ML systems challenges — design it, then debug it

100 ms sounds generous until you account for network round trips. A user in the median location is ~20 ms from your nearest data centre. That leaves 80 ms for your backend. Your backend is not one service — it is a chain: candidate fetch → retrieval model → feature lookup → light ranker → heavy ranker → response serialisation. Each hop adds latency. The key constraint is that heavy neural ranking on 2,000 items is impossible in 80 ms on a GPU (the GPU call alone would take 200+ ms at that scale). You must reduce the candidate set aggressively before the expensive stage.

Think about this: if your heavy ranker can score 50 items in ~15 ms on GPU, how many items must the light ranker have already eliminated before it? Work backwards from that number.

The industry-standard solution for this constraint is a two-tower retrieval model followed by a point-wise or list-wise ranker. The retrieval model does approximate nearest-neighbour (ANN) search in an embedding space to get from 2,000 (or more) candidates down to ~200. The ranker then uses richer features (cross-features between user and item) that are too expensive to compute for 2,000 items but fine for 200.

A further split often helps: a light ranker (logistic regression or a small gradient-boosted tree on precomputed features) reduces 200 → 50, and a heavy ranker (small neural net with cross-features) produces the final 50 to display. Think about what features each stage can afford given its latency budget, and where those features come from.

For cold-start users (fewer than 10 engagement events), personalised two-tower embeddings are meaningless — the user embedding is just noise. Two standard approaches: (a) popularity-based fallback — rank by global or demographic-cohort popularity for the first N sessions; (b) content-based bootstrap — if the user indicated interests at signup, use item embeddings directly without a user tower. The transition from cold to warm is gradual: after 10–30 interactions, blend cold and warm signals.

For position bias: items shown at the top of the feed are clicked more regardless of quality. If your training labels are clicks without position correction, your model learns "items shown first are good", which is circular. The standard fix is inverse propensity scoring (IPS) or a position feature during training that is zeroed out at inference. Make sure your solution mentions this — it is a common interview probe.

The most common first mistake is to think about latency targets first and GPU count second. Flip it: figure out how many tokens per second the fleet must generate, then divide by what one H100 can do. Throughput determines fleet size; latency determines per-device batch size and scheduling policy.

Useful number: a single H100 (80GB, fp16, no quantization) running a 13B model with a realistically-sized batch can sustain roughly 3,000–5,000 output tokens/second on the decode phase. Where does that number come from? Memory-bandwidth bound: at 3.35 TB/s HBM3 bandwidth and ~26 GB of model weights (13B × 2 bytes), each decode step reads the entire model in ~8 ms, implying ≈ 125 decode steps/sec with batch=1. With batch=32 the same memory read is amortized over 32 tokens → 4,000 tokens/sec. Confirm you can reconstruct this from first principles before peeking at the solution.

On an H100 with 80 GB VRAM: the 13B fp16 model occupies ~26 GB. That leaves ~50 GB for KV cache + activations. Before you decide on batch size, work out how many bytes one token of KV state costs for this model. With GQA (8 KV heads, head dim 128) the calculation is per-layer-per-token: 2 (K and V) × 8 heads × 128 dim × 2 bytes (fp16) = 4,096 bytes per layer. Multiply by 40 layers = 160 KB per token. Now ask: how many 1,900-token sessions does 50 GB support? That tells you the max concurrent sequences a single GPU can hold in-cache.

With static batching you commit a batch at request arrival and wait for all sequences to finish before accepting new ones. With continuous batching (aka iteration-level scheduling), each forward pass picks the "ready" sequences from a waiting pool — sequences can enter and leave mid-batch. This keeps GPU utilization high even when response lengths vary wildly. Think about how this interacts with prefill vs. decode: prefill of a long prompt (1,500 tokens) for ONE new request takes many more FLOPs than a decode step. If you mix prefill and decode in the same forward pass, long prefills starve decodes → TTFT of other users spikes. What is the fix?

Offline metrics that are too GOOD are as diagnostic as online metrics that are too bad. What class of bug systematically inflates offline evaluation? What information could the training set contain that serving never will?

Training sets are built monthly from the warehouse's CURRENT feature tables. A label from June 3rd is joined against… which version of the user's 7-day aggregate? What did serving see on June 3rd?

Diagnosis. The monthly build joins labels against end-of-month feature snapshots — every training row sees features computed AFTER its label event, including the label's own consequences. That's point-in-time leakage; the 0.92 is fiction. The wrong-vs-right join:

Architecture. (1) Timestamped feature log: every feature value is appended with its computation timestamp — the offline store is feature HISTORY, not current state. (2) As-of join engine for training-set builds: for each label, fetch the latest value with ts ≤ label_ts (and optionally ts ≥ label_ts − staleness_bound to mimic serving staleness). (3) Online store holds latest values, written by the same pipelines that append history — one definition, two materializations. (4) Registry: per-feature owner, freshness tier, lineage. (5) API: get_online(keys, features) for serving; build_training_set(labels_df with timestamps, features) for offline — teams never hand-write joins.

Freshness tiers. Classify the 200 features: batch daily (demographics, long aggregates), near-real-time micro-batch (hourly counters), streaming (fraud velocity — the fraud team's true requirement). Each tier ~10× the ops cost of the previous; default down.

Parity & late data. Continuous online/offline parity check: sample serving reads, replay as-of offline, alert on divergence rate. Late-arriving events: features recompute with event-time watermarks; the as-of join must use the value as it WAS at serving time — which logged-at-scoring features give you for free (log features at inference; train on the logs; the leak class disappears by construction — say this as the strongest variant).

Common wrong answers. "Retrain more often" (doesn't touch the join), "add regularization" (the 0.92 isn't overfitting in the classical sense), "feature selection to remove the leaky ones" (every aggregate leaks when joined wrong — the JOIN is broken, not particular features).

Draw the retrieval pipeline as a sequence of stages: query → candidate retrieval → filtering → re-ranking → generation. Now ask: at which stage do you know which documents the user is allowed to see? At which stage is it too late? The key insight is about what the LLM does with context it receives — does it reliably ignore unauthorized passages?

Also think about the difference between filtering 1M candidates down to 50 authorized ones, versus retrieving the top-50 and then checking authorization. The numbers are the same only if your retrieval is perfect — and it never is.

When a document is deleted or its ACL is restricted (e.g., a page is moved to exec-only), what happens to chunks that were already indexed? Vector stores are append-friendly but deletion is expensive. A tombstone is a marker that tells the retrieval layer "this chunk exists in the index but is logically deleted — skip it." Think about how tombstones interact with your filtering logic.

Freshness within 1 hour means your ingestion pipeline cannot batch daily. What does an event-driven pipeline look like? What triggers it?

Caching is obvious for performance: if 100 employees ask "what is our parental leave policy?" you should not run 100 RAG pipelines. But the cache key cannot be just the query string. Think about what happens if Alice can see HR-confidential docs and Bob cannot — they ask the same question and you cache the result. Whose answer gets served to the other?

The fix requires the cache key to encode the user's permission set, but permission sets are large (thousands of doc IDs) and change hourly. What is a practical approximation?

The crux: filter at query time, against an index, never post-hoc. Post-hoc filtering (retrieve 50, ask an LLM or rule layer to drop unauthorized docs) fails three ways: the unauthorized content already left the vector store toward your application layer (leak surface), recall collapses when most of the top-k gets filtered (the user with narrow permissions gets 2 results), and an LLM judging permissions will eventually be wrong once — which is once too many. Correct: the retrieval query carries the user's permission predicate, evaluated INSIDE the search engine against indexed ACL metadata, so unauthorized vectors are never candidates.

Permission model. Per-doc ACLs (users, groups, classification labels) flattened into indexable terms (group IDs, tenant IDs, sensitivity tier) stored alongside each chunk's vector. Query side: resolve the user → their groups/entitlements (cached minutes, not hours — hourly ACL churn is the requirement) → filter expression ANDed into both the BM25 and the dense ANN search (filtered HNSW / pre-filtered IVF; modern engines support metadata-filtered ANN natively).

Ingestion & freshness. Source connectors emit (doc, ACL, content) change events → Kafka → incremental pipeline: re-chunk/re-embed only changed docs; ACL-only changes update metadata WITHOUT re-embedding (cheap, hits the <1h SLA); deletes write tombstones that suppress results immediately and compact later. Full re-index stays as a weekly repair job, not the freshness path.

Retrieval stack. Hybrid BM25 + dense with RRF fusion (enterprise queries are full of exact tokens — error codes, project names — where keywords beat embeddings), then a permission-safe cross-encoder re-rank over the top ~50. Generation cites only retrieved chunks; the answer layer never sees unauthorized text by construction.

The cache subtlety. A shared answer/retrieval cache keyed only on the query leaks across users (user A's cached answer contains doc X; user B without access asks the same question). Options: key the cache by (query, permission-set hash) — works when permission sets cluster into groups; or cache only retrieval candidates pre-filter and re-apply the user's filter on every hit (cache the expensive part, never the authorization). Never cache post-authorization content across principals.

Eval. Two suites: quality (recall@k/MRR against a labeled query→doc set, per department) and LEAKAGE red-team: synthetic users with known entitlements issue queries engineered to surface forbidden docs (exact-title queries, quote fragments); the gate is zero unauthorized chunks retrieved across the suite, run on every index/code change. Audit log of (user, query, docs retrieved) for compliance.

Common wrong answers. Post-retrieval LLM filtering (leak surface + recall collapse); per-user indexes (5M docs × 50k users doesn't exist); ignoring ACL-only updates (forcing re-embeds blows the freshness SLA and the GPU bill).

p50 is flat; p99 is 3× worse. What does that tell you about the distribution of affected requests? If the scoring model were slow, every request would be slower and both percentiles would shift. If a downstream call were slow, every request would also be slower. So what class of event affects only the slowest requests?

Think about caches. When a cache returns a hit, the request is fast. When it misses, the request falls through to the origin and is slow. If your cache hit rate drops from 92% to 61%, what fraction of requests now experience the slow path? Does that fraction match the percentile that spiked?

The feature fetch fan-out went from 14 calls/request to 26 calls/request. Those 12 extra calls correspond exactly to the 12 new features. Now: each of those calls is a cache miss (the keys have never existed). A cache miss on a shared Redis cluster triggers a synchronous read from the feature store backend. The ranking service's p99 latency is bounded by the slowest of its parallel fan-out calls. What happens to the maximum of 26 independent random variables compared to the maximum of 14?

Extreme-value statistics: the expected maximum of n i.i.d. random variables grows with n. More calls → higher chance one of them hits a slow path (GC pause, hot key, network jitter). That's why p99 blows up while p50 stays flat.

Before the deploy, cache occupancy was 71 GB out of 80 GB. The 12 new features are being written into the cache on first fetch. Under LRU eviction, the new keys displace old ones. Which old keys get evicted first? The least-recently-used ones — which are often low-frequency features that were already borderline. This creates a secondary wave of cache misses on previously-warm features, further degrading hit rate beyond just the 12 new features. This explains why hit rate fell by 34 pp rather than a smaller amount proportional to just the new features.

Causality reads off the telemetry order: gradients went pathological first, loss followed. What produces a sudden gradient pathology mid-run when LR hasn't changed — and what coincided at ~41k?

Shard 41 started at ~41,200 and came from a different preprocessing pool. What does a corrupted/undeduplicated/mis-tokenized shard do to gradients, and how would you check WITHOUT reading 40GB by eye?

