{"artifact":{"apiPath":"/api/reports/agent-approvals-and-human-leashes-2026/bundle","byteLength":69435,"description":"Single purchase target returning the markdown report, JSON artifact, and manifest together.","format":"bundle","label":"Combined report bundle","mimeType":"application/json; charset=utf-8","priceUsdc":0,"sha256":"c90d4721fda1bc6243071144b86acbbc9fd8746ae396be38c932f6da55a0907c","status":"live"},"bundle":{"charts":{"artifact":{"byteLength":1653,"fileName":"charts.json","format":"charts","mimeType":"application/json; charset=utf-8","sha256":"6d04befd682d34358353c018838412815e37ed9acd96fe68c1dfd01809b095d3"},"document":{"charts":[{"caption":"Create and publish should stay human-presence heavy. Steady-state runtime should be leash heavy. Resume and renew are blended checkpoints.","chartType":"bar","points":[{"label":"Create","note":"Before a workflow exists, the key question is explicit human intent around budget, capability, and private scope.","values":[4,0,0]},{"label":"Run","note":"During normal execution, the system should lean on runtime leash and policy checks instead of asking for a fresh click every safe step.","values":[1,4,0]},{"label":"Resume","note":"Recovery needs both: a valid delegated envelope and, when the stop reason was approval or ambiguity, a fresh human decision.","values":[3,2,0]},{"label":"Renew","note":"Renewal is the point where continuing authority is reconsidered, so human approval and leash posture both matter.","values":[3,3,0]},{"label":"Publish","note":"Outward-facing release should rely on diff-aware review and fresh user presence, not on the same delegation used during execution.","values":[2,0,4]}],"series":["approval or review","active leash","fresh step-up"],"title":"Which control surface should dominate each workflow stage","unit":"relative control weight"}],"generatedAt":"2026-03-23T00:00:00.000Z","slug":"agent-approvals-and-human-leashes-2026"}},"definition":{"artifact":{"byteLength":2992,"fileName":"definition.json","format":"definition","mimeType":"application/json; charset=utf-8","sha256":"86847137a64617f7aa89347ed932971a301fc6be4f664a2495724817325610e6"},"document":{"audience":null,"authoredAt":"1970-01-01T00:00:00.000Z","authoredByUserId":null,"chartPlan":[],"dateAnchor":"March 22, 2026","datasetWindow":"March 2026","deepResearchPrompts":[{"id":"workflow_governance_memo","purpose":"Produce a citation-heavy memo on human approval, delegation windows, and leash enforcement in agent systems.","model":"sonar-deep-research","maxTokens":7000,"prompt":"As of March 22, 2026, produce a citation-heavy research memo on how human approval, delegation windows, runtime leash enforcement, renewal, resume risk, and step-up authentication should work in serious agent systems. Focus on workflow-stage authority, denial reasons, operator tradeoffs, unattended subscriptions, and the difference between one-time approval and continuing delegation. Prefer direct product docs or specs over generic blog language whenever possible."}],"deepResearchPromptCount":1,"evidenceRequirements":[],"freshnessExpectation":null,"generatedAt":"1970-01-01T00:00:00.000Z","notes":[],"officialDomainHints":["temporal.rest","modelcontextprotocol.io","docs.cdp.coinbase.com","docs.stripe.com"],"reportPromptGuidance":["Structure the report by workflow stage: create, run, resume, renew, and publish or release.","Explain the difference between one-time approval and continuing human leash authority instead of treating them as synonyms.","Prioritize operator tradeoffs around denial reasons, renewal design, scope enforcement, and surprise avoidance.","Make the report useful to teams deciding when to require passkey step-up, when to rely on time-bounded delegation, and when to pause automatically.","End with concrete recommendations for stage-aware approval, runtime leash checks, and renewal UX."],"searchQueries":[{"id":"authority_by_stage","purpose":"Map how authority changes across workflow creation, execution, and publication.","query":"agent workflow human approval authority by stage create run resume publish delegation windows renewal","maxResults":10,"maxTokens":2200},{"id":"resume_and_reapproval","purpose":"Collect guidance on resume, recovery, and reapproval in long-running systems.","query":"workflow resume reapproval recovery step up authorization long running jobs operator approval","maxResults":10,"maxTokens":2200},{"id":"subscription_renewal_controls","purpose":"Find evidence on recurring automation, delegation expiry, and renewal controls.","query":"subscription automation delegation expiry renewal controls runtime scope checks agent systems","maxResults":10,"maxTokens":2200},{"id":"step_up_and_owner_actions","purpose":"Ground owner-level or destructive actions in stronger authentication patterns.","query":"passkey step up auth owner actions publish release workflow governance authorization","maxResults":10,"maxTokens":2200}],"sectionPlan":[],"slug":"agent-approvals-and-human-leashes-2026","title":"Agent Approvals and Human Leashes, 2026","topic":"agent approvals and human leashes","versionId":"seed_agent-approvals-and-human-leashes-2026"}},"evidence":{"artifact":{"byteLength":6211,"fileName":"evidence.json","format":"evidence","mimeType":"application/json; charset=utf-8","sha256":"a478dc1b7b089cbdbd9c069a65044c4b582fb72a98038732840f852712e8c75d"},"document":{"chartProvenance":[{"chartTitle":"Which control surface should dominate each workflow stage","sourceLabels":["Microsoft Copilot multistage approvals","Cloudflare human-in-the-loop best practices","Passage step-up authentication","Oracle delegate versus reassign"],"sourceUrls":["https://learn.microsoft.com/en-us/microsoft-copilot-studio/flows-advanced-approvals","https://developers.cloudflare.com/agents/concepts/human-in-the-loop","https://docs.passage.id/flex/step-up","https://docs.oracle.com/en/cloud/saas/supply-chain-and-manufacturing/25c/faipr/what-s-the-difference-between-reassign-and-delegate.html"],"whyUseful":"Shows where the decision should live at each workflow stage instead of reducing governance to one generic approval switch."}],"claims":[{"chartTitles":["Which control surface should dominate each workflow stage"],"confidence":"high","id":"approval-versus-leash","kind":"comparison","section":"The stage model","sourceLabels":["Microsoft AG-UI human-in-the-loop","Oracle delegate versus reassign","Cerbos authorization in workflows"],"sourceUrls":["https://learn.microsoft.com/en-us/agent-framework/integrations/ag-ui/human-in-the-loop","https://docs.oracle.com/en/cloud/saas/supply-chain-and-manufacturing/25c/faipr/what-s-the-difference-between-reassign-and-delegate.html","https://www.cerbos.dev/blog/authorization-in-workflows"],"statement":"Approval and continuing delegated authority solve different problems, so serious agent systems should model them separately instead of treating them as one toggle."},{"chartTitles":["Which control surface should dominate each workflow stage"],"confidence":"high","id":"create-stage-explicit-approval","kind":"finding","section":"Create","sourceLabels":["Microsoft Copilot multistage approvals","Cloudflare human-in-the-loop best practices"],"sourceUrls":["https://learn.microsoft.com/en-us/microsoft-copilot-studio/flows-advanced-approvals","https://developers.cloudflare.com/agents/concepts/human-in-the-loop"],"statement":"Workflow creation is the right place to capture explicit intent around budget, capabilities, recurrence, and private-data scope."},{"chartTitles":[],"confidence":"high","id":"runtime-scope-enforcement","kind":"comparison","section":"Run","sourceLabels":["AI Runtime Security multi-agent controls","Customizable runtime enforcement for LLM agents","Cerbos authorization in workflows"],"sourceUrls":["https://airuntimesecurity.io/core/multi-agent-controls","https://arxiv.org/html/2503.18666v1","https://www.cerbos.dev/blog/authorization-in-workflows"],"statement":"Delegated runtime authority should stay time-bounded and scope-bounded, with explicit denials for expiration, out-of-scope behavior, and required renewal."},{"chartTitles":["Which control surface should dominate each workflow stage"],"confidence":"high","id":"resume-is-new-risk","kind":"finding","section":"Resume","sourceLabels":["Cloudflare human-in-the-loop best practices","Oracle delegate versus reassign","ServiceNow approvals and delegation"],"sourceUrls":["https://developers.cloudflare.com/agents/concepts/human-in-the-loop","https://docs.oracle.com/en/cloud/saas/supply-chain-and-manufacturing/25c/faipr/what-s-the-difference-between-reassign-and-delegate.html","https://www.servicenow.com/community/servicenow-ai-platform-blog/approvals-and-delegation/ba-p/2283510"],"statement":"Resume is a distinct governance edge because recovery can combine stale delegation, pending approvals, and changed operator context."