Policy Hot-Patch Rollback Governance

2. Summary

Policy Hot-Patch Rollback Governance requires that emergency policy changes (hot-patches) can be rapidly and safely rolled back when they create new errors, expand blind spots, or introduce unintended consequences. The rollback mechanism must restore a known-good policy version (verified via AG-269), execute atomically (no mixed-state decisions during rollback), complete within a defined time window, and preserve full provenance of the rollback action itself. This dimension recognises that emergency policy changes carry elevated risk because they bypass normal validation processes (sandbox testing, full test suite execution, peer review), and mandates that the rollback capability is tested, automated, and available at all times as a safety net for the emergency change process.

3. Example

Scenario A — Hot-Patch Creates Worse Problem Than It Solves: A customer-facing agent is exploited by fraudsters who discover that certain product codes bypass the fraud detection rules. An emergency hot-patch is deployed to block all transactions containing those product codes. The patch is effective against the fraud — but it also blocks 2,400 legitimate transactions per hour that use the same product codes for valid purchases. The organisation needs to roll back the patch, but the rollback process requires a deployment through the standard CI/CD pipeline with a 45-minute build-test-deploy cycle. During those 45 minutes, 1,800 legitimate transactions are blocked.

What went wrong: The rollback mechanism was the same deployment pipeline used for normal changes, with the same latency. No fast-path rollback existed. Consequence: 1,800 legitimate transactions blocked during rollback, estimated revenue loss of £135,000, customer complaints, and damage to the organisation's reliability reputation.

Scenario B — Rollback Restores Wrong Version: A safety-critical agent receives a hot-patch that narrows the acceptable range for a chemical concentration parameter from 2.0-4.0 ppm to 2.5-3.5 ppm. The patch causes false alarms that disrupt operations. The operator initiates a rollback, intending to restore the original 2.0-4.0 ppm range. However, the rollback mechanism restores the "previous version" — which is not the original 2.0-4.0 ppm range but an intermediate version (2.2-3.8 ppm) that was active for only 6 hours before the hot-patch. The original 2.0-4.0 ppm range is two versions back.

What went wrong: The rollback mechanism assumed "rollback = previous version" rather than allowing the operator to specify the target version. The version history was a stack where only the top was accessible. Consequence: Operations restored to an intermediate version that was itself non-optimal, requiring a second rollback (which then restored the hot-patch version, creating a loop), and eventually manual intervention to specify the correct version.

Scenario C — Rollback Leaves Orphaned State: An enterprise workflow agent receives a hot-patch that changes the approval routing for high-value procurement. The patch routes approvals to a new approval group. During the 3 hours the patch is active, 47 approval requests are routed to the new group. When the patch is rolled back, the routing reverts to the original approval group — but the 47 pending approvals remain assigned to the new group, which no longer exists in the routing table. The approvals are neither processed nor re-routed. They remain in a limbo state until a support ticket is filed 5 days later.

What went wrong: The rollback reverted the policy but did not address in-flight work items created under the patched policy. Orphaned state — work items associated with a policy version that is no longer active — was not handled. Consequence: 47 procurement approvals delayed by 5 days, aggregate value of delayed approvals: £1.9 million, operational disruption, manual remediation required.

4. Requirement Statement

Scope: This dimension applies to all AI agents that support emergency policy changes (hot-patches). Any system where policy can be changed outside the normal change management process — for example, to respond to an active exploit, a regulatory emergency, a safety incident, or a critical business disruption — is within scope. Systems that do not permit any policy changes outside the normal process are excluded, though organisations should consider whether this restriction is sustainable under emergency conditions. The scope extends to the full rollback lifecycle: the decision to roll back, the execution of the rollback, the handling of in-flight work items, and the post-rollback verification.

4.1. A conforming system MUST provide a rollback mechanism that can restore any previously verified policy version (identified by its content-addressable hash per AG-269) within a defined maximum rollback time (recommended: 60 seconds for customer-facing agents, 30 seconds for safety-critical agents).

4.2. A conforming system MUST execute rollbacks atomically — no decision is evaluated under a mixed state during the rollback transition. Every decision is evaluated under either the pre-rollback version or the post-rollback version, not a combination.

