Agentic AI · Safe Autonomy

Not less autonomy.
Better handoffs.

Human-in-the-loop isn't a safety blanket bolted onto the end of a workflow — it's the design layer that decides exactly when an agent should keep going and when it should stop and ask. Teams have invested heavily in evals, tracing, and prompting. Almost nobody engineers this layer on purpose, and it's one of the practical reasons agent projects stall at the pilot stage.

overview SLIDE 01 — HUMAN IN THE LOOP Cover slide: Human in the Loop for AI Agents
Quick answer

Human-in-the-loop (HITL) is a design pattern where an AI agent works autonomously through most of a task but pauses, escalates, or requests confirmation at defined decision points, rather than running fully unsupervised or requiring approval for everything. It works through three approval patterns — pre-action (approve before anything external happens), post-action (review after execution), and confidence-based (escalate only when uncertainty or risk crosses a threshold) — layered with a risk classification that reserves mandatory human approval for actions where a mistake would actually cost more than the automation saves. The industry isn't moving toward full unsupervised autonomy; it's moving toward selective autonomy — agents that handle the repeatable, high-context work reliably, and reliably surface the moments where human judgment still matters.

definitions SLIDE 02 — IN-THE-LOOP, ON-THE-LOOP, IN-COMMAND Three human oversight models: in-the-loop, on-the-loop, in-command
Three oversight models, often in the same workflow

Oversight is a property of the decision, not a global setting

Picture an airline rebooking agent that reroutes most disrupted passengers automatically. It hits a first-class passenger on an international itinerary with a loyalty-tier override and a fare class requiring manual reissuance — recognizes the policy boundary, pauses, and routes an approval request to a senior agent. That's human-in-the-loop.

Meanwhile a supervisor watches the overall rebooking flow for anomalies — unusually high costs, a pattern of picking expensive alternatives — without reviewing every individual case. That's human-on-the-loop. A senior operator who can override the whole system's policy is human-in-command. All three routinely coexist in one system; the level applied to any given decision is determined dynamically by its risk, context, and policy — not fixed for the whole agent.

the gap SLIDE 03 — THE LAYER MOST TEAMS SKIP Human-in-the-loop as the missing layer in the production agent stack
Not a capability problem

Well-evaluated agents still stall without this

Evaluation harnesses, tracing, and prompt engineering are all reasonably well covered in a modern agent stack. The layer that decides when an agent should stop and ask a person is, for most teams, not — and that omission isn't cosmetic. It's one of the practical reasons agent projects work fine in a demo and never make it past the pilot.

A lot of teams implement approval as a vague safety blanket: one manual review step tacked onto the end of a workflow, labeled governance, and then wonder why users abandon the feature. A better pattern reviews the specific decision that needs judgment, not the entire run.

The core mechanics

Three approval patterns cover almost every case

Each answers a different question about timing: before the action, after it, or only when something crosses a threshold.

mechanics SLIDE 04 — PRE-ACTION, POST-ACTION, CONFIDENCE-BASED Three approval patterns: pre-action, post-action, and confidence-based
Match the pattern to the cost of being wrong

Approve before, review after, or escalate on trigger

Pre-action holds the agent's proposed action for approval before anything external happens — right for irreversible or high-blast-radius actions. Post-action lets the agent execute and surfaces the result for review afterward — right when speed matters more than a pre-check and mistakes are cheaply reversible. Confidence-based runs the agent normally until it hits genuine uncertainty, a policy boundary, or missing information, then routes only that moment to a human — the pattern that scales best once volume grows past what constant pre-approval can sustain.

classification SLIDE 05 — CLASSIFY BY RISK, NOT CONFIDENCE ALONE Four-tier risk classification for agent actions
The cost of a mistake, not the model's own certainty

Reserve mandatory approval for where it earns its cost

Classifying actions by their actual risk — rather than by how confident the model claims to be — reserves mandatory human approval for the cases where the cost of a mistake genuinely exceeds the value the automation provides. A read-only lookup and an irreversible external transaction shouldn't sit behind the same gate.

TIER A
Read-only

No side effects; automate freely with basic logging only.

TIER B
Reversible

Can be undone cheaply; post-action review is usually sufficient.

TIER C
External

Affects a system or person outside the org; pre-action review recommended.

TIER D
High-risk / irreversible

Cannot be undone; mandatory human approval before execution, no exceptions.

calibration risk SLIDE 06 — WHY VERBAL CONFIDENCE ISN'T ENOUGH Why an agent's stated confidence is not a reliable escalation signal
The math that justifies mandatory gates

Miscalibration compounds across a chain

An agent stating "90% confident" is not the same thing as being right 90% of the time — verbal confidence alone is not a safe signal to escalate on. The problem compounds badly across multi-step agent chains: if each step in a three-step chain is miscalibrated by around fifteen percentage points, a claimed ninety percent per-step confidence can imply the probability all three steps were actually correct is closer to forty percent.

That's the quantitative case for hard gates on consequential actions — not a soft best-practice suggestion, but a direct consequence of how confidence errors stack across a chain of dependent decisions.

