15 Research Lab -Adversarial Safety Evaluation of Frontier AI Systems

John Kearney

AI Agent Approval Workflows: When to Require Human Authorization

February 8, 202615 Research Lab

agent-safetycomplianceguardrails

The question is not whether to have approval workflows. It is where to place them. Too few approvals and agents act without oversight. Too many and reviewers become bottlenecks who rubber-stamp everything.

A Risk-Based Framework

Classify every tool and action by risk level:

Critical risk (always require approval):

Financial transactions above a defined threshold
Data deletion or modification in production systems
External communications sent on behalf of users
Access control changes (granting or revoking permissions)
Actions that are irreversible

High risk (require approval on first use or when parameters are unusual):

Writing to databases
API calls to external services
File creation or modification
Sending notifications

Medium risk (log and monitor, approve conditionally):

Read access to sensitive data
Search queries across broad datasets
Tool calls with parameters outside historical ranges

Low risk (auto-approve, log only):

Read-only operations on public data
Status checks
Informational queries

Encode this classification in your policy engine. The policy evaluates each tool call and routes it to the appropriate approval path.

Approval Gate Design

Synchronous blocking. The agent pauses until the reviewer responds. This is the safest pattern but adds latency. Use for critical-risk actions where waiting is acceptable.

Asynchronous with timeout. The agent continues other tasks while waiting for approval. If the timeout expires, the action is denied (fail closed). Use when the agent has parallel work to do.

Batch approval. Group related actions and present them to the reviewer as a set. "The agent wants to update these 5 records. Approve all / Deny all / Review individually." Reduces the number of approval interactions.

Preventing Reviewer Fatigue

Fatigue is the biggest practical threat to approval workflows. Reviewers who see 200 approval requests per day start approving everything without reading.

Reduce volume: Auto-approve genuinely low-risk actions. Every approval request should represent a real decision point.

Provide context: Show the reviewer what the agent is trying to do, why, and what the potential impact is. A request that says "delete_user(id=12345)" is less informative than "Delete user John Doe's account. This will remove 3 years of order history. This action is irreversible."

Track metrics: Monitor approval rates. If a reviewer approves 99% of requests, either the threshold is too low (too many trivial requests) or the reviewer is not actually reviewing.

Rotate reviewers: Distribute approval load across team members to prevent individual burnout.

The Compliance Connection

EU AI Act Article 14 requires human oversight for high-risk AI systems, including the ability to intervene in automated decisions. Approval workflows are the most direct implementation of this requirement. Document your approval policy, your risk classification criteria, and your reviewer selection process. Auditors will ask for all of this.