Which actions should require human approval?

The four high-priority categories are: (1) Financial transactions, especially large amounts; (2) Data deletion — which is irreversible; (3) External communication — emails, messages to external parties; and (4) Infrastructure changes. SupraWall lets you define REQUIRE_APPROVAL policies for each category with different TTLs and approver channels.

Can approval requests be routed to different channels?

Yes. SupraWall supports three approval channels: the dashboard for centralized AI operations teams, Slack for engineering teams who live in Slack, and email for executive approvers. Different policies can route to different channels based on action category and risk level, ensuring approvals reach the right people.

Knowledge Hub • Human Oversight

Human-in-the-Loop
AI Agents.

Human-in-the-loop (HITL) for AI agents is the mechanism that pauses autonomous execution and routes high-stakes actions to a human reviewer before proceeding. SupraWall implements HITL via a policy-driven approval workflow that integrates with Slack, email, and the dashboard — satisfying EU AI Act Article 14 with under 200ms added latency on non-approval paths.

TL;DR

HITL is required under EU AI Act Article 14 for high-risk AI systems — technical oversight controls must be demonstrable, not just documented.
Not all actions need human review — use risk-based policies to target approvals at high-stakes categories only, keeping agents fast on routine tasks.
Approval requests should expire automatically to prevent stale decisions — a 15-minute-old approval may be irrelevant to the current agent context.
SupraWall HITL adds under 200ms to the decision path on non-approval paths, meaning routine tool calls are not penalized by the oversight layer.

Why Agents Need Human Oversight

The failure mode that keeps AI safety researchers awake at night is not the dramatic science-fiction scenario — it is the mundane one. A production agent given broad permissions and a high-level objective will, on a long enough timeline, encounter an ambiguous situation where its best interpretation of the task leads to a catastrophically bad outcome.

Consider a real scenario that multiple organizations have experienced in 2025-2026: an email agent tasked with “clearing the backlog” sends 10,000 automated messages to customers without any human review because no one explicitly told it that “backlog” meant the internal support queue rather than the entire unread inbox. There was no malice, no prompt injection, no security failure — just an LLM interpreting an instruction differently than the human intended, with no checkpoint to catch the divergence before execution.

The categories of failure are consistent across incidents: irreversibility (deleted records, sent emails, executed payments cannot be undone), scale amplification (an agent can make 10,000 API calls before a human notices, where a human would have noticed after 3), and context loss(the agent's understanding of the task may drift from human intent over a long-running session). HITL controls are the circuit breaker for all three.

The goal is not to require human approval for everything — that defeats the purpose of autonomous agents. The goal is to identify the specific action categories where the cost of an error is high enough that human judgment is worth the latency, and enforce approval exactly there. Everything else runs at full autonomous speed.

When to Require Approval

The four categories below represent the near-universal consensus across security frameworks, EU AI Act guidance, and real-world incident analysis. Any agent action that falls into one of these categories should have a REQUIRE_APPROVAL policy as the safe default.

Financial Transactions

Any tool call that initiates a payment, refund, credit, subscription change, or budget allocation. Dollar thresholds can be used to allow small transactions autonomously (e.g., under $50) while requiring approval for larger amounts.

Data Deletion

Deletion of database records, files, accounts, or configurations. The irreversibility of deletion makes it the highest-priority category for HITL controls. Soft-delete patterns can reduce urgency but don't eliminate it.

External Communication

Sending emails, Slack messages, SMS, or API calls to external parties. The reputational and legal risk of an agent communicating incorrectly on behalf of your organization requires human review on all external communications.

Infrastructure Changes

Scaling resources, deploying code, modifying IAM policies, changing DNS records, or any cloud operation that affects production system availability. Infrastructure mistakes have cascading effects that can be expensive and slow to reverse.

