If AI is going to work inside a real project, it should not freely modify your main working directory.
Your normal checkout may contain uncommitted changes, temporary debugging code, unsynced documents, production configuration, or personal scripts. If an AI agent deletes, rewrites, or runs the wrong thing there, accountability becomes messy.
That is why a project-specific AI delivery pipeline needs work isolation and stage-gated workers.
Isolation is not distrust
Isolation does not mean you expect AI to fail; it is normal engineering practice.
Human engineers use branches, PRs, CI, review, and release gates. AI should be placed in a similarly traceable workspace.
Isolation can take many forms:
- a Git branch;
- a worktree;
- a slot workspace;
- a sandbox;
- a temporary project directory;
- a dedicated evidence directory;
- constrained tool permissions.
The important point is that AI execution is separated from the user's normal workspace.
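As a minimal sketch of the worktree option (the branch naming and directory layout here are illustrative, not a prescribed convention), each task can get its own directory on its own branch, leaving the user's checkout untouched:

```python
import subprocess
from pathlib import Path

def create_task_workspace(repo: Path, task_id: str, base: str = "main") -> Path:
    """Create an isolated Git worktree plus branch for one AI task.

    The worker edits only inside the returned directory; the user's
    normal checkout at `repo` is never modified.
    """
    branch = f"ai/{task_id}"                          # illustrative naming scheme
    workdir = repo.parent / f"{repo.name}-{task_id}"  # sibling directory per task
    subprocess.run(
        ["git", "-C", str(repo), "worktree", "add", "-b", branch, str(workdir), base],
        check=True,
    )
    return workdir
```

Because a worktree shares the repository's object store, cleanup is also traceable: removing the worktree and deleting the branch leaves an auditable trail in reflogs rather than loose files in the main checkout.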
A branch can also be a claim lock
In multi-worker settings, isolation also solves concurrency.
If two AI workers handle the same issue, they may overwrite each other, open duplicate PRs, or corrupt task state. A clear branch claim or workspace slot tells the system that the task is already being handled.
That is more reliable than a chat message saying "I am working on it."
Project state should live in GitHub, issue comments, labels, branches, manifests, or another external system, not only in the model context.
Workers should not jump to the end
AI tends to treat a task as one continuous action: read, edit, test, summarize.
Real projects need stages.
A more stable worker flow is:
triage -> analysis -> implementation -> validation -> evidence packaging -> PR or handoff
High-risk systems should separate even more:
release readiness -> release approval -> deployment -> production verification -> done
Each stage has different permissions. Triage can read code but should not freely edit business logic. Analysis can propose a plan but should stop on high risk. Implementation can modify files but must produce evidence. Release should usually be a separate boundary.
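One way to encode this is an explicit transition table the worker cannot skip. The stage names follow the flow above; the per-stage permission sets are illustrative, and a real system would enforce them at the tool layer, not just in the prompt:

```python
STAGES = ["triage", "analysis", "implementation",
          "validation", "evidence", "handoff"]

# Illustrative permissions per stage (assumed, not a standard scheme):
PERMISSIONS = {
    "triage":         {"read"},
    "analysis":       {"read", "plan"},
    "implementation": {"read", "edit"},
    "validation":     {"read", "run_tests"},
    "evidence":       {"read", "write_evidence"},
    "handoff":        {"read", "open_pr"},
}

def advance(current: str, gate_passed: bool) -> str:
    """Move to the next stage only if the current stage's gate passed."""
    if not gate_passed:
        raise RuntimeError(f"gate failed at {current}: stop, do not skip ahead")
    i = STAGES.index(current)
    return current if i == len(STAGES) - 1 else STAGES[i + 1]
```

The point of the explicit table is that "triage cannot edit" is a property of the system, checkable in code, rather than an instruction the model might forget.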
What stage gates do
Stage gates are not there to slow everything down; they surface failures earlier, when they are cheaper to fix.
Finding unclear requirements during triage is cheaper than finding them in a PR. Finding high risk during analysis is cheaper than after implementation. Finding missing evidence before review is cheaper than finding it in production.
This follows the same logic as a deployment pipeline: each stage increases confidence and usually costs more. The later the stage, the more careful the process should be.
Guarded full-speed is not blind execution
I like full-speed execution, but only as guarded full-speed.
Guarded means:
- the task contract is clear;
- the context package is prepared;
- the workspace is isolated;
- high-risk boundaries are written down;
- validation commands and evidence requirements are defined;
- stop conditions are enforced.
Under those conditions, AI can ask fewer unnecessary questions, keep moving, debug failing tests, and package evidence.
Without those conditions, "full speed" is just faster loss of control.
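The guard list above can be made executable as a preflight check before the worker is allowed to run. The field names here are assumptions for the sketch, not a standard schema:

```python
from dataclasses import dataclass, field

@dataclass
class TaskGuard:
    """Preconditions for letting a worker run at full speed."""
    contract: str = ""                                   # what "done" means
    context_package: list = field(default_factory=list)  # prepared inputs
    workspace_isolated: bool = False
    risk_boundaries: list = field(default_factory=list)
    validation_commands: list = field(default_factory=list)
    stop_conditions: list = field(default_factory=list)

    def missing(self) -> list:
        """Return the guards that are not yet in place."""
        gaps = []
        if not self.contract: gaps.append("task contract")
        if not self.context_package: gaps.append("context package")
        if not self.workspace_isolated: gaps.append("isolated workspace")
        if not self.risk_boundaries: gaps.append("risk boundaries")
        if not self.validation_commands: gaps.append("validation commands")
        if not self.stop_conditions: gaps.append("stop conditions")
        return gaps

def full_speed_allowed(guard: TaskGuard) -> bool:
    return not guard.missing()
```

If `missing()` is non-empty, the right move is to fall back to a slower, more interactive mode rather than letting the worker sprint without guards.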
Conclusion
An AI worker that enters a real project should work in an isolated space and move through stages.
This does not reduce efficiency. It lets the project absorb AI efficiency safely.
The useful goal is not "AI finishes everything in one shot." The useful goal is "AI works in the right space, with the right permissions, through the right gates, up to the right delivery boundary."
Originally published on my personal site:
https://marlinbian-site.pages.dev/writing/isolated-stage-gated-ai-worker/