The promise of AI agents is automation—letting machines handle tasks that used to require human attention. But full autonomy isn't always desirable or safe. Human-in-the-loop (HITL) patterns let you capture the benefits of AI automation while maintaining appropriate human oversight.
This guide explores different HITL patterns, when to use each one, and how to implement them effectively in production AI agent systems.
1. Why Human-in-the-Loop?
AI agents are powerful but imperfect. They can misunderstand context, make confident mistakes, or take actions that are technically correct but wrong for the situation. Human oversight addresses these risks.
The Case for Human Oversight
- Accountability — Someone is responsible when things go wrong
- Context — Humans understand nuances AI might miss
- Trust building — Oversight helps organizations gain confidence in AI systems
- Compliance — Many regulations require human review for certain decisions
- Error correction — Catch mistakes before they cause damage
The Cost of Too Much Oversight
But oversight has costs. Every approval gate slows things down and requires human attention. Too much oversight defeats the purpose of automation:
- Bottlenecks — Approvers become overwhelmed, creating delays
- Alert fatigue — Too many approvals leads to rubber-stamping
- Lost value — If humans review everything, why use AI?
The Right Balance
The goal is surgical human involvement—oversight where it matters most, autonomy everywhere else. This requires thoughtful design of when and how humans get involved.
2. Core HITL Patterns
There are four fundamental patterns for human involvement in AI workflows. Each serves different risk profiles and operational needs.
Pre-execution Approval
Human reviews and approves before the AI takes action
Best for: High-risk operations like deployments or financial transactions
Post-execution Review
AI acts autonomously, human reviews outcomes afterward
Best for: Lower-risk operations where speed matters
Exception-based Escalation
AI operates autonomously until it encounters uncertainty
Best for: Routine tasks with occasional edge cases
Graduated Autonomy
AI earns more autonomy based on track record
Best for: Building trust over time with new AI systems
Pattern 1: Pre-execution Approval
The AI proposes an action, then waits for human approval before executing. This is the most conservative pattern and appropriate for high-stakes operations.
Flow:
1. AI analyzes situation and proposes action
2. Proposal sent to approval queue
3. Human reviews context + proposed action
4. Human approves, denies, or requests changes
5. If approved, AI executes the action
Example: Production deployment
- AI: "Ready to deploy v2.3.1 to production.
Changes: 3 bug fixes, 1 new feature.
Risk: Low. Tests passing."
- Human: [Reviews diff, approves]
- AI: [Deploys to production]Pattern 2: Post-execution Review
The AI acts autonomously, but all actions are logged for human review. Humans can reverse problematic actions or flag issues for investigation.
Flow: 1. AI analyzes situation and takes action 2. Action logged with full context 3. Human periodically reviews action log 4. Human can reverse actions or flag for review Example: Auto-scaling - AI: [Scales web tier from 3 to 5 replicas] - AI: [Logs: "Traffic spike detected, added capacity"] - Human: [Reviews daily, sees reasonable decision]
Pattern 3: Exception-based Escalation
The AI operates autonomously within defined boundaries. When it encounters uncertainty or edge cases, it escalates to humans rather than guessing.
Flow: 1. AI evaluates whether action is within its confidence bounds 2. If confident: execute autonomously 3. If uncertain: escalate to human with context Example: Customer support - Customer: "I want a refund for my order" - AI: [Checks: Order < 30 days, no prior refunds] - AI: [Confident, processes refund automatically] - Customer: "I want a refund but I've had 5 refunds this year" - AI: [Uncertain, escalates to human] - AI: "Unusual refund pattern detected. Please review."
Pattern 4: Graduated Autonomy
The AI starts with heavy oversight, earning more autonomy as it demonstrates competence. This builds trust over time and catches issues early.
Autonomy Levels: Level 0: All actions require approval Level 1: Low-risk actions autonomous, high-risk need approval Level 2: Most actions autonomous, only critical need approval Level 3: Full autonomy with post-hoc review Progression Rules: - Advance after N successful actions without issues - Demote after any significant error - Regular human audits at all levels
3. When to Require Human Review
Deciding when to require human approval is both art and science. Here's a framework for making these decisions systematically.