The Approval Workflow

When an agent attempts a tool call covered by a REQUIRE_APPROVAL policy, SupraWall pauses execution, creates an approval request, routes it to the configured reviewer channel, and holds the agent in a suspended state until a decision is made. The agent receives either a resumption signal (approved) or a deny response that it can handle in its error logic.

Policy Configuration

import suprawall

sw = suprawall.Client(api_key="sw_live_...")

# Define HITL policies by action category
policies = [
    # All Stripe charges require approval
    {
        "agent_id": "billing-agent",
        "tool": "stripe.charge",
        "action": "REQUIRE_APPROVAL",
        "approver_channel": "slack",
        "approver_slack": "#billing-approvals",
        "ttl_seconds": 900,  # 15 minutes or auto-deny
        "context_fields": ["amount", "customer_id", "description"],
    },
    # Bulk email requires approval; single replies are allowed
    {
        "agent_id": "support-agent",
        "tool": "email.send_bulk",
        "action": "REQUIRE_APPROVAL",
        "approver_channel": "email",
        "approver_email": "comms-review@company.com",
        "ttl_seconds": 3600,  # 1 hour
        "context_fields": ["recipient_count", "subject", "preview"],
    },
    # Infrastructure mutations require approval from infra team
    {
        "agent_id": "infra-agent",
        "tool": "aws.*",
        "condition": "action_type in ['create', 'delete', 'modify']",
        "action": "REQUIRE_APPROVAL",
        "approver_channel": "dashboard",
        "approver_group": "infra-team",
        "ttl_seconds": 1800,
    },
]

sw.apply_policies(policies)

Agent Behavior When HITL Triggers

from suprawall.exceptions import ApprovalRequired, ApprovalDenied, ApprovalExpired

try:
    # This triggers the REQUIRE_APPROVAL policy
    result = await agent.execute("charge customer $2,400 for annual plan renewal")

except ApprovalRequired as e:
    # Approval request has been sent — agent is suspended
    print(f"Approval pending: {e.request_id}")
    print(f"Routed to: {e.channel} ({e.approver})")
    print(f"Expires in: {e.ttl_seconds}s")
    # Agent state is preserved — execution resumes automatically if approved

except ApprovalDenied as e:
    # Human reviewer denied the action
    print(f"Action denied by {e.reviewer}: {e.reason}")
    # Handle gracefully — log, escalate, or inform user

except ApprovalExpired as e:
    # TTL expired before reviewer responded — auto-denied
    print(f"Approval request expired after {e.ttl_seconds}s")
    # Safe default: treat as denial

Approval Channels

Where approvals are routed determines whether HITL controls actually work in practice. A system that emails approvals to an inbox that reviewers check weekly is not a real oversight mechanism. SupraWall supports three channels, each designed for different organizational workflows and response time requirements.

Dashboard

Real-time approval queue in the SupraWall dashboard. Reviewers see the full action context, agent state, and policy match. One-click approve or deny with optional comment. Best for teams with a dedicated AI operations function.

Slack

Approval requests are posted to a designated Slack channel with action details and approve/deny buttons. Responses are processed in under 2 seconds. Best for engineering and ops teams who live in Slack. Supports thread-based discussion before decision.

Approval requests sent via email with a one-click approval/deny link that expires with the TTL. Best for executive approvers who need context-rich notifications. Supports mobile response. Not recommended as the sole channel for time-sensitive actions.

EU AI Act Article 14: Human Oversight

EU AI Act Article 14 — Human Oversight Requirement

Article 14 of the EU AI Act requires that high-risk AI systems be designed and developed in such a way that they can be effectively overseen by natural persons during the period of use. This means the oversight capability must be built into the system, not bolted on as a post-hoc monitoring dashboard.

Article 14(4) specifies that the oversight measures must enable persons to "decide not to use the AI system in a specific situation," to "override the output of the AI system," and to "intervene in the operation of the AI system." A HITL approval workflow directly implements all three requirements: the reviewer can deny an action (decide not to use), can modify the action parameters before approval (override output), and can pause the agent (intervene in operation).

