Definition
Agent broker (propose/approve broker)
An agent broker is the runtime component that sits between an AI agent and the actions it wants to take, deciding per call whether to execute inline, require human approval, or refuse. It is where propose/approve governance is actually enforced — the gate is code in the request path, not a guideline in a prompt — so an agent literally cannot run a destructive tool without passing through it.
Key takeaways
- An agent broker intercepts every agent tool call and decides: run inline, require approval, or refuse.
- It makes governance structural — the gate is in the request path, so a prompt can't talk its way around it.
- As the single chokepoint, the broker is where provenance is recorded to the audit trail.
- Planoda routes both its MCP and runtime agent paths through one broker driven by the central tool registry.
Governance written into a system prompt is advisory; an agent can be talked around it. A broker makes the rule structural. Every tool call the agent issues is intercepted: the broker looks up whether the tool is marked destructive, checks the session's capabilities and budget, and then either lets the call run, packages it as a proposal awaiting sign-off, or returns a structured 'approval required' result. The model never gets to skip this step, because it is in the only path to the outside world.
Because the broker is the single chokepoint, it is also the natural place to record provenance. Whether an action runs inline, is auto-approved within policy bounds, or is held for a human, the broker writes the decision to the audit trail — so the record of what an agent tried and what was sanctioned is a byproduct of enforcement, not a separate logging effort.
Planoda's MCP and runtime agent paths both flow through one broker (`mcp-guardrail`) that reads the destructive flag from the central tool registry, denies capability-lacking sessions a structured approval-required result, and writes an `agent.proposal.*` audit row even for auto-approved operations — so the same gate governs internal and external agents alike.
Related terms
- Propose / Approve (AI Governance)Propose/approve is a governance pattern for autonomous software: instead of executing a consequential action directly, an AI agent emits it as a proposal that a human or policy must approve before it runs. It keeps fast, read-only work autonomous while gating destructive or irreversible operations — the practical way to give agents real power without surrendering control.
- Agent governanceAgent governance is the set of controls that make an AI agent's actions safe, attributable, and reviewable: human approval gates on consequential actions, an immutable audit trail of who approved what, role-based capability limits, and spend controls. It is the difference between an agent that suggests and one you can trust to act.
- Tool registryA tool registry is the single, authoritative catalog of the actions an AI agent may call, with each tool's name, typed arguments, and risk classification declared in one place. It is the source of truth a governance broker consults to decide whether a call is safe to run or must be gated — so capability and destructiveness are properties of the registry, not scattered per-caller decisions.
- Destructive action gatingDestructive action gating is the practice of classifying agent actions by reversibility and requiring explicit approval for the irreversible ones — delete, bulk-archive, bulk-update, external sends — while letting safe, read-mostly actions run freely. It is the operational core of agent governance: the boundary is drawn around the action, so no amount of clever prompting lets an agent quietly do something it can't undo.
- Agent audit logAn agent audit log is an immutable, append-only record of everything an AI agent did and proposed — each action, who or what approved it, when, and against which records — written to the same trail as human actions. It turns 'the agent did something' into an accountable, replayable history, and is what makes governed autonomy verifiable rather than merely promised.