Docs / AI Pilot / Why AI May Refuse an Action

Why AI May Refuse an Action

Published · Last updated: May 2026 · 4 min read

Who this is for

Users who asked AI Pilot to do something and received a refusal, and want to understand why and what to do next.

What you will complete

Understand every reason AI Pilot may decline to act, and learn the specific fix for each refusal type.

Overview

AI Pilot is designed to be helpful — but it refuses certain requests. Refusals fall into three categories: permission-based (a configuration setting is blocking it), safety-based (an immutable guardrail applies), and ambiguity-based (the AI needs more information to proceed safely).

Understanding which type applies helps you resolve the refusal quickly.

Category 1: Permission-based refusals

These are resolved by changing a setting in Settings → AI Agent → Agent Controls.

AI Pilot master switch is off

Refusal message: "AI Pilot is currently disabled for your organization."

Fix: Enable AI Pilot toggle under Agent Controls.

Write Actions is off

Refusal message: "I can provide advice, but I am not permitted to perform write actions in your organization."

Fix: Enable Write Actions toggle under Agent Controls.

Specific operation category is disabled

Refusal message: "I am not permitted to perform [category] operations for your organization." For example: "I am not permitted to perform backup operations."

Fix: Go to Agent Controls → Fine-tune Write Actions and enable the corresponding operation category or sub-operation.

Per-server access is Read Only or None

Refusal message: "I do not have write access to server [server-name]. I can only observe this server."

Fix: Change the per-server access to Full Access under Settings → AI Agent → Per-Server Access.

Role restriction

Refusal message: "Your current role does not permit this action."

Fix: Contact your organization Owner to elevate your role to Admin or Owner.

Category 2: Safety-based refusals

These cannot be overridden by configuration. They are platform-level protections.

Production Protection is active

Refusal message: "This server is marked as production, and Production Protection is enabled. I cannot perform write actions on production servers."

Fix options:

  1. Perform the action manually without AI Pilot.
  2. Temporarily disable Production Protection under Agent Controls, perform the action, then re-enable it immediately.

Destructive action without confirmation

Behavior: The Allow button on the approval card is greyed out.

Reason: You have not typed the required confirmation name.

Fix: Type the exact server or site name shown in the red confirmation prompt in the text box. The Allow button activates when the name matches.

Secrets access

Refusal message: "I cannot retrieve or display secret values, API keys, or credentials."

Reason: The AI is blocked from reading sensitive values such as environment variable contents, cloud API keys, or credentials.

Fix: This is by design and cannot be changed. Access secrets manually through the dashboard.

Category 3: Ambiguity-based refusals

These are resolved by rephrasing or providing more detail.

Target is ambiguous

Refusal message: "I found multiple servers/sites matching that name. Which one did you mean?"

Fix: Re-state your request with the exact, full name of the target as shown in the dashboard.

Action scope is unclear

Refusal message: "I want to make sure I understand the full scope before proceeding. Can you confirm..."

Reason: The AI is not certain what you want and is asking for clarification before proposing an action.

Fix: Answer the clarifying question directly. Be specific about which server, site, or service you mean.

Request is outside AI Pilot's operational scope

Refusal message: "That is outside what I can help with in AI Pilot. I can assist with cloud infrastructure management..."

Reason: You may be asking the AI to do something unrelated to infrastructure (write code, create documents, etc.).

Fix: Keep requests focused on cloud infrastructure management: servers, sites, apps, backups, monitoring, and deployments.

If none of the above apply

If AI Pilot is refusing an action and none of the above categories explain it:

  1. Start a new conversation and rephrase the request more specifically.
  2. Check the Activity Center for any pending or failed operations that may be locking the target.
  3. Check the alert history — if a server is in a critical alert state, some operations may be blocked until the alert resolves.
  4. Contact support with the exact refusal message you received.

Related articles