Article 14(5) adds that where fully automated monitoring is not possible, the system must enable humans to exercise oversight based on understandable information. SupraWall's approval requests include the full action context — parameters, risk score, policy match reason, and agent session history — in a human-readable format specifically designed to enable informed decisions under time pressure.

SupraWall generates a compliance evidence package that maps each HITL configuration to Article 14 requirements, with approval logs and TTL configurations documented for inclusion in technical documentation required under Article 11.

Approval Expiry and Auto-Deny

One of the most commonly overlooked aspects of HITL design is approval TTL. An approval system without expiry has a critical failure mode: a reviewer approves an action hours or days after it was requested, by which point the agent's context has changed, the business conditions have changed, or the action is no longer appropriate — but it executes anyway because the approval is technically valid.

SupraWall enforces TTLs at the policy level. When a TTL expires before a decision is made, the request is automatically denied and the agent receives an ApprovalExpired exception. The safe default is always denial — an agent waiting indefinitely for approval should not be allowed to proceed just because no one got to the queue.

TTL recommendations by action category:

Action Category	Recommended TTL	Rationale
Financial (small, <$500)	15 minutes	Context changes quickly; low TTL forces timely review
Financial (large, >$500)	60 minutes	Higher stakes warrant more review time but not indefinitely
Data Deletion	30 minutes	Irreversibility demands fast response; longer creates risk
External Communication	60 minutes	Content may still be relevant; reviewer needs context time
Infrastructure Changes	30 minutes	Infrastructure state changes rapidly; stale approvals dangerous
Bulk Operations (any)	15 minutes	Volume amplification makes staleness extremely dangerous

Implementing HITL in 4 Steps

Identify High-Risk Actions

Audit your agent's tool set and classify each tool call by risk category. Use the four categories above (financial, deletion, external communication, infrastructure) as a starting framework. Map each tool to a risk level.

Define REQUIRE_APPROVAL Policies

For each high-risk tool, create a REQUIRE_APPROVAL policy with an appropriate approver channel and TTL. Start conservative — it is easier to loosen oversight than to explain a breach to regulators.

Configure Approval Channels

Connect SupraWall to your Slack workspace, email system, or configure the dashboard queue. Assign specific reviewers or groups to each policy. Test the approval flow end-to-end before deploying to production.

Add Exception Handling

Update your agent code to handle ApprovalRequired, ApprovalDenied, and ApprovalExpired exceptions gracefully. The agent should communicate status to end users, log outcomes, and fail safely when approvals are denied.

Frequently Asked Questions

What is human-in-the-loop for AI agents?

Human-in-the-loop (HITL) for AI agents is the mechanism that pauses autonomous execution and routes high-stakes actions to a human reviewer before the agent proceeds. Rather than blocking all agent actions, a HITL system uses risk-based policies to identify which specific actions require human approval and which can execute autonomously.

Does EU AI Act Article 14 require human-in-the-loop?

Yes. Article 14 of the EU AI Act requires high-risk AI systems to allow for effective oversight by natural persons. This includes the ability to decide not to use the AI system, to override its output, and to intervene in its operation. HITL approval workflows are the primary technical implementation of this requirement for autonomous agents.

What happens if an approval request expires before a human responds?

SupraWall HITL requests have a configurable TTL (time-to-live). If the TTL expires before a reviewer approves or denies the request, the action is automatically denied and the agent receives a timeout response. The agent can then choose to retry, escalate, or fail gracefully depending on its error handling logic. This prevents stale approvals from being applied to a context that has already changed.

Related Resources

LangChain Integration →EU AI Act Article 14 Deep Dive →

Add Oversight Now.

Stop your agents from taking irreversible actions without review. Deploy HITL policies in under 30 minutes and satisfy Article 14 with a documented evidence trail.

Start Free View Docs

Human-in-the-LoopAI Agents.