Definition
Propose / Approve (AI Governance)
Propose/approve is a governance pattern for autonomous software: instead of executing a consequential action directly, an AI agent emits it as a proposal that a human or policy must approve before it runs. It keeps fast, read-only work autonomous while gating destructive or irreversible operations — the practical way to give agents real power without surrendering control.
Key takeaways
- Propose/approve is a governance pattern: an AI agent emits a consequential action as a proposal a human or policy must approve before it runs.
- It keeps fast, reversible, read-only work autonomous while gating destructive or irreversible operations behind a checkpoint.
- The gate is a property of the action (a registry marks each tool destructive or safe), so it can't be talked around with clever prompting.
- Far from a brake, it's an enabler — safely containing dangerous actions lets operators grant agents much broader reach.
As AI agents gain the ability to change data, the question stops being 'can the model do this' and becomes 'should it, unsupervised.' Propose/approve answers that by splitting an agent's capabilities in two. Low-stakes, reversible, read-mostly actions execute immediately, because blocking them would make the agent useless. High-stakes actions — deleting, bulk-editing, sending something external — are instead packaged as a proposal: a described, reviewable intent that waits for a yes.
The pattern's power is that the gate is a property of the action, not the prompt. Whether an operation needs approval is decided by a registry that marks each tool destructive or safe, so the boundary can't be talked around by clever phrasing — the model literally cannot run a gated tool without the approval step. Approvals can be granted by a person in the moment or by a policy that auto-approves within set bounds, and either way the decision is recorded.
Done well, propose/approve turns governance from a brake into an enabler. Because the dangerous actions are safely contained, operators can grant agents far broader reach than they otherwise would, knowing the irreversible steps always pass through a checkpoint. The audit trail of proposals and approvals then doubles as a record of exactly what the agent tried and what a human sanctioned.
In Planoda, destructive agent tools (delete, bulk-archive, bulk-update) are routed through a propose/approve guardrail driven by the tool registry's destructive flag, and every proposal and approval is written to the audit trail alongside human actions — so agent power scales without ever bypassing oversight.
Related terms
- AI AgentAn AI agent is a software system that uses a large language model to pursue a goal across multiple steps — reading context, choosing tools, and taking actions — rather than answering a single prompt. In a work platform, agents triage issues, draft updates, and execute multi-step tasks as autonomous teammates, bounded by the permissions and approvals their operators set.
- Audit TrailAn audit trail is an append-only, time-ordered record of who did what, when, and to which object across a system. Every create, edit, delete, and approval is logged immutably, so any state can be traced back to the actions that produced it. Audit trails underpin accountability, debugging, compliance, and — increasingly — oversight of what AI agents do.
- MCP ServerAn MCP server implements the Model Context Protocol, an open standard that lets AI assistants connect to external tools and data through a uniform interface. Rather than building a bespoke integration per assistant, a tool exposes one MCP server describing its available actions and resources, and any MCP-capable AI can discover and use them safely.
- Row-Level Security (RLS)Row-level security (RLS) is a database feature that restricts which rows a query can read or modify based on the current user or context. Instead of relying solely on application code to filter data, the database itself enforces access policies on every query — a strong defense for multi-tenant systems where one workspace's data must never leak to another.