Something in the Water
“Is the Model Safe?” is the Wrong Question.
Asking whether an AI model is safe is asking the wrong question. Safety isn’t a property of an artifact at rest; it’s a property of the system in motion. The law attaches to outcomes the way cholera does at the point of consumption: per house, per glass, per decision.
In the last days of August 1854, a five-month-old girl living at 40 Broad Street in Soho came down with a violent stomach illness. Her mother soaked the soiled diapers in a pail and emptied the water into the cesspool in front of the house, just a few feet from the most popular water pump in the parish.
Within ten days, more than five hundred people living within a few blocks of that pump were dead. It remains the most concentrated cholera outbreak in British history. The authorities responded with the full rigor of the era’s best science. They knew exactly what caused cholera: miasma (i.e., bad air[1], foul vapors rising from filth and decay). William Farr, the finest medical statistician of his time, had years of data behind the theory, including a beautiful data visualization that clearly showed that cholera deaths rose as elevation fell. The lower you lived, the fouler the air, ergo the more you died. The data was internally consistent and perfectly correlated. The only problem was that the model explaining it was wrong.
A physician named John Snow lived a few blocks from the outbreak. He had doubted miasma theory for years, but rather than argue, he walked from door to door and marked every death on a map of the neighborhood. The pattern that emerged showed that the deaths clustered around the Broad Street pump, with three exceptions. First, the brewery on Broad Street, whose seventy workers breathed the same air as everyone else yet suffered a fraction of the fatalities. Why? Because these men had a daily beer allowance and chose to drink that instead of water.[2] Similarly, the workhouse around the corner, with over 500 inmates packed into exactly the kind of squalor the miasma theory would blame, was barely touched. Why? It had its own well. Finally, there was a widow in Hampstead, miles from Soho and its supposedly deadly air, who died along with her visiting niece. Why? Apparently she’d had Broad Street water bottled and delivered to her house because she preferred the taste.[3]
On the evening of September 7th, Snow presented his map to the parish Board of Guardians. The next morning, the handle came off the pump. They acted on what the outcomes showed, even before there was clear alignment on why.[4]
The official inquiry that followed ended up rejecting Snow’s explanation, and once the epidemic had passed and the pressure was off, the parish put the handle back on the pump.
A hundred and seventy years later, organizations deploying AI are asking their vendors, their risk committees, and their consultants a version of the same question the Victorians asked: “is the air safe?” Or rather, “Is the model safe? Has it been red-teamed? What’s its benchmark score? Can we see the system card?”
Let’s call these ‘miasma questions.’
I. The Smell Test
The Victorian sanitary establishment was rigorous, but it was operating inside the wrong frame. London employed inspectors who monitored extensively and in good faith: they catalogued smells, condemned filth, ordered nuisances removed. The monitoring watched the layer the prevailing theories said was important. But because the theory was wrong about the layer, the monitoring (no matter how diligent) couldn’t detect the thing that was killing people.
Asking whether an AI model is safe is the same kind of fallacy once you consider the question you’re really trying to answer. For example, would you ever consider asking “Is my Excel workbook safe?” The question feels ridiculous. Workbooks don’t misstate earnings or hide trading losses. It’s when you deploy and act on the outputs that you run into issues.[5] Safety isn’t a property the artifact carries on its own, because the consequences the law cares about are produced by the artifact in operation: what data was it pointed at, what prompts was it given, were there people in the loop or absent from it, and what actions were taken downstream on its output.
Now take a hard look at what your AI assurance stack actually describes. Model cards, benchmark scores, red-team reports, vendor attestations: every one of them describes the artifact at rest, and usually on the test bench. Look at every lawsuit involving AI: the law attached to the system in motion. Nothing illegal has ever happened on a benchmark.[6]
The model can be certified, aligned, guardrailed, and excellent in every way a test can describe, and your deployment can still commit a Title VII violation. None of the artifact-level assurance would have told you, because none of it was watching where the exposure actually lives.
II. Old Pump, New Pump
For the last two decades, your organization has been compiling its judgment into the user interfaces of its enterprise software: here a required field, there a validation rule. The approval chain won’t approve a discount over fifteen percent without a VP’s click. The role-based view shows the service rep the customer’s history but not their Social Security number. There’s a warning modal before an irreversible action. Very few people think about required fields as “governance,” but that’s precisely what they are: a decision somebody once made about how data may be used and what must be true before an action proceeds, compiled into a happy path.
That path is now becoming optional. The largest enterprise platforms are racing to offer dynamic, “headless,” agent-first versions of their products, where the system of record is reached through an API and the interface is whatever the agent (or the prompting user) desires most in that moment. I previously identified (in “The Death of SaaS is Greatly Exaggerated”) that agents would sit on top of the systems of record rather than replace them, and that this would make the underlying data and integration contracts more valuable, not less. That argument is holding up nicely. What it underplayed is what happens when twenty years of judgment baked into the interface layer disappear because work stops traveling through the interface.
If you don’t think this is significant, I’ve got an experiment you can try: pick one workflow your teams have agent-enabled and list the controls that used to exist on the old screens (i.e., the validations, the approval steps, and the field-level permissions). Then check which of them exist at the API layer the agent calls. My guess is that some survived the trip, but many didn’t. Almost no organization has inventoried which is which, and the judgment that used to be compiled into the path is now exercised (or exorcised) one prompt at a time, by whoever is doing the prompting, according to whatever they happen to know about how the data is supposed to be used. Headless describes the architecture, and increasingly it also describes the oversight.
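As an added illustration (not code from this post or from Privlex), here is what that inventory looks like in Python: the same four screen-era controls from the section above, a hypothetical headless endpoint that kept only schema validation, a gap report showing what was lost on the way to the API, and the controls re-established as a policy enforcement point at the API boundary so they hold for a screen, an agent, or a script alike. Every control name, role, threshold and customer record here is constructed for the example.

```python
from dataclasses import dataclass, field

# The controls the old screens enforced (constructed inventory).
UI_CONTROLS = {
    "required_fields": "order needs customer_id and amount",
    "discount_cap": "discount over 15% needs a VP approval",
    "ssn_masked": "service rep view hides the customer SSN",
    "confirm_irreversible": "warning modal before an irreversible action",
}

# What a typical headless endpoint keeps on its own: usually just the schema
# validation. The rest lived in the screen (constructed for illustration).
NAIVE_API_CONTROLS = {"required_fields"}

# Constructed system of record.
CUSTOMERS = {"c-1": {"name": "A. Example", "ssn": "123-45-6789", "tier": "gold"}}


def inventory_gap(ui_controls, api_controls):
    """Return the screen-era controls with no counterpart at the API layer."""
    return sorted(set(ui_controls) - set(api_controls))


@dataclass
class Request:
    actor_role: str          # e.g. "service_rep", "compliance", "agent"
    action: str              # which API operation is being called
    payload: dict
    approvals: set = field(default_factory=set)   # e.g. {"VP"}
    confirmed: bool = False  # explicit confirmation for irreversible actions


class PolicyViolation(Exception):
    """Raised when a call would bypass a control the screens used to enforce."""


def enforce_api_controls(req):
    """Policy enforcement point at the API boundary: every UI_CONTROLS entry
    is re-checked here, so the control no longer depends on the caller's UI."""
    if req.action == "create_order":
        missing = [f for f in ("customer_id", "amount") if f not in req.payload]
        if missing:                                   # required_fields
            raise PolicyViolation(f"required fields missing: {missing}")
        discount = req.payload.get("discount_pct", 0)
        if discount > 15 and "VP" not in req.approvals:   # discount_cap
            raise PolicyViolation("discount over 15% requires VP approval")
        return {"status": "created", "discount_pct": discount}
    if req.action == "read_customer":
        record = dict(CUSTOMERS[req.payload["customer_id"]])
        if req.actor_role == "service_rep":           # ssn_masked
            record["ssn"] = "***-**-" + record["ssn"][-4:]
        return record
    if req.action == "delete_customer":
        if not req.confirmed:                         # confirm_irreversible
            raise PolicyViolation("irreversible action requires explicit confirmation")
        return {"status": "deleted", "customer_id": req.payload["customer_id"]}
    raise PolicyViolation(f"unknown action: {req.action}")


# With the enforcement point in place, every screen-era control has an API twin.
ENFORCED_API_CONTROLS = set(UI_CONTROLS)


def try_request(req):
    """Run a request through the enforcement point; return (allowed, detail)."""
    try:
        return True, enforce_api_controls(req)
    except PolicyViolation as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("lost on the way to headless:", inventory_gap(UI_CONTROLS, NAIVE_API_CONTROLS))
    print("after enforcement:", inventory_gap(UI_CONTROLS, ENFORCED_API_CONTROLS))
    order = {"customer_id": "c-1", "amount": 100, "discount_pct": 20}
    print(try_request(Request("agent", "create_order", order)))
    print(try_request(Request("agent", "create_order", order, approvals={"VP"})))
    print(try_request(Request("service_rep", "read_customer", {"customer_id": "c-1"})))
    print(try_request(Request("agent", "delete_customer", {"customer_id": "c-1"})))
```

The point of the shape is that the gap report and the enforcement code read off the same inventory, so the list of controls you expect and the list the API actually checks cannot silently drift apart.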
III. Check your Sources
If the headless architecture is the controlled end of the spectrum, the other end is the application that never had any scaffolding to begin with.
You know the one I’m talking about.[7] Somebody on the operations team needed a thing to exist by Friday, and a vibe-coded solution got them 80% of the way there by Thursday afternoon. The race was to functionality, and on those terms it was a massive success. But by Monday the questions start popping up: how are we handling consent posture, retention rules, adverse-action notices, disclosure timing? None of those made the requirements (because there were no requirements, other than a timeline). There was a prompt, and then there was an app.
Roughly four in five employees report using AI tools their organization never approved.[8] Every one of those tools is the equivalent of a new pump in your parish: unmapped, undocumented, drawing from sources nobody has tested, serving water to your customers and your records with your name on the handle. Ironically, pausing the official AI program doesn’t close these wells; it just means the only pumps still running are the ones you can no longer see.
IV. Per House, Per Decision
All of this should be helping you reframe your thinking about where to point the monitoring. The law attaches to outcomes the way cholera attached at the point of consumption. Per house. Per glass. Per decision.
Title VII doesn’t read your model card. ECOA’s disparate impact analysis doesn’t care that the vendor passed your security questionnaire. The FCRA adverse-action requirements fire on each individual notice, and the TCPA assesses statutory damages per call. And the courts have been consistent that the vendor isn’t a shield. In Mobley v. Workday, the screening vendor was held in as the employer’s agent, and the case was certified as a collective covering over a billion applications. The regimes attach to the deployment, and the deployment is yours, whether the decision came out of a frontier model, a headless API call, or the intern’s Friday app.
Snow proved this logic with what may still be the most elegant study ever run in production. During the same epidemic, he realized that two water companies served the same South London neighborhoods, street by street, house by interleaved house. One drew from the sewage-laden Thames in the city; the other had moved its intake upstream. Same air, same streets, same poverty, same miasma. The only variable was the pipe, and nobody’s framework had considered the pipe worth tracking. Deaths in homes served by the contaminated supply ran roughly eight times higher than in the homes next door.[9]
Your organization is running that experiment right now. Same policies, same training, same governance framework, same air. And underneath, workflow by workflow, the outcomes are diverging pipe by pipe: one team’s deployment producing clean decisions, the neighboring team’s tripping a threshold a regulator will eventually compute. Framework-level governance can’t see the divergence, for the same reason the miasma inspectors couldn’t. It is monitoring the air, while the difference between safety and exposure runs through the plumbing.
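An added example, not from this post or from Privlex, of the per-pipe arithmetic in Python. It runs over a constructed decision log (one row per decision, tagged with the workflow that produced it and a monitoring attribute such as a protected-class proxy) and computes the same comparison twice: once with every workflow pooled into one population, which is the “air” view a framework-level dashboard sees, and once per workflow, which is the “pipe” view. The 0.8 threshold is an assumed parameter, borrowed from the familiar four-fifths rule of thumb; which test actually governs a given workflow is a legal question, not something this code decides. The workflow names, groups and counts are constructed so that the pooled number looks fine while one pipe does not.

```python
from collections import defaultdict


def _rows(workflow, group, approve, deny):
    """Build constructed decision rows: (workflow, group, outcome)."""
    return [(workflow, group, "approve")] * approve + [(workflow, group, "deny")] * deny


# Constructed decision log (not real data). Two workflows, two groups each.
DECISIONS = (
    _rows("screen_a", "g1", 40, 10) + _rows("screen_a", "g2", 43, 7)
    + _rows("screen_b", "g1", 45, 5) + _rows("screen_b", "g2", 30, 20)
)


def favorable_rates(decisions, favorable="approve"):
    """Per workflow, per group: (favorable-outcome rate, number of decisions)."""
    tally = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # [favorable, total]
    for workflow, group, outcome in decisions:
        cell = tally[workflow][group]
        cell[1] += 1
        if outcome == favorable:
            cell[0] += 1
    return {
        workflow: {group: (fav / total, total) for group, (fav, total) in groups.items()}
        for workflow, groups in tally.items()
    }


def impact_ratio(group_rates):
    """Lowest group rate divided by highest; 1.0 means identical outcomes."""
    rates = [rate for rate, _ in group_rates.values()]
    return min(rates) / max(rates) if rates and max(rates) > 0 else 0.0


def pooled_impact_ratio(decisions):
    """The 'air' view: every workflow collapsed into one population."""
    pooled = [("all", group, outcome) for _, group, outcome in decisions]
    return impact_ratio(favorable_rates(pooled)["all"])


def flag_divergence(decisions, threshold=0.8, min_decisions=30):
    """The 'pipe' view: per-workflow ratios, returning those below threshold.
    threshold=0.8 is an assumed parameter (the four-fifths rule of thumb);
    workflows with fewer than min_decisions rows are skipped as too thin to read."""
    flagged = {}
    for workflow, group_rates in favorable_rates(decisions).items():
        if sum(total for _, total in group_rates.values()) < min_decisions:
            continue
        ratio = impact_ratio(group_rates)
        if ratio < threshold:
            flagged[workflow] = round(ratio, 3)
    return flagged


if __name__ == "__main__":
    print("pooled ratio (the air):", round(pooled_impact_ratio(DECISIONS), 3))
    print("flagged workflows (the pipes):", flag_divergence(DECISIONS))
```

With these constructed counts the pooled ratio comes out above 0.8, so a single organization-wide number reports nothing, while the per-workflow pass flags screen_b alone. That is the whole argument of the section in three functions: the divergence is only visible at the granularity the regimes themselves use.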
V. Evidence for the Plaintiff
At this point the instinctive response is the obvious one: “fine, we’ll monitor the outcomes.” Log everything, dashboard it, surface the anomalies. Unfortunately that has the potential to make your position worse.
An unprivileged monitoring record is a discoverable timeline of your own knowledge. Every flag your dashboard raises is a timestamped entry establishing what you knew and when you knew it, and every flag that didn’t lead to documented remediation matures from “finding” into “notice.” Internal monitoring data has already begun showing up in litigation as evidence of knowledge rather than evidence of governance. And the compliance toolsets most organizations are buying right now generate exactly this material at scale (questionnaires, attestations, model inventories, risk-scored dashboards), all of it discoverable. There’s a word for diligent observation records that nobody is empowered to act on, and the word is “exhibits.”[10]
You have to design for observation that makes you safer rather than merely better informed, and that means the monitoring has to run inside a legal structure built for it: findings flowing to counsel rather than to a BI tool, evaluation conducted as legal judgment against the actual regimes in play rather than as scoring against a voluntary framework, and remediation drafted under privilege, so the record of fixing the problem doesn’t become the record of having had it. Two parties watching a system make a discoverable record. Add technically savvy counsel and you get something different: vigilance you can actually afford to practice, because finding the problem strengthens your position instead of compounding it.
VI. Replacing the Handle
Remember how the Broad Street story actually ends. The handle came off, the outbreak collapsed, and the official inquiry still sided with miasma. The mechanism Snow had inferred wasn’t accepted for decades, and the physician who finally vindicated him with national mortality data was William Farr, the same statistician whose elevation tables had backed the wrong theory for twenty years.[11] Vigilance that only runs during outbreaks is just incident response with slightly better branding.
The organizations getting AI into production fastest right now are the ones that stopped trying to win the miasma debate. They aren’t waiting for consensus on which framework is correct, which benchmark matters, or what the federal (or state) enforcement posture will be next quarter. They are watching the water: the actual outcomes their systems produce, per decision, per interaction, continuously, against the regimes that already apply, with counsel reviewing what surfaces and privilege protecting the record from day one.
At Privlex, this is the work we do. We turn your policies into continuous evaluation that runs wherever humans or agents make decisions (headless or not, sanctioned or shadow), and we run it inside a privileged structure so that testing your systems strengthens your defense rather than manufacturing testimony against you. The model debate can rage on without you.
Let us help you keep an eye on the water.
Joe Ewing
Co-Founder and CTO
Privlex
Twenty years building, modernizing, and scaling complex platforms across commercial, regulated, and defense environments, from generative AI to FedRAMP / IL4 / IL5 cloud delivery. Joe previously served as Chief Technology Officer at Clarion AI Partners.
His experience spans large-scale enterprise implementations, AI-enabled and data-integrated systems, and modernization for mission-critical workflows. Earlier in his career, Joe led platform and cloud modernization for U.S. defense, intelligence, and civilian agencies, delivering secure systems under NIST, FedRAMP, and IL4/IL5.
At Privlex, we help organizations unlock real value and simultaneously close the gap between the governance they have on paper and the governance they really need.