Protect the investment — operate, don't scrap
A model your company depends on turns out to have a problem. It has been in production for months. Teams built on top of it, workflows assume it, customers rely on the feature it powers. Now an audit finds something in it that should not be there. What do you do with an asset you cannot simply trust and cannot easily replace?
The reflex is expensive
The instinct is to rip it out and start over. Pull the model, pick a new one, re-tune it, re-test everything downstream, re-certify the whole feature, and absorb the outage — or the frozen roadmap — while it happens. That reflex treats a localized fault as a total loss. It throws away the working ninety-nine percent to be rid of the one percent that went wrong.
That is rarely the right trade. The model you already run is not just weights. It is months of integration, tuning, evaluation, and institutional knowledge — a real investment, most of it perfectly sound. Scrapping it converts a contained problem into a company-wide project, and it does so on the worst possible schedule, because the discovery of a fault is never convenient.
Cut the fault, keep the model
There is a narrower move: remove the specific bad behavior and keep everything else. Not retrain, not replace — excise. Take the fault out of the model you already operate, and leave the capability your business runs on intact.
This is Excise, and it exists precisely so a discovered fault does not force a rebuild. It is the difference between surgery and demolition. The feature keeps working. The integration stays. The investment is protected. What leaves is the part you needed gone.
One honest note on availability: Excise is trust-gated, not open self-serve. Cutting into a model your business relies on is not a button we hand to anyone unattended — it is done in a trusted engagement, with the care that changing a production asset deserves. The Audit that finds the fault is open now; the correction that removes it is deliberately gated.
Proof that only that changed
The reason to trust a repair over a replacement is evidence, and this is where the discipline earns its keep. When something is cut out, the correction carries its own attestation: a witnessed record that the bad behavior is gone and that only that changed. You are not asked to take the fix on faith any more than you were asked to take the model's original description on faith.
That record is what makes "operate, don't scrap" defensible to the people who will ask about it — your risk function, your auditors, your customers. A correction you can prove is a corrective-action record. A correction you merely assert is a new claim to worry about. The attestation turns a nervous patch into documented, standable maintenance.
The honesty holds here too. The proof is bounded to a stated coverage: it is never a certificate of a "provably clean" model, and never a promise that nothing else in the weights will ever surprise you. What it gives you is a specific, witnessed statement about a specific change — which is exactly what a corrective action is supposed to be.
The math of the decision
Set the two paths side by side. One is a full replacement: cost, delay, downstream churn, and the risk that the new model carries its own undisclosed surprises. The other is a targeted removal with a proof attached. For most businesses, most of the time, the second protects far more value than it spends.
The point of the apparatus was never to make you distrust the models you run. It is to give you a repair that is smaller than the problem — so a fault becomes maintenance instead of a rebuild, and the investment you made keeps paying off.




