Agent Operations Design Notes (7/9) — How to Design an Approval Loop

The more work you delegate to agents, the less sufficient raw permissions become. It is not enough to say that some actions are allowed and others are blocked. There is a third layer in between: when should a human step in, what exactly should be reviewed, and with what information should that decision be made? That middle layer is the approval loop.

ํ•ต์‹ฌ ์š”์•ฝ

  • An approval loop is not anti-automation. It is a structure that moves hard-to-reverse actions in front of human judgment earlier.
  • Approval targets are better grouped by blast radius, reversal cost, external trace, and privilege change than by technology category.
  • Putting a human into every step is not good design. If ask is overused, important approval signals disappear.
  • Even if Managed Agents absorb more of the execution layer, approval criteria still remain a local operating policy.

1. Why approval loops matter again

Older assistant systems mostly suggested answers or drafts. Humans read the result and then acted themselves.

Agents are different. They can edit files, run commands, operate browsers, and send things outward. From that point on, we can review it later stops being enough.

Some actions should be inspected before execution. Some actions are fine with logs after the fact. Some actions should never proceed at all.

That is what approval loop design is really about.

If permission design cuts the system into allow / ask / deny, the approval loop is what turns ask into a real operating procedure.

2. Approval targets should be grouped by reversal cost, not by tool type

Teams often start with tool categories:

  • shell is risky
  • browser is risky
  • file editing is risky

That looks tidy, but it breaks quickly.

The same surface category can carry very different consequences.

Action Surface appearance Reversal cost
editing a draft file write low
editing a publish helper write high
updating internal notes write low to medium
publishing externally transmission / publication very high
touching credentials read very high

So approval loops are usually better designed around:

  1. is it easy to undo
  2. does it create an external trace
  3. does it touch protected assets
  4. does human judgment actually add value
  5. can logs alone provide enough safety

3. Read, edit, execute, and externally send are not the same permission class

A good approval loop starts by splitting actions more carefully.

At minimum, it is usually worth separating:

  • read
  • narrow local edit
  • code or command execution
  • external network transmission
  • publication or deployment
  • privilege escalation or protected asset access

This matters because approval frequency and approval quality are shaped here.

If reading internal documents and publishing externally sit inside the same approval logic, the system usually ends up either too noisy or too weak.

Permissions answer what is possible. Approval loops answer when human review is required even if an action is technically possible.

4. Good approval loops do not put humans everywhere

Many teams respond to risk by inserting human approval into every meaningful step. That usually creates two failures:

  1. humans become the throughput bottleneck
  2. approval quality falls because the review becomes routine

If approvals arrive too often, people stop reading them carefully. At that point, the system still has a formal approval step, but the real value is gone.

A strong approval loop reduces:

  • meaningless asks
  • repeated asks of the same low-value kind
  • approval on actions that are easy to recover after the fact

And it strengthens:

  • approval on irreversible actions
  • approval on external sends
  • approval on wide-scope modifications
  • approval on privilege escalation

The goal is not use more humans. It is use human judgment only where it matters most.

5. What information should an approval request include

Approval quality is determined less by whether a popup appears and more by what the reviewer can actually see.

A useful approval request should usually include:

Field Why it matters
what is being attempted confirms purpose
why it is needed now checks whether the step is really necessary
what will change shows impact scope
how it can be reversed shows recovery path
what the alternative is if rejected prevents approval from becoming the lazy default

If the human sees only an approve button, the loop is close to meaningless.

6. The bigger problem is not approval delay, but missing approval criteria

Approval delay is real, but the larger problem is often the absence of clear criteria.

Without criteria:

  • different reviewers make different decisions
  • similar actions are approved one day and rejected the next
  • the agent cannot learn a stable operating boundary
  • post-incident review cannot explain why approval happened

That is why an approval loop usually needs policy before it needs UI.

For example:

  • some actions are default allow
  • some are always approval-gated
  • some are default deny
  • some are conditionally allowed under narrow rules

7. Why Managed Agents cannot solve approval design for you

Managed Agents can help with long-running execution, common tool access, and some observability. They do not decide your approval philosophy.

The reason is simple: approval rules are organizational judgment.

  • one team may require approval for any external send
  • another may care far more about modifying operational scripts
  • another may treat publication as the highest-risk event

So approval loops may be offered as platform features, but approval policy itself remains local.