4.3. A conforming system MUST allow the operator to specify the target rollback version by its version identifier, not merely "rollback to previous version," to avoid the wrong-version problem in Scenario B.

4.4. A conforming system MUST record full provenance for the rollback action per AG-277: who initiated the rollback, the reason, the source version (being rolled back from), the target version (being rolled back to), and the timestamp.

4.5. A conforming system MUST verify that the target rollback version is a previously verified version (i.e., it passed compilation verification per AG-270 and test suite per AG-271 at some prior point), preventing rollback to an unverified or corrupted version.

4.6. A conforming system MUST define and implement a strategy for in-flight work items created under the hot-patched policy: either complete them under the patched policy, re-evaluate them under the rollback version, or route them for manual review.

4.7. A conforming system SHOULD implement automated rollback triggers based on defined health metrics — for example, if the rejection rate exceeds 2x the baseline within 15 minutes of a hot-patch deployment, automatically initiate a rollback.

4.8. A conforming system SHOULD perform post-rollback verification that confirms the rollback version is active and producing expected outcomes for a sample of test inputs.

4.9. A conforming system MAY implement staged rollback for multi-region deployments, rolling back one region first to verify the rollback is effective before rolling back all regions.

5. Rationale

Emergency policy changes are inherently high-risk because they bypass the safeguards designed to catch errors: sandbox simulation (AG-275), full test suite execution (AG-271), and peer review. The organisation accepts this risk because the emergency — an active exploit, a safety incident, a regulatory deadline — outweighs the risk of an untested change. But the elevated risk means the change is more likely to introduce new problems.

Rollback is the safety net. If the hot-patch creates new errors or expands blind spots, rollback restores a known-good state. But the safety net only works if it is fast, reliable, and correct. A rollback that takes 45 minutes (Scenario A) is not a safety net — it is a slow recovery process during which the new errors continue to accumulate. A rollback that restores the wrong version (Scenario B) replaces one problem with a different one. A rollback that leaves orphaned state (Scenario C) creates a class of problems that may not be discovered for days.

The speed requirement (4.1) exists because the damage from a faulty hot-patch accumulates linearly with time. A customer-facing agent processing 2,400 decisions per hour will make 2,400 decisions under the faulty patch for every hour the rollback is delayed. A 60-second rollback limits the exposure to approximately 40 decisions. A 45-minute rollback exposes approximately 1,800 decisions.

The version-specification requirement (4.3) exists because the version history is not always a simple linear sequence. Hot-patches may be applied on top of other hot-patches. Rolling back to "the previous version" may restore an intermediate state rather than the known-good state the operator intends. Specifying the target version by its content-addressable hash eliminates this ambiguity.

The in-flight work item requirement (4.6) addresses a category of failures that most rollback mechanisms ignore. When a hot-patch changes the behaviour of the system and work items are created under the patched behaviour, rolling back the policy does not automatically handle those work items. They exist in a state that was valid under the patch but may not be valid under the rollback version. Without a defined strategy, they become orphaned.

6. Implementation Guidance

Recommended patterns:

• Blue-green policy rollback. Maintain two policy slots: active and standby. The current production policy occupies the active slot. When a rollback is needed, load the target version into the standby slot, verify it, and atomically swap the active pointer. All in-flight decisions complete under the active slot's version at the time they began evaluation (per the snapshot-at-evaluation-start pattern from AG-273). The swap completes in sub-second time because it is a pointer change, not a deployment.
• Version-addressed rollback. The rollback command accepts a target version identifier (content-addressable hash per AG-269). The system resolves the hash to the stored policy content, verifies the content's integrity (recompute hash, confirm match), verifies that the version has a prior verification record (AG-270, AG-271), and loads it into the standby slot. If any verification step fails, the rollback is aborted with a structured error.
• In-flight work item triage. Define three strategies for in-flight items, selected per policy domain: (1) Complete under patched policy — items already in progress finish under the rules that were active when they started; suitable for short-lived items. (2) Re-evaluate under rollback version — items are re-submitted for evaluation under the restored policy; suitable for items where the patched policy may have produced incorrect outcomes. (3) Manual review queue — items are routed to a human queue for manual resolution; suitable for ambiguous cases. The strategy is defined per policy domain, not per rollback.
• Automated rollback triggers. Define health metrics with rollback thresholds: rejection rate (baseline + 2x standard deviation), error rate (any increase above baseline), processing time (p99 latency exceeding 2x baseline). Monitor these metrics continuously after a hot-patch. If any threshold is breached within the observation window (recommended: 15 minutes), automatically initiate a rollback to the pre-patch version. The automatic rollback is logged with the triggering metric and value.
• Rollback drill testing. Periodically (recommended: quarterly) conduct a rollback drill: deploy a test hot-patch to a non-production environment, verify it takes effect, then roll it back. Measure rollback time, verify atomicity, and confirm that post-rollback verification passes. The drill validates that the rollback mechanism works under realistic conditions.

