Direct answer: Do not fully automate tasks with severe or irreversible consequences, disputed human judgment, unclear accountability, unreliable inputs, or no effective way to detect and correct errors. AI can often prepare evidence or recommendations, but a qualified person should retain decision authority.
The boundary depends on consequence, not task popularity
No task is risky merely because AI touches it, and no common task is automatically safe. The same capability can summarize an internal meeting with limited consequence or summarize evidence for a termination decision with substantial consequence. Evaluate the specific decision, affected person, authority, reversibility, and ability to verify the result.
“Never automate” should usually mean never delegate end-to-end authority under the current controls. AI may still organize records, identify missing information, draft options, or flag a case for review. That distinction preserves useful assistance without pretending the system can own accountability.
The clearest exclusion rule is operational: if the business cannot state who is responsible, what evidence the decision requires, how an error will be detected, and how harm will be reversed, the task is not ready for autonomous execution.
Keep life, safety, rights, and essential access under qualified control
Decisions that can materially affect health, physical safety, liberty, employment, housing, credit, insurance, education, or access to essential services demand heightened scrutiny. They can involve specialized laws, professional duties, due process, accommodations, and facts that a general model cannot reliably establish.
AI can support a qualified decision-maker by retrieving policy, checking completeness, translating plain language, or surfacing inconsistencies. It should not be the unreviewed final authority when an error can deny a right, cause physical harm, or create a difficult-to-repair outcome. Reviewers need enough time, evidence, training, and authority to disagree—not a ceremonial approval click.
- Final medical diagnosis, treatment, or emergency decisions without qualified clinical control.
- Unreviewed hiring, firing, promotion, compensation, or workplace-accommodation decisions.
- Final credit, housing, insurance, benefit, or eligibility determinations without required review and recourse.
- Safety-critical control of equipment or infrastructure without engineered safeguards and accountable operators.
- Legal conclusions, waivers, filings, or settlements without authorized professional review.
Do not automate authority the business never clearly granted
An agent should not infer permission to spend money, accept contractual terms, publish regulated claims, delete records, change access, disclose confidential information, or represent the company in a dispute. Those powers need explicit scope, identity, transaction limits, validation, and evidence. Natural-language instructions are not a complete authorization system.
Separate analysis from execution. A model may propose a refund based on policy, while deterministic software checks the account, limit, fraud signals, and approval level before issuing it. It may draft a vendor response, while an authorized person accepts terms. High-consequence tools should default to no action when required identity, fields, or approvals are missing.
Avoid open-ended tools such as unrestricted database access, general shell execution, or broad email authority. Expose narrow business capabilities, restrict records and recipients, make retries idempotent, and preserve an audit trail. The objective is to ensure the agent cannot turn a plausible sentence into authority it does not possess.
Avoid autonomous work when truth cannot be checked
Generative output is probabilistic. If the workflow has no authoritative source, objective completion condition, or practical review method, the business cannot distinguish fluent failure from success. This is especially dangerous for original factual claims, accusations, compliance certifications, financial representations, and decisions based on incomplete context.
A task becomes more automatable when claims can be grounded in approved sources, calculations can be performed deterministically, actions produce verifiable system state, and uncertainty triggers escalation. A research agent that cites evidence and labels gaps is controllable; one that silently fills gaps is not. A scheduling agent that confirms calendar state is controllable; one that merely says an appointment was booked is not.
Do not use downstream complaints as the first quality-control mechanism. Establish tests and monitoring before exposure, including edge cases, conflicting inputs, restricted data, malicious instructions, provider outages, and changed business rules.
Preserve human ownership for relationships and contested judgment
Some work is valuable because a responsible person listens, exercises discretion, and remains accountable. Employee discipline, sensitive customer complaints, crisis communication, negotiation, bereavement, safeguarding concerns, whistleblower reports, and ethical disputes often require context and trust that cannot be reduced to a score.
AI may prepare a chronology, retrieve policy, translate, or suggest questions, but people should own the interaction and decision. Automation should not impersonate empathy or conceal that a person is unavailable. When someone reasonably expects a human or requests one, the handoff should be fast and preserve the context already provided.
This is not an argument against efficiency. Removing transcription, lookup, routing, and administrative preparation can give qualified people more time for judgment and relationships. The correct outcome is often partial automation around a human-owned core.
Use four operating modes instead of yes or no
Classify each step, not only the overall process. A single workflow can combine automatic intake, AI-assisted analysis, required approval, and human-only resolution. This creates useful capacity while keeping authority proportional to consequence.
Reassess the classification when inputs, users, models, tools, or consequences change. An action that is safe at a small reversible limit may require approval at a larger amount. A workflow that works for internal drafts may not be suitable for customer-facing publication.
| Mode | AI role | Use when |
|---|---|---|
| Automate | Executes and verifies the step | Low consequence, bounded, testable, and reversible |
| Assist | Prepares evidence, draft, or recommendation | Judgment remains with a qualified person |
| Approve | Pauses before a consequential action | Rules are clear but authority must be confirmed |
| Human only | No model inference in the decision | Use is prohibited, ungovernable, or intrinsically accountable |
A practical test before granting autonomy
For every proposed autonomous step, rate consequence, reversibility, verifiability, data reliability, permission clarity, legal sensitivity, affected-person recourse, and failure visibility. One severe weakness can outweigh several strengths. Do not average away a catastrophic failure mode.
Start with observation or draft mode and compare against experienced operators. Document false positives, false negatives, disparate outcomes, missing information, and attempts to manipulate the system. Expand only the actions that meet a defined threshold, and keep a kill switch, owner, review schedule, and tested manual fallback.
- Can a wrong result materially harm a person or the business?
- Can the result be verified before action and reversed afterward?
- Is authority enforced outside the language model?
- Can an affected person obtain explanation, correction, or human review?
- Will operators detect failure before customers or employees must report it?
- Does a qualified owner accept accountability for the deployed decision?