goal was never to make AI infallible. The goal is to make errors visible, traceable, bounded, reversible — and much harder to promote to production.
Your AI initiative will meet every one of these patterns.
The question is whether it meets them with a defence already standing — or discovers them one production incident at a time. I’ve built the defence once. I can help you build yours.