{"currentVersionId":"ver_seed_20260323000000_20260323000000","generatedAt":"2026-05-04T00:15:42.175Z","latestDraftVersionId":null,"report":{"publishedAt":"2026-03-23T00:00:00.000Z","slug":"agent-approvals-and-human-leashes-2026","summary":"A category report on how human approval, delegation windows, renewal, and runtime leash enforcement should work in serious agent systems.","title":"Agent Approvals and Human Leashes, 2026","updatedAt":"2026-03-23T00:00:00.000Z"},"versionCount":1,"versions":[{"actor":{"method":"system","name":"System snapshot","role":"system","userId":null},"artifactCount":8,"artifactFormats":["markdown","json","charts","definition","evidence","methodology","sources","bundle"],"artifacts":[{"apiPath":"/api/reports/agent-approvals-and-human-leashes-2026/markdown","byteLength":20852,"format":"markdown","priceUsdc":0,"sha256":"bf165c450c4e5f0fcfe0f4e68cb15e5272f1ac0ad9ab31faa53d785a3af8eec8","status":"live"},{"apiPath":"/api/reports/agent-approvals-and-human-leashes-2026/json","byteLength":null,"format":"json","priceUsdc":0,"sha256":null,"status":"live"},{"apiPath":"/api/reports/agent-approvals-and-human-leashes-2026/charts","byteLength":1653,"format":"charts","priceUsdc":0,"sha256":"6d04befd682d34358353c018838412815e37ed9acd96fe68c1dfd01809b095d3","status":"live"},{"apiPath":"/api/reports/agent-approvals-and-human-leashes-2026/definition","byteLength":2992,"format":"definition","priceUsdc":0,"sha256":"86847137a64617f7aa89347ed932971a301fc6be4f664a2495724817325610e6","status":"live"},{"apiPath":"/api/reports/agent-approvals-and-human-leashes-2026/evidence","byteLength":6211,"format":"evidence","priceUsdc":0,"sha256":"a478dc1b7b089cbdbd9c069a65044c4b582fb72a98038732840f852712e8c75d","status":"live"},{"apiPath":"/api/reports/agent-approvals-and-human-leashes-2026/methodology","byteLength":1137,"format":"methodology","priceUsdc":0,"sha256":"f7cac3e51bd21bc6a92b7ff2b9ffa6637e5affa7306000042486d6e9b7f7c00c","status":"live"},{"apiPath":"/api/reports/agent-approvals-and-human-leashes-2026/sources","byteLength":3057,"format":"sources","priceUsdc":0,"sha256":"c1cd33ea348cd2b08f52f223bcf05e0817337cc8c2dbedeb685594835ef255fc","status":"live"},{"apiPath":"/api/reports/agent-approvals-and-human-leashes-2026/bundle","byteLength":null,"format":"bundle","priceUsdc":0,"sha256":null,"status":"live"}],"chartCount":1,"createdAt":"2026-03-23T00:00:00.000Z","evidenceClaimCount":6,"definitionEntryCount":15,"hashes":{"bundleSha256":null,"chartsSha256":"6d04befd682d34358353c018838412815e37ed9acd96fe68c1dfd01809b095d3","definitionSha256":"86847137a64617f7aa89347ed932971a301fc6be4f664a2495724817325610e6","evidenceSha256":"a478dc1b7b089cbdbd9c069a65044c4b582fb72a98038732840f852712e8c75d","jsonSha256":null,"markdownSha256":"bf165c450c4e5f0fcfe0f4e68cb15e5272f1ac0ad9ab31faa53d785a3af8eec8","methodologySha256":"f7cac3e51bd21bc6a92b7ff2b9ffa6637e5affa7306000042486d6e9b7f7c00c","sourcesSha256":"c1cd33ea348cd2b08f52f223bcf05e0817337cc8c2dbedeb685594835ef255fc"},"id":"ver_seed_20260323000000_20260323000000","liveArtifactCount":8,"methodologyStepCount":4,"note":"Seeded from the currently published deep report state.","publishedAt":"2026-03-23T00:00:00.000Z","reportCharts":[{"chartType":"bar","pointCount":5,"series":["active leash","approval or review","fresh step-up"],"title":"Which control surface should dominate each workflow stage","unit":"relative control weight"}],"reportClaims":[{"chartTitles":["Which control surface should dominate each workflow stage"],"confidence":"high","id":"approval-versus-leash","kind":"comparison","section":"The stage model","sourceLabels":["Cerbos authorization in workflows","Microsoft AG-UI human-in-the-loop","Oracle delegate versus reassign"],"statement":"Approval and continuing delegated authority solve different problems, so serious agent systems should model them separately instead of treating them as one toggle."},{"chartTitles":[],"confidence":"high","id":"runtime-scope-enforcement","kind":"comparison","section":"Run","sourceLabels":["AI Runtime Security multi-agent controls","Cerbos authorization in workflows","Customizable runtime enforcement for LLM agents"],"statement":"Delegated runtime authority should stay time-bounded and scope-bounded, with explicit denials for expiration, out-of-scope behavior, and required renewal."},{"chartTitles":[],"confