Abstract network of human and machine nodes

Thinking

Human in the Loop Is Not Optional

Confirmation dialogs, knowledge proposal review, admin approval flows. HITL isn't a feature you add. It's the default behavior.

Amodal Team7 min read

The autonomy fantasy

The AI industry sells a vision of fully autonomous agents. "Set it and forget it." "End-to-end automation." "Zero-touch operations." The pitch is seductive: deploy an agent, walk away, let it handle everything. The reality is less glamorous.

Every enterprise deployment that went fully autonomous has a horror story. The Slack bot that messaged 500 people at 3am because a threshold was miscalibrated. The agent that updated the wrong Jira tickets because it mismatched entity IDs across systems. The automation that closed "resolved" tickets that weren't actually resolved, because the model inferred resolution from a comment that was actually a question.

These aren't edge cases. They're the inevitable result of removing humans from critical decision points. Full autonomy without oversight is a demo, not a product. Demos don't have consequences. Products do.

The pattern

Autonomous agent does something wrong at scale. Team scrambles to undo the damage. Leadership adds a manual approval step. The "fully autonomous" agent becomes a human-in-the-loop agent, but only after the incident. Build it that way from the start.

Three types of human involvement

Not all HITL is the same. There are three distinct patterns, each serving a different purpose. Knowing which one to apply where is the design challenge.

1. Confirmation

Agent proposes an action. Human approves or rejects. This is the minimum viable HITL for any write operation.

Agent: "Mark CASE-4521 as blocked?"

→

Human: Yes

→

Action executed

2. Review

Agent produces output. Human reviews before it reaches the end user or becomes permanent. Knowledge base proposals work this way: the agent discovers a pattern and proposes a KB update. Admin reviews, approves, or edits before it becomes part of the agent's knowledge.

Agent: proposes KB update

→

Admin: reviews & edits

→

KB updated

3. Escalation

Agent recognizes it's out of its depth and hands off to a human. This requires the agent to know its own limitations, which is harder than it sounds.

Agent: "3 conflicting signals"

→

Pages senior analyst

→

Human makes judgment call

Most agent frameworks only think about confirmation. Review and escalation are equally important, and harder to get right.

Confirmation by default

In the Amodal model, every write operation requires confirmation. Not because you opted in. Because that's the default. You have to explicitly remove confirmation for a write endpoint to be auto-approved. The safe path is the default path.

access.json — default behavior

// Default: any POST/PATCH/DELETE endpoint requires confirmation
{
  "endpoints": {
    "POST /api/cases/*/status": {
      "confirm": true     // ← this is the default, you don't even need to set it
    }
  }
}

access.json — explicit opt-out (logged)

// Opt-out: requires explicit admin decision, logged in audit trail
{
  "endpoints": {
    "POST /api/cases/*/comments": {
      "confirm": false    // ← admin deliberately chose this, and it's logged
    }
  }
}

Bulk operations get extra scrutiny. More than 5 writes in a single action require itemized confirmation. The agent can't batch 50 updates into a single "approve all" prompt. Each one is listed. The human sees exactly what will happen.

Design principle

The safe default is confirmed. The unsafe behavior (auto-approve) requires a deliberate, logged configuration change.

Knowledge proposals

The learning flywheel depends on HITL. Here's how it works: an agent discovers a new pattern during a session. Maybe it finds that a specific vendor always submits invoices late in Q4. Maybe it notices that a particular alert fires every Tuesday at 2am and is always a false positive. The agent doesn't silently update the knowledge base. It proposes an update.

Admin reviews the proposal. Is this a real pattern or a one-time anomaly? Is the wording accurate? Should it be scoped to a specific tenant or shared across all tenants? If approved, the KB gets smarter for the next session. If rejected, no harm done. The agent learned nothing wrong.

Agent explores

→

Discovers pattern

→

propose_knowledge()

→

Admin reviews

→

Approved

→

Next session starts smarter

This is how organizational knowledge grows safely. Not through autonomous KB modification, but through a propose-review-approve cycle that keeps humans in control of what the agent believes to be true.

Non-negotiable

The agent never auto-approves KB updates. Every proposal goes through admin review. Or through an auto-approve policy that the admin explicitly configured per category.

Automations and HITL

Automations (scheduled agent runs) are the highest-risk surface for HITL failures. They run without a human in the session. There's no one watching when the 2am anomaly scanner kicks off. No one reviewing results in real time when the daily digest agent queries six systems.

The guardrail: automations cannot write by default. An automation can read, analyze, and report. It can send a summary to Slack. It can create a draft for review. But it cannot update a Jira ticket, close a case, or modify a record unless the admin explicitly enables write access for that specific automation in config.

automation config

{
  "name": "daily-anomaly-scan",
  "schedule": "0 6 * * *",
  "writes_enabled": false,    // ← default: read-only
  "output_channel": "slack:#security-alerts"
}

When writes are enabled, the same confirmation rules apply. The automation still can't bulk-update 50 records without itemized logging. The difference is that confirmation happens against policy rather than against a human in real time. The admin defined the policy. The platform enforces it.

The trust ladder

HITL isn't permanent friction. It's a trust-building mechanism. New agent, new skill, new connection: everything confirmed. As the team gains confidence in the agent's behavior, they relax confirmation on low-risk operations. High-risk operations stay confirmed forever. This is deliberate, gradual, and logged at every step.

Week 1: Everything confirmed

Every read, every write, every action. The team is learning what the agent does and how it behaves. Trust is zero.

Month 1: Read operations trusted, writes still confirmed

The team has seen hundreds of reads. The agent queries the right systems, interprets data correctly. Reads are safe. Writes still need eyes.

Month 3: Low-risk writes auto-approved, high-risk still confirmed

Adding a comment to a Jira ticket? Auto-approved. Changing a ticket's status? Still confirmed. The team draws the line based on observed behavior.

∞

Forever: Bulk writes, cross-system writes, and data deletions always confirmed

Some operations never graduate. Deleting records, updating multiple systems in one action, anything that affects more than 5 items. These stay confirmed permanently.

The ladder isn't a feature. It emerges from sensible defaults and granular configuration. The admin relaxes constraints as trust grows, and the audit trail shows exactly when and why each change was made.

The goal isn't to remove humans from the loop. It's to put them at the right point in the loop. Confirming actions they should see. Reviewing knowledge that shapes future behavior. Escalating decisions that need judgment.

The human isn't the bottleneck. The human is the quality control.

Amodal is an open-source agent runtime where write confirmation, knowledge review, and escalation are default behaviors, not afterthoughts.

GitHub →Agent guardrails →Configuration beats intelligence →