Human oversight

Dial agent autonomy — with a risk floor it can never cross.

Set how far each agent can act on its own, from suggest-only to autonomous. The action's own risk policy is always a floor: oversight can only make a decision stricter, never weaker — and every override is an audited break-glass.

oversight ▸ agent → tenant default → platform default (execute_low_risk)

Oversight Modes
risk floorsuggest_onlydraftexecute_low_riskexecute_with_reviewautonomous
oversight ▸ risk gate is a floor — autonomy can only tighten it
The problem

“Autonomous” and “hands-off” are not the same setting.

Most teams treat agent autonomy as a single on/off switch — either a human approves everything (and the agent is useless) or the agent acts freely (and nobody is accountable). Cortex makes autonomy an explicit, per-agent, auditable dial, resolved agent → tenant default → platform default, with the action's risk policy as a hard floor underneath it.

decideApproval(action, mode) pure, tested decision matrix
The five oversight modes

One dial, five stops — from propose-only to fully autonomous.

Each mode is set per agent (or as a tenant / platform default). The agent run it governs is the machine actor; the human approval queue it routes to is the app/human surface.

suggest_only
  • Agent may only propose actions
  • Every action pends for a human
  • Zero autonomous execution
draft
  • Agent drafts the action and its evidence
  • All proposals still pend
  • Reviewer approves the prepared work
execute_low_risk
  • Low-risk actions auto-execute
  • Medium and high risk pend
  • Platform default if nothing is set
execute_with_review
  • Low + medium execute (flagged reviewRequired)
  • High risk still pends
  • After-the-fact review, not a blocker
autonomous
  • Executes anything within policy
  • Only the action's own floor pends
  • Never overrides requiresApproval
Resolution order
  • Agent-specific mode wins first
  • Else the tenant default applies
  • Else platform default: execute_low_risk
The risk gate is a floor

Oversight can tighten a decision — it can never loosen one.

Every action carries its own risk tier and a requiresApproval gate. That gate is the floor. No matter how far the autonomy dial is turned, a high-risk or approval-required action always lands in the human approval inbox. Setting an agent to autonomous removes the optional human checks — it never removes the mandatory one.

  • The action's requiresApproval gate always pends, in every mode
  • Oversight is applied at propose() time inside the Action Fabric
  • Decisions emit a reviewRequired flag for after-the-fact review
Action Fabric
Dry-run
Refund $240
risk: low · evidence
Proposed
Close case #4471
risk: med · evidence
Pending approval
Payout $5,000
risk: high · evidence
Executed
Email customer
risk: low · evidence
actions ▸ dry-run → propose → approve → execute → compensate
How a proposal is decided

From a proposed action to executed — or held.

When an agent proposes an action, Cortex resolves the proposing agent's oversight mode and applies the pure decideApproval(action, mode) function, on top of the action's own risk floor.

  1. 01

    Agent proposes

    A machine actor proposes an action through the Action Fabric, carrying its risk tier and requiresApproval flag.

  2. 02

    Resolve the mode

    Cortex resolves the agent's oversight mode: agent-specific → tenant default → platform default (execute_low_risk).

  3. 03

    Decide

    decideApproval applies the mode against the floor — auto-execute, execute-with-reviewRequired, or pending_approval.

  4. 04

    Route & record

    Held actions go to the human approval inbox; every decision (and decidedBy) is recorded in the audit ledger.

Audited break-glass

An emergency override that leaves a permanent record.

Sometimes a pending action must execute now — an incident, a deadline, a stuck case. Break-glass force-executes a pending_approval invocation, but only for a platform admin, and only with a mandatory written reason that becomes part of the audit trail.

Admin-only
  • POST /v1/actions/:id/break-glass
  • Requires a platform-admin session (AdminGuard)
  • Setting modes is admin-only too; reads stay tenant-scoped
Mandatory reason
  • A written reason is required — no silent overrides
  • Records decisionReason="break-glass: …"
  • Records decidedBy — who pulled the handle
Provable
  • Emits an ActionBreakGlass event
  • Flows into the tamper-evident Trust Ledger
  • Every override is replayable for an auditor
pending_approvalbreak-glass · executed
Security & compliance

Oversight your auditors can sign off on.

Admin-gated mode changes, mandatory break-glass reasons, and an immutable record of every decision — aligned with the human-oversight expectations in the frameworks your reviewers already use.

EU AI ActNIST AI RMFISO 42001SOC 2FINRAGDPR

Give every agent exactly as much rope as you intend.

Set the dial per agent, keep the floor non-negotiable, and prove every override — without slowing your team down.