ctaio.dev
Ask AI Subscribe free

AI Governance / Reversibility Framework

AI Governance · Framework

The Red Button vs Blue Button Problem

AI Governance Decisions Without a Reverse Gear

TBPN has been running a recurring red-button-versus-blue-button bit through 2026, with the buttons standing in for a casual heuristic about decision consequence. The bit is fine as a memory device. The serious version of the idea is older and sharper: Jeff Bezos described it in the 1997 Amazon shareholder letter as the difference between one-way-door and two-way-door decisions, and it is the right frame for the gates that matter most in AI governance. This page is the Bezos framework retrofitted to the six gates a 2026 governance program either gets right or pays for later.

AI Governance Reversibility Framework: One-Way Doors for AI Decisions

30-SECOND POV

  • Most AI governance gates are misclassified. Decisions that feel reversible at the engineering level (model selection, agent tool surface) become one-way doors at the operational level over time as integrations deepen and user expectations form.
  • The fast / slow pattern is Bezos’s, not TBPN’s. Make two-way-door decisions quickly at the lowest defensible level. Make one-way-door decisions slowly, with named senior accountability and a written reversibility cost.
  • Data retention defaults are the most under-appreciated gate. Set on day one, they shape customer expectation and regulatory exposure for the life of the product. Almost always a one-way door, almost never treated like one.

The framework, briefly

Bezos has used the one-way-door / two-way-door framing in shareholder letters and interviews since the late 1990s. The argument runs as follows. Most decisions in a large organization are two-way doors: the cost of being wrong is low because the decision can be reversed at modest cost. For these, the right discipline is speed and delegation; high-quality decisions can be made with roughly 70 percent of the information you wish you had, and waiting for more is itself a cost. A smaller set of decisions are one-way doors. The cost of being wrong is high because the decision cannot be reversed at modest cost. For these, the discipline is the opposite: slow down, name senior accountability, write the reversibility cost down before deciding, and ensure the decision survives scrutiny from the people who will live with it.

The framework is symmetric. Treating a two-way-door decision as one-way is the slow-organization failure mode: meetings on meetings, decisions that should be made by managers escalated to executives, products that ship a quarter late because the reversibility analysis was unnecessary. Treating a one-way-door decision as two-way is the move-fast-and-break-things failure mode: a default-retention posture set in week two of a launch that becomes a regulatory event in year two. Both errors are common. AI governance in 2026 is unusually prone to the second one because the engineering surface feels malleable and the operational consequences land later.

SIX GATES

Where the framework changes the decision

These are the six AI governance gates where the door classification matters most. The pattern across them is that engineering instinct usually classifies a gate as more reversible than it actually is over time. The framework forces the longer-horizon view.

01

Model selection and provider commitment

Mostly two-way, conditional

The model itself is replaceable in 60 to 120 days at most enterprise scales. What is built on top of the model (prompts, evals, fine-tuned weights, agent tooling) increases the reversibility cost. Decide quickly but architect for portability so the door stays two-way over time.

02

Fine-tuning commitment on proprietary data

One-way, often

Fine-tuning on proprietary data under terms that do not allow weight export is close to a one-way door. The investment is durable inside the vendor’s ecosystem and rarely portable. Treat as a senior decision with explicit reversibility cost named up front.

03

Customer-facing data retention defaults

One-way, almost always

The default retention posture set on launch shapes customer expectation, regulatory positioning, and the cost of any future change. Changing later requires a customer-communication event and triggers attrition. Decide deliberately.

04

Long-term compute or capacity contract

One-way for the duration of the contract

A multi-year reservation on a specific GPU class is a commitment that cannot be reversed without writing down the unused capacity or paying an exit fee. The reversibility cost is the depreciation gap. Stage-gate the commitment into shorter tranches where the workload allows.

05

Public regulatory positioning

One-way

Once an organization has taken a public position on an AI regulatory question (transparency, training data, autonomous action), reversing the position is a credibility event. Decide at the level of the CAIO and General Counsel together, with board awareness.

06

Agent tool surface and authorization tier

Two-way technically, one-way operationally

The technical surface can be changed; the operational expectation set by the deployment is harder to walk back. If users have learned the agent can act on their behalf, removing the capability is a degradation event. Decide as if it were closer to a one-way door than the engineering suggests.

Why model selection is conditional

The model selection decision is the gate where engineering instinct is closest to right. At most enterprise scales the model itself can be swapped in 60 to 120 days if the integration was architected with portability in mind. The conditional part is the architecture: if the prompts are hard-coded to a specific model’s instruction-tuning quirks, if the evaluation harness has been built for a specific output format, if the agent tooling has been wired to a specific function-calling syntax, the swap cost grows with each layer. The discipline is to make the model decision quickly and the architecture decision deliberately, because the second is what determines whether the door stays two-way.

For a CAIO running the governance side of this, the practical artifact is a portability spec: a written description of how the AI program could move to a different provider, with timelines and costs estimated at the current state. Re-audit the spec quarterly. A model selection decision that is two-way at launch can become one-way by year two if no one tracked the accumulating integration depth.

Why data retention is almost always one-way

The default data retention posture set on day one of a customer-facing AI feature is the gate most often misclassified. The engineering team treats it as a configuration value that can be changed in a future release. In operational reality it is one of the closest things to a one-way door in the framework. Customers form expectations about what is retained and for how long. Sales and marketing build the value proposition around the posture. Regulators may codify the position as a baseline expectation in the sector. Changing the default later requires a customer-communication event, often triggers attrition, and in some jurisdictions requires regulatory notification.