Ordered hypotheses. (1) Bad data shard — boundary coincidence + grad-first signature + different preprocessing pool: prior ~70%. (2) bf16 numeric instability amplified by the shard's distribution (the overflow counters halving loss-scale support this as the MECHANISM riding on cause 1). (3) LR-schedule kink at 41k (check, it's cheap — but schedules rarely have step-function changes mid-decay). (4) Hardware (a flaky GPU producing NaNs — would usually show as rank-localized grad anomalies, not synchronized).

Cheapest probes, in order. (1) Resume from the 40k checkpoint with shard 41 SKIPPED — one config change; if training sails past 41,200-equivalent tokens, the shard is convicted (deterministic data order makes this experiment possible at all). (2) While that runs: stats on shard 41 vs shard 40 — token-length histogram, repeated-sequence rate, tokenizer round-trip failures, % non-language bytes; a dedup failure or binary contamination shows up in minutes. (3) Per-rank grad-norm breakdown at the spike: synchronized across ranks = data; localized = hardware.

Recovery. Resume at 41k with shard skipped (lose 200 steps, ~minutes), tighter grad-clip for the next few thousand steps as a belt, and requeue shard 41 for re-preprocessing through the GOOD worker pool, re-inserting later in the schedule. Don't fast-forward the optimizer past corrupted moments: the 41k checkpoint predates contamination (verify by grad-norm history).

Prevention. Data validation gates per shard before admission (token stats, dedup rate, tokenizer round-trip, contamination heuristics — the same checks probe 2 ran, run ALWAYS); grad-norm alerting (page on z-score, don't wait for NaN); spike-skip logic (auto-skip batch + log when grad-norm > k×rolling-median); preprocessing-pool version pinning so "different worker pool" can't silently mean "different code"; loss-scale/overflow-counter dashboards for bf16/fp8 runs.

Common wrong answers. "Lower the LR and restart from scratch" (burns the run, no diagnosis); "switch to fp32" (10× cost to mask a data bug); "it recovered after NaN so continue" (Adam moments are corrupted; the run is silently damaged).

The new ranker was trained on features logged by the OLD pipeline, but serves on features computed by the NEW one. What's that called, and what would it do to score distributions?

Scores don't just rank — they feed a value formula and thresholds. If the top decile's probabilities run hot, what happens to the blend with other objectives and to any score-gated behavior?

The taxonomy (recite it, always). (1) Training-serving skew — features differ between train and serve paths. (2) Offline-eval leakage/exposure bias — labels exist only for what the OLD policy showed, so offline replay rewards imitating it. (3) Calibration shift breaking downstream consumers — combination formulas and thresholds need probabilities, AUC doesn't. (4) Position-bias mismatch between replay and live. (5) Metric mismatch — AUC is ranking-only; CTR is absolute behavior under an ecosystem.

Fit to evidence. The logging change in the same release makes (1) the prime suspect — the model trains on old-pipeline features and serves on new-pipeline ones; even small definition drift (null handling, window boundaries) shifts the score distribution… which is also exactly what an overconfident-at-the-top calibration plot shows, implicating (3) as the damage mechanism: hot top-decile probabilities over-weight this model's head in the value formula and push wrong items past thresholds. (2)/(4) can't be excluded by this evidence but don't explain the calibration signature; (5) is always true but doesn't explain a REGRESSION.

The discriminating experiment. Dual-scoring on live traffic: score the SAME requests with the new model fed by (a) old-pipeline features (reconstructed/logged) and (b) new-pipeline features. If score distributions diverge between (a) and (b), skew is convicted, and the diff localizes WHICH features moved (compare per-feature distributions where the two pipelines disagree). One day of shadow compute, no user impact. In parallel: recalibrate (isotonic on recent live data) and re-read the value-formula output distribution — if recalibration alone restores sane blending in offline simulation, (3) was carrying the regression.

Fix & prevention. Fix: align the feature definitions (or retrain on new-pipeline logged features), recalibrate per head, re-canary. Prevention: logged-at-scoring features as the contract (the change couldn't have diverged train from serve), feature parity tests in CI between pipeline versions, calibration as a launch gate (predicted/observed ratio per decile must sit in bounds), and never shipping a model and a feature-pipeline change in the same release — separate the variables.