Risk-Based Triggers
- Irreversibility — Actions that can't be undone (deleting data, sending emails)
- Blast radius — Actions affecting many users or systems
- Cost — Actions with significant financial impact
- Compliance — Actions in regulated domains
- Novelty — Situations the AI hasn't seen before
Confidence-Based Triggers
- Low confidence — AI is uncertain about the right action
- Conflicting signals — Evidence points in different directions
- Missing context — AI lacks information to make good decisions
- Ambiguous instructions — User intent is unclear
Policy-Based Triggers
# safety-policy.yaml
rules:
# Production changes always need approval
- name: production-approval
match:
environment: production
action_type: [deploy, scale, delete]
decision: REQUIRE_APPROVAL
# Large transactions need review
- name: large-transactions
match:
capability: payment
amount_usd: { gt: 10000 }
decision: REQUIRE_APPROVAL
# Bulk operations need review
- name: bulk-operations
match:
affected_records: { gt: 1000 }
decision: REQUIRE_APPROVAL4. Designing Approval Workflows
An approval workflow is more than a yes/no gate. Well-designed workflows provide context, enable informed decisions, and handle edge cases gracefully.
Workflow Components
Context Package
What information does the approver need? Include relevant history, current state, and proposed action.
Routing Rules
Who should approve? Route based on expertise, availability, and separation of duties.
Timeout Handling
What happens if no one responds? Auto-deny, escalate, or retry based on risk.
Modification Support
Can approvers modify the proposed action? Enable constrained changes vs. full reject/resubmit.
Example: Multi-stage Approval
# workflow: production-deploy
steps:
- id: ai-analysis
type: worker
config:
capability: deployment-analyzer
- id: tech-review
type: approval
depends_on: [ai-analysis]
config:
approvers: [tech-lead, senior-engineer]
require: 1
timeout: 4h
on_timeout: escalate
- id: security-review
type: approval
depends_on: [ai-analysis]
config:
approvers: [security-team]
require: 1
timeout: 8h
on_timeout: deny
- id: deploy
type: worker
depends_on: [tech-review, security-review]
config:
capability: kubernetes-deploy5. Approver Experience
The approval interface dramatically affects decision quality. Poor UX leads to rubber-stamping or excessive delays. Good UX enables quick, informed decisions.
Information Hierarchy
Present information in order of importance:
- Action summary — What will happen in one sentence
- Risk assessment — Why this needs approval
- Key context — Most relevant details
- Full details — Expandable for deep investigation
Decision Support
- Diff view — Show what will change
- Simulation results — What would happen in dry-run
- Historical precedent — Similar past decisions and outcomes
- AI reasoning — Why the AI proposed this action
Quick Actions
- One-click approve — For straightforward cases
- Approve with note — Document reasoning
- Request changes — Send back with feedback
- Delegate — Route to someone else
- Deny with reason — Block and explain why
Avoid Alert Fatigue
If approvers see hundreds of requests per day, they'll start rubber-stamping. Monitor approval rates and response times. If approvers are approving >95% of requests in under 10 seconds, you probably have too many low-value approval gates.
6. Anti-Patterns to Avoid
Approval Theater
Requiring approvals that don't actually provide oversight. If no one ever denies requests or asks questions, the approval step is just friction without value.
Information Overload
Dumping raw logs or full code diffs on approvers. They need curated, relevant information—not everything the system knows.
Single Point of Failure
Routing all approvals to one person. This creates bottlenecks and means nothing happens when that person is unavailable.
No Timeout Handling
Letting approval requests sit indefinitely. Define what happens after reasonable wait times— escalate, auto-deny, or auto-approve based on risk.
Unclear Criteria
Approvers don't know what they're supposed to check. Provide clear guidance on what constitutes a valid approval or denial.
7. Implementation Strategies
Start Conservative, Loosen Over Time
Begin with more oversight than you think you need. It's easier to remove approval gates than to add them after an incident.
Measure and Iterate
Track key metrics to optimize your HITL configuration:
- Approval rate — What percentage of requests are approved?
- Time to decision — How long do approvals take?
- Reversal rate — How often are approved actions later reversed?
- Miss rate — How often do problems slip through?
Policy as Code
Define approval requirements in version-controlled configuration. This makes rules auditable, testable, and consistent across environments.
# This configuration is version controlled
# Changes require PR review before deployment
approval_policies:
production:
default: REQUIRE_APPROVAL
exceptions:
- action: read_only_query
decision: ALLOW
- action: scale_up
condition: replicas < 10
decision: ALLOW
staging:
default: ALLOW
exceptions:
- action: delete
decision: REQUIRE_APPROVALIntegrate with Existing Tools
Route approval requests to where your team already works—Slack, Teams, PagerDuty, or your existing ticketing system. Don't make people check another dashboard.
Getting Started
Implementing HITL patterns effectively requires tooling that supports policy-based approval routing, contextual approval interfaces, and comprehensive audit trails.
Cordum provides all of these capabilities out of the box. The Safety Kernel evaluates every action against your policies and automatically routes to the right approval workflow.