The reversibility cost of changing a retention default 18 months after launch is in the same order of magnitude as the cost of changing a public regulatory positioning. The framework treats it that way. The decision belongs at the CAIO and General Counsel level, with explicit written-down options and trade-offs, and a board awareness moment.

A review schedule that actually runs

A framework that is invoked only at the decision moment is a framework that misses the slow accumulation of reversibility cost. The schedule below is the cadence that makes the framework operational rather than ornamental.

CadenceWhat happens
On every gate decision Name the door (one-way / two-way / conditional). Name the reversibility cost. Name the owner. Name the trigger for a re-decision.
Quarterly Re-audit two-way-door decisions whose reversibility cost has grown. A door that was two-way at launch can become one-way over time as integrations deepen.
Annually Re-audit one-way-door decisions for whether the original posture still serves. Regulatory positions and data retention defaults are the most common candidates.
On any major model or vendor event Open the framework. Many AI governance decisions made under one set of vendor assumptions need re-decision when the vendor landscape moves materially.

The TBPN bit, and where it sits in the toolbox

The TBPN red-button-blue-button segment is a memory device that travels well across a leadership team. It is useful for that reason and not because it is the rigorous version of the framework. The rigorous version is Bezos, and the practical version for AI in 2026 is the six-gate mapping on this page. Use whichever metaphor your audience absorbs; do not let the metaphor do the work. The work is naming the door, writing the reversibility cost, and assigning the named owner before the decision goes through.

Cross-link: the framework feeds the broader governance work. The AI governance hub covers the top-level operating model; the AI governance roles page covers who owns which gate; the vendor capture risk page covers a related decision class where reversibility erodes silently over time.

AI Reversibility Framework: Frequently Asked Questions

What is an example of a one-way-door decision?
Bezos’s canonical examples in the 1997 and subsequent Amazon shareholder letters: launching a public-facing product under the brand, taking a public position on a regulatory question, signing a long-term exclusive partnership, hiring or firing a senior executive. In an AI context the one-way-door decisions are: committing to a multi-year compute contract on a specific GPU class, fine-tuning a foundation model on proprietary data under terms that do not allow export, setting a default data-retention posture on a customer-facing AI feature, and choosing a regulatory positioning that has to be defended publicly.
What is Jeff Bezos’s 70 percent rule?
Bezos has described the rule in interviews and shareholder letters as follows: high-quality decisions need to be made with about 70 percent of the information you wish you had. Waiting for 90 percent is slow enough that the cost of slowness exceeds the cost of being wrong on the remaining 20 percent. The rule applies to two-way-door decisions, where the cost of being wrong is low because the decision can be reversed. One-way-door decisions are the exception: those merit slower, more careful analysis because the cost of being wrong is not symmetric.
What is the difference between a one-way door and a two-way door?
Two-way-door decisions can be reversed at low cost. The lesson Bezos draws is to make them quickly and at the lowest defensible level of the organization. One-way-door decisions cannot be reversed at low cost. The lesson is to make them slowly, deliberately, and at a senior level with named accountability. The framework is symmetric: misclassifying a one-way door as two-way is dangerous, misclassifying a two-way door as one-way is slow.
What are the 3 Cs of decision-making?
A common framing in management literature is Context, Consequences, and Commitment. Context: what is the decision actually about, what changes are happening around it. Consequences: who is affected and by how much, with attention to second-order effects. Commitment: who owns the decision and what is the next reversibility step. For AI governance the most useful version is: which door, who owns it, what triggers a re-decision. The framework on this page is essentially that, applied to four specific AI governance gates.
How does reversibility apply to model selection?
Model selection is usually closer to a two-way door than CTOs assume, with one caveat. The selection itself can be reversed in 60 to 120 days at most production scales if the integration was built with portability in mind. The caveat is what was built on top of the model: prompts, evaluation harnesses, fine-tuned weights, agent tooling. Each layer that has been tuned to the specific model adds reversibility cost. The framework forces the question: what would it cost us to swap the model 18 months from now, and is the answer acceptable.
Is data retention an AI governance gate?
Yes, and it is the most under-appreciated one. The default-retention posture set on day one of a customer-facing AI feature is, in practice, very close to a one-way door. Customers form expectations, regulators may codify the position, and changing the default later requires a customer-communication event that triggers attrition. The reversibility framework treats data retention defaults as a senior decision deserving the same deliberation as a regulatory positioning.
What about the red-button / blue-button thing?
TBPN has run a recurring bit through 2026 about red-button versus blue-button decisions, with the buttons standing in for a heuristic about consequence and reversibility. The bit is useful as a memory device and dismissive as analysis. The framework on this page does not depend on the TBPN version; it derives from Bezos’s one-way-door / two-way-door framing, which predates the bit by decades and is the more rigorous parent. Use the metaphor that lands with your audience; the underlying discipline is the same.
·
Thomas Prommer
Thomas Prommer Technology Executive — CTO/CIO/CTAIO

These salary reports are built on firsthand hiring experience across 20+ years of engineering leadership (adidas, $9B platform, 500+ engineers) and a proprietary network of 200+ executive recruiters and headhunters who share placement data with us directly. As a top-1% expert on institutional investor networks, I've conducted 200+ technical due diligence consultations for PE/VC firms including Blackstone, Bain Capital, and Berenberg — work that requires current, accurate compensation benchmarks across every seniority level. Our team cross-references recruiter data with BLS statistics, job board salary disclosures, and executive compensation surveys to produce ranges you can actually negotiate with.

Profile LinkedIn Newsletter

Continue the AI governance cluster

Reversibility is one lens. The rest of the cluster covers policy, audit, roles, and the responsible-AI baseline.

AI Policy Template Vendor Capture Risk → AI Governance hub