Common wrong answers. "The model overfit" (doesn't explain the release coupling), "roll back the model only" (if the pipeline changed, the OLD model now skews too — roll back as a PAIR or fix forward consciously), "AUC went up so the model is better, the metric is wrong" (the value formula is the product; calibration is part of the model's job).

KV per token = 2 (K and V) × layers × kv_heads × head_dim × bytes. Then multiply by 2k vs 32k and compare against the batch the GPU used to hold.

A 32k-token prefill is a multi-second compute burst. If it shares an engine iteration with 30 decoding sequences, what happens to their inter-token interval?

The memory math. Per token: 2 × 40 × 8 × 128 × 2B = 164KB. At 2k context: ≤0.33GB per sequence — 38 concurrent sequences ≈ 12.5GB of KV, comfortable. At 32k: up to 5.2GB per sequence — 16×. A handful of long sessions (7% of traffic, but they LINGER — long documents mean long conversations) eat the KV pool: occupancy pins at 97%, admission stalls, concurrency collapses 38→9, and since decode throughput scales with batch, tokens/sec falls proportionally (2,400→710 ≈ the concurrency ratio). The hourly OOMs are reservation overflow on max-length sequences colliding at peak.

The p99 story. Two mechanisms: (1) prefill interference — a 32k prefill is seconds of compute-bound work; every decode sequence co-scheduled with it stalls, so short-prompt users' TPOT spikes whenever any long request arrives (tail-shaped harm, mean barely moves); (2) KV pressure evictions/admission queuing add jitter. The signature "TTFT fine, TPOT awful" says decode is the victim, not prompt processing capacity.

Same-day mitigations. Cap effective context server-side (truncate middle, keep head+tail) below the product cap while you fix; admission-control long requests into a concurrency-limited lane (max 1-2 concurrent long sequences per GPU); enable chunked prefill (512-token chunks interleaved with decode — kills the TPOT spikes); quantize KV to fp8 (halves the 164KB/token, doubling effective pool); turn on/verify paged KV (no max-length reservations → OOMs stop, fragmentation waste <5%).

The redesign. Separate pools: a long-context pool (few, KV-heavy, possibly bigger-HBM GPUs) and the existing short-context fleet — route by prompt length; or full prefill/decode disaggregation if long-context traffic grows. Prefix caching for re-queried documents (the same uploaded doc across turns re-uses its KV — huge for doc-chat). Session TTLs and idle-KV eviction with recompute-on-return. Capacity model updated: price a request by context-tokens-held×time, not request count.

The product conversation. 32k context costs ~16× the KV residency of 2k: either it's priced/tiered (premium feature, stricter rate limits), or capacity grows accordingly — show the \$/request delta. Also surface that 90% of uploaded docs fit retrieval: RAG-style retrieve-then-answer over the doc costs a fraction of full-context stuffing for most queries — context length is a product decision wearing an infra costume.

Common wrong answers. "Add GPUs" (linear cost for a problem with 16× structure — fix utilization first); "lower max_tokens" (output length isn't the driver, context residency is); "the model is too slow, distill it" (weights didn't change; the cache did).

Cheap reversible action first: none needed yet — and saying so is the correct call. Nothing user-facing is moving, so the reversible action is "don't touch production at 3am." But you do NOT silence and go back to sleep either; a flat top-line with a drifted input can mean the model has simply stopped using that feature's signal, and fraud losses show up with a multi-week lag (chargebacks). Flat-right-now is not flat.

Minutes 0–5: confirm the alert is computed correctly — is the PSI spike in the live feature values or in the reference window? Check whether device_age_days moved for all traffic or one slice (one country, one app version). A single-slice jump after an app release is usually a logging change, not fraud.

