PERMISSION/PROTOCOL

Engineering · June 15, 2026

Human-in-the-Loop Approval for AI Agents: A Practical Guide

To add human-in-the-loop (HITL) approval to AI agent actions, route every consequential action through a single enforcement point that decides cleared, approval-required, or denied. When the decision is approval-required, the action pauses for a named human signer who approves it before it runs, producing an immutable receipt of who approved what. Below is how to wire it up.

Definition: what human-in-the-loop approval for AI agents is

Human-in-the-loop approval for AI agents is a control where consequential agent actions are routed through a single enforcement point that classifies each action as cleared, approval-required, or denied: and, when approval is required, pauses the action until a named human signer explicitly approves it before it runs. It turns “the agent decided it was fine” into “this specific person approved this specific action at this time, and here is the receipt.”

Why a confirmation prompt is not enough

The naïve way to add a human to the loop is a confirmation dialog: “Are you sure? [Yes] [No].” For an autonomous agent this is theater. The agent's own loop is the thing answering the prompt: there is no separation between the actor and the approver, so the agent can satisfy its own check. You need the decision to live at a point the agent does not control, with a real human at the other end of the consequential calls.

Simple confirmation prompt vs. policy-routed HITL approval

PropertySimple confirmation promptPolicy-routed HITL approval
Decides per-action riskNo, prompts the same way every time Yes, engine classifies each action
Names who approvedNo, just a click Yes, a named human signer
Agent can self-satisfyYes, the agent's loop clicks through No, decision is external to the agent
Produces an audit recordNo durable artifactYes, immutable receipt
Scales to many actionsPoorly, every action interrupts Yes, most auto-clear, only the risky slice escalates

Set it up in four steps

These steps use Permission Protocol's Permission Router, but the pattern is general: one enforcement choke point, a per-action decision, a named human on the escalations, and a durable record.

  1. Wrap the agent's tool calls behind one enforcement call. Instead of calling tools directly, route every consequential action through a single choke point, Permission Protocol's Permission Router (POST /api/v1/execute). It is receipt-first: a receipt is created before any tool executes.
  2. Let the engine classify. The Consequence Engine predicts a decision for each action: cleared auto-runs with no human in the path, approval_required pauses the action, and denied stops it outright.
  3. A named human signs. When an action is approval-required, it routes to a specific human signer who reviews it and approves, the action proceeds only then. The agent cannot stand in for the signer.
  4. The receipt records it. Each approval is captured as an immutable receipt (signer, action, decision, timestamp) that you can export to your evidence vault.

Two properties make this trustworthy: the decision lives at a point the agent does not control, and the receipt exists before any tool runs, so authorization is never reconstructed after the fact.

Common mistakes

  • Confirmation dialogs the agent can click through. If the same loop that proposes the action also answers the prompt, you have no human in the loop. The decision must be external to the agent.
  • Approving by role, not by named person. “An approver approved it” is not an answer an auditor accepts. Route to a named human signer and record who they are.
  • Gating everything. Pausing on every action kills throughput and trains people to rubber-stamp. Only escalate the slice that actually needs it, let the rest auto-clear.
  • No durable record. An approval that leaves no exportable artifact will not satisfy an auditor. Keep the receipt.

For the pull-request-specific version of this pattern, see how to require human approval before an AI agent's PR merges. And to see how a deterministic policy engine and named-human signoff fit together, read Microsoft AGT vs Permission Protocol.

Frequently asked questions

What is human-in-the-loop approval for AI agents?

It is a control where consequential agent actions are routed through a single enforcement point that classifies each action as cleared, approval-required, or denied: and, when approval is required, pauses the action until a named human signer explicitly approves it before it runs. The decision is recorded as an immutable receipt, so you always know who authorized what and when.

How is HITL approval different from a confirmation prompt?

A confirmation prompt is a dialog the calling code presents, and an autonomous agent's own loop can simply click through it: there is no separation between the actor and the approver. Policy-routed HITL approval moves the decision to an external enforcement point the agent does not control: the engine decides per-action risk, escalation goes to a named human, and every approval produces a durable record.

Does requiring human approval slow agents down?

No. Most actions auto-clear and run with no human in the path. Only the consequential slice, the actions classified as approval-required, pauses for a named signer. Because the enforcement point gates the few actions that matter instead of every call, throughput stays high while the risky actions still get an explicit human decision.


Last updated: June 15, 2026. Permission Protocol is the external authorization layer for AI agent actions, per-action human approval and tamper-evident receipts. See the OWASP Agentic Top 10 mapping for the full control coverage.