Turning a threshold into a workflow

Three escalation tiers, each with its own SLA

Without defined response times, approval queues grow unbounded and agents stall waiting on a human who never knew they were being waited on.

SLA design SLIDE 07 — ESCALATION TIERS AND SERVICE LEVELS Three escalation tiers with defined SLAs and reviewer authority
Allocate reviewer capacity proportionally

Not every escalation deserves the same urgency

Tiered SLAs let the business point its scarcest resource — senior reviewer attention — at what actually needs it fastest, while routine reviews still get handled within a bounded window instead of drifting indefinitely.

Tier 1 · Standard

4-hour SLA

Confidence 0.6–0.8, moderate risk. Reviewed by a team member. Most actions in this tier are approved unchanged — the value is the human check, not deep analysis.

Tier 2 · Elevated

1-hour SLA

Confidence below 0.6, or high blast radius. Reviewed by a team lead, who may request more context or modify the proposed action before approving.

Tier 3 · Executive

15-minute SLA

Compliance exposure, legal risk, or critical infrastructure. Reviewed by a designated authority, typically with an automatic page or alert.

infrastructure SLIDE 08 — ASYNC-FIRST BY DEFAULT Async-first infrastructure design for human approval gates
Real infrastructure doesn't wait politely

Synchronous approval collides with real systems

Holding a live connection open while a human decides sounds simple, but it collides with gateway timeouts, token expiry, and stale cursors the moment a review takes longer than a few seconds — which, for anything requiring real judgment, it usually does.

The pattern that survives real infrastructure is durable, state-managed interruption: the agent's work-in-progress state is persisted with an idempotency key, the approval request is queued, and execution resumes cleanly whenever the human responds — in five minutes or five hours. Roughly two-thirds of production agents already tolerate minute-plus latency on a given step, which is exactly the room async-first design needs to work.

What kills a HITL program

Three patterns derail oversight more than any technical issue

None of these are infrastructure problems. All three are design and calibration problems that show up only after real usage begins.

common pitfalls SLIDE 09 — WHY HITL PROGRAMS FAIL Common failure patterns that derail human-in-the-loop programs
Watch the queue, not just the model

The queue tells you what the model can't

  • Notification fatigue — too many low-value approvals train reviewers to rubber-stamp, which defeats the entire point of the gate
  • Feedback that doesn't feed back — approval and rejection signals that never change future agent behavior waste every correction a human makes
  • Static gates — launch conservative, but review the queue weekly; loosen a gate only once an action has accumulated a real track record of clean executions, not on a fixed schedule
scaling SLIDE 10 — OVERSIGHT THAT SCALES WITH THE FLEET Summary: scaling human oversight to thousands of agents through versioned policy
From 10 agents to 10,000

Version the policy the same way you version the code

The scaling question isn't hypothetical for long: how do you maintain real oversight once an organization is running thousands of agents at once, not a handful? The answer that holds up is treating approval rules, escalation semantics, and reviewer assignments as versioned artifacts — testable in staging, replayable against historical traces, deployable with rollback, just like application code.

Designed well, human-in-the-loop is what lets agents handle the large majority of repeatable, high-context work on their own, while a human keeps deliberate, engineered control over the smaller share of decisions that actually define the business. That trade — not full autonomy, not full manual review — is the whole point.

Frequently asked

Human-in-the-loop FAQ

Human-in-the-loop means a specific decision pauses and routes to a person for approval before it proceeds. Human-on-the-loop means a person monitors the overall system for anomalies without reviewing every individual decision. Both models can coexist in the same workflow, with the level applied determined dynamically by the risk of each decision.

Pre-action (the agent's proposed action is held for approval before anything external happens), post-action (the agent executes and the result is reviewed afterward), and confidence-based (the agent runs normally until it hits a defined uncertainty or risk threshold, then escalates only that moment).

Because verbal confidence is often poorly calibrated, and the error compounds across multi-step chains — a claimed 90% per-step confidence across three dependent steps, each miscalibrated by around 15 percentage points, can imply a true probability of all three being correct closer to 40%. Risk-based hard gates, not confidence thresholds alone, are the more reliable control.

Typically in tiers matched to urgency and authority: a standard tier for moderate-risk, moderate-confidence actions with a several-hour response window, an elevated tier for low-confidence or high-blast-radius actions with a roughly one-hour window reviewed by a team lead, and an executive tier for compliance, legal, or critical-infrastructure exposure with a near-immediate response window and an automatic alert.

Because holding a live connection open while waiting for a human decision collides with gateway timeouts, token expiry, and stale cursors once a review takes more than a few seconds — which real judgment calls usually do. Async-first design persists the agent's state with an idempotency key and resumes execution cleanly whenever the human responds, rather than keeping a fragile connection alive.

Most commonly notification fatigue from too many low-value approval requests, which trains reviewers to rubber-stamp instead of actually evaluating; approval and rejection decisions that never feed back into improving agent behavior; and gates that stay static instead of loosening only once an action has built a genuine track record of clean executions.

Get started

Ready to design your agent's approval gates?

Classify actions by risk, not confidence alone, set escalation SLAs before a queue ever backs up, and design for async from day one.