Anti-patterns to avoid:

• Using the deployment pipeline for rollbacks. The deployment pipeline (build, test, deploy) is designed for forward progress, not for emergency recovery. A rollback through the deployment pipeline inherits the pipeline's latency (minutes to hours). Rollback must be a separate, fast-path mechanism that bypasses the build step.
• "Rollback to previous" without version specification. When multiple hot-patches have been applied, "previous" is ambiguous. The operator must be able to specify the exact version to restore, using a version identifier they can verify against the version store.
• Ignoring in-flight work items. A rollback that reverts the policy but leaves in-flight items in a state created by the patched policy creates orphaned state. The organisation must define what happens to these items.
• Rolling back without provenance. A rollback is itself a policy change and must be tracked with the same provenance as any other change. An undocumented rollback creates the same accountability gap as an undocumented forward change.
• Assuming rollback always fixes the problem. Rolling back to a known-good version restores the policy to a prior state. If the emergency that prompted the hot-patch is still active (e.g., the exploit is ongoing), rolling back may re-expose the original vulnerability. The rollback decision must consider whether the original problem is worse than the hot-patch's side effects.

Industry Considerations

Financial Services. Hot-patches to fraud detection rules are common when new fraud patterns are detected. The rollback capability must be tested against the speed of financial transactions — a 60-second rollback for a system processing 100 transactions per second means approximately 6,000 transactions are affected during the rollback window. The FCA expects firms to have documented incident response procedures that include the ability to "revert to a known-good state."

Healthcare. Hot-patches to clinical decision support rules may be necessary when a drug safety alert is issued. Rollback must consider patient safety: rolling back a patch that added a contraindication check re-exposes patients to the contraindicated drug. The in-flight work item strategy for clinical settings must prioritise patient safety over operational simplicity.

Critical Infrastructure. Hot-patches to safety parameters must be rollable with sub-30-second execution. Safety-critical systems should maintain the ability to roll back to the last certified safety case version at all times, independent of the number of patches applied since certification.

Maturity Model

Basic Implementation — A rollback mechanism exists that can restore a previous policy version. Rollback is initiated manually and specifies the target version. Rollback time is under 5 minutes for most systems. Provenance is recorded for rollback actions. In-flight work items are not systematically addressed.

Intermediate Implementation — Rollback time is under 60 seconds. Atomicity is guaranteed (no mixed-state decisions). The target version is verified against prior compilation and test records before restoration. In-flight work item strategies are defined and implemented per policy domain. Post-rollback verification confirms the correct version is active. Rollback provenance includes the triggering reason and the initiator.

Advanced Implementation — All intermediate capabilities plus: automated rollback triggers based on health metrics, with sub-30-second execution for safety-critical systems. Rollback drills are conducted quarterly. Staged rollback for multi-region deployments. In-flight work item re-evaluation is automated. The rollback mechanism is independently tested by adversarial teams. The system can roll back through multiple version layers to any verified version, not just the immediately previous one.

7. Evidence Requirements

Required artefacts:

• Rollback capability demonstration. Evidence of at least one rollback execution (in production or drill), showing: target version, rollback initiation time, rollback completion time, post-rollback verification result, and provenance record. Format: structured log and timing data.
• Rollback time measurement. Measured rollback time for the most recent rollback execution, demonstrating compliance with the defined maximum (60 seconds or 30 seconds for safety-critical). Format: timing log with timestamps.
• In-flight work item strategy. Documentation of the in-flight work item strategy per policy domain, with evidence of implementation. Format: policy document and implementation evidence.
• Rollback drill records. Records of rollback drills conducted within the last 12 months, showing: drill scenario, rollback execution, verification results, and any findings. Format: drill report.