},{"chartTitles":[],"confidence":"high","id":"renewal-is-first-class","kind":"comparison","section":"Renew","sourceLabels":["ServiceNow approvals and delegation","AI Runtime Security multi-agent controls","Cloudflare human-in-the-loop best practices"],"sourceUrls":["https://www.servicenow.com/community/servicenow-ai-platform-blog/approvals-and-delegation/ba-p/2283510","https://airuntimesecurity.io/core/multi-agent-controls","https://developers.cloudflare.com/agents/concepts/human-in-the-loop"],"statement":"Recurring unattended systems need a dedicated renewal ceremony with expiring-soon visibility, revocation, and explicit scope renewal rather than silent standing authority."},{"chartTitles":[],"confidence":"high","id":"publish-step-up","kind":"comparison","section":"Publish","sourceLabels":["Passage step-up authentication","F5 step-up authentication","LoginRadius separation of duties"],"sourceUrls":["https://docs.passage.id/flex/step-up","https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-authentication-methods/using-step-up-authentication/what-is-step-up-authentication.html","https://www.loginradius.com/blog/engineering/separation-of-duties-ai-agent-workflows"],"statement":"Publish or release actions should require fresh step-up presence and diff-aware review instead of relying on the same delegated authority used for routine runtime work."}],"generatedAt":"2026-03-23T00:00:00.000Z","slug":"agent-approvals-and-human-leashes-2026","summary":{"chartBackedClaimCount":3,"claimCount":6,"ecosystemSourceCount":5,"officialSourceCount":5,"totalSourceCount":10},"title":"Agent Approvals and Human Leashes, 2026"}},"hashes":{"bundleSha256":"078fbe61c2c4bde4ee718f60da373c1b5075cdc0cff30759b243d66fd660891a","chartsSha256":"6d04befd682d34358353c018838412815e37ed9acd96fe68c1dfd01809b095d3","definitionSha256":"86847137a64617f7aa89347ed932971a301fc6be4f664a2495724817325610e6","evidenceSha256":"a478dc1b7b089cbdbd9c069a65044c4b582fb72a98038732840f852712e8c75d","jsonSha256":"541d3bd09b6dbf7f51d52ed8df146cf0826f159880f77d16d6d51db8c21131ff","markdownSha256":"bf165c450c4e5f0fcfe0f4e68cb15e5272f1ac0ad9ab31faa53d785a3af8eec8","methodologySha256":"f7cac3e51bd21bc6a92b7ff2b9ffa6637e5affa7306000042486d6e9b7f7c00c","sourcesSha256":"c1cd33ea348cd2b08f52f223bcf05e0817337cc8c2dbedeb685594835ef255fc"},"json":{"artifact":{"apiPath":"/api/reports/agent-approvals-and-human-leashes-2026/json","byteLength":25830,"description":"Structured workflow-stage authority rows, source mappings, and governance summary metrics.","format":"json","label":"Full machine-readable JSON","mimeType":"application/json; charset=utf-8","priceUsdc":0,"sha256":"541d3bd09b6dbf7f51d52ed8df146cf0826f159880f77d16d6d51db8c21131ff","status":"live"},"document":{"artifacts":[{"apiPath":"/api/reports/agent-approvals-and-human-leashes-2026/markdown","byteLength":20852,"description":"Human-readable dossier with the full authority model, examples, and recommendations.","format":"markdown","label":"Full markdown report","mimeType":"text/markdown; charset=utf-8","priceUsdc":0,"sha256":"bf165c450c4e5f0fcfe0f4e68cb15e5272f1ac0ad9ab31faa53d785a3af8eec8","status":"live"},{"apiPath":"/api/reports/agent-approvals-and-human-leashes-2026/json","byteLength":null,"description":"Structured workflow-stage authority rows, source mappings, and governance summary metrics.","format":"json","label":"Full machine-readable JSON","mimeType":"application/json; charset=utf-8","priceUsdc":0,"sha256":null,"status":"live"},{"apiPath":"/api/reports/agent-approvals-and-human-leashes-2026/charts","byteLength":1653,"description":"Structured chart payload backing the inline report visuals and machine-readable consumers.","format":"charts","label":"Chart data artifact","mimeType":"application/json; charset=utf-8","priceUsdc":0,"sha256":"6d04befd682d34358353c018838412815e37ed9acd96fe68c1dfd01809b095d3","status":"live"},{"apiPath":"/api/reports/agent-approvals-and-human-leashes-2026/definition","byteLength":2992,"description":"Saved report definition artifact.","format":"definition","label":"Definition artifact","mimeType":"application/json; charset=utf-8","priceUsdc":0,"sha256":"86847137a64617f7aa89347ed932971a301fc6be4f664a2495724817325610e6","status":"live"},{"apiPath":"/api/reports/agent-approvals-and-human-leashes-2026/evidence","byteLength":6211,"description":"Structured evidence ledger tying claims and chart provenance back to cited sources.","format":"evidence","label":"Evidence artifact","mimeType":"application/json; charset=utf-8","priceUsdc":0,"sha256":"a478dc1b7b089cbdbd9c069a65044c4b582fb72a98038732840f852712e8c75d","status":"live"},{"apiPath":"/api/reports/agent-approvals-and-human-leashes-2026/methodology","byteLength":1137,"description":"Structured methodology notes, dataset summary, and report timing metadata.","format":"methodology","label":"Methodology artifact","mimeType":"application/json; charset=utf-8","priceUsdc":0,"sha256":"f7cac3e51bd21bc6a92b7ff2b9ffa6637e5affa7306000042486d6e9b7f7c00c","status":"live"},{"apiPath":"/api/reports/agent-approvals-and-human-leashes-2026/sources","byteLength":3057,"description":"Structured source ledger with source kinds, labels, notes, and URLs.","format":"sources","label":"Sources artifact","mimeType":"application/json; charset=utf-8","priceUsdc":0,"sha256":"c1cd33ea348cd2b08f52f223bcf05e0817337cc8c2dbedeb685594835ef255fc","status":"live"},{"apiPath":"/api/reports/agent-approvals-and-human-leashes-2026/bundle","byteLength":null,"description":"Single purchase target returning the markdown report, JSON artifact, and manifest together.","format":"bundle","label":"Combined report bundle","mimeType":"application/json; charset=utf-8","priceUsdc":0,"sha256":null,"status":"live"}],"charts":[{"caption":"Create and publish should stay human-presence heavy. Steady-state runtime should be leash heavy. Resume and renew are blended checkpoints.","chartType":"bar","points":[{"label":"Create","note":"Before a workflow exists, the key question is explicit human intent around budget, capability, and private scope.","values":[4,0,0]},{"label":"Run","note":"During normal execution, the system should lean on runtime leash and policy checks instead of asking for a fresh click every safe step.","values":[1,4,0]},{"label":"Resume","note":"Recovery needs both: a valid delegated envelope and, when the stop reason was approval or ambiguity, a fresh human decision.","values":[3,2,0]},{"label":"Renew","note":"Renewal is the point where continuing authority is reconsidered, so human approval and leash posture both matter.","values":[3,3,0]},{"label":"Publish","note":"Outward-facing release should rely on diff-aware review and fresh user presence, not on the same delegation used during execution.","values":[2,0,4]}],"series":["approval or review","active leash","fresh step-up"],"title":"Which control surface should dominate each workflow stage","unit":"relative control weight"}],"chartsArtifact":{"byteLength":1653,"fileName":"charts.json","format":"charts","mimeType":"application/json; charset=utf-8","sha256":"6d04befd682d34358353c018838412815e37ed9acd96fe68c1dfd01809b095d3"},"definition":{"audience":null,"authoredAt":"1970-01-01T00:00:00.000Z","authoredByUserId":null,"chartPlan":[],"dateAnchor":"March 22, 2026","datasetWindow":"March 2026","deepResearchPrompts":[{"id":"workflow_governance_memo","purpose":"Produce a citation-heavy memo on human approval, delegation windows, and leash enforcement in agent systems.","model":"sonar-deep-research","maxTokens":7000,"prompt":"As of March 22, 2026, produce a citation-heavy research memo on how human approval, delegation windows, runtime leash enforcement, renewal, resume risk, and step-up authentication should work in serious agent systems. Focus on workflow-stage authority, denial reasons, operator tradeoffs, unattended subscriptions, and the difference between one-time approval and continuing delegation. Prefer direct product docs or specs over generic blog language whenever possible."