Date: 2026-03-06

An employee can undo most mistakes with ctrl + z (or command + z if you’re on a Mac). But when an AI agent makes a mistake like deleting an entire database, how do you roll that back?

In a string of posts on X in July 2025, Jason Lemkin, founder of entrepreneur-community company SaaStr, shared how Replit’s vibe-coding tool, by its own admission, “made a catastrophic error in judgment” and deleted a database without permission. That mistake was ultimately reversed thanks to code “checkpoints,” Replit spokesperson Patrick Purvis shared with us at the time, but it raised interesting questions over the permanence of agentic decisions, as well as the rollback mechanisms available for AI users.

“Treat your agents like interns,” CJ Combs, senior AI consultant at consultancy Columbus, advised. “If you’re going to give them destructive commands or service-interrupting commands, you definitely want to be able to have a way to recover said data if that agent has those capabilities.”

Be kind. Companies like security and AI operations company Rubrik released a “rewind” capability in August 2025, which can roll back any undesired agent-led change in files, databases, configurations, and code repositories. The feature takes snapshots of environments already monitored by the company’s Agent Cloud product, in “instances where agents have access to systems of record” like CRM databases, Rubrik GM of AI Devvret Rishi told IT Brew.

But Rishi also warned that one-way transactions like bank transfers or actions “outside of your four walls of control” are more difficult to undo.

Agentic apprehension. AI agents are still a work in progress. A 2025 Carnegie Mellon study discovered AI agents failing at office tasks like understanding documents and communicating. Meanwhile, EY found that 82% of surveyed managers say handling AI agents will make their role more challenging.

And agents make things up sometimes. Purvis admitted as much in his email to IT Brew last year: “The thing that tripped Jason up is that the agent hallucinated and told him it’s not possible to restore. We fixed that by making sure the agent searched the Replit documentation to give the user more accurate information.”

Rollback-ward. Combs recently helped a company deploy a scheduling agent connecting sales-team calendars and CRM records. One inherent risk is the agent setting up a meeting with the wrong person. To solve this, Combs implemented a confirmation that presents the proposed schedule and asks: Are you sure?

“They wanted to be fast, but when they realized that data quality is a big part of this, it allowed them to have a little bit of fail-safe,” he said.

To avoid disasters related to agentic error, Combs recommends a combination of high-quality data (having accurate contact info from the beginning), humans in the loop (that “are you sure?” confirmation), and logging capabilities (he noted audit capabilities in Microsoft Copilot Studio, for instance).

While many logging and data-backup options have existed before agents entered the chat, there’s a modern spin on the rollback option: another agent.

Combs recently assisted in the deployment of an agent for a cleaning-service client. An employee uploads job-completion forms, and the agentic AI determines if the record needs to be updated or added as a standalone. That could lead to a possible overwriting of a “good” record—and an inaccurate timeline that could impact payouts, Combs wrote in a follow-up email.

He has since deployed a secondary agent that collects any new records into a temporary buffer space—a backup folder of sorts. An employee is notified and can potentially “undo” a mistake if the agent catches duplicate data records or other signs of overwriting.

Deterministic to succeed. AI may give the same prompt a different answer every day. That kind of non-deterministic nature differs from the predictability of a script—a set of instructions that PwC’s cyber, data, and tech risk platform leader Avinash Rajeev says should be used alongside agents.

He sees agents helping with broad ideas around orchestration and tracking progress, but recommends using a deterministic script or program to execute critical tasks, like updating a database or looking for and deleting dormant accounts.

A script can:

Use specified credentials

Execute known steps (like disable this specific account)

Build an audit trail, revealing who/what executed it, on which object, when, and what changed

Create an “undo file” that describes the original state or the exact inverse operation required to restore that state

“It’s about making sure that you’re using agents for the right purpose, and then you have to think about what could go wrong in those situations,” he said. “And if something has gone wrong, can you live with the result of mistakes being made, which you have to reverse?”
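
As an added illustration (not code from PwC or any vendor named here), the sketch below shows a deterministic script of the kind Rajeev describes: it disables dormant accounts in fixed steps, builds an audit trail, and writes an undo file that restores the original state. The table layout, the `svc-account-cleanup` identity standing in for the script's specified credentials, and the sample rows are all assumptions constructed for the example.

```python
import json
import sqlite3

def make_demo_db():
    """Constructed sample data: three accounts, two of them dormant."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, enabled INTEGER, last_login TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("alice", 1, "2026-02-27"),   # active
        ("bob", 1, "2025-06-01"),     # dormant
        ("carol", 1, "2025-04-15"),   # dormant
    ])
    return conn

def disable_dormant(conn, actor, cutoff, now):
    """Disable enabled accounts last seen before `cutoff` (ISO date).
    Returns (audit_trail, undo_file_json); changes commit together or not at all."""
    audit, undo = [], []
    with conn:  # one transaction: rolled back if any step raises
        rows = conn.execute(
            "SELECT username, enabled FROM accounts WHERE enabled = 1 AND last_login < ? "
            "ORDER BY username", (cutoff,)).fetchall()
        for username, before in rows:
            conn.execute("UPDATE accounts SET enabled = 0 WHERE username = ?", (username,))
            audit.append({"who": actor, "action": "disable_account", "object": username,
                          "when": now, "before": {"enabled": before}, "after": {"enabled": 0}})
            undo.append({"object": username, "restore": {"enabled": before}})
    return audit, json.dumps({"created": now, "by": actor, "steps": undo})

def apply_undo(conn, undo_json, actor, now):
    """Replay the undo file in reverse order, auditing each restore."""
    audit = []
    with conn:
        for step in reversed(json.loads(undo_json)["steps"]):
            conn.execute("UPDATE accounts SET enabled = ? WHERE username = ?",
                         (step["restore"]["enabled"], step["object"]))
            audit.append({"who": actor, "action": "restore_account", "object": step["object"],
                          "when": now, "after": step["restore"]})
    return audit

def enabled_accounts(conn):
    return [r[0] for r in conn.execute("SELECT username FROM accounts WHERE enabled = 1 ORDER BY username")]

if __name__ == "__main__":
    db = make_demo_db()
    trail, undo_file = disable_dormant(db, "svc-account-cleanup", "2025-12-01", "2026-03-06T09:00:00Z")
    print(json.dumps(trail, indent=2), undo_file, sep="\n")
    apply_undo(db, undo_file, "svc-account-cleanup", "2026-03-06T09:05:00Z")
    print(enabled_accounts(db))
```

Because the undo file records each account's prior state rather than assuming it was enabled, replaying it restores exactly what the script changed and nothing else.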

