Agents propose, humans approve
An AI teammate you can't see is a liability. One that proposes, waits for a yes, and writes down what it did is leverage. The line is governance.
Key takeaways
- An autonomous agent that acts without asking is indistinguishable from a bug with initiative: the failure mode of software is a wrong value in one row, but the failure mode of an unsupervised agent is a wrong value in a thousand rows before anyone notices, so the right default is propose-and-wait, not act-and-apologize.
- Propose/approve is not a speed bump but a contract — the agent does the expensive thinking (read the backlog, draft the re-triage, write the changelog) and the human keeps the one cheap, irreversible decision (yes), so you get the agent's throughput without ceding the judgment that throughput is worthless without.
- Every action an agent takes — proposed, approved, or auto-run under a granted scope — must land in the same audit trail as a human's, because an AI teammate you cannot reconstruct after the fact is one you cannot trust before it, and 'what did the AI do' should be answered by a query, not a shrug.
- Scope the authority, not the intelligence: let the model be as smart as it can be, but bound what it's allowed to touch through a capability registry and a propose/approve broker, so a security review answers 'what can your AI do' with a finite list instead of a leap of faith.
The default is the whole argument
Every AI feature ships with a default, and the default is the entire ethical and practical content of the feature. An agent that acts first and reports later has decided, on your behalf, that its judgment is good enough to skip the part where a human looks. An agent that proposes first and waits has decided the opposite. Everything else — the model, the prompt, the tool list — is implementation detail next to that one choice.
We picked the second default and built the whole platform around it: agents propose, humans approve. Not because the model is dumb — it is often startlingly good — but because the cost of being wrong is asymmetric. A good proposal you approve in two seconds costs you almost nothing. A bad action you discover in two days can cost you the trust of everyone whose work it touched. When the downside dwarfs the upside, you make the upside ask permission.
A bug with initiative
Ordinary software fails in a bounded way: a wrong value lands in one row, a function returns the wrong number, and a human eventually notices and files an issue. An autonomous agent fails differently. Given a tool and a goal and no checkpoint, it will pursue the goal with perfect, tireless confidence straight through the misunderstanding — and re-triage four hundred issues, reassign a team, or close a quarter's worth of work before anyone is in the room to say wait.
This is not a reason to distrust AI. It is a reason to put a human at the exact point where the action becomes irreversible. The agent can read everything, reason about everything, and draft anything — that is where its leverage lives, and we want all of it. What it should not do is be the last signature on a change that can't be taken back. Propose-and-wait turns 'a bug with initiative' back into 'a draft someone reviewed,' which is a category of problem teams already know how to handle.
Approval is a contract, not a speed bump
The objection writes itself: if a human has to approve everything, haven't you thrown away the speed that made the agent worth having? No — because you have not split the work down the middle, you have split it along the seam where the value actually is. The expensive part of most operations is the thinking: reading the whole backlog, noticing the duplicate cluster, drafting the re-triage, composing the changelog in the team's voice. The agent does all of that. What's left for the human is the one cheap, irreversible bit: yes.
That is a good trade, not a grudging one. You get the agent's throughput on the laborious 95% and keep the judgment on the decisive 5%, and the approval step is fast precisely because the proposal is good — a clear diff, a stated rationale, a bounded blast radius. Done right, propose/approve doesn't feel like supervising a junior. It feels like a teammate who does the homework and hands you a one-line decision, which is the most leveraged thing software has ever offered a manager.
If it isn't in the log, it didn't happen
Trust in an AI teammate is built the same way trust in a human one is: by being able to reconstruct what they did and why. So every action an agent takes flows through the same audit trail a person's would — the proposal, who approved it, when, and the exact change it made. A proposal that's auto-approved under a scope you granted earlier writes a row too. There is no privileged path where the AI acts and the record stays silent.
This is the unglamorous half of governance and the half that actually matters. Anyone can demo an agent doing something impressive. The question that decides whether it gets turned on in a real company is 'can you show me everything it has ever done,' and the only acceptable answer is a query that returns rows. An audit trail you can't produce after the fact is an agent you can't justify before it. We treat the log as a first-class product surface, not a debugging afterthought, because it is the thing that lets a cautious team say yes.
Scope the authority, not the intelligence
The instinct when an agent scares you is to make it dumber — restrict the model, narrow the prompt, clip its reasoning. That's backwards. You want the model as capable as it can be; what you want to bound is not how well it thinks but what it is allowed to touch. Those are different dials, and conflating them gives you an agent that's both timid and unaccountable — the worst of both.
So capability lives in a registry — a finite, inspectable list of tools, each flagged for whether it's destructive — and authority lives in a broker that enforces propose/approve on anything that can't be undone. A session without the destructive capability doesn't get a refusal buried in prose; it gets a structured 'approval required' it can route to a human. The upshot is an answer to the question every security review eventually asks: what can your AI actually do? Not 'trust us, it's careful' — a list, a boundary, and a log. Make the intelligence unbounded and the authority bounded, and you get an agent that is genuinely useful and genuinely safe to switch on, which is the only kind worth shipping.