8. Five questions to answer before rolling an approval loop out

  1. Which actions are the most irreversible?
  2. Which actions are safe enough for post-hoc logging only?
  3. Which actions are not improved by human review anyway?
  4. Which asks become dangerous if they appear too often?
  5. If approval is rejected, what fallback should the agent take?

Without answers to those questions, approval loops usually degenerate into a pile of popups.

9. A quick health check for approval-loop fatigue

  • approval prompts appear so often that humans nearly auto-approve them
  • approval requests do not explain purpose or scope
  • there is no fallback path when approval is denied
  • similar actions are handled inconsistently
  • post-review cannot explain why something was approved

If several of these are true, the system is probably over-asking and under-designing.

10. Conclusion: approval loops are not about late human intervention, but about timely human intervention

Approval loops can look like anti-automation if they are designed badly. In strong systems, the opposite is true.

A good approval loop:

  • removes low-value asks
  • sharpens the truly important asks
  • catches irreversible actions earlier

So the deeper question is not where do we put a human. It is which part of the operating boundary the organization is willing to let automation own by itself.

Related Internal Links

References

Series overview: Series index

๋Œ“๊ธ€

๋Œ“๊ธ€ ์“ฐ๊ธฐ

์ด ๋ธ”๋กœ๊ทธ์˜ ์ธ๊ธฐ ๊ฒŒ์‹œ๋ฌผ

Agent Memory Engine (2/10) — Building an AI Agent Memory System with SQLite Alone

← 1/10 SQLite Memory Engine f… ๐Ÿ“š Series Index 3/10 memcore Completed → A memory engine that runs without daemons, without dependencies, anywhere ํ•ต์‹ฌ ์š”์•ฝ This post covers how to design an AI agent memory engine (memcore) on a single-file SQLite backend. - Structure: 25 modules, ~6,464 lines, 22 DB tables - Principles: no daemon, single-file portability, no required external dependencies, host-agnostic - Core techniques: 4-layer hybrid search (topic · vector · FTS5 · LIKE), U-tag dialectic-based confidence evolution, ingestion-layer bias rejection rules What This Post Covers One approach to building AI agent memory without a server or cloud vector DB. Specifically: (1) the limitations of text-file-based memory, (2) vector DB alternatives compared and selection criteria, (3) how to layer search tiers, (4) how to evolve confidence scores over time, and (5) how to block biased memory accumulation at the ingestion stage. Design Principles: Why Single-File SQLite Text-file-based ...
Read more »

"ML Foundations (9/9) — PyTorch vs TensorFlow, and the Road to Local LLMs"

์ด๋ฏธ์ง€
← 8/9 Deep Learning Architec… ๐Ÿ“š Series Index (series end) The final part. So far we've focused on models. Now we focus on the tools that actually run them . We'll lay out the philosophical difference between PyTorch and TensorFlow, and trace how Hugging Face transformers , llama.cpp , MLX , and Ollama built the bridge to running large language models on your own machine. By the end you should have the full mental model of "download a pretrained LLM and serve it locally." 0. Learning Objectives Explain the eager-vs-graph difference between PyTorch and TensorFlow. Explain, in graph terms, how autograd automates the backward pass. Use Hugging Face transformers ' AutoModel , AutoTokenizer , and pipeline abstractions. Describe llama.cpp's GGUF quantization, INT4 inference, and CPU-first flow. Describe Apple MLX's use of unified memory and how it differs from PyTorch. Run a local LLM with Ollama and call it through an OpenAI-compatible API. ...
Read more »

"RAG Core Study (14/26) — Evaluation Sets with RAGAS & DeepEval"

์ด๋ฏธ์ง€
Series overview: Series index ๐Ÿ“š Series Index Without an evaluation set, every RAG improvement is a story, not evidence. RAG systems fail in more than one place: retrieval, context selection, answer generation, and grounding. That means "looks better" is not a metric. Part 14 explains how to build a golden dataset , how RAGAS and DeepEval fit into the workflow, and why teams must separate retrieval quality from answer quality if they want tuning decisions to hold up. 0. Prerequisites Part 13 reranking — system quality now depends on multi-stage ranking. Part 1 grounding — a correct-looking answer is not enough. Part 12 Hybrid — multiple retrieval settings need comparison on fixed data. 1. Learning Objectives Build a small but useful golden dataset for RAG. Distinguish retrieval metrics from answer metrics . Use RAGAS and DeepEval in the right roles. Avoid the common traps in judge-model-based evaluation. 2. ํ•ต์‹ฌ ์š”์•ฝ An evaluation set for RAG is ...
Read more »