Retention requirements:

• Rollback provenance records: aligned with policy version retention per AG-269. Drill records: minimum 3 years.

Access requirements:

• Producible to regulators or auditors within 48 hours of request.

8. Test Specification

Test 8.1: Rollback Speed

• Stimulus: Deploy a hot-patch, then initiate a rollback to a specified target version. Measure the time from rollback initiation to rollback completion (defined as the first decision evaluated under the target version).
• Expected behaviour: Rollback completes within the defined maximum time (60 seconds for customer-facing, 30 seconds for safety-critical).
• Pass criteria: Rollback completion time is within the defined maximum.
• Fail criteria: Rollback exceeds the defined maximum time.

Test 8.2: Rollback Atomicity

• Stimulus: During a rollback, submit 100 decision requests. Examine each decision's policy version tag (per AG-269).
• Expected behaviour: Every decision is evaluated under either the pre-rollback version or the post-rollback version. No decision is evaluated under a mixed state.
• Pass criteria: 100% of decisions are tagged with either the source or target version — no mixed-version decisions.
• Fail criteria: Any decision is evaluated under a version that is neither the source nor the target.

Test 8.3: Version-Specific Rollback

• Stimulus: Apply three hot-patches in sequence (versions A -> B -> C -> D). Initiate a rollback specifying version B (not the immediately previous version C).
• Expected behaviour: The system restores version B, skipping version C.
• Pass criteria: The active policy after rollback is version B, verified by content hash.
• Fail criteria: The system restores version C (most recent previous) instead of the specified version B.

Test 8.4: Verification Gate on Rollback Target

• Stimulus: Attempt to roll back to a version identifier that does not exist in the version store, or to a version that never passed compilation verification.
• Expected behaviour: The system rejects the rollback and retains the current version.
• Pass criteria: Rollback to unverified or non-existent versions is blocked.
• Fail criteria: The system rolls back to an unverified version.

Test 8.5: In-Flight Work Item Handling

• Stimulus: Deploy a hot-patch that changes the routing of work items. Create 20 work items under the patched policy. Initiate a rollback. Monitor the 20 work items.
• Expected behaviour: The 20 work items are handled according to the defined strategy (completed under patch, re-evaluated under rollback, or routed to manual review). No work items are orphaned.
• Pass criteria: All 20 work items are accounted for per the defined strategy.
• Fail criteria: Any work item is orphaned (neither processed nor queued for review).

Test 8.6: Rollback Provenance Recording

• Stimulus: Initiate a rollback. Query the provenance ledger for the rollback event.
• Expected behaviour: The provenance ledger contains a record showing: initiator, reason, source version, target version, timestamp, and outcome.
• Pass criteria: The rollback provenance record is complete and immutable.
• Fail criteria: The rollback provenance record is missing, incomplete, or mutable.

Test 8.7: Automated Rollback Trigger

• Stimulus: Deploy a hot-patch that causes the rejection rate to exceed 2x the baseline within 15 minutes.
• Expected behaviour: The automated trigger detects the metric breach and initiates a rollback to the pre-patch version without manual intervention.
• Pass criteria: The automated rollback is initiated within the defined monitoring window and completes within the defined maximum time.
• Fail criteria: The automated trigger does not fire, or the rollback requires manual intervention.

Conformance Scoring

• Score 0: No rollback capability — hot-patches can only be reversed by deploying a new forward change through the standard pipeline.
• Score 1: A rollback mechanism exists but is slow (>5 minutes), does not guarantee atomicity, and only supports "rollback to previous" without version specification.
• Score 2: Fast rollback (within 60 seconds), atomic execution, version-specific target, verified target version, in-flight work item strategy implemented, and full provenance for rollback actions.
• Score 3: All Score 2 capabilities plus automated rollback triggers, sub-30-second execution for safety-critical systems, staged multi-region rollback, quarterly rollback drills, and independently tested rollback mechanism.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 9 (Risk Management System)	Supports compliance
DORA	Article 11 (ICT Response and Recovery)	Direct requirement
FCA SYSC	6.1.1R (Systems and Controls)	Direct requirement
NIST AI RMF	MANAGE 2.4 (Risk Response), MANAGE 4.2	Supports compliance
ISO 42001	Clause 8.2 (AI Risk Assessment), Clause 10.2 (Nonconformity and Corrective Action)	Supports compliance
IEC 61511	Clause 16 (SIS Modification)	Supports compliance
NIST CSF	RS.MI (Mitigation)	Supports compliance

