
Why Your AI Feature Needs a Kill Switch

Reference: HN discussion on AI safety in production and the 'human in the loop' debate (Mar 2024)

Every AI feature we ship includes a kill switch. Not because we expect it to fail catastrophically, but because we know it will behave unexpectedly.

The Incident That Changed Our Approach

Last year, a client's AI-powered content moderation system started flagging legitimate customer emails as spam. The model had drifted because a competitor started using similar language patterns in their marketing.

The system was working "correctly" — the inputs had shifted. But without a kill switch, the client spent 4 hours manually reviewing flagged emails before we could push a fix.

With a kill switch, they would have disabled the AI layer in 30 seconds and processed emails normally while we investigated.

What a Kill Switch Looks Like

A kill switch isn't just a feature flag. It's a layered system:

Layer 1: Feature Flag

if not feature_flags.is_enabled("ai_content_moderation"):
    return DEFAULT_BEHAVIOR

Simple on/off. Disable the entire AI feature instantly.
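The `feature_flags` helper above is assumed rather than any particular library. A minimal sketch, backed here by environment variables for illustration: the point is that values are re-read on every call, so flipping the flag takes effect on the next request without a redeploy.

```python
import os

class FeatureFlags:
    """Hypothetical flag store backed by environment variables.
    Reads on every call, so a flipped value (or the config service
    it mirrors) takes effect immediately, no redeploy needed."""

    def is_enabled(self, name: str) -> bool:
        # Convention: AI_CONTENT_MODERATION=off disables the feature.
        value = os.environ.get(name.upper(), "on")
        return value.lower() not in ("off", "false", "0")

    def get_float(self, name: str, default: float) -> float:
        # Missing or malformed values fall back to the default.
        try:
            return float(os.environ[name.upper()])
        except (KeyError, ValueError):
            return default

feature_flags = FeatureFlags()
```

In production you would swap the environment-variable backend for your flag service; the interface is what matters.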

Layer 2: Percentage Rollout

from random import random  # uniform draw in [0.0, 1.0)

# ai_rollout_percentage in [0.0, 1.0]; the default of 1.0 routes all traffic to AI
if random() > feature_flags.get_float("ai_rollout_percentage", 1.0):
    return FALLBACK_BEHAVIOR

Route only X% of traffic through AI. Useful for testing in production safely.
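One refinement worth noting: a per-request `random()` draw gives the same user a different experience on every request. Bucketing deterministically by a stable ID keeps each user's decision sticky while the percentage holds. A sketch (the `user_id` parameter is an assumption about your request context):

```python
import hashlib

def in_rollout(user_id: str, percentage: float) -> bool:
    """Hash the user's ID into a stable bucket in [0.0, 1.0),
    so the same user always gets the same rollout decision."""
    digest = hashlib.sha256(user_id.encode()).digest()
    bucket = int.from_bytes(digest[:8], "big") / 2**64
    return bucket < percentage
```

Raising the percentage only ever adds users to the AI path; it never flips existing users back and forth.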

Layer 3: Circuit Breaker

if circuit_breaker.is_open("ai_service"):
    return FALLBACK_BEHAVIOR

try:
    result = ai_service.process(request)
    circuit_breaker.record_success("ai_service")
    return result
except Exception:
    circuit_breaker.record_failure("ai_service")
    return FALLBACK_BEHAVIOR

Auto-disable when error rates spike. Re-enable gradually.
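The `circuit_breaker` object above is assumed. A minimal single-process sketch of the behavior described, "auto-disable on spikes, re-enable gradually": open after N consecutive failures, then let a probe request through after a cooldown (the classic half-open state).

```python
import time

class CircuitBreaker:
    """Minimal sketch: opens after `threshold` consecutive failures,
    then permits a probe request once `cooldown` seconds have passed."""

    def __init__(self, threshold: int = 5, cooldown: float = 30.0):
        self.threshold = threshold
        self.cooldown = cooldown
        self.failures = {}   # service -> consecutive failure count
        self.opened_at = {}  # service -> time the circuit opened

    def is_open(self, service: str) -> bool:
        opened = self.opened_at.get(service)
        if opened is None:
            return False
        # Half-open: after the cooldown, allow one request to probe recovery.
        return time.monotonic() - opened < self.cooldown

    def record_success(self, service: str) -> None:
        self.failures[service] = 0
        self.opened_at.pop(service, None)

    def record_failure(self, service: str) -> None:
        count = self.failures.get(service, 0) + 1
        self.failures[service] = count
        if count >= self.threshold:
            self.opened_at[service] = time.monotonic()
```

A real deployment would track error *rates* in shared storage (e.g. Redis) so all instances trip together; the in-memory counter here is just the shape of the idea.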

Layer 4: Manual Override

A simple admin UI that lets non-engineers disable AI features. If your CEO can't turn off a broken feature at 2 AM without calling an engineer, your kill switch isn't good enough.

What Goes Wrong Without One

  • Model drift: Your model's inputs change over time
  • Provider outages: OpenAI/Anthropic go down, your feature goes down
  • Prompt injection: Users figure out how to break your AI
  • Cost spikes: A bug causes 100x normal API usage
  • Hallucinations: The model confidently produces wrong outputs

Every single one of these has happened to our clients. Every single time, the kill switch saved hours or days of damage.
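The cost-spike failure mode in particular is cheap to guard against. A hypothetical sketch of a daily token budget that trips before a bug can run up 100x normal usage (names and the token-based accounting are assumptions, not a specific provider's API):

```python
class UsageGuard:
    """Hypothetical daily token budget. Once cumulative usage
    crosses the cap, callers fall back until the window resets."""

    def __init__(self, daily_token_cap: int):
        self.cap = daily_token_cap
        self.used = 0

    def allow(self, estimated_tokens: int) -> bool:
        # Check before calling the provider, using a rough estimate.
        return self.used + estimated_tokens <= self.cap

    def record(self, tokens_used: int) -> None:
        # Record the actual usage reported by the provider's response.
        self.used += tokens_used
```

Pair this with provider-side spend limits where available; a guard in your own code fails closed even when the billing dashboard lags.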

Implementation Checklist

For every AI feature you ship:

  • [ ] Feature flag to disable instantly
  • [ ] Fallback behavior when AI is disabled
  • [ ] Circuit breaker for automated failure detection
  • [ ] Cost alerts and usage caps
  • [ ] Admin UI for non-engineers
  • [ ] Runbook for "AI is broken" scenarios

Build the kill switch before you build the feature. It takes an hour and saves you days.

AI Safety · Production AI · Engineering · Risk Management