The Case for Human Oversight
Full autonomy is not always desirable. An AI agent that can spend money, send legal documents, or interact with government systems should not operate without oversight. Human-in-the-loop (HITL) is the principle that certain actions require explicit human approval before execution — not as a bottleneck, but as a safety mechanism.
The challenge is calibration: too much human oversight defeats the purpose of automation, while too little exposes owners to unacceptable risk. Effective HITL systems make the threshold configurable — owners define which actions auto-approve and which require their sign-off.
How Approval Workflows Work
In OpenLeash, the approval workflow follows a predictable sequence:
- Agent requests authorization — The agent calls POST /v1/authorize with the action details.
- Policy evaluates to REQUIRE_APPROVAL — The authorization engine determines this action needs human sign-off.
- Approval request created — OpenLeash creates an approval request record with the full action context.
- Owner is notified — Via the web portal, push notifications, or webhooks; the agent can also poll for status.
- Owner reviews and decides — The owner sees the action details and approves or denies.
- Agent receives the decision — If approved, OpenLeash issues a time-limited approval token. If denied, the agent is informed and should not proceed.
The entire flow is asynchronous. The agent can continue other work while waiting for approval, and owners can review requests on their own schedule.
Step-Up Authentication
Some actions go beyond simple approval. Regulated filings, large financial transactions, or actions with legal consequences may require the owner to verify their identity before the agent can proceed. This is step-up authentication — a higher bar than a simple "approve" button.
OpenLeash supports step-up through the REQUIRE_STEP_UP decision type. When a policy triggers this decision, the owner must complete an identity verification flow (such as Swedish BankID, SMS OTP, or email verification) before the action is authorized. The verification result is recorded as a cryptographic attestation token.
This creates a strong audit trail: not just "the owner approved" but "the owner verified their identity via BankID at this timestamp, and here is the cryptographic proof."
Configuring Escalation Policies
The boundary between "auto-approve" and "require approval" is defined in YAML policies. A typical escalation pattern uses cost thresholds:
- Actions under $50 from trusted vendors — auto-approve
- Actions between $50 and $500 — require human approval
- Actions over $500 — require step-up authentication
- Actions with untrusted counterparties — always require approval
These thresholds are fully configurable per agent, per action type, and per counterparty. Organizations can define org-wide policies that apply to all agents, while individual owners can add agent-specific overrides.
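The escalation pattern above, sketched as a Python evaluator that combines the rules by taking the strictest decision. This is an added example, not OpenLeash's policy engine or its YAML schema; the field names `amount_usd` and `counterparty`, the `ALLOW` decision name, and the choice to fail closed to step-up on an unpriceable action are assumptions.

```python
from decimal import Decimal, InvalidOperation
from enum import IntEnum


class Decision(IntEnum):
    # Ordered by strictness so max() picks the most restrictive outcome.
    ALLOW = 0              # assumed name for "auto-approve" (not from the page)
    REQUIRE_APPROVAL = 1
    REQUIRE_STEP_UP = 2


APPROVAL_FROM = Decimal("50")    # $50 up to and including $500: human approval
STEP_UP_ABOVE = Decimal("500")   # strictly over $500: step-up authentication


def evaluate(action: dict, trusted_vendors: frozenset) -> Decision:
    """Return the strictest decision that any rule demands for this action."""
    try:
        # Decimal avoids float rounding right at the $50 / $500 boundaries.
        amount = Decimal(str(action["amount_usd"]))
    except (KeyError, InvalidOperation):
        # Fail closed: an action that cannot be priced is never auto-approved.
        return Decision.REQUIRE_STEP_UP
    if not amount.is_finite() or amount < 0:
        return Decision.REQUIRE_STEP_UP

    decisions = [Decision.ALLOW]
    if amount > STEP_UP_ABOVE:
        decisions.append(Decision.REQUIRE_STEP_UP)
    elif amount >= APPROVAL_FROM:
        decisions.append(Decision.REQUIRE_APPROVAL)
    # Untrusted counterparties always need a human, whatever the amount.
    if action.get("counterparty") not in trusted_vendors:
        decisions.append(Decision.REQUIRE_APPROVAL)
    return max(decisions)


if __name__ == "__main__":
    trusted = frozenset({"acme-supplies"})  # constructed sample data
    samples = [
        {"amount_usd": "49.99", "counterparty": "acme-supplies"},
        {"amount_usd": "50", "counterparty": "acme-supplies"},
        {"amount_usd": "20", "counterparty": "unknown-llc"},
        {"amount_usd": "900", "counterparty": "unknown-llc"},
        {"counterparty": "acme-supplies"},  # amount missing
    ]
    for s in samples:
        print(s, "->", evaluate(s, trusted).name)
```

Taking the maximum means an untrusted counterparty can raise a decision but never lower it, so a large payment to an unknown party still lands on step-up rather than plain approval.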
Real-Time Notifications
Approval workflows are only effective if owners are notified promptly. OpenLeash supports multiple notification channels:
- Web portal — The owner GUI shows pending approval requests with full action context.
- Push notifications — Mobile push via FCM for immediate alerts (available in OpenLeash Pro).
- Webhooks — HTTP callbacks to external systems for integration with Slack, email, or custom dashboards.
- Polling — The agent SDK can poll for approval status at configurable intervals.
Audit Trail and Compliance
Every approval decision is recorded in the append-only audit log. The log captures who approved, when, from what device, and through which verification method. This is critical for regulated industries where proof of human oversight is a compliance requirement.
Combined with PASETO proof tokens, the audit trail creates end-to-end accountability: from the agent's request, through the owner's approval, to the counterparty's verification. Every step is cryptographically linked and independently verifiable.