Every production AI system needs a way to stop itself when something goes wrong. The governance and safety engines provide this — but they also raise a legal question: who is liable when the emergency shutdown fails to trigger?
The Engines
- Emergency Safety Shutdown Engine — Monitors all pipeline outputs for safety gate violations. When a violation is detected, it halts the pipeline and emits a
safety.shutdown.triggeredevent. - Risk Tier Management Engine — Assigns every output to a risk tier (1–4) based on consequence severity and confidence. Tier 4 outputs require written human sign-off before any action.
- Incident Response Engine — When a safety gate fires, automatically: logs the full pipeline trace, notifies the designated responsible person, and initiates the incident response workflow.
- Audit/Rollback Engine — Can reverse a behavioral decision and its downstream effects (CRM updates, billing entries, alerts) as far as the audit trail allows.
Code Walkthrough
// Emergency shutdown gate
const SAFETY_GATES = [
{
name: "clinical-threshold",
test: output => output.domain === "psychological" && output.score > 0.95,
action:"shutdown",
reason:"clinical-threshold-exceeded",
},
{
name: "diagnostic-language",
test: output => DIAGNOSTIC_TERMS.some(t => output.label.includes(t)),
action:"shutdown",
reason:"prohibited-language-in-output",
},
];
function runSafetyGates(pipelineOutput) {
for (const gate of SAFETY_GATES) {
for (const [engineId, output] of Object.entries(pipelineOutput)) {
if (gate.test(output)) {
shutdownPipeline(gate.reason, engineId, output);
incidentResponseEngine.trigger(gate, engineId, output);
return null; // pipeline halted
}
}
}
return pipelineOutput;
}What to Watch For
- Emergency shutdown must be tested regularly. A shutdown gate that has never been triggered in production may not work when it needs to.
- Rollback is only possible as far as your audit trail. If downstream systems (CRM, billing) do not record the AI-driven change that caused them, rollback is incomplete.