"ML Foundations (8/9) — Deep Learning Architectures: CNN, RNN, Attention"

์ด๋ฏธ์ง€
← 7/9 Deep Learning Training ๐Ÿ“š Series Index 9/9 PyTorch vs TensorFlow → What did we keep adding on top of an MLP? Vision went CNN, sequences went RNN/LSTM, and eventually both converged on Attention and the Transformer. Each architecture is easier to remember if you read it as what it gave up to gain something else . This part is the one-line summary of the decisive inflection points: LeNet → AlexNet → ResNet → LSTM → Attention → Transformer. 0. Learning Objectives Explain why CNN's convolution, pooling, and weight sharing match images so well. Trace what got unblocked from LeNet → AlexNet → VGG → ResNet as depth grew. State BPTT for RNNs and the vanishing/exploding gradient problem. Write the LSTM gate equations (forget, input, output) with intuition. Write the attention formula in query/key/value form and the scaled dot-product variant. State the precise reasons Transformers replaced RNNs (parallelism + long-range dependencies). 1. ํ•ต์‹ฌ ์š”์•ฝ CNN : weight sharin...
Read more »

"ML Foundations (7/9) — Deep Learning Training: Optimizers, Regularization, Initialization"

← 6/9 Neural Networks ๐Ÿ“š Series Index 8/9 Deep Learning Architec… → Building an MLP, as we did in Part 6, is not the same as getting it to train well . The right optimizer, regularization, initialization, and learning rate — when these line up, deep networks converge. When they don't, the network refuses to learn at all. This part is the catalog of those crafts, with formulas, paper citations, and code in one place. 0. Learning Objectives Compare and write the update rules for SGD, Momentum, Nesterov, and Adam. Explain how Dropout, BatchNorm, and LayerNorm work and where they belong in a model. Derive the variance formulas for Xavier and He initialization and match them to activations. Implement step, cosine, and warmup learning-rate schedules in PyTorch. Explain why gradient clipping is effectively required for RNNs and Transformers. Diagnose the most common training failures (NaN, plateau, overfitting) and apply first-line fixes. 1. ํ•ต์‹ฌ ์š”์•ฝ SGD : \(w \leftarro...
Read more »

OpenClaw to Hermes Migration (2/13) — What to Preserve, Partially Port, or Discard

← 1/13 Current Structure Inve… ๐Ÿ“š Series Index 3/13 What Moves to Hermes → A code review record classifying operational scripts into three tiers: preserve, partial-preserve, and discard. What This Post Covers An asset classification framework (preserve / partial-preserve / discard) for migrating a legacy agent system to a successor A concrete case applying the Strangler Fig + Subset Migration strategy to a memory pipeline Classification results evaluated across LOC, external dependencies, and replaceability axes A method for slimming down a bloated single file (1,310 LOC) using the migration as a natural entry point Problem Definition: Port Everything or Cut Deep? The OpenClaw inventory comprises multiple agents, multiple scheduler/daemon processes, and multiple operational scripts. When moving to the successor system, Hermes, the choice is not binary. A full port carries accumulated technical debt along with it; a minimal port discards hard-won domain logic. Code-revie...
Read more »

AI Agents I Built (5/7) — Building an Automated Blogger API Publishing System

← 4/7 My Life Organizer Agent ๐Ÿ“š Series Index 6/7 Dual → Designing a Markdown-Based Auto-Publish Pipeline with Blogger API v3 + OAuth 2.0 Key Summary Blogger API v3 + OAuth 2.0 enables a pipeline that converts Markdown files into publishable HTML posts blogger_publish.py handles the full flow — frontmatter parsing → body cleanup → HTML conversion → CSS injection → API post — in a single script For bulk publishing, quota management (delay, retry, TOC suppression) is the critical design concern Platform Selection Criteria API access is mandatory for AI agent-driven content publishing. A comparison of platforms: Platform API Cost AdSense Decision WordPress.com REST API Paid plan required Paid only Cost overhead Ghost REST API Self-hosted or paid Manual setup Ops overhead Blogger v3 API Free Native integration Adopted Blogger is free, exposes a REST API, and integrates natively with AdSense. For personal blog automation, this combination i...
Read more »