}],"deepResearchPromptCount":1,"evidenceRequirements":[],"freshnessExpectation":null,"generatedAt":"1970-01-01T00:00:00.000Z","notes":[],"officialDomainHints":["temporal.rest","modelcontextprotocol.io","docs.cdp.coinbase.com","docs.stripe.com"],"reportPromptGuidance":["Structure the report by workflow stage: create, run, resume, renew, and publish or release.","Explain the difference between one-time approval and continuing human leash authority instead of treating them as synonyms.","Prioritize operator tradeoffs around denial reasons, renewal design, scope enforcement, and surprise avoidance.","Make the report useful to teams deciding when to require passkey step-up, when to rely on time-bounded delegation, and when to pause automatically.","End with concrete recommendations for stage-aware approval, runtime leash checks, and renewal UX."],"searchQueries":[{"id":"authority_by_stage","purpose":"Map how authority changes across workflow creation, execution, and publication.","query":"agent workflow human approval authority by stage create run resume publish delegation windows renewal","maxResults":10,"maxTokens":2200},{"id":"resume_and_reapproval","purpose":"Collect guidance on resume, recovery, and reapproval in long-running systems.","query":"workflow resume reapproval recovery step up authorization long running jobs operator approval","maxResults":10,"maxTokens":2200},{"id":"subscription_renewal_controls","purpose":"Find evidence on recurring automation, delegation expiry, and renewal controls.","query":"subscription automation delegation expiry renewal controls runtime scope checks agent systems","maxResults":10,"maxTokens":2200},{"id":"step_up_and_owner_actions","purpose":"Ground owner-level or destructive actions in stronger authentication patterns.","query":"passkey step up auth owner actions publish release workflow governance authorization","maxResults":10,"maxTokens":2200}],"sectionPlan":[],"slug":"agent-approvals-and-human-leashes-2026","title":"Agent Approvals and Human Leashes, 2026","topic":"agent approvals and human leashes","versionId":"seed_agent-approvals-and-human-leashes-2026"},"definitionArtifact":{"byteLength":2992,"fileName":"definition.json","format":"definition","mimeType":"application/json; charset=utf-8","sha256":"86847137a64617f7aa89347ed932971a301fc6be4f664a2495724817325610e6"},"dataset":{"sampleRows":[{"stage":"Job creation","riskSurface":"Submit and preflight","recommendedModel":"Budget threshold plus policy approval","whyItMatters":"Creation is where cost, capability, and private-route intent first become explicit."},{"stage":"Steady runtime","riskSurface":"Delegated execution inside a live run","recommendedModel":"Time-bounded human leash with runtime scope checks","whyItMatters":"Low-risk steps should proceed without a fresh human click while the delegated envelope remains valid."},{"stage":"Resume after block","riskSurface":"Recovery and re-entry","recommendedModel":"Fresh approval plus valid leash","whyItMatters":"Resume can bypass the original human checkpoint if treated too casually."},{"stage":"Publish or release","riskSurface":"Final high-impact mutation","recommendedModel":"Fresh owner step-up auth plus diff-aware review","whyItMatters":"A final outward-facing action deserves stronger ceremony than a normal run step."}],"summary":{"deepResearchRuns":1,"normalizedSources":88,"publicSources":10,"sampleRows":4,"searchQueries":4,"window":"March 2026"}},"evidence":{"chartProvenance":[{"chartTitle":"Which control surface should dominate each workflow stage","sourceLabels":["Microsoft Copilot multistage approvals","Cloudflare human-in-the-loop best practices","Passage step-up authentication","Oracle delegate versus reassign"],"sourceUrls":["https://learn.microsoft.com/en-us/microsoft-copilot-studio/flows-advanced-approvals","https://developers.cloudflare.com/agents/concepts/human-in-the-loop","https://docs.passage.id/flex/step-up","https://docs.oracle.com/en/cloud/saas/supply-chain-and-manufacturing/25c/faipr/what-s-the-difference-between-reassign-and-delegate.html"],"whyUseful":"Shows where the decision should live at each workflow stage instead of reducing governance to one generic approval switch."}],"claims":[{"chartTitles":["Which control surface should dominate each workflow stage"],"confidence":"high","id":"approval-versus-leash","kind":"comparison","section":"The stage model","sourceLabels":["Microsoft AG-UI human-in-the-loop","Oracle delegate versus reassign","Cerbos authorization in workflows"],"sourceUrls":["https://learn.microsoft.com/en-us/agent-framework/integrations/ag-ui/human-in-the-loop","https://docs.oracle.com/en/cloud/saas/supply-chain-and-manufacturing/25c/faipr/what-s-the-difference-between-reassign-and-delegate.html","https://www.cerbos.dev/blog/authorization-in-workflows"],"statement":"Approval and continuing delegated authority solve different problems, so serious agent systems should model them separately instead of treating them as one toggle."},{"chartTitles":["Which control surface should dominate each workflow stage"],"confidence":"high","id":"create-stage-explicit-approval","kind":"finding","section":"Create","sourceLabels":["Microsoft Copilot multistage approvals","Cloudflare human-in-the-loop best practices"],"sourceUrls":["https://learn.microsoft.com/en-us/microsoft-copilot-studio/flows-advanced-approvals","https://developers.cloudflare.com/agents/concepts/human-in-the-loop"],"statement":"Workflow creation is the right place to capture explicit intent around budget, capabilities, recurrence, and private-data scope."},{"chartTitles":[],"confidence":"high","id":"runtime-scope-enforcement","kind":"comparison","section":"Run","sourceLabels":["AI Runtime Security multi-agent controls","Customizable runtime enforcement for LLM agents","Cerbos authorization in workflows"],"sourceUrls":["https://airuntimesecurity.io/core/multi-agent-controls","https://arxiv.org/html/2503.18666v1","https://www.cerbos.dev/blog/authorization-in-workflows"],"statement":"Delegated runtime authority should stay time-bounded and scope-bounded, with explicit denials for expiration, out-of-scope behavior, and required renewal."},{"chartTitles":["Which control surface should dominate each workflow stage"],"confidence":"high","id":"resume-is-new-risk","kind":"finding","section":"Resume","sourceLabels":["Cloudflare human-in-the-loop best practices","Oracle delegate versus reassign","ServiceNow approvals and delegation"],"sourceUrls":["https://developers.cloudflare.com/agents/concepts/human-in-the-loop","https://docs.oracle.com/en/cloud/saas/supply-chain-and-manufacturing/25c/faipr/what-s-the-difference-between-reassign-and-delegate.html","https://www.servicenow.com/community/servicenow-ai-platform-blog/approvals-and-delegation/ba-p/2283510"],"statement":"Resume is a distinct governance edge because recovery can combine stale delegation, pending approvals, and changed operator context."},{"chartTitles":[],"confidence":"high","id":"renewal-is-first-class","kind":"comparison","section":"Renew","sourceLabels":["ServiceNow approvals and delegation","AI Runtime Security multi-agent controls","Cloudflare human-in-the-loop best practices"],"sourceUrls":["https://www.servicenow.com/community/servicenow-ai-platform-blog/approvals-and-delegation/ba-p/2283510","https://airuntimesecurity.io/core/multi-agent-controls","https://developers.cloudflare.com/agents/concepts/human-in-the-loop"],"statement":"Recurring unattended systems need a dedicated renewal ceremony with expiring-soon visibility, revocation, and explicit scope renewal rather than silent standing authority."},{"chartTitles":[],"confidence":"high","id":"publish-step-up","kind":"comparison","section":"Publish","sourceLabels":["Passage step-up authentication","F5 step-up authentication","LoginRadius separation of duties"],"sourceUrls":["https://docs.passage.id/flex/step-up","https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-authentication-methods/using-step-up-authentication/what-is-step-up-authentication.html","https://www.loginradius.com/blog/engineering/separation-of-duties-ai-agent-workflows"],"statement":"Publish or release actions should require fresh step-up presence and diff-aware review instead of relying on the same delegated authority used for routine runtime work."