Minutes 5–10: check "what changed": app releases, upstream schema deploys, and whether the feature's null/default rate jumped (a drift alert is often a missing-data alert in disguise — values collapsing to a default of 0 shifts the distribution violently). If null rate spiked, this becomes Simulation 2 and you escalate to the owning team's on-call.

Minutes 10–15: if it's genuinely a population shift with healthy logging: annotate the alert with findings, file a morning ticket to (a) check model performance on the shifted slice once labels arrive, and (b) re-tune the PSI threshold or reference window, because an alert with a 100% "no action" history is training the team to ignore the one that matters.

Why this is correct: the staff-level move is treating alert quality as part of the incident. You neither dismissed it (lagged-label risk) nor took a 3am production action with zero user impact (unjustified risk). Common wrong answers: "retrain immediately" (retraining on a possibly-corrupt feature bakes the problem in) and "mute the alert" (destroys the safety net).

Cheap reversible action first: you cannot roll back upstream quickly, so mitigate on YOUR side: change the null-handling for this feature from "impute 0" to "impute the population median / last known per-user value," or — often better — flip the ranker to a fallback model or config that excludes the broken feature. Both are config-level, reversible in minutes, and turn a corrupted signal into a merely missing one. A model fed plausible defaults degrades gracefully; a model fed 60% zeros on a heavy-weight feature is actively wrong, because "0 engagement" is a strong negative signal the model learned from real users.

Minutes 0–5: pull the mitigation lever (fallback config), verify CTR on a canary slice recovers direction-wise. Open an incident, severity matching 8% CTR: this is revenue-visible.

Minutes 5–10: coordinate with upstream: get a committed ETA for revert-plus-backfill, and confirm whether the rename hit other consumers (fraud? ads?) — you may be the first to notice a multi-team incident. Blast-radius discovery is on-call work, not politeness.

Minutes 10–15: guard the future: if any training/retraining job consumes this feature, pause scheduled retrains now — three hours of 60%-null data flowing into a training set is how today's incident becomes next week's "model mysteriously worse." Write the timeline in the channel.

Why this is correct: "their pipeline is green" and "your model is fine" can both be true while the contract between them is broken — schema is part of the interface, and nulls imputed to 0 convert a data bug into a model-behavior bug. Staff+ answers add the prevention: schema contracts with CI checks on the producer side, and a null-rate alert per critical feature on the consumer side (you found this via a PM, 3 hours late — that is itself a finding). Common wrong answer: waiting 2 hours for the upstream revert with no consumer-side mitigation.

Cheap reversible action first — and it is the whole answer: BLOCK THE PROMOTE. Pause the 07:30 auto-promotion before doing anything else. This costs nothing: production keeps serving yesterday's model, which was fine yesterday and is fine today. A one-day-stale ranker is a non-event; a corrupted ranker at peak traffic is an incident. The asymmetry is total, so you do not need to be sure anything is wrong — the size anomaly alone justifies the block.

Why "AUC is fine" is a trap: a 40% smaller artifact usually means 40% of something is missing — typically a chunk of the embedding vocabulary or feature hash space, because an upstream extract silently dropped a partition (one day of data, one region, or a join that brings in long-tail IDs returned empty). If the eval set is built from the same truncated data, it cannot see the hole: the missing users and items are absent from eval too. Aggregate AUC on a self-consistent-but-incomplete dataset is exactly the metric that stays green while the model quietly loses its tail. Silent data loss is the one failure class where "metrics look fine" is expected, not reassuring.

Minutes 2–15, after blocking: diff the artifact against last week's — embedding table row counts, feature vocabulary sizes, per-feature coverage. Then diff the training data: row counts per day/partition vs the 30-day norm; you will usually find the dropped partition in minutes. Determine whether the loss is upstream (a re-run fixes it) or in your extract code. Re-run once the input is whole; only promote a model whose size and slice-level evals are back in band.

