Event stream and source everything

Diagram showing AI agents appending events to an immutable stream, with human supervisors adding compensating events and downstream consumers reading from position

TL;DR — After 2 years of giving AI tools write access to code through PRs, I’m now giving them write access to production data. The trick: event streaming for safe append-only transport, event sourcing for the WHY behind every change. I used to say “be careful with event sourcing.” Now I say: stream and source everything.

I’ve been using AI coding tools daily for about two years. Claude Code, Copilot, Cursor. My setup: AI tools run without restrictions, but sandboxed. They create branches, open PRs, file issues, trigger CI. Not read-only — actual write access to the development workflow. The catch? Nothing gets merged to main without my approval. The AI proposes, the human disposes.

But I want more. Not code. Not PRs. Actual production data.

“But Ramon, are you crazy?” Yes, probably. But that’s not relevant here. What is relevant is that we already have the perfect mechanism to make this safe. We’ve had it for decades.

Git showed us the way

What is git, really? An append-only journal. “Rolling back” doesn’t delete anything — it appends a reverse commit. The important branches must never be force-pushed or reset. We trust this model completely. Billions of dollars of software depend on it.

Event sourcing is the same thing for data. Instead of overwriting state:

UPDATE customers SET email = 'new@example.com' WHERE id = 42;

You append:

{
  "type": "CustomerEmailChanged",
  "customerId": "C-42",
  "newEmail": "new@example.com",
  "changedBy": "ai/profile-updater",
  "timestamp": "2026-03-12T14:32:00Z"
}

The previous value isn’t gone. You can reconstruct state at any point in time. If a change was wrong, you don’t delete it — you append a correction. Give AI append-only permissions to event streams. Not UPDATE. Not DELETE. Just APPEND.

Two concepts, both essential:

  • Event streaming is the transport. Append-only, ordered, replayable. The retention window can be shortened once you’re confident AI didn’t make things FUBAR — shorten to a snapshot, move history to cold storage, keep the active stream lean.
  • Event sourcing is the model. Every event captures not just what changed but why. This is the real context enabler for AI. A CustomerEmailChanged event with a reason field gives an agent infinitely more to work with than a row that silently flipped from value A to value B. Humans get by on collective memory — “oh yeah, we changed that because of the GDPR thing.” AI agents don’t have that luxury. They need the WHY in the data.

AI agents are natural stream consumers

  • Track position. Read from where you left off, like a Kafka consumer group. No polling for “what changed.”
  • Batch. Process 100 events at once. LLMs are actually better with more context.
  • Full history. Pattern match across the entire stream. An agent classifying an invoice can see every previous invoice from that vendor.
  • Stateless. The stream is the state. Crash, restart, pick up. No corrupted in-memory state.

The epiphany

I used to say “be careful where you apply event sourcing.” Real costs: schema evolution, projection maintenance, storage growth, operational complexity.

But in this AI world? Those costs are now features.

  • Storage grows forever → Complete audit trail of every AI decision. Yes, higher storage costs — but noise compared to the productivity gains.
  • Schema evolution is painful → Forces backwards compatibility. Your agents will thank you when reading events from six months ago.
  • Projections need maintenance → Different agents get different views optimized for their task.

Event stream and source EVERYTHING. It’s the only data model that makes AI write access genuinely safe.

Why now

Context windows went from 4K tokens to millions. Specially trained models reason about complex business logic, not just autocomplete code. And remember: this is the worst AI systems will ever be. If event sourcing + AI agents barely makes sense today (it already does), it’ll be obviously correct in twelve months.

For me personally, this has been an enabler. Tasks I’d been postponing for months — years — because I deemed them too time-consuming, I can now spike iteratively. Not just to build the thing, but to better understand my own idea. The iteration speed changes what’s worth attempting.

When AI screws up

And it will. With a traditional database:

UPDATE invoices SET category = 'marketing' WHERE id = 'INV-0851';
-- Good luck figuring out what it was before

With event sourcing:

#6  InvoiceClassified         { category: "marketing",  by: "ai/classifier"  }
#7  ClassificationCorrected   { corrects: #6, to: "legal", by: "human/ramon" }

The mistake is preserved. The correction is explicit. Even better: the AI itself can create compensating events. A quality-checker reads the stream, notices a low confidence score, cross-references with the vendor’s history, and corrects before a human even sees it. AI correcting AI, with a full audit trail, on production data.

When things are correct, shorten the retention window. Replace thousands of events with a snapshot and move on.

The mental model shift

Stop thinking CRUD permissions. Think append permissions to immutable streams.

TraditionalEvent sourced
AI gets UPDATE on rowsAI gets APPEND on streams
Mistake = silent data corruptionMistake = visible event + compensating action
Audit = hope someone set up triggersAudit = the stream itself
Rollback = restore from backupRollback = append reverse events
”What happened?” = check the logs”What happened?” = read the stream

Treat AI like you’d treat a new hire

Sandbox AI agents the same way you’d sandbox a human employee. Append-only write access. Anywhere data crosses a boundary — leaving a service, triggering an external action, touching money — peer review it. Just like you would with humans.

Most of these rules already exist as verbal agreements. “Don’t deploy on Fridays.” “Always get sign-off before bulk emails.” “Never modify production data without a ticket.” Everyone knew them. Nobody wrote them down. Nobody enforced them systematically.

AI agents can’t absorb tribal knowledge over lunch. They need explicit, documented processes with clear security boundaries. This is actually a gift. It forces businesses to do what they should have done years ago: understand their own processes, remove ambiguity, and formalize the rules that were never enforced. The verbal agreements become code. The “everyone just knows” becomes a specification an agent can follow.

If you can’t write down the rules clearly enough for an AI agent to follow them, maybe those rules weren’t as clear as you thought.

Event stream and source everything.