}],"generatedAt":"2026-03-23T00:00:00.000Z","slug":"agent-approvals-and-human-leashes-2026","summary":{"chartBackedClaimCount":3,"claimCount":6,"ecosystemSourceCount":5,"officialSourceCount":5,"totalSourceCount":10},"title":"Agent Approvals and Human Leashes, 2026"},"evidenceArtifact":{"byteLength":6211,"fileName":"evidence.json","format":"evidence","mimeType":"application/json; charset=utf-8","sha256":"a478dc1b7b089cbdbd9c069a65044c4b582fb72a98038732840f852712e8c75d"},"findings":["Approval and leash mechanisms solve different problems and should be shown separately in both policy and UI.","Resume is a distinct risk surface because it combines recovery with renewed authority.","Recurring subscriptions need explicit renewal UX, runtime denial reasons, and delivery visibility.","The strongest pattern is stage-aware approval paired with runtime leash scope enforcement and fresh step-up for publish or release."],"markdownArtifact":{"apiPath":"/api/reports/agent-approvals-and-human-leashes-2026/markdown","byteLength":20852,"description":"Human-readable dossier with the full authority model, examples, and recommendations.","format":"markdown","label":"Full markdown report","mimeType":"text/markdown; charset=utf-8","priceUsdc":0,"sha256":"bf165c450c4e5f0fcfe0f4e68cb15e5272f1ac0ad9ab31faa53d785a3af8eec8","status":"live"},"markdownAvailable":true,"methodologyArtifact":{"byteLength":1137,"fileName":"methodology.json","format":"methodology","mimeType":"application/json; charset=utf-8","sha256":"f7cac3e51bd21bc6a92b7ff2b9ffa6637e5affa7306000042486d6e9b7f7c00c"},"methodology":["Anchored the report in official workflow and identity documentation from Microsoft, Cloudflare, Oracle, and Passage, with dates stated as of March 22, 2026.","Used one Perplexity deep-research run plus four focused search queries to map approval stages, resume behavior, renewal controls, and step-up authentication patterns.","Separated approval, delegated runtime authority, resume, renewal, and publish into distinct operator decisions instead of collapsing them into one generic authorization model.","Preferred explicit denial reasons, operator tradeoffs, and unattended-subscription controls over abstract governance language."],"outline":[{"id":"agent-approvals-and-human-leashes-2026","level":1,"text":"Agent Approvals and Human Leashes, 2026"},{"id":"the-stage-model","level":2,"text":"The Stage Model"},{"id":"create-approval-is-about-intent","level":2,"text":"Create: Approval Is About Intent"},{"id":"run-a-leash-is-about-continuing-authority","level":2,"text":"Run: A Leash Is About Continuing Authority"},{"id":"resume-recovery-is-a-new-risk-surface","level":2,"text":"Resume: Recovery Is a New Risk Surface"},{"id":"renew-recurring-automation-needs-its-own-ceremony","level":2,"text":"Renew: Recurring Automation Needs Its Own Ceremony"},{"id":"publish-or-release-require-fresh-presence","level":2,"text":"Publish or Release: Require Fresh Presence"},{"id":"comparison-table","level":2,"text":"Comparison Table"},{"id":"recommendations-for-operators","level":2,"text":"Recommendations for Operators"},{"id":"bottom-line","level":2,"text":"Bottom Line"}],"previewMarkdown":"# Agent Approvals and Human Leashes, 2026\n\n## Thesis\n\n- Approval should be modeled by workflow stage, not treated as one global yes or no.\n- Human leashes should be time-bounded, scope-bounded, and checked at runtime, not just at creation time.\n- The real design tradeoff is preserving human authority without forcing operators to re-approve every harmless step.\n\n## Buyer takeaway\n\n- Separate approval from continuing delegation.\n- Give resume and publish their own authority model.\n- Make renewal understandable before it becomes a production surprise.\n\nThe full report maps approval stages, delegation windows, denial reasons, and renewal patterns into a practical governance model for agent systems.\n","report":{"category":"Workflow governance","datasetSummary":{"deepResearchRuns":1,"normalizedSources":88,"publicSources":10,"sampleRows":4,"searchQueries":4,"window":"March 2026"},"featureKey":"deep_reports_agent_approvals_and_human_leashes_2026","findings":["Approval and leash mechanisms solve different problems and should be shown separately in both policy and UI.","Resume is a distinct risk surface because it combines recovery with renewed authority.","Recurring subscriptions need explicit renewal UX, runtime denial reasons, and delivery visibility.","The strongest pattern is stage-aware approval paired with runtime leash scope enforcement and fresh step-up for publish or release."],"methodology":["Anchored the report in official workflow and identity documentation from Microsoft, Cloudflare, Oracle, and Passage, with dates stated as of March 22, 2026.","Used one Perplexity deep-research run plus four focused search queries to map approval stages, resume behavior, renewal controls, and step-up authentication patterns.","Separated approval, delegated runtime authority, resume, renewal, and publish into distinct operator decisions instead of collapsing them into one generic authorization model.","Preferred explicit denial reasons, operator tradeoffs, and unattended-subscription controls over abstract governance language."],"previewBullets":["Approval should be modeled by workflow stage, not treated as one global yes or no.","Human leashes should be time-bounded, scope-bounded, and checked at runtime, not just at creation time.","The real design tradeoff is preserving human authority without forcing operators to re-approve every harmless step."],"publishedAt":"2026-03-23T00:00:00.000Z","sampleRows":[{"stage":"Job creation","riskSurface":"Submit and preflight","recommendedModel":"Budget threshold plus policy approval","whyItMatters":"Creation is where cost, capability, and private-route intent first become explicit."},{"stage":"Steady runtime","riskSurface":"Delegated execution inside a live run","recommendedModel":"Time-bounded human leash with runtime scope checks","whyItMatters":"Low-risk steps should proceed without a fresh human click while the delegated envelope remains valid."},{"stage":"Resume after block","riskSurface":"Recovery and re-entry","recommendedModel":"Fresh approval plus valid leash","whyItMatters":"Resume can bypass the original human checkpoint if treated too casually."},{"stage":"Publish or release","riskSurface":"Final high-impact mutation","recommendedModel":"Fresh owner step-up auth plus diff-aware review","whyItMatters":"A final outward-facing action deserves stronger ceremony than a normal run step."}],"slug":"agent-approvals-and-human-leashes-2026","sources":[{"kind":"official","label":"Microsoft AG-UI human-in-the-loop","note":"Official guide for human approval checkpoints inside agent workflows.","url":"https://learn.microsoft.com/en-us/agent-framework/integrations/ag-ui/human-in-the-loop"},{"kind":"official","label":"Microsoft Copilot multistage approvals","note":"Official multistage and AI approval documentation useful for stage-aware creation controls.","url":"https://learn.microsoft.com/en-us/microsoft-copilot-studio/flows-advanced-approvals"},{"kind":"official","label":"Cloudflare human-in-the-loop best practices","note":"Workflow pause, approval, timeout, and escalation model for long-running agent systems.","url":"https://developers.cloudflare.com/agents/concepts/human-in-the-loop"},{"kind":"official","label":"Oracle delegate versus reassign","note":"Useful distinction between temporary delegation and true ownership transfer.","url":"https://docs.oracle.com/en/cloud/saas/supply-chain-and-manufacturing/25c/faipr/what-s-the-difference-between-reassign-and-delegate.html"},{"kind":"official","label":"Passage step-up authentication","note":"Reference for requiring fresh user presence on sensitive actions even inside an active session.","url":"https://docs.passage.id/flex/step-up"},{"kind":"ecosystem","label":"Cerbos authorization in workflows","note":"Application-level view of why authorization needs to persist across workflow state transitions.","url":"https://www.cerbos.dev/blog/authorization-in-workflows"},{"kind":"ecosystem","label":"AI Runtime Security multi-agent controls","note":"Useful guardrail framing for no-privilege-escalation, scope inheritance, and delegation depth.","url":"https://airuntimesecurity.io/core/multi-agent-controls"},{"kind":"ecosystem","label":"LoginRadius separation of duties","note":"Workflow-stage identity and separation-of-duties framing for governed agent execution.","url":"https://www.loginradius.com/blog/engineering/separation-of-duties-ai-agent-workflows"},{"kind":"ecosystem","label":"ServiceNow approvals and delegation","note":"Operational discussion of delegated approval behavior and managed approval state.","url":"https://www.servicenow.com/community/servicenow-ai-platform-blog/approvals-and-delegation/ba-p/2283510"},{"kind":"ecosystem","label":"Customizable runtime enforcement for LLM agents","note":"Research framing for hard and soft runtime constraints in long-running agent execution.","url":"https://arxiv.org/html/2503.18666v1"}],"subtitle":"Built for operators deciding when to require fresh approval, when to allow bounded delegation, and how to explain authority clearly.","summary":"A category report on how human approval, delegation windows, renewal, and runtime leash enforcement should work in serious agent systems.","tags":["workflows","approvals","leashes","delegation","governance"],"title":"Agent Approvals and Human Leashes, 2026","updatedAt":"2026-03-23T00:00:00.000Z"},"sourcesArtifact":{"byteLength":3057,"fileName":"sources.json","format":"sources","mimeType":"application/json; charset=utf-8","sha256":"c1cd33ea348cd2b08f52f223bcf05e0817337cc8c2dbedeb685594835ef255fc"},"sources":[{"kind":"official","label":"Microsoft AG-UI human-in-the-loop","note":"Official guide for human approval checkpoints inside agent workflows.","url":"https://learn.microsoft.com/en-us/agent-framework/integrations/ag-ui/human-in-the-loop"},{"kind":"official","label":"Microsoft Copilot multistage approvals","note":"Official multistage and AI approval documentation useful for stage-aware creation controls.","url":"https://learn.microsoft.com/en-us/microsoft-copilot-studio/flows-advanced-approvals"},{"kind":"official","label":"Cloudflare human-in-the-loop best practices","note":"Workflow pause, approval, timeout, and escalation model for long-running agent systems.","url":"https://developers.cloudflare.com/agents/concepts/human-in-the-loop"},{"kind":"official","label":"Oracle delegate versus reassign","note":"Useful distinction between temporary delegation and true ownership transfer.","url":"https://docs.oracle.com/en/cloud/saas/supply-chain-and-manufacturing/25c/faipr/what-s-the-difference-between-reassign-and-delegate.html"},{"kind":"official","label":"Passage step-up authentication","note":"Reference for requiring fresh user presence on sensitive actions even inside an active session.","url":"https://docs.passage.id/flex/step-up"},{"kind":"ecosystem","label":"Cerbos authorization in workflows","note":"Application-level view of why authorization needs to persist across workflow state transitions.","url":"https://www.cerbos.dev/blog/authorization-in-workflows"},{"kind":"ecosystem","label":"AI Runtime Security multi-agent controls","note":"Useful guardrail framing for no-privilege-escalation, scope inheritance, and delegation depth.","url":"https://airuntimesecurity.io/core/multi-agent-controls"},{"kind":"ecosystem","label":"LoginRadius separation of duties","note":"Workflow-stage identity and separation-of-duties framing for governed agent execution.","url":"https://www.loginradius.com/blog/engineering/separation-of-duties-ai-agent-workflows"},{"kind":"ecosystem","label":"ServiceNow approvals and delegation","note":"Operational discussion of delegated approval behavior and managed approval state.","url":"https://www.servicenow.com/community/servicenow-ai-platform-blog/approvals-and-delegation/ba-p/2283510"},{"kind":"ecosystem","label":"Customizable runtime enforcement for LLM agents","note":"Research framing for hard and soft runtime constraints in long-running agent execution.","url":"https://arxiv.org/html/2503.18666v1"}]},"generatedAt":"2026-05-04T01:18:21.579Z","kind":"deep_report_json"},"methodology":{"artifact":{"byteLength":1137,"fileName":"methodology.json","format":"methodology","mimeType":"application/json; charset=utf-8","sha256":"f7cac3e51bd21bc6a92b7ff2b9ffa6637e5affa7306000042486d6e9b7f7c00c"},"document":{"category":"Workflow governance","datasetSummary":{"deepResearchRuns":1,"normalizedSources":88,"publicSources":10,"sampleRows":4,"searchQueries":4,"window":"March 2026"},"generatedAt":"2026-03-23T00:00:00.000Z","methodology":["Anchored the report in official workflow and identity documentation from Microsoft, Cloudflare, Oracle, and Passage, with dates stated as of March 22, 2026.","Used one Perplexity deep-research run plus four focused search queries to map approval stages, resume behavior, renewal controls, and step-up authentication patterns.","Separated approval, delegated runtime authority, resume, renewal, and publish into distinct operator decisions instead of collapsing them into one generic authorization model.","Preferred explicit denial reasons, operator tradeoffs, and unattended-subscription controls over abstract governance language."],"publishedAt":"2026-03-23T00:00:00.000Z","slug":"agent-approvals-and-human-leashes-2026","title":"Agent Approvals and Human Leashes, 2026","updatedAt":"2026-03-23T00:00:00.000Z"}},"manifest":{"artifactCount":8,"generatedAt":"2026-05-04T01:18:21.579Z","hashAlgorithm":"sha256","includedFormats":["bundle","json","markdown","charts","definition","evidence","methodology","sources"],"slug":"agent-approvals-and-human-leashes-2026"},"markdown":{"artifact":{"apiPath":"/api/reports/agent-approvals-and-human-leashes-2026/markdown","byteLength":20852,"description":"Human-readable dossier with the full authority model, examples, and recommendations.","format":"markdown","label":"Full markdown report","mimeType":"text/markdown; charset=utf-8","priceUsdc":0,"sha256":"bf165c450c4e5f0fcfe0f4e68cb15e5272f1ac0ad9ab31faa53d785a3af8eec8","status":"live"},"content":"# Agent Approvals and Human Leashes, 2026\n\n*Why one-time approval is not the same thing as continuing authority, and why long-running agents need both.*\n\n---\n\nAs of March 22, 2026, the biggest governance mistake in agent systems is still conceptual, not technical: teams keep collapsing **approval** and **delegation** into one control. A human approval answers a narrow question such as \"may this workflow begin?\" or \"may it cross this checkpoint?\" A human leash answers a different one: \"while delegated authority remains active, what can this system continue doing without asking again?\" Those are related controls, but they are not interchangeable.\n\nThat distinction matters because long-running agents do not stay inside one moment of risk. A workflow can be created safely, drift into a higher-risk action later, pause for human review, resume after context has changed, keep running on a recurring schedule, and finally publish or release something irreversible. Treating all of that as one blanket consent creates opposite failure modes at once. Either the system nags humans for every harmless step until operators disable the controls, or it quietly converts one-time approval into standing authority.\n\nThe better model is **stage-aware authority**. [Microsoft's AG-UI human-in-the-loop guidance](https://learn.microsoft.com/en-us/agent-framework/integrations/ag-ui/human-in-the-loop) and [Cloudflare's workflow approval model](https://developers.cloudflare.com/agents/concepts/human-in-the-loop) both treat approval as a workflow event with a clear pause, response, and continuation. [Oracle's delegate-versus-reassign distinction](https://docs.oracle.com/en/cloud/saas/supply-chain-and-manufacturing/25c/faipr/what-s-the-difference-between-reassign-and-delegate.html) shows why temporary delegation is not the same as permanent ownership transfer. [Passage's step-up docs](https://docs.passage.id/flex/step-up) and [F5's step-up authentication overview](https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-authentication-methods/using-step-up-authentication/what-is-step-up-authentication.html) show why some actions deserve fresh user presence even when the session is otherwise valid. And the runtime-policy work captured by [Cerbos](https://www.cerbos.dev/blog/authorization-in-workflows), [AI Runtime Security](https://airuntimesecurity.io/core/multi-agent-controls), and the arXiv paper on [customizable runtime enforcement for LLM agents](https://arxiv.org/html/2503.18666v1) makes the other half explicit: once authority is delegated, it still needs to be constrained continuously.\n\nThis report argues for a practical split:\n\n- approval should be modeled by workflow stage\n- human leashes should be time-bounded and scope-bounded\n- resume should be treated as a new risk surface, not a silent continuation\n- renewal should be a first-class ceremony for unattended systems\n- publish or release should require the strongest fresh-auth path\n\nThat sounds like more ceremony, but in practice it reduces friction. When approval and continuing authority are modeled separately, most low-risk runtime steps can proceed without surprise while the genuinely sensitive moments still force a human decision.\n\n---\n\n## The Stage Model\n\nThe cleanest way to reason about human authority is to track it alongside the workflow lifecycle:\n\n```flow\ntitle: Human authority moves with the workflow\ncaption: Approval and delegated authority should change shape as the system moves from setup to runtime to outward-facing release.\nCreate | Approve intent, budget, and capabilities before a job or subscription exists. | approval, budget, scope\nRun | Let low-risk steps proceed inside a bounded runtime envelope. | leash, spend caps, policy\nResume | Treat recovery as a fresh authority checkpoint instead of a silent continuation. | reapproval, denial reasons, lease validity\nRenew | Re-open continuing authority before unattended delegation becomes stale. | renewal, notifications, revocation\nPublish | Require the strongest ceremony for outward-facing or irreversible change. | step-up, owner action, review\n```\n\nThat framing fixes a lot of product confusion. It tells operators that \"approval\" is not one toggle and \"autonomy\" is not one mode. The question is always narrower: *what kind of human decision belongs at this stage, and what kind of continuing scope is safe afterward?