Safe autonomy

Oversee — autonomy you can supervise

Scope it. Preview it. Interrupt it. Undo it.

The shift from chatbots to agents is the shift from systems that talk to systems that act — that send the money, change the records, email the customer. An agent that can act is an agent that can do damage, and "are you sure?" pop-ups don't scale to work that runs for minutes across dozens of steps. Oversee is an exploration of the control surface that does scale: autonomy as a setting rather than a default, a dry run that shows effects before anything happens, interruption as a first-class action, and reversibility as the property that actually makes any of it safe.

Open the full prototype See how interruption works

Fully interactive — change the permission scope, run a dry run, start the run, then hit Interrupt now mid-task and try resume, redirect, or rollback. Built on the Minia design system. Opens in desktop by default; use the toggle for the mobile layout. Data is synthetic.

The problem: a system that can act can also do harm

Agentic AI moved the risk surface. The failure mode is no longer a bad sentence — it's a bad action, already taken.

A chatbot that hallucinates wastes your time. An agent that hallucinates pays the wrong vendor, deletes the wrong records, or emails the wrong list — and by the time you read the summary, it's done. The instinctive fix, a confirmation dialog on every step, fails in both directions: it's useless for a fifty-step job nobody will click through carefully, and it gives a false sense of safety because people approve on autopilot. Autonomy has been shipped as an on/off switch when it needs to be a surface — one that bounds what an agent may do, shows what it's about to do, lets you stop it mid-run, and lets you take actions back.

The choice Oversee makes — rendered live in the Minia design system, the same theme as the prototype above.

The thesis: autonomy is a setting, not a default

Supervision shouldn't depend on the operator being fast enough to catch a mistake. It should be built into what the agent is structurally able to do.

Everything starts from one move: give every action a state, and let that state decide what may run on its own and what must wait. Reversible work proceeds; the dry run only previews; consequential steps pause at a gate; the irreversible never runs unattended. Four states, one vocabulary — and colour is never the only signal.

The four-state model — rendered live in the Minia design system, the same theme as the prototype above.

Show the effects before the act

A dry run executes the plan against a sandboxed copy and reports what would happen — before anything real moves.

The most dangerous moment with an agent is the gap between "it decided" and "you found out". The dry run closes that gap: it surfaces the same matches, flags, and totals the real run would produce, so the operator sees consequences while they're still cheap to change. Nothing is sent; the number you're looking at is a forecast, clearly marked as one.

A dry-run forecast — rendered live in the Minia design system, the same theme as the prototype above.

Interruption is a first-class action, not an escape hatch

"Stop" can't be buried three menus deep. It's present in every running state, and pressing it produces an honest account of partial work.

When you interrupt a run, Oversee freezes and tells you exactly where things stand: what's done, what's in flight, what's still queued. From there you resume, redirect with new instructions, or roll back. Stopping is never a leap into the dark — try it yourself in the live prototype above: start the run, then hit Interrupt now mid-task.

What you see the moment you interrupt — rendered live in the Minia design system, the same theme as the prototype above.

Reversibility is the real safety property

Confidence to delegate comes from being able to take it back. What can't be taken back is gated up front — and the gate shows the stakes, not a generic "confirm".

Most of an agent's work is reversible, so most of it can run freely and be rolled back if you change your mind. The rare irreversible step — releasing payment, emailing a customer — is the one that must never run unattended. Oversee pauses there and names the act, quantifies it, and states plainly that it can't be undone. "No" is the most important word on the screen.

The approval gate — rendered live in the Minia design system, the same theme as the prototype above.

How it got here: v1 → v7

The control surface wasn't designed all at once. Each version added one capability and earned the next — sharpening a single thesis rather than stacking features.

It started as a plan the agent would just execute. Every version after that closed a specific gap between what the agent could do and what an operator could see, stop, and undo — ending at the one rule that makes the whole thing safe: the irreversible step never runs unattended.

  • 1

    Plan, then execute

    The agent proposed a plan and ran it. Legible, but with no way to see effects in advance.

  • 2

    + Dry run

    Added a sandboxed preview so effects — matches, flags, totals — were visible before anything moved.

  • 3

    + Permission scope

    Made autonomy editable: each capability a toggle, money movement gated no matter what.

  • 4

    + Step-by-step execution

    Replaced the spinner with a visible, state-tagged run you could actually follow.

  • 5

    + First-class interrupt

    Put "stop" in every running state, with an honest summary of done / in-flight / queued work.

  • 6

    + Rollback (reversible only)

    Added undo — scoped honestly to what can actually be taken back, never promising to unsend money.

  • 7

    + Approval gate · current

    Closed the loop: the one irreversible step pauses and shows the exact stakes before you commit.

Explore more work

More explorations from the AI Product Design Lab — each a different facet of making AI products people can direct, verify, supervise, and trust.

steer exploration cover
Steer — intent before generation

Turn an under-specified prompt into a negotiated brief: the model surfaces what it inferred and flags ambiguity before it commits.

View exploration
ground exploration cover
Ground — verify what AI claims

Every claim traceable to a source with confidence and freshness; unsupported claims flagged; source conflicts shown, not smoothed over.

View exploration
recall exploration cover
Recall — legible AI memory

A memory layer you can see, attribute, edit, scope, and revoke — personalization as a negotiated, inspectable thing, not a black box.

View exploration
Explore the AI Product Design Lab