There is a temptation, when an agent can take a dangerous action, to reach for one of two blunt instruments. Either you block the action entirely and lose the value of automation, or you allow it and hope nothing goes wrong. Both are bad, and the choice between them is a false one. For a whole class of agent actions, the right control is neither allow nor block. It is approve: pause, ask a human, and proceed only with a yes.
The skill is in knowing which actions deserve a human in the loop, and in designing the approval so it adds safety without grinding the workflow to a halt.
Which actions need an approval
Most agent actions do not need a human. Retrieving a document, drafting text, summarizing a thread: these are reversible, low-stakes, and high-volume, and routing them through a person would defeat the point of having an agent at all. The actions that warrant approval share a few traits.
They are irreversible or hard to undo, like deleting records, issuing a refund, or sending an external communication. They are high-impact, touching money, customers, or production systems. They are sensitive in their data or their consequences, where a mistake is expensive or public. And they are out of the ordinary, falling outside the agent's normal, well-understood pattern of behavior. When an action has one or more of these traits, a human approval in the path is cheap insurance against a costly autonomous mistake.
Designing the approval so it actually helps
A badly designed approval is worse than none, because people learn to click through it without thinking. A few principles keep approvals meaningful.
Give the approver the context to decide. The approval request should carry what the agent intends to do, why, on whose behalf, and what data and tools are involved. An approver staring at "Agent wants to run action X, approve yes or no" with no context will either rubber-stamp it or block it out of caution, and neither is a real decision.
Scope the approval to the action, not the agent. Approving one high-impact action should not hand the agent a blank cheque for all future actions. Each high-impact action gets its own decision, so authority does not silently accumulate.
Route to the right approver. The person who should approve a financial action is not necessarily the person who should approve a data export. Approval workflows need to send each request to someone with the standing to judge it.
And record the decision. Who approved, when, with what context, and what happened next. An approval that leaves no trace is an approval you cannot learn from or defend later. This is where approvals meet the audit trail, and every approval should land in the AI audit trail as part of the action's record.
Approvals are a tool-call control as much as an agent control
Many of the high-impact actions an agent takes are tool calls, because tools are how agents reach out and change the world. That makes approval workflows tightly bound to tool governance. The decision to require a human before a sensitive, irreversible tool call runs is enforced at the same layer that decides which tools an agent may call at all. We cover that layer in the complete guide to MCP and tool governance and MCP and tool governance, and the connection is worth keeping in mind: approvals and tool controls are two halves of governing what an agent can actually do.
The balance approvals strike
Done well, human-in-the-loop approval is how you get the speed of autonomy without surrendering control over the moments that matter. The agent handles the high-volume, low-risk work on its own, and a human steps in precisely at the points where a wrong move would be expensive or irreversible. You are not choosing between a fast agent and a safe one. You are letting the agent be fast where speed is harmless and careful where care is warranted.
That balance is the whole goal of agent governance: consistent control that bends to the shape of the risk rather than applying the same blunt rule to everything. The full picture is in the complete guide to agent governance, and the hand-off and memory risks that approvals work alongside are covered in the hand-off problem.