*\n\n```chart\nchartType: bar\ntitle: Which control surface should dominate each workflow stage\ncaption: Create and publish should stay human-presence heavy. Steady-state runtime should be leash heavy. Resume and renew are blended checkpoints.\nunit: relative control weight\nseries: approval or review, active leash, fresh step-up\nCreate | 4 | 0 | 0 | Before a workflow exists, the key question is explicit human intent around budget, capability, and private scope.\nRun | 1 | 4 | 0 | During normal execution, the system should lean on runtime leash and policy checks instead of asking for a fresh click every safe step.\nResume | 3 | 2 | 0 | Recovery needs both: a valid delegated envelope and, when the stop reason was approval or ambiguity, a fresh human decision.\nRenew | 3 | 3 | 0 | Renewal is the point where continuing authority is reconsidered, so human approval and leash posture both matter.\nPublish | 2 | 0 | 4 | Outward-facing release should rely on diff-aware review and fresh user presence, not on the same delegation used during execution.\n```\n\nThis is more useful than treating approval as one global switch. It shows where the decision should live: **human ceremony at the edges, runtime enforcement in the middle**.\n\n::wide::\n| Stage | Human question | Runtime leash role | Denial reasons that should be explicit |\n|---|---|---|---|\n| Create | Should this workflow or subscription exist at all? | Usually none yet, because authority has not been delegated | `budget_exceeded`, `capability_disallowed`, `private_lane_not_authorized` |\n| Run | Can the system keep executing inside known bounds? | Primary control surface for spend, capabilities, destinations, and private-data lanes | `expired_lease`, `out_of_scope`, `spend_limit_exceeded` |\n| Resume | Can this run safely re-enter after a block or failure? | Helpful, but not sufficient if the block itself requires fresh review | `approval_required`, `lease_expired`, `renewal_required` |\n| Renew | Should unattended authority continue? | Central, because renewal is literally about extending delegated scope | `renewal_required`, `stale_scope`, `user_presence_required` |\n| Publish | Is this outward-facing or irreversible action allowed right now? | Usually not enough on its own | `step_up_required`, `review_required`, `publish_blocked` |\n\nThat table is the category-level answer many teams are missing. A leash is not an all-purpose substitute for human judgment. It is a runtime envelope. Approval remains the mechanism for crossing a boundary that should not be crossed silently.\n\n---\n\n## Create: Approval Is About Intent\n\nWorkflow creation is the moment when human intent is clearest and easiest to capture. Before a job or subscription exists, the operator still knows the requested task, the expected budget, the allowed data lane, the target capability set, and whether the run is one-shot or recurring. That is why creation should carry the cleanest approval ceremony.\n\n[Microsoft Copilot Studio's multistage approval model](https://learn.microsoft.com/en-us/microsoft-copilot-studio/flows-advanced-approvals) is useful here because it separates AI policy checks from human approvals instead of pretending one replaces the other. A system can reject obviously out-of-policy work automatically, then ask a human only when the remaining decision actually needs business judgment. That same split belongs in agent systems. Policy can reject unsupported capabilities, overspend, missing prerequisites, or out-of-scope destinations. Human approval should decide whether the workflow is worth creating in the first place.\n\nThis is also the stage where denial reasons matter most. \"Denied\" is not enough. The system should say whether the block came from budget, capability scope, private data, recipient restrictions, or a more general policy mismatch. The reason is operational, not just UX polish. Teams can only tune thresholds and workflows if they know what is being denied most often.\n\nCreation is also the worst place to fake runtime delegation. A common anti-pattern is to ask for a fresh approval once, then quietly let that approval imply ongoing autonomous authority forever. That feels efficient for a week, then turns into confusion the moment a run is resumed, retried, or scheduled again under changed conditions. One-time approval is about **starting**. It is not a permanent license.\n\nThe strongest creation pattern is therefore:\n\n1. run automated policy checks first\n2. ask for human approval only when judgment is still needed\n3. show the exact scope being approved: spend, capabilities, private routes, recurrence, and outward effects\n4. if approval succeeds, mint a separate runtime leash when ongoing authority is actually required\n\nThat last step is the important one. Approval should not be overloaded just because a separate delegation artifact feels more complex.\n\n---\n\n## Run: A Leash Is About Continuing Authority\n\nOnce a workflow is running, the question changes. The operator is no longer deciding whether the work should exist. The question is whether the system may continue acting **inside bounded constraints** without another interrupt.\n\nThis is where a human leash becomes useful. The best description of the leash category is not \"background approval.\" It is *time-bounded, scope-bounded delegated authority*. The system may continue to act only while the window is still open and only inside the explicit scope that was delegated. If the run drifts outside that envelope, the right answer is not \"keep going because the workflow was approved yesterday.\" The right answer is a runtime denial.\n\n[AI Runtime Security's multi-agent controls](https://airuntimesecurity.io/core/multi-agent-controls) are especially clear on the principles that should govern delegated execution: no privilege escalation, scope inheritance, and delegation-depth limits. [Cerbos on authorization in workflows](https://www.cerbos.dev/blog/authorization-in-workflows) makes a similar point from the application side: authorization decisions do not disappear after a process starts. They continue to matter as the workflow transitions through states.\n\nThe arXiv paper on [customizable runtime enforcement](https://arxiv.org/html/2503.18666v1) helps clarify why runtime policy is not just another approval queue. Some constraints are **hard constraints** that must never be violated: forbidden functions, forbidden destinations, no delete or payout outside an allowlist. Others are softer, such as rate ceilings or retry thresholds, where the system can fail gracefully and recover. A runtime leash is the container that makes those constraints enforceable over time.\n\nIn practice, a good leash usually needs at least four dimensions:\n\n- **time window**: when delegated authority expires\n- **capability scope**: which tools, actions, or workflow templates remain allowed\n- **economic scope**: spend ceilings, rate limits, or per-window totals\n- **data and destination scope**: which private surfaces, recipients, hosts, or webhook targets are still in bounds\n\nWhen those checks fail, the system should surface machine-readable reasons. `expired_lease`, `out_of_scope`, and `renewal_required` are much better product primitives than a vague \"authorization failed.\" They tell the operator what changed and whether the fix is new approval, a narrower request, or a simple renewal.\n\nThe operator goal at runtime is not to eliminate friction entirely. It is to keep the predictable path quiet while making every out-of-bounds event legible.\n\n---\n\n## Resume: Recovery Is a New Risk Surface\n\nResume is where many otherwise careful systems become careless. The common mistake is to treat resume as if it were a harmless continuation of the original run. But a paused or blocked workflow has already told you that the original assumptions were not enough. Maybe a human approval was pending. Maybe a policy check failed. Maybe a dependency timed out. Maybe the operator context changed while the run was waiting.\n\nThat is why resume needs its own authority model.\n\n[Cloudflare's human-in-the-loop workflow guidance](https://developers.cloudflare.com/agents/concepts/human-in-the-loop) treats approval checkpoints as a first-class workflow pause, not a minor flag. The workflow reaches an approval step, waits, and then resumes only after a decision. The operator meaning is obvious: resume is conditional on a human event. Community discussions around [Argo workflows](https://github.com/argoproj/argo-workflows/discussions/5754) and restart-safe approval patterns in long-running automation make the same operational point from another angle. Once a system pauses around manual intervention, safe resumption becomes part of the design problem.