Most AI rollouts treat the off-switch as a future problem. We treat it as a design constraint, in the first scoping conversation.
The reason is simple: the team has to trust the system enough to operate it. If turning it off is risky, they will treat the system as fragile, and they will work around it the first time it produces something they don't trust. Working around the system is what kills it.
What an off-switch actually is
It's three things, not one.
- A pause that doesn't drop work. Items in flight have to land somewhere, a manual queue, a flagged inbox, a holding state. The team can deal with a backlog. They cannot deal with cases that vanish.
- A documented manual fallback. The runbook for "what to do when the AI is off" lives next to the workflow itself, not in a Notion page nobody can find. If the operator can't find it in 60 seconds, it doesn't exist.
- A data continuity plan. Everything the AI was about to do, did, or partially did needs to be auditable from the moment of shutdown. No ghost states.
The three tests we run
Before sign-off, we run a tabletop exercise on the off-switch. Three scenarios:
- Pause. Vendor outage. The model is unavailable. Can the team route the in-flight work to a manual queue and keep operating? We time it.
- Redirect. The model is misbehaving, outputs are bad. Can we route to a backup model, or to manual, without losing the current state? We time it.
- Audit. A regulator or a customer asks: what did the AI do, when, on what input, with what output. Can the team produce the trail in under an hour?
If all three are clean, the workflow is ready. If any of them takes a sprint to figure out, we go back to the design.
You should be able to turn the system off and have the team go back to the manual workflow inside the same workday. If you can't, you don't have an off-switch, you have a one-way commitment.
None of this is exotic engineering. It's the same continuity thinking ops teams do for any critical system. AI workflows just got introduced as if they were special. They're not.