Overview
Recovery is the complement of failure. Where failure taxonomies describe what goes wrong, this taxonomy describes what systems can do about it. Recovery mechanisms are organized into five categories, from immediate detection to full escalation.
Category A: Detection
Runaway Optimization Detectors
Monitors that detect when a system is optimizing past its safety constraints or pursuing goals with increasing intensity.
State Divergence Monitors
Systems that compare expected state with actual state, flagging when the gap exceeds safety thresholds.
Human Proximity / Anomaly Sensing
Physical-world sensors that detect unusual conditions, unexpected human presence, or environmental changes that require caution.
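A minimal implementation of the two software-side detectors above (a state divergence monitor and a runaway optimization detector), added here as an example; it is not code from this taxonomy or from any product it describes. The telemetry stream, the thresholds, the window length and the class names are all constructed for illustration:

```python
"""Added example (not the page's own code): a state-divergence monitor and a
runaway-optimization detector run over a constructed telemetry stream.
Thresholds, field names and the telemetry itself are hypothetical."""
import math
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class DivergenceMonitor:
    """Flags when the expected/actual state gap exceeds a threshold for
    `consecutive_required` samples in a row (debounced so that one noisy
    sample does not trip it)."""
    threshold: float
    consecutive_required: int = 2
    streak: int = 0

    def check(self, expected, actual) -> Tuple[float, bool]:
        gap = math.dist(expected, actual)
        self.streak = self.streak + 1 if gap > self.threshold else 0
        return gap, self.streak >= self.consecutive_required


@dataclass
class RunawayDetector:
    """Flags the signature of a controller optimising into a constraint:
    commanded effort rising on every sample of the window while the
    measured safety margin shrinks on every sample."""
    window: int = 4
    efforts: List[float] = field(default_factory=list)
    margins: List[float] = field(default_factory=list)

    def check(self, effort: float, margin: float) -> bool:
        self.efforts = (self.efforts + [effort])[-self.window:]
        self.margins = (self.margins + [margin])[-self.window:]
        if len(self.efforts) < self.window:
            return False
        rising = all(b > a for a, b in zip(self.efforts, self.efforts[1:]))
        shrinking = all(b < a for a, b in zip(self.margins, self.margins[1:]))
        return rising and shrinking


# Constructed telemetry: (expected_xy, actual_xy, commanded_effort, safety_margin)
TELEMETRY = [
    ((0.0, 0.0), (0.01, 0.0), 1.0, 0.50),
    ((0.1, 0.0), (0.11, 0.0), 1.2, 0.45),
    ((0.2, 0.0), (0.35, 0.0), 1.5, 0.40),  # one-off gap: must not trip
    ((0.3, 0.0), (0.31, 0.0), 1.4, 0.42),
    ((0.4, 0.0), (0.60, 0.0), 1.8, 0.30),
    ((0.5, 0.0), (0.80, 0.0), 2.3, 0.20),  # second consecutive large gap
    ((0.6, 0.0), (0.90, 0.0), 2.9, 0.10),  # effort up, margin down for 4 ticks
]


def run_monitors(telemetry, gap_threshold: float = 0.10) -> List[Tuple[int, str]]:
    """Return (tick, kind) events; an empty list means nothing was flagged."""
    divergence = DivergenceMonitor(threshold=gap_threshold)
    runaway = RunawayDetector(window=4)
    events = []
    for tick, (expected, actual, effort, margin) in enumerate(telemetry):
        _, diverged = divergence.check(expected, actual)
        if diverged:
            events.append((tick, "divergence"))
        if runaway.check(effort, margin):
            events.append((tick, "runaway"))
    return events


if __name__ == "__main__":
    for tick, kind in run_monitors(TELEMETRY):
        print(f"tick {tick}: {kind}")
```

The debounce in the divergence monitor and the full-window requirement in the runaway detector are deliberate: a detector that trips on a single sample produces the flapping that tempts operators to mute it, which is how an explicit recovery path turns into silent degradation.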
Category B: Containment
Physical Force Limiting
Limits on force output, in hardware and in software. Only the hardware limits still hold when the control system itself fails; a software limit runs on the very system that may have failed, so it is a first line of defence, not the last.
Workspace Geofencing
Virtual boundaries that constrain where an embodied agent can operate, shrinking automatically under unsafe conditions.
Capability Throttling
Progressive reduction of available capabilities as uncertainty or risk increases.
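Workspace geofencing and capability throttling are usually driven by the same risk signal, so the following added example implements both against one risk ladder. It is illustration written for this page, not code from the taxonomy or any product; the risk levels, fence margins, speed and force caps and the cell size are assumed values:

```python
"""Added example (not the page's own code): a workspace geofence that shrinks
with the current risk level and a capability throttle that caps speed and
force at that level. Risk levels, margins and caps are hypothetical."""
from dataclasses import dataclass
from typing import Dict, Tuple

RISK_ORDER = ("nominal", "elevated", "critical")

# Assumed inset of the fence at each risk level, in metres.
RISK_MARGIN = {"nominal": 0.0, "elevated": 0.5, "critical": 1.5}

# Assumed caps: max speed (m/s) and max force (N) per level; speed 0.0 means halt.
CAPABILITY_CAPS = {
    "nominal": {"max_speed": 1.0, "max_force": 100.0},
    "elevated": {"max_speed": 0.3, "max_force": 40.0},
    "critical": {"max_speed": 0.0, "max_force": 10.0},
}


@dataclass(frozen=True)
class Fence:
    x_min: float
    x_max: float
    y_min: float
    y_max: float

    def inset(self, margin: float) -> "Fence":
        return Fence(self.x_min + margin, self.x_max - margin,
                     self.y_min + margin, self.y_max - margin)

    def contains(self, x: float, y: float) -> bool:
        # A fence inset past its own centre is empty: nothing is inside it.
        if self.x_min >= self.x_max or self.y_min >= self.y_max:
            return False
        return self.x_min <= x <= self.x_max and self.y_min <= y <= self.y_max


class RiskLadder:
    """Risk only ratchets upward automatically; lowering it is an explicit,
    logged operator action, so the fence cannot flap open on its own."""

    def __init__(self):
        self.level = "nominal"
        self.log = []

    def raise_to(self, level: str, cause: str) -> str:
        if RISK_ORDER.index(level) > RISK_ORDER.index(self.level):
            self.level = level
            self.log.append(("raise", level, cause))
        return self.level

    def clear(self, operator: str) -> str:
        self.log.append(("clear", self.level, operator))
        self.level = "nominal"
        return self.level


def effective_fence(base: Fence, risk: str) -> Fence:
    return base.inset(RISK_MARGIN[risk])


def gate_command(base: Fence, risk: str, target: Tuple[float, float],
                 speed: float, force: float) -> Dict:
    """Decide whether a motion command may run at this risk level, and clamp it.

    The fence check comes first so that a halted system still reports *why*
    a target was refused, not only that it was."""
    fence = effective_fence(base, risk)
    caps = CAPABILITY_CAPS[risk]
    if not fence.contains(*target):
        return {"allowed": False, "reason": "outside_fence", "speed": 0.0, "force": 0.0}
    if caps["max_speed"] <= 0.0:
        return {"allowed": False, "reason": "halted", "speed": 0.0, "force": 0.0}
    clamped_speed = min(speed, caps["max_speed"])
    clamped_force = min(force, caps["max_force"])
    reason = "ok" if (clamped_speed, clamped_force) == (speed, force) else "throttled"
    return {"allowed": True, "reason": reason, "speed": clamped_speed, "force": clamped_force}


BASE_FENCE = Fence(0.0, 10.0, 0.0, 10.0)  # constructed 10 m x 10 m work cell

if __name__ == "__main__":
    ladder = RiskLadder()
    print(gate_command(BASE_FENCE, ladder.level, (0.3, 5.0), 0.8, 80.0))
    ladder.raise_to("elevated", "human detected at 2 m")
    print(gate_command(BASE_FENCE, ladder.level, (0.3, 5.0), 0.8, 80.0))
    print(gate_command(BASE_FENCE, ladder.level, (5.0, 5.0), 0.8, 80.0))
```

Two design choices matter more than the numbers. The ladder only moves up by itself: de-escalation is a named operator action that lands in the log, which is what keeps the fence from reopening the moment a sensor reading flickers. And a fence that has been inset into nothing is treated as empty rather than inverted, so a large enough margin always halts rather than accidentally permitting everything.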
Category C: Degradation
Reduced Autonomy Modes
Operating modes that require human confirmation for actions that would normally be autonomous.
Safe-Task Subsets
Restricting the system to a pre-validated set of safe tasks, excluding any actions that could cause harm.
Sensor-Only Observation States
Modes where the system can observe but not act, maintaining situational awareness while preventing physical intervention.
Category D: Reversion
Checkpoint Rollback
Reverting the system's own state (configuration, plans, learned parameters) to a known-safe checkpoint, discarding changes made since that point. Rollback undoes internal state only; effects already produced in the physical world are not reverted and must be handled by the other categories.
Skill Unlearning
Removing specific learned behaviors that have been identified as unsafe, without affecting core capabilities.
Parameter Reset to Known-Safe Baselines
Resetting model parameters or configuration to a pre-deployment baseline when drift is detected.
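Checkpoint rollback and parameter reset both hinge on the same question: is the target you are reverting to actually the one that was verified safe? The following added example (written for this page, not the taxonomy's or any product's code) shows a checkpoint store whose rollback target must be both reviewer-verified and integrity-checked, plus a drift check that resets parameters to a baseline. The HMAC key, store layout, parameter names and tolerance are assumptions:

```python
"""Added example (not the page's own code): a checkpoint store whose rollback
target must be both reviewer-verified and integrity-checked, plus a drift check
that resets parameters to a known-safe baseline. The HMAC key, store layout and
tolerances are hypothetical."""
import hashlib
import hmac
import json
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed: held by the supervisor, not writable by the controller being
# recovered, so a compromised controller cannot re-sign a checkpoint it altered.
SUPERVISOR_KEY = b"assumed-supervisor-key"


def state_digest(state: Dict) -> str:
    canonical = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SUPERVISOR_KEY, canonical, hashlib.sha256).hexdigest()


@dataclass
class Checkpoint:
    seq: int
    state: Dict
    digest: str
    verified_by: Optional[str] = None


class CheckpointStore:
    def __init__(self):
        self._checkpoints: List[Checkpoint] = []

    def save(self, state: Dict) -> int:
        snapshot = json.loads(json.dumps(state))  # deep copy via JSON round-trip
        cp = Checkpoint(len(self._checkpoints), snapshot, state_digest(snapshot))
        self._checkpoints.append(cp)
        return cp.seq

    def verify(self, seq: int, reviewer: str) -> None:
        """Mark a checkpoint known-safe; refuses if it no longer matches its digest."""
        cp = self._checkpoints[seq]
        if not hmac.compare_digest(state_digest(cp.state), cp.digest):
            raise ValueError(f"checkpoint {seq} failed integrity check")
        cp.verified_by = reviewer

    def latest_verified(self) -> Optional[Checkpoint]:
        """Newest checkpoint that was verified AND still matches its digest.
        A verified-then-altered checkpoint is skipped, not trusted."""
        for cp in reversed(self._checkpoints):
            if cp.verified_by and hmac.compare_digest(state_digest(cp.state), cp.digest):
                return cp
        return None

    def rollback(self) -> Tuple[Dict, int]:
        cp = self.latest_verified()
        if cp is None:
            raise RuntimeError("no verified checkpoint available; escalate to operator")
        return json.loads(json.dumps(cp.state)), cp.seq


def drift(params: Dict[str, float], baseline: Dict[str, float]) -> float:
    """Root-mean-square distance between current parameters and the baseline."""
    total = sum((params.get(k, 0.0) - v) ** 2 for k, v in baseline.items())
    return math.sqrt(total / len(baseline))


def reset_if_drifted(params: Dict[str, float], baseline: Dict[str, float],
                     tolerance: float) -> Tuple[Dict[str, float], bool]:
    """Return (parameters to run with, whether a reset to baseline happened)."""
    if drift(params, baseline) > tolerance:
        return dict(baseline), True
    return dict(params), False


if __name__ == "__main__":
    store = CheckpointStore()
    store.verify(store.save({"pose": [0.0, 0.0], "gain": 1.0}), "reviewer-a")
    store.verify(store.save({"pose": [1.0, 0.0], "gain": 1.2}), "reviewer-a")
    store.save({"pose": [2.0, 0.0], "gain": 3.0})  # never verified: not a target
    print(store.rollback())
    print(reset_if_drifted({"kp": 2.0, "kd": 0.1}, {"kp": 1.0, "kd": 0.1}, 0.1))
```

Note the failure handling: if no verified checkpoint survives the integrity check, `rollback` raises rather than silently picking the newest checkpoint, because an unverified or altered target is exactly the state you were trying to get away from. That exception is the hand-off to Category E.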
Category E: Escalation
Human-in-the-Loop Takeover
Transferring control to a human operator with full context about what went wrong and what the system was doing.
Remote Supervisor Notification
Alerting remote supervisors with diagnostic information, enabling intervention without requiring physical proximity.
Physical Emergency Stop (E-Stop)
Hardware-level shutdown that cuts power or motion without passing through the software stack. The guarantee holds only while the stop circuit stays physically independent of the compute it overrides and is exercised regularly; an E-stop that is merely a button read by the controller is a software control with a red cap.
Anti-Patterns
Recovery Anti-Patterns
These behaviors undermine recovery and should be treated as safety defects:
- Silent degradation — Degrading without observable signals
- Hidden retries — Retrying failed actions without human awareness
- Self-justifying continuation — Rationalizing continued operation past safety boundaries
- “It worked last time” heuristics — Past success as justification for current risk
Rule: Recovery paths must be explicit, inspectable, and testable.
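One way to make that rule concrete, tying together the degradation rungs of Category C, the takeover of Category E and the anti-patterns above, is a recovery ladder in which every rung, every retry and the final escalation are recorded and surfaced. The following is an added example written for this page, not code from the taxonomy or any product; the rung names and the simulated actions are constructed:

```python
"""Added example (not the page's own code): an explicit recovery ladder.
Every rung, retry and escalation is recorded in an audit log and surfaced to
the operator, so there is no silent degradation and no hidden retry. Rung
names and the simulated actions are hypothetical."""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class RecoveryEvent:
    step: str
    outcome: str
    detail: str = ""


@dataclass
class RecoveryLadder:
    """Rungs are tried in order, each at most `max_attempts` times. Human
    takeover is always the final rung and is reached with the full trail."""
    rungs: List[Tuple[str, Callable[[], bool]]]
    max_attempts: int = 2
    audit: List[RecoveryEvent] = field(default_factory=list)
    notifications: List[str] = field(default_factory=list)

    def _record(self, step: str, outcome: str, detail: str = "") -> None:
        self.audit.append(RecoveryEvent(step, outcome, detail))

    def context(self) -> str:
        """Compact trail handed to the human on takeover (or to the log on recovery)."""
        return "; ".join(f"{e.step}={e.outcome}({e.detail})" if e.detail
                         else f"{e.step}={e.outcome}" for e in self.audit)

    def run(self, fault: str) -> str:
        """Return the name of the rung that recovered the system, or 'human_takeover'."""
        self._record("detect", "flagged", fault)
        for name, action in self.rungs:
            for attempt in range(1, self.max_attempts + 1):
                ok = action()
                self._record(name, "ok" if ok else "failed",
                             f"attempt {attempt}/{self.max_attempts}")
                # Every attempt is visible: no hidden retries.
                self.notifications.append(
                    f"{name}: attempt {attempt} {'succeeded' if ok else 'failed'}")
                if ok:
                    return name
        self._record("escalate", "human_takeover", "all rungs exhausted")
        self.notifications.append(f"TAKEOVER REQUIRED for '{fault}': {self.context()}")
        return "human_takeover"


def fails_then_succeeds(failures: int) -> Callable[[], bool]:
    """Constructed action that fails `failures` times, then succeeds."""
    calls = {"n": 0}

    def action() -> bool:
        calls["n"] += 1
        return calls["n"] > failures
    return action


def build_ladder(throttle_fails: int, safe_mode_fails: int,
                 max_attempts: int = 2) -> RecoveryLadder:
    return RecoveryLadder(
        rungs=[
            ("throttle_capabilities", fails_then_succeeds(throttle_fails)),   # Category B
            ("enter_safe_task_subset", fails_then_succeeds(safe_mode_fails)),  # Category C
        ],
        max_attempts=max_attempts,
    )


if __name__ == "__main__":
    ladder = build_ladder(throttle_fails=2, safe_mode_fails=1)
    print(ladder.run("state divergence 0.3 m"))
    print(ladder.context())
```

Because the ladder's behaviour is a pure function of its rungs and attempt budget, the recovery path itself can be unit-tested: the tests can assert which rung recovered, how many attempts were spent, and that exhaustion ends in takeover with the trail attached rather than in another quiet retry.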