Engineering · June 15, 2026
How to Require Human Approval Before an AI Agent's Pull Request Merges
To require human approval before an AI agent's pull request merges, add a required status check that stays pending until a named human signer approves, and enable GitHub branch protection so the PR cannot merge while that check is pending. A fail-closed approval gate posts a pending status when the PR opens, blocks the merge, and only turns the check green after a specific person records an approval — leaving a signed receipt of who approved it. Below is how to set it up in about ten minutes.
Definition: what an AI PR approval gate is
An AI PR approval gate is a required CI check that blocks a pull request from merging until a named human explicitly authorizes it, and that records the authorization as a durable, tamper-evident receipt. It turns “a human probably looked at this” into “this specific person approved this action at this time, and here is the proof.”
Why code review alone is not enough
When the author of a PR is an autonomous agent, the usual safeguards leak:
- A review approval can be dismissed, and an admin can merge past it unless bypass is disabled; on many repos the agent itself holds write access.
- One agent can approve another agent's PR if review rules only count approvals, not who gave them.
- A green review is not an exportable record. When an auditor asks “who authorized this change?”, a dismissed review thread is not an answer.
An approval gate fixes all three: the human decision becomes a fail-closed merge condition, the signer is named, and the decision is recorded as a receipt.
Approval gate vs. plain code review
| Property | Plain code review | Named-signer approval gate |
|---|---|---|
| Blocks merge on error | No, an admin can merge past it | Yes, fail-closed, provided admin bypass is disabled |
| Approver identity recorded | In the PR review timeline, dismissible | Named in a signed receipt |
| Agent can satisfy it | Often yes | No — requires a human signer |
| Exportable audit artifact | No | Yes — durable receipt |
| Maps to EU AI Act Art. 14 / SR 11-7 | Weak | Direct evidence |
Set it up in four steps
These steps use Permission Protocol's Deploy Gate, but the pattern is general: any gate that posts a required, fail-closed status check works.
- Add the gate to your CI. Drop the Deploy Gate GitHub Action into your workflow. On every PR it calls the approval service and posts a commit status named “Permission Protocol.”
- Make the check required. In branch protection for your default branch, enable “Require status checks to pass before merging” and add “Permission Protocol” to the required checks. Select the Permission Protocol GitHub App as the check's source rather than “Any source”, so a status posted under the same name by another identity does not satisfy it.
- A human signs. When an agent opens a PR, the status goes yellow/pending and the merge button is blocked. A named signer reviews the diff and approves. The status turns green only then.
- Keep the receipt. Each approval emits an immutable receipt — signer, diff, policy applied, timestamp to the millisecond — that you can export to your evidence vault.
Two properties make this trustworthy: it is fail-closed (any error keeps the status blocking and never turns it falsely green), and the status is posted by a GitHub App identity the agent does not hold. The second property only holds if the required check is pinned to that App: any identity with write access can post a commit status under any context name, so an unpinned check named “Permission Protocol” could be turned green by the agent itself.
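The fail-closed decision the gate has to make on each run, as an added example written for this post rather than Permission Protocol's own code (it also covers the "what does fail-closed mean" answer in the FAQ below). It assumes a receipt format of my own: the approval service returns JSON carrying the signer, the repo, the PR head SHA and an expiry, signed with an HMAC-SHA256 key the gate holds; the key, the signer allowlist and the SHAs are constructed. Only a receipt that passes every check maps to `success`; no receipt keeps the check `pending`; a bad signature, a receipt for a different commit, a non-human signer, an expired approval or malformed input all map to a blocking state.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# Constructed values for the example; a real gate loads these from its secret store.
RECEIPT_KEY = b"example-receipt-signing-key"
HUMAN_SIGNERS = {"alice@example.com", "bob@example.com"}


@dataclass(frozen=True)
class Status:
    state: str        # one of GitHub's commit-status states: pending/success/failure/error
    description: str


def _canonical(payload: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def make_receipt(signer: str, repo: str, head_sha: str, expires_at: float,
                 signer_type: str = "human", key: bytes = RECEIPT_KEY) -> str:
    """Build a signed receipt the way the (assumed) approval service would."""
    payload = {"signer": signer, "signer_type": signer_type, "repo": repo,
               "head_sha": head_sha, "expires_at": expires_at}
    sig = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return json.dumps({"receipt": payload, "signature": sig})


def decide(receipt_json: Optional[str], repo: str, head_sha: str,
           now: Optional[float] = None, key: bytes = RECEIPT_KEY) -> Status:
    """Map the approval service's answer to the commit status the gate posts.

    Only a receipt that passes every check yields "success". No receipt keeps the
    PR pending; anything else is a blocking state, so nothing here can fail open.
    """
    now = time.time() if now is None else now
    if receipt_json is None:
        return Status("pending", "Waiting for a named human signer")
    try:
        envelope = json.loads(receipt_json)
        payload, sig = envelope["receipt"], envelope["signature"]
        expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return Status("failure", "Receipt signature invalid")
        # Bind the approval to this exact diff: an approval of an earlier push must not carry over.
        if payload["repo"] != repo or payload["head_sha"] != head_sha:
            return Status("failure", "Receipt is for a different repo or commit")
        if payload["signer_type"] != "human" or payload["signer"] not in HUMAN_SIGNERS:
            return Status("failure", "Signer is not an allow-listed human")
        if now > payload["expires_at"]:
            return Status("failure", "Approval expired")
        return Status("success", f"Approved by {payload['signer']}")
    except Exception as exc:  # malformed or unexpected input: block, never pass
        return Status("error", f"Gate error: {type(exc).__name__}")


if __name__ == "__main__":
    sha = "0" * 40  # constructed head SHA
    print(decide(None, "org/repo", sha))
    print(decide(make_receipt("alice@example.com", "org/repo", sha, 2_000_000_000),
                 "org/repo", sha, now=1_700_000_000))
    print(decide(make_receipt("agent-bot", "org/repo", sha, 2_000_000_000, signer_type="agent"),
                 "org/repo", sha, now=1_700_000_000))
```

The `except Exception` branch is the point: a gate that lets a parsing error propagate into a skipped status post, or that treats "no response" as "nothing to block", is the fail-open checkbox described under common mistakes. Binding the receipt to the head SHA is what keeps an approval from covering commits the signer never saw.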
Common mistakes
- Fail-open gates. If the check passes when the service errors, you have a checkbox, not a guarantee.
- Counting approvals, not approvers. Require a human signer specifically, or an agent with review rights satisfies the gate.
- Admin bypass left on. If admins can merge past a pending check, the gate is advisory. Enable “Do not allow bypassing the above settings” (the option formerly labelled “Include administrators”) in branch protection.
- No durable record. A green check that leaves no exportable artifact will not satisfy an auditor. Keep the receipt.
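A small audit of a repo's branch-protection settings against the mistakes above, added here as an example and not part of Permission Protocol's tooling. It assumes the object shape GitHub returns for `GET /repos/{owner}/{repo}/branches/{branch}/protection` as I know it (`required_status_checks.checks[].app_id`, where `null` means "any source", and `enforce_admins.enabled`); the app id and both sample objects are constructed, the weak one showing an unpinned check with admin bypass left on and the fixed one showing the corrected settings.

```python
from typing import List

GATE_CONTEXT = "Permission Protocol"
GATE_APP_ID = 123456  # constructed placeholder for the gate's GitHub App id


def audit_protection(protection: dict, gate_context: str = GATE_CONTEXT,
                     gate_app_id: int = GATE_APP_ID) -> List[str]:
    """Return findings for a branch-protection object; an empty list means the gate is enforced."""
    findings: List[str] = []
    rsc = protection.get("required_status_checks")
    if not rsc:
        return ["required status checks are off: the gate is not required at all"]
    gate_checks = [c for c in rsc.get("checks", []) if c.get("context") == gate_context]
    if not gate_checks:
        findings.append(f"'{gate_context}' is not a required status check")
    elif any(c.get("app_id") != gate_app_id for c in gate_checks):
        # app_id null means "any source": anyone with write access could post this status green.
        findings.append(f"'{gate_context}' is not pinned to app_id {gate_app_id}; any writer could post it green")
    if not protection.get("enforce_admins", {}).get("enabled", False):
        findings.append("enforce_admins is off: an admin can merge past a pending gate")
    return findings


# Constructed sample objects, shaped like the GET .../branches/{branch}/protection response.
WEAK_PROTECTION = {
    "required_status_checks": {
        "strict": False,
        "contexts": ["Permission Protocol"],
        "checks": [{"context": "Permission Protocol", "app_id": None}],
    },
    "enforce_admins": {"enabled": False},
}

FIXED_PROTECTION = {
    "required_status_checks": {
        "strict": True,
        "contexts": ["Permission Protocol"],
        "checks": [{"context": "Permission Protocol", "app_id": 123456}],
    },
    "enforce_admins": {"enabled": True},
}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_PROTECTION), ("fixed", FIXED_PROTECTION)):
        print(name, audit_protection(cfg) or ["ok"])
```

To run it against a real repo, pipe `gh api repos/OWNER/REPO/branches/main/protection` through `json.load` and pass the result to `audit_protection`; the two findings on the weak sample are exactly the "counting a status by name only" and "admin bypass left on" mistakes.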
Frequently asked questions
How do you require human approval before an AI agent's pull request merges?
Add a required status check that stays pending until a named human signer approves, and turn on branch protection so the PR cannot merge while the check is pending. A fail-closed approval gate posts the pending status when the PR opens, blocks the merge, and flips the check green only after a specific person records an approval — producing a signed receipt of who approved it.
Why isn't a normal code review enough for AI-generated PRs?
A review approval can be dismissed, admin-bypassed, or satisfied by another agent, and it is not a durable record. An approval gate makes the human decision a required, fail-closed merge condition and emits a tamper-evident receipt naming the signer, the action, and the time.
What does fail-closed mean for a CI approval gate?
Fail-closed means that on any error — gate unreachable, approval expired, request malformed — the merge status stays red or pending and never falsely turns green. The safe default is to block.
Last updated: June 15, 2026. Permission Protocol is the external authorization layer for AI agent actions — per-action human approval and tamper-evident receipts. See the OWASP Agentic Top 10 mapping for the full control coverage.