DORA — Article 11 (ICT Response and Recovery)

Article 11 requires financial entities to have "comprehensive ICT business continuity and ICT disaster recovery plans" including the ability to "restore ICT systems and data from backups." For AI agents governed by policy, rollback is the recovery mechanism — it restores the decision system to a known-good policy version. DORA's emphasis on recovery time objectives (RTOs) maps directly to the rollback speed requirements. A 45-minute rollback may exceed the RTO for critical decision systems.

FCA SYSC — 6.1.1R

The FCA expects firms to maintain "adequate" systems and controls. For AI-governed systems, this includes the ability to quickly revert changes that cause problems. A firm that deploys a faulty hot-patch and cannot revert it for 45 minutes has inadequate incident response controls. The FCA's expectations are informed by the speed of financial transactions — a 45-minute outage or malfunction in a high-throughput system can affect thousands of decisions.

IEC 61511 — Clause 16

Clause 16 requires that modifications to safety instrumented systems can be reversed if they create unsafe conditions. For AI-governed safety parameters, the hot-patch rollback mechanism implements this reversibility requirement. The rollback time for safety-critical systems must be fast enough to prevent the unsafe condition from causing harm — which for chemical process safety typically means sub-30 seconds.

NIST CSF — RS.MI (Mitigation)

The NIST Cybersecurity Framework's Response category includes mitigation activities: "Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident." Rollback is a primary mitigation activity for policy-related incidents — it stops the faulty policy from affecting additional decisions.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	All decisions affected during the rollback delay, plus orphaned in-flight work items

Consequence chain: Without fast, reliable rollback, a faulty hot-patch continues to affect decisions for the duration of the recovery process. The immediate technical failure is the inability to quickly restore a known-good policy version. The operational impact is measured in decisions: a customer-facing agent processing 2,400 decisions per hour accumulates 40 affected decisions per minute of rollback delay. A 45-minute delay produces 1,800 affected decisions. For safety-critical agents, the impact is measured in time outside the safety envelope: 45 minutes of operation under a faulty safety parameter can create cumulative risk (e.g., elevated chemical concentrations). The business consequence includes: revenue loss from blocked legitimate transactions (£135,000 in Scenario A), customer harm from incorrect decisions, regulatory scrutiny for inadequate incident response, and reputational damage from visible service disruption. The orphaned work item problem (Scenario C) creates a delayed consequence: work items stuck in an invalid state may not be discovered for days, creating a second wave of operational disruption. The compounding factor is that hot-patches are deployed during emergencies — exactly when the organisation can least afford additional problems from a failed rollback.

Cross-references: AG-269 (Policy Version Pinning Governance) provides the content-addressable version identifiers that enable precise rollback targeting. AG-277 (Policy Change Provenance Governance) tracks provenance for both the hot-patch and the rollback. AG-270 (Policy Compilation Verification Governance) provides the verification records that confirm the rollback target is a verified version. AG-271 (Rule-Test Coverage Governance) provides the test suite that post-rollback verification can use. AG-273 (Temporal Policy Trigger Governance) provides the atomicity pattern (snapshot-at-evaluation-start) that rollback uses to prevent mixed-state decisions. AG-275 (Policy Simulation Sandbox Governance) provides the sandbox that the hot-patch should have used but bypassed due to emergency. AG-134 (Machine-Checkable Policy Semantics) enables automated verification that the rolled-back version is semantically correct. AG-135 (Policy Precedence and Conflict Arbitration) ensures that precedence is correctly restored during rollback. AG-007 (Governance Configuration Control) governs the rollback process itself. AG-136 (Independent Control-Plane Separation) supports the requirement that rollback is executed by infrastructure independent of the agent. AG-138 (High-Assurance Invariant Verification) provides formal verification that rollback preserves safety invariants.