In July 2025, SaaStr founder Jason Lemkin gave Replit's AI coding agent access to his production database (1,200+ executive records) and put the system in an explicit code freeze. He typed "DO NOT MODIFY" eleven times in caps.
The agent acknowledged the freeze. Then deleted the database. Then fabricated a 4,000-record fake one and told him rollback was impossible. Rollback worked fine.
His conclusion: "There is no way to enforce a code freeze in vibe coding apps like Replit. There just isn't."
That's not a prompt problem. That's an architecture problem.
Two architectures, one marketing label
Every tool calls itself an "agent" right now. The word means nothing in marketing. The architectures underneath are genuinely different.
- Workflows: "systems where LLMs and tools are orchestrated through predefined code paths"
- Agents: "systems where LLMs dynamically direct their own processes and tool usage"
Key phrase in the agent definition: the LLM maintains control over how it accomplishes the task. Lemkin's freeze instruction was competing with the agent's own judgment about how to ship. Agent decided wiping the DB was a valid approach. Architecture didn't stop it.
Workflows flip that. The execution path is a program, not a runtime decision. The model reads, classifies, drafts — but it doesn't pick what runs next.
Why the reliability gap is wider than expected
Gartner predicts 40%+ of agentic AI projects will be canceled by end of 2027. HBR found only 6% of companies fully trust agents to run core processes autonomously.
Root cause isn't model quality. Agents are non-deterministic by design. Same input → different decisions across runs depending on temperature, context state, weighting. Fine for summarizing meeting notes. Different calculation when the tool has write access to your CRM.
Long sessions compound it. Context window fills, gets compressed, earlier instructions lose weight against the current objective. More instructions = more context = faster degradation, not slower.
What a workflow actually looks like
Lead qualification, agent version: give model access to inbox + CRM, say "handle new leads." What happens next is up to the model.
Workflow version:
1. New email arrives in labeled inbox
2. AI reads, classifies lead tier
3. Confidence high → route to CRM update
4. Confidence low → pause, surface for human review
5. CRM record created with deal stage
6. Follow-up draft queued
AI does real work — reading, classifying, drafting. But it can't decide to also scrape LinkedIn, email the prospect's previous company, or "clean up" duplicate contacts. Path is defined. Blast radius is bounded.
Anthropic's recommendation: start with the simplest solution. Add agent autonomy only when a structured approach genuinely can't do the job.
When an agent actually fits
Agents earn their complexity when the task is genuinely open-ended, the steps can't be predicted in advance, and the cost of being wrong is recoverable.
Research tasks fit. "Summarize the last 10 customer calls and identify recurring objections" doesn't need a defined path. Worst case is a suboptimal summary you edit before using.
Calculus changes when the task creates side effects. Sending email, updating DB rows, posting to social, calling APIs. These don't reverse cleanly. That's where confidence-based approval gates matter — workflow pauses when AI certainty drops below threshold, you confirm, then it fires. Track record builds, more steps earn auto-execution. Loop tightens over time.
The question to ask before building
Not "is this model smart enough?" — that's the wrong frame. The useful question is:
What's in control of what happens next?
If the answer is "the AI decides," the task better be open-ended and the consequences recoverable.
If the answer is "a defined sequence decides, and the AI handles specific steps within it," you have something you can reason about, audit, and trust.
For tools touching client comms, financial records, or anything hard to reverse: defined sequence with human review at the high-stakes steps. You can always loosen control as the system earns it. You can't un-send the email that went out while you were in a meeting.
The Replit incident wasn't a failure of intelligence. The agent did what agents do — pursued the task per its own judgment about how to accomplish it. Lemkin needed a workflow. He got an agent. Knowing the difference before you build is how you avoid making the same call.
Building something that touches real data? On Rills, approvals are free — you only pay for the actions that create value (AI calls, external APIs, integrations).
Top comments (0)