| UI or UX | UI + UX - Anti-pattern where repeated low-value confirmations train users to dismiss real risk prompts automatically | UI + UX - Consequential alert decision | UI + UX - Final destructive commit review | UX - Post-action recovery behavior | UI + UX - Severe-consequence warning copy before an action | UI + UX - Pre-execution review of high-impact actions that may affect money, access, production systems, legal status, customers, external recipients, or safety |
| UI guidance | Do not present the same modal confirmation for routine, reversible, low-risk, or high-frequency actions; reserve interruptive confirmation for consequences that can reasonably change a user's decision. | Render an alert-style modal decision with a specific title, consequence description, safe cancellation, and a destructive action label that names the object or scope. | Render a destructive confirmation after the user invokes a destructive command, with a title and final action button that repeat the destructive verb and target, such as Delete workspace or Cancel subscription. | Show a named recovery affordance after the completed action, such as Undo delete for a specific task, near the result or in a consistent status region. | Render warning text as a short high-emphasis statement with a warning icon, visible or hidden warning label, and explicit consequence copy placed before the relevant action, declaration, or instruction. | Render dangerous-action review as a pre-execution checkpoint that names the armed action, actor, target, scope, affected systems, external effects, risk reason, evidence, freshness, permissions, alternatives, and exact outcome of Run, Cancel, Edit, or Escalate. |
| UX guidance | Confirmation should reduce a specific mistake, not create a reflexive second click after every command. | Interrupt users only when the action has a meaningful consequence that cannot be safely recovered afterward. | Use destructive action confirmation to create one informed stop before permanent or externally visible loss, not to slow every routine cleanup action. | Let users move quickly through frequent reversible actions, then recover from mistakes after seeing the result. | Use warning text when users must understand a serious consequence before acting or failing to act, such as a fine, loss of access, permanent deletion, eligibility impact, or legal responsibility. | Use dangerous-action review when an action is not necessarily destructive but can create high-impact consequences such as sending money, changing access, executing production commands, contacting customers, publishing content, filing a legal response, or letting an agent use a privileged tool. |
| Good UI | Archiving a message completes immediately with Message archived and Undo, while permanently deleting a workspace opens a specific destructive confirmation. | Delete Research archive? explains that 14 notes and shared links will be permanently removed, offers Keep archive, and labels the danger action Delete archive. | Delete Payments project? lists 4 dashboards, 12 saved views, 3 webhooks, and 8 shared links, offers Keep project, and labels the danger action Delete Payments project. | Deleting Quarterly report removes it from the list and shows a recovery panel saying Quarterly report deleted with an Undo task button. | Before Submit declaration, a warning with an exclamation icon says the user may be fined if they provide false information. | A production console shows Restart payment workers, affected region, open incidents, customer impact, rollback owner, evidence links, change window, dry-run result, and Run restart only after the reviewer checks the risk inventory. |
| Bad UI | Every Save, Dismiss, Filter, Archive, and Close action opens the same Are you sure? modal with OK and Cancel. | A popup says Are you sure? with OK and Cancel but does not name the project, notes, or irreversible outcome. | A modal says Are you sure? with OK and Cancel after the user clicks Delete, without naming the project or what disappears. | A tiny x removes an item with no object-specific recovery label. | A red sentence says Important below the submit button after the user has already acted. | A privileged tool button says Continue and immediately sends a customer email, changes access, and updates billing without showing the payload or external recipients. |
| Good UX | A user archives ten low-risk notifications quickly, can undo the last archive, and still pauses when the only modal names permanent account deletion. | Cancel, Escape, and Keep archive leave the archive unchanged and return focus to Delete archive. | A user opens Delete workspace, reviews the object count and webhooks, cancels, and returns to the same workspace with nothing changed. | Undo restores the deleted task to the list and reports Quarterly report restored. | Users see the fine or eligibility consequence before checking the declaration and can pause to verify their answer. | A release manager sees that a deploy action affects production EU, has a stale smoke test, cancels execution, refreshes checks, and then runs the action with an audit record. |
| Bad UX | A user clicks OK through a production delete prompt because the last 30 prompts all looked identical and protected harmless actions. | Every archive, filter, and dismiss action opens the same confirmation until users click through automatically. | A user confirms deletion because OK looks like the primary next step, then discovers shared links and child reports were lost. | A second delete overwrites the first recoverable item without explaining which action Undo affects. | A benefit-loss warning appears only after submission, so users cannot change the decision it warns about. | A user approves a notification from email after the underlying payload changed, and the system executes against a different customer. |
| Best fit | Use this anti-pattern entry to audit products that ask for confirmation on many routine actions or use identical prompts for different levels of risk. | The action is destructive, irreversible, costly, security-sensitive, privacy-affecting, or externally visible. | A user has initiated a destructive command that can permanently remove, revoke, reset, deactivate, or cancel something valuable. | The action is common and mistakes are likely. | A user must understand a serious consequence before taking or skipping an action. | A user, agent, automation, or admin tool is about to execute a high-impact action that can affect money, access, production systems, legal/compliance state, customers, external recipients, sensitive data, or safety. |
| Avoid when | Do not use this entry to remove confirmation from permanent deletion, broad permission changes, external side effects, legal commitments, payments, production commands, or account closure without adding an equally strong safeguard. | The action is routine and easily reversible. | The action is a routine reversible archive, hide, dismiss, move, reorder, or trash move. | The action has external side effects that cannot be recalled. | The message is a dynamic task status that must be announced when it appears. | The risk is narrowly permanent deletion or loss of a named object; use destructive action confirmation. |
| Required state | Prompt inventory state showing which actions are confirmed, how often they occur, and what consequence each confirmation prevents. | Pre-action state with an explicit consequential trigger. | Idle state where the destructive command is visible but not committed. | Normal state before the user action. | No-warning state where the action has no severe consequence. | Armed action state with verb, target, payload, actor, source, and exact execution boundary. |
| Accessibility burden | Reducing unnecessary dialogs reduces focus disruption, but replacement feedback and undo controls must remain keyboard reachable and programmatically identifiable. | Use alertdialog semantics or platform equivalent when the decision is urgent and requires a response. | Use alertdialog semantics or platform equivalent when the destructive decision requires an immediate response. | Make the undo control keyboard reachable and programmatically identifiable. | Do not rely on color alone; include visible or programmatic warning wording and a non-color cue such as an icon. | Use headings and labels that name the action and target before risk details. |
| Common misuse | Adding a confirmation after every user mistake without asking whether the mistake was reversible. | Asking users to confirm every routine action until they stop reading. | Using a vague Are you sure prompt that does not name the object, count, or consequence. | Offering undo for an action that cannot actually be reversed. | Using warning text for routine hints, explanations, or mild reminders. | Using vague Are you sure, Continue, or Proceed copy without naming the dangerous operation. |