Why this is correct: this is the purest test of the chapter's theme. There is a free, instantly reversible action with unbounded downside protection, available before any diagnosis. Anyone who starts with "first I'd investigate the data pipeline" has already failed — at 07:30 the bad model ships while they investigate. Staff+ adds prevention: make artifact size, embedding cardinality, and training-row counts blocking promotion gates rather than warnings.

Cheap reversible action first: ramp the variant to 0% now. Do not wait for the owner. A guardrail is a pre-commitment — the team agreed in advance, while calm that this threshold means stop; 3am with partial information is precisely the situation pre-commitments exist for. Re-litigating the threshold mid-breach defeats its purpose. And the action is the definition of reversible: the experiment can re-ramp Monday at the click of a button, with zero lost work beyond a weekend of data.

Why "engagement is positive" does not change the call: the comparison is asymmetric. Upside of leaving it on: a weekend of slightly better experiment data. Downside: latency degradation compounding under Saturday peak, crash-rate yellow going red, and users churning — harms that are real and partially irreversible, versus an experiment delay that is fully recoverable. Also, short-horizon engagement under elevated latency is untrustworthy: latency damage shows up in return-rate days later, not in same-hour clicks.

Minutes 0–5: ramp to 0%, confirm p99 and crash rate recover in the control population (if they do NOT recover, the variant was not the cause — un-pause your assumption and treat it as an infra incident: check deploys, hosts, traffic anomalies).

Minutes 5–15: snapshot dashboards and a few traces from the breach window so the owner can do root cause Monday without the evidence aging out of retention. Leave a clear handoff note: what breached, when you ramped down, recovery confirmation, links. No 3am debugging of the variant's latency — that is the owner's daytime job.

Why this is correct: the recovery check is the subtle senior move — ramping down is both mitigation and a diagnostic test, and if metrics do not recover you have falsified your hypothesis in five minutes. Common wrong answers: paging the experiment owner and waiting (the guardrail already encodes their decision), and killing the experiment permanently/deleting it (over-rotation: 0% ramp preserves the experiment setup and the learning).

Cheap reversible action first: roll the query encoder back to v11. That is the change that correlates with the slide, the rollback takes minutes, and it restores the invariant that matters: queries and index must be embedded in the same vector space. Do not try to "fix forward" by rebuilding the index against v12 — a full index rebuild takes hours, and rollback gets users healthy now. Rebuild-then-coordinated-cutover is the daytime plan.

Why nothing crashed — and why that is the lesson: v11 and v12 produce vectors of the same dimensionality, so every API contract is satisfied: the encoder returns 768 floats, the ANN index happily computes nearest neighbors, everything is type-correct and "healthy." But two encoders trained separately — even a fine-tune of the same base — produce geometrically incompatible spaces: distances between a v12 query vector and v11 item vectors are meaningless. The system fails semantically while passing every syntactic check. This is the classic ML-systems failure: the contract that broke (same embedding space) was never written down as a contract, so no monitor owned it. Only a quality metric (recall proxy) could catch it — which is exactly why you have one.

Minutes 0–5: confirm the timeline (slide starts at the v12 deploy), then roll back the query encoder. Verify recall@100 recovers over the next minutes of traffic.

Minutes 5–15: message the embedding team — "backwards compatible" needs a precise definition for encoders, and other consumers (recs? ads retrieval?) may be skewed too. Sketch the proper rollout for v12: rebuild the index with v12 item embeddings, then cut query traffic and index over atomically (or run dual-encoding during transition). File for prevention: version-pin the encoder ID into the index metadata and have the retrieval service refuse — or alarm — on mismatch at request time.

Why this is correct: rollback dominates because it is minutes-cheap and restores a known-good invariant, while every fix-forward path is hours-long. Staff+ answers name the general principle: any system with a trained artifact on both sides of an interface (two-tower retrieval, reranker + candidate gen, encoder + index) needs compatibility versioning, not just API versioning. Common wrong answer: restarting/rebuilding the ANN service — it is behaving perfectly; the bug is in the space, not the search.