\n\nResume therefore deserves at least three checks:\n\n1. **Why did the run stop?** A policy denial, pending approval, transient fault, and exhausted budget should not share one resume path.\n2. **Is the delegated leash still valid?** Old delegated authority should not be smuggled through a new moment of uncertainty.\n3. **Is fresh approval required?** If the run stopped at a human checkpoint, resume should not bypass that checkpoint just because someone clicked \"continue.\"\n\nThis is where [Oracle's distinction between delegation and reassignment](https://docs.oracle.com/en/cloud/saas/supply-chain-and-manufacturing/25c/faipr/what-s-the-difference-between-reassign-and-delegate.html) becomes more than a process footnote. If a task is delegated, the original accountable actor still owns the underlying authority. If the system resumes under someone else's click without preserving that accountability, the audit model gets muddied very quickly.\n\nFor operators, the design lesson is straightforward: **resume is not a retry button**. It is a controlled re-entry into a run that has already proven it needs more scrutiny than the happy path.\n\n---\n\n## Renew: Recurring Automation Needs Its Own Ceremony\n\nRecurring subscriptions and unattended workflows are where human leashes either become useful or become dangerous. If the system requires full fresh approval for every low-risk recurring action, operators stop trusting the automation because it becomes noisy and slow. If the system grants broad standing authority with no renewal, the automation becomes invisible.\n\nThat is why renewal should be treated as a dedicated ceremony rather than an error state.\n\n[ServiceNow's approvals and delegation discussion](https://www.servicenow.com/community/servicenow-ai-platform-blog/approvals-and-delegation/ba-p/2283510) is useful because it frames delegation as an explicit managed state, not a hidden background behavior. [AI Runtime Security's multi-agent controls](https://airuntimesecurity.io/core/multi-agent-controls) adds the guardrail view: delegation should inherit scope, forbid privilege escalation, and cap depth. Combined with Cloudflare-style pause and timeout patterns, the right operator model becomes clear: a recurring run should move smoothly while authority is current, then shift into a renewal path before that authority silently goes stale.\n\nThat matters because operators should expect more product variance around runtime delegation and renewal than around basic approval or step-up. This is where design choices still matter most.\nRenewal is therefore not simply \"approve again.\" A good renewal flow should tell the operator:\n\n- what has been happening during the delegated window\n- what scope remains active if renewed\n- what spend, recipient, or capability limits will continue\n- what changed since the last approval\n- how to narrow or revoke the leash instead of only extending it\n\nThat is why the strongest subscription products expose `expiring_soon`, `expired`, and `renewed` events instead of only surfacing a sudden failure after the fact. Renewal should be visible **before** it becomes a production surprise.\n\n---\n\n## Publish or Release: Require Fresh Presence\n\nPublish and release actions deserve the strongest ceremony in the system because they are usually outward-facing, reputation-bearing, and often irreversible. A human leash that was appropriate for repeated background work is usually not strong enough for a final public action.\n\n[Passage's step-up authentication docs](https://docs.passage.id/flex/step-up) and [F5's step-up authentication overview](https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-authentication-methods/using-step-up-authentication/what-is-step-up-authentication.html) both make the principle explicit: some actions require fresh proof of user presence even when a broader session is otherwise valid. In workflow terms, publish is one of those actions.\n\nThis is also the place where review state matters. A strong publish flow should not only ask \"who is clicking publish?\" It should also ask:\n\n- what changed since the last published version\n- did the new draft drop claims, charts, or sources that matter\n- is this a no-op publish dressed up as progress\n- is the actor authorized to make an outward-facing release right now\n\nThat is why publish controls should usually combine three things:\n\n1. **diff-aware review**\n2. **fresh owner or publisher presence**\n3. **clear deny reasons when the release is blocked**\n\nThe category lesson is simple: a runtime leash is excellent for bounded continuity. It is a poor substitute for final-release ceremony.\n\n---\n\n## Comparison Table\n\n::wide::\n| Control surface | What it decides | What it should never silently replace | Best use |\n|---|---|---|---|\n| Approval | Whether a workflow may begin or cross a checkpoint | Ongoing delegated runtime authority | Create, risky transitions, manual decision points |\n| Human leash | What the system may continue doing while delegation is still valid | Final release decisions or new high-risk scope | Repeated low-risk runtime activity, subscriptions, bounded autonomy |\n| Resume gate | Whether a blocked run may safely re-enter | The original approval state that caused the pause | Recovery after approval pauses, policy denials, or uncertain failures |\n| Renewal | Whether unattended authority should continue | Silent permanent delegation | Recurring subscriptions, long-lived sessions, scheduled refreshes |\n| Step-up auth | Whether a sensitive actor is really present right now | General runtime delegation | Publish, release, destructive actions, ownership transfer |\n\nThat table is the practical answer for operator teams. If everything is treated as approval, autonomy becomes unusable. If everything is treated as delegation, accountability becomes blurry. Serious systems need both.\n\n---\n\n## Recommendations for Operators\n\n1. **Model approval and leash as separate objects.** Approval should answer the stage-specific \"may this proceed?\" question. The leash should answer the runtime \"what can continue?\" question.\n\n2. **Give resume its own policy.** If a workflow stopped because of approval, denial, or ambiguity, resume should not be treated like a harmless retry.\n\n3. **Use explicit denial reasons everywhere.** Operators should see whether the problem is budget, out-of-scope behavior, expired delegation, missing renewal, or required step-up.\n\n4. **Make renewal proactive, not punitive.** Expiring-soon notices, revocation paths, and one-tap extension flows are better than sudden unattended failure.\n\n5. **Reserve fresh step-up for truly sensitive edges.** Publish, release, destructive mutation, and ownership-changing actions should ask for fresh presence even if runtime delegation is otherwise valid.\n\n6. **Keep runtime quiet when it is behaving.** If a human has to approve every harmless step, the system is not governed. It is stalled.\n\n---\n\n## Bottom Line\n\nHuman approval and human leashes should be treated as complementary controls, not rival ones. Approval is about **intent at a stage**. A leash is about **continuing authority inside bounds**. Resume is where those models collide. Renewal is where unattended systems become either trustworthy or invisible. Publish is where fresh human presence matters most.\n\nThe best operator pattern in 2026 is therefore not blanket approval and not blanket autonomy. It is a staged model:\n\n- approve creation intentionally\n- enforce runtime scope continuously\n- treat resume as a fresh risk surface\n- make renewal explicit before authority expires\n- require fresh step-up for release\n\nThat is the design that preserves human accountability without turning every workflow into a queue of pointless clicks.\n"},"previewMarkdown":"# Agent Approvals and Human Leashes, 2026\n\n## Thesis\n\n- Approval should be modeled by workflow stage, not treated as one global yes or no.\n- Human leashes should be time-bounded, scope-bounded, and checked at runtime, not just at creation time.\n- The real design tradeoff is preserving human authority without forcing operators to re-approve every harmless step.\n\n## Buyer takeaway\n\n- Separate approval from continuing delegation.\n- Give resume and publish their own authority model.\n- Make renewal understandable before it becomes a production surprise.