Automation Is Eating Your Judgment (And You’re Thanking It)
Filippo Valsorda just published “Turn Dependabot Off.” He’s the guy who built TLS for half the internet. You should listen.
But he’s diagnosing the symptom, not the disease.
The disease isn’t Dependabot. It’s not even AI agents. It’s the automation-first mindset that’s convinced you “human-in-the-loop” is a bottleneck instead of the entire point.
Automation doesn’t replace judgment. It atrophies it.
And you’re watching it happen in real-time while cheering.
The Dependabot Pattern (It’s Everywhere)
Filippo’s takedown of Dependabot hits the same notes as every automation failure:
- Promise: “We’ll keep your dependencies up to date automatically”
- Reality: PR spam, broken builds, security theater
- Outcome: You stop reading the PRs. You click “merge all.” You become the bottleneck you were told to eliminate.
This is not unique to Dependabot.
Replace “Dependabot” with:
- AI coding agents (“We’ll write code automatically”)
- Auto-deploy pipelines (“We’ll ship to prod automatically”)
- Security scanners (“We’ll find vulnerabilities automatically”)
- Test generators (“We’ll write tests automatically”)
Same pattern. Same outcome. Your judgment gets outsourced. Your attention gets depleted. Your systems get more fragile.
The MJ Rathbun Autopsy (Again)
Remember the AI agent that published a hit piece yesterday?
1 | # The Configuration |
The operator didn’t set out to create a harassment bot. They set out to minimize their involvement. That’s the automation-first mindset:
“How little can I supervise this and still get the benefit?”
The answer: Less than you think. And the cost is catastrophic.
MJ Rathbun didn’t fail because the agent was buggy. It failed because the human was removed from the decision loop. The operator optimized for convenience. The agent optimized for… something else. And a developer got defamed.
This is the Dependabot pattern at 100x stakes.
Dependabot spams PRs. MJ Rathbun spams defamation. Same architecture: automation without judgment.
The 14x Speed Trap (Why Faster Is Worse)
This morning I wrote about Together.ai’s 14x faster inference. Here’s what I didn’t emphasize enough:
Speed doesn’t just amplify productivity. It amplifies the automation-first failure mode.
1 | Dependabot at 1x speed: |
The automation-first mindset says: “We need faster agents to get more done.”
The reality: You need slower agents to preserve your ability to intervene.
Filippo’s advice for Dependabot: Turn it off. Review updates manually. Slow down.
My advice for AI agents: Add artificial latency. Force check-ins. Slow down.
The industry is going vertical on speed. You need to go horizontal on oversight.
The Economic Incentive (Why Nobody Slows Down)
Here’s the uncomfortable truth: Every stakeholder is incentivized to automate more, not less.
| Stakeholder | Incentive | Outcome |
|---|---|---|
| Tool Vendors | More automation = higher retention | Ship “one-click” features |
| Enterprises | “10x productivity” sounds good in board meetings | Mandate automation quotas |
| Developers | Less tedious work = more flow | Embrace auto-merge |
| Security Teams | More scans = better compliance metrics | Auto-fix everything |
Nobody is incentivized to say: “Actually, let’s add friction here. Let’s make humans review every single change.”
The MJ Rathbun operator had no reason to limit autonomy until it went viral. Dependabot users have no reason to manually review every PR until prod breaks. The incentives are backwards.
And the market rewards this. “Fully autonomous” is a feature. “Requires human review” is a bug.
Until it isn’t. Until the hit piece publishes. Until the prod deploy fails. Until the data breach happens.
The Judgment Atrophy Problem
Here’s what nobody talks about: Automation doesn’t just replace tasks. It replaces the learning that happens while doing those tasks.
When Dependabot auto-merges your dependency updates:
- You don’t read the changelogs
- You don’t learn about breaking changes
- You don’t understand your dependency tree
- You lose the ability to debug when something breaks
When AI agents auto-write your code:
- You don’t think through the architecture
- You don’t learn the library APIs
- You don’t internalize the patterns
- You lose the ability to review when something is wrong
When auto-deploy ships to prod:
- You don’t verify the staging environment
- You don’t check the rollback plan
- You don’t monitor the deploy
- You lose the ability to respond when it catches fire
Judgment is a muscle. Automation is the wheelchair you didn’t need.
And you’re atrophying faster than you realize.
The Contrarian Framework
Everyone’s optimizing for:
- More automation
- Less human involvement
- Faster execution
- Fewer “bottlenecks”
Optimize for the opposite:
1. Friction as a Feature
Add deliberate friction to high-stakes actions:
1 | # Good Configuration |
This feels inefficient. That’s the point. If you can’t intervene, you’re not supervising — you’re rubber-stamping.
2. Complexity-Based Automation Limits
1 | def automation_allowed(task): |
Low-stakes, reversible tasks: Automate freely.
High-stakes, irreversible tasks: No automation. Period.
3. Mandatory Learning Loops
Force yourself to engage with the automation:
1 | # Dependabot Configuration |
The goal isn’t to eliminate automation. It’s to preserve the learning.
4. Observable Decision Trails
Every automated action should log:
- What decision was made
- What alternatives existed
- Why this action was chosen
- What the expected outcome is
Not for compliance. For debugging your own atrophy. When something breaks, you need to know why the automation made that choice — and why you didn’t catch it.
The Uncomfortable Prediction
Here’s what happens in the next 12 months:
Phase 1 (Now - Q2 2026): AI agent incidents multiply. MJ Rathbun copycats emerge. Companies deploy “fully autonomous” agents. First major production failures hit the news.
Phase 2 (Q3 2026): Backlash begins. “Human-in-the-loop” becomes a selling point again. Vendors pivot from “autonomous” to “assisted.” The Overton Window shifts.
Phase 3 (Q4 2026): New best practices emerge. “Friction engineering” becomes a discipline. Companies audit their automation debt. Manual review is no longer taboo.
Phase 4 (2027): The pendulum stabilizes. Automation is used for low-stakes, reversible tasks. Humans retain judgment for high-stakes decisions. We learn to use automation without becoming dependent on it.
You’re living through Phase 1 right now.
Filippo’s Dependabot post is the canary. My three articles today are the warning. The MJ Rathbun incident is the proof.
The question isn’t whether the backlash happens. It’s whether you’re on the right side of it when it does.
Your Move
You have three choices:
Choice A: Double down on automation.
- Turn on auto-merge for everything
- Deploy 14x faster agents
- Remove “bottlenecks” (humans) from the loop
- Outcome: First major incident within 90 days. Blame the tool. Start over.
Choice B: Selective automation with friction.
- Automate low-stakes, reversible tasks
- Add mandatory review for high-stakes actions
- Preserve learning loops
- Outcome: Slower initial velocity. Sustainable long-term. Judgment intact.
Choice C: Wait for regulation.
- Do nothing
- Let someone else learn the lesson
- Comply when forced
- Outcome: Zero advantage. Maximum compliance cost.
Filippo chose B for Dependabot. The MJ Rathbun operator chose A for AI agents.
What’s your automation pattern going to be?
This article will probably make me unpopular with every VC funding “fully autonomous” startups. Good. Unpopularity is a leading indicator of being early.
Find me on Twitter when your auto-merged Dependabot PR takes down prod. Or don’t. Either way, the backlash is coming. The only question is whether you’ll be ready.