- Agent may only propose actions
- Every action pends for a human
- Zero autonomous execution
Dial agent autonomy — with a risk floor it can never cross.
Set how far each agent can act on its own, from suggest-only to autonomous. The action's own risk policy is always a floor: oversight can only make a decision stricter, never weaker — and every override is an audited break-glass.
oversight ▸ agent → tenant default → platform default (execute_low_risk)
“Autonomous” and “hands-off” are not the same setting.
Most teams treat agent autonomy as a single on/off switch — either a human approves everything (and the agent is useless) or the agent acts freely (and nobody is accountable). Cortex makes autonomy an explicit, per-agent, auditable dial, resolved agent → tenant default → platform default, with the action's risk policy as a hard floor underneath it.
One dial, five stops — from propose-only to fully autonomous.
Each mode is set per agent (or as a tenant / platform default). The agent run it governs is the machine actor; the human approval queue it routes to is the app/human surface.
- Agent drafts the action and its evidence
- All proposals still pend
- Reviewer approves the prepared work
- Low-risk actions auto-execute
- Medium and high risk pend
- Platform default if nothing is set
- Low + medium execute (flagged reviewRequired)
- High risk still pends
- After-the-fact review, not a blocker
- Executes anything within policy
- Only the action's own floor pends
- Never overrides requiresApproval
- Agent-specific mode wins first
- Else the tenant default applies
- Else platform default: execute_low_risk
Oversight can tighten a decision — it can never loosen one.
Every action carries its own risk tier and a requiresApproval gate. That gate is the floor. No matter how far the autonomy dial is turned, a high-risk or approval-required action always lands in the human approval inbox. Setting an agent to autonomous removes the optional human checks — it never removes the mandatory one.
- The action's requiresApproval gate always pends, in every mode
- Oversight is applied at propose() time inside the Action Fabric
- Decisions emit a reviewRequired flag for after-the-fact review
From a proposed action to executed — or held.
When an agent proposes an action, Cortex resolves the proposing agent's oversight mode and applies the pure decideApproval(action, mode) function, on top of the action's own risk floor.
- 01
Agent proposes
A machine actor proposes an action through the Action Fabric, carrying its risk tier and requiresApproval flag.
- 02
Resolve the mode
Cortex resolves the agent's oversight mode: agent-specific → tenant default → platform default (execute_low_risk).
- 03
Decide
decideApproval applies the mode against the floor — auto-execute, execute-with-reviewRequired, or pending_approval.
- 04
Route & record
Held actions go to the human approval inbox; every decision (and decidedBy) is recorded in the audit ledger.
An emergency override that leaves a permanent record.
Sometimes a pending action must execute now — an incident, a deadline, a stuck case. Break-glass force-executes a pending_approval invocation, but only for a platform admin, and only with a mandatory written reason that becomes part of the audit trail.
- POST /v1/actions/:id/break-glass
- Requires a platform-admin session (AdminGuard)
- Setting modes is admin-only too; reads stay tenant-scoped
- A written reason is required — no silent overrides
- Records decisionReason="break-glass: …"
- Records decidedBy — who pulled the handle
- Emits an ActionBreakGlass event
- Flows into the tamper-evident Trust Ledger
- Every override is replayable for an auditor
Oversight is one gate in a fail-closed pipeline.
The autonomy dial sits on top of identity, policy, and the action lifecycle — and everything it decides is recorded for observation and proof.
Action Fabric
Where proposals become governed actions — dry-run → propose → approve → execute → compensate. Oversight is applied at propose time.
Policy-as-Code
Author the allow / deny / require_approval rules that set each action's risk floor before the dial is ever applied.
Agent IAM
Every agent is an identity with an owner and risk tier — the subject whose oversight mode is resolved at propose time.
Trust Ledger
Every approval, denial, and break-glass override lands in a tamper-evident, hash-chained ledger you can hand an auditor.
Control Tower
Watch the live approval queue across the fleet — and pause everything from one screen when you need to.
Observability
Score, replay, and debug every run — including the reviewRequired actions that executed without a blocking approval.
Oversight your auditors can sign off on.
Admin-gated mode changes, mandatory break-glass reasons, and an immutable record of every decision — aligned with the human-oversight expectations in the frameworks your reviewers already use.
Give every agent exactly as much rope as you intend.
Set the dial per agent, keep the floor non-negotiable, and prove every override — without slowing your team down.