\n\nThe full report maps approval stages, delegation windows, denial reasons, and renewal patterns into a practical governance model for agent systems.\n","report":{"category":"Workflow governance","datasetSummary":{"deepResearchRuns":1,"normalizedSources":88,"publicSources":10,"sampleRows":4,"searchQueries":4,"window":"March 2026"},"featureKey":"deep_reports_agent_approvals_and_human_leashes_2026","findings":["Approval and leash mechanisms solve different problems and should be shown separately in both policy and UI.","Resume is a distinct risk surface because it combines recovery with renewed authority.","Recurring subscriptions need explicit renewal UX, runtime denial reasons, and delivery visibility.","The strongest pattern is stage-aware approval paired with runtime leash scope enforcement and fresh step-up for publish or release."],"methodology":["Anchored the report in official workflow and identity documentation from Microsoft, Cloudflare, Oracle, and Passage, with dates stated as of March 22, 2026.","Used one Perplexity deep-research run plus four focused search queries to map approval stages, resume behavior, renewal controls, and step-up authentication patterns.","Separated approval, delegated runtime authority, resume, renewal, and publish into distinct operator decisions instead of collapsing them into one generic authorization model.","Preferred explicit denial reasons, operator tradeoffs, and unattended-subscription controls over abstract governance language."],"previewBullets":["Approval should be modeled by workflow stage, not treated as one global yes or no.","Human leashes should be time-bounded, scope-bounded, and checked at runtime, not just at creation time.","The real design tradeoff is preserving human authority without forcing operators to re-approve every harmless step."],"publishedAt":"2026-03-23T00:00:00.000Z","sampleRows":[{"stage":"Job creation","riskSurface":"Submit and preflight","recommendedModel":"Budget threshold plus policy approval","whyItMatters":"Creation is where cost, capability, and private-route intent first become explicit."},{"stage":"Steady runtime","riskSurface":"Delegated execution inside a live run","recommendedModel":"Time-bounded human leash with runtime scope checks","whyItMatters":"Low-risk steps should proceed without a fresh human click while the delegated envelope remains valid."},{"stage":"Resume after block","riskSurface":"Recovery and re-entry","recommendedModel":"Fresh approval plus valid leash","whyItMatters":"Resume can bypass the original human checkpoint if treated too casually."},{"stage":"Publish or release","riskSurface":"Final high-impact mutation","recommendedModel":"Fresh owner step-up auth plus diff-aware review","whyItMatters":"A final outward-facing action deserves stronger ceremony than a normal run step."}],"slug":"agent-approvals-and-human-leashes-2026","sources":[{"kind":"official","label":"Microsoft AG-UI human-in-the-loop","note":"Official guide for human approval checkpoints inside agent workflows.","url":"https://learn.microsoft.com/en-us/agent-framework/integrations/ag-ui/human-in-the-loop"},{"kind":"official","label":"Microsoft Copilot multistage approvals","note":"Official multistage and AI approval documentation useful for stage-aware creation controls.","url":"https://learn.microsoft.com/en-us/microsoft-copilot-studio/flows-advanced-approvals"},{"kind":"official","label":"Cloudflare human-in-the-loop best practices","note":"Workflow pause, approval, timeout, and escalation model for long-running agent systems.","url":"https://developers.cloudflare.com/agents/concepts/human-in-the-loop"},{"kind":"official","label":"Oracle delegate versus reassign","note":"Useful distinction between temporary delegation and true ownership transfer.","url":"https://docs.oracle.com/en/cloud/saas/supply-chain-and-manufacturing/25c/faipr/what-s-the-difference-between-reassign-and-delegate.html"},{"kind":"official","label":"Passage step-up authentication","note":"Reference for requiring fresh user presence on sensitive actions even inside an active session.","url":"https://docs.passage.id/flex/step-up"},{"kind":"ecosystem","label":"Cerbos authorization in workflows","note":"Application-level view of why authorization needs to persist across workflow state transitions.","url":"https://www.cerbos.dev/blog/authorization-in-workflows"},{"kind":"ecosystem","label":"AI Runtime Security multi-agent controls","note":"Useful guardrail framing for no-privilege-escalation, scope inheritance, and delegation depth.","url":"https://airuntimesecurity.io/core/multi-agent-controls"},{"kind":"ecosystem","label":"LoginRadius separation of duties","note":"Workflow-stage identity and separation-of-duties framing for governed agent execution.","url":"https://www.loginradius.com/blog/engineering/separation-of-duties-ai-agent-workflows"},{"kind":"ecosystem","label":"ServiceNow approvals and delegation","note":"Operational discussion of delegated approval behavior and managed approval state.","url":"https://www.servicenow.com/community/servicenow-ai-platform-blog/approvals-and-delegation/ba-p/2283510"},{"kind":"ecosystem","label":"Customizable runtime enforcement for LLM agents","note":"Research framing for hard and soft runtime constraints in long-running agent execution.","url":"https://arxiv.org/html/2503.18666v1"}],"subtitle":"Built for operators deciding when to require fresh approval, when to allow bounded delegation, and how to explain authority clearly.","summary":"A category report on how human approval, delegation windows, renewal, and runtime leash enforcement should work in serious agent systems.","tags":["workflows","approvals","leashes","delegation","governance"],"title":"Agent Approvals and Human Leashes, 2026","updatedAt":"2026-03-23T00:00:00.000Z"},"sources":{"artifact":{"byteLength":3057,"fileName":"sources.json","format":"sources","mimeType":"application/json; charset=utf-8","sha256":"c1cd33ea348cd2b08f52f223bcf05e0817337cc8c2dbedeb685594835ef255fc"},"document":{"counts":{"ecosystem":5,"official":5,"total":10},"generatedAt":"2026-03-23T00:00:00.000Z","slug":"agent-approvals-and-human-leashes-2026","sources":[{"kind":"official","label":"Microsoft AG-UI human-in-the-loop","note":"Official guide for human approval checkpoints inside agent workflows.","url":"https://learn.microsoft.com/en-us/agent-framework/integrations/ag-ui/human-in-the-loop"},{"kind":"official","label":"Microsoft Copilot multistage approvals","note":"Official multistage and AI approval documentation useful for stage-aware creation controls.","url":"https://learn.microsoft.com/en-us/microsoft-copilot-studio/flows-advanced-approvals"},{"kind":"official","label":"Cloudflare human-in-the-loop best practices","note":"Workflow pause, approval, timeout, and escalation model for long-running agent systems.","url":"https://developers.cloudflare.com/agents/concepts/human-in-the-loop"},{"kind":"official","label":"Oracle delegate versus reassign","note":"Useful distinction between temporary delegation and true ownership transfer.","url":"https://docs.oracle.com/en/cloud/saas/supply-chain-and-manufacturing/25c/faipr/what-s-the-difference-between-reassign-and-delegate.html"},{"kind":"official","label":"Passage step-up authentication","note":"Reference for requiring fresh user presence on sensitive actions even inside an active session.","url":"https://docs.passage.id/flex/step-up"},{"kind":"ecosystem","label":"Cerbos authorization in workflows","note":"Application-level view of why authorization needs to persist across workflow state transitions.","url":"https://www.cerbos.dev/blog/authorization-in-workflows"},{"kind":"ecosystem","label":"AI Runtime Security multi-agent controls","note":"Useful guardrail framing for no-privilege-escalation, scope inheritance, and delegation depth.","url":"https://airuntimesecurity.io/core/multi-agent-controls"},{"kind":"ecosystem","label":"LoginRadius separation of duties","note":"Workflow-stage identity and separation-of-duties framing for governed agent execution.","url":"https://www.loginradius.com/blog/engineering/separation-of-duties-ai-agent-workflows"},{"kind":"ecosystem","label":"ServiceNow approvals and delegation","note":"Operational discussion of delegated approval behavior and managed approval state.","url":"https://www.servicenow.com/community/servicenow-ai-platform-blog/approvals-and-delegation/ba-p/2283510"},{"kind":"ecosystem","label":"Customizable runtime enforcement for LLM agents","note":"Research framing for hard and soft runtime constraints in long-running agent execution.","url":"https://arxiv.org/html/2503.18666v1"}],"title":"Agent Approvals and Human Leashes, 2026"}}},"generatedAt":"2026-05-04T01:18:21.579Z","kind":"deep_report_bundle","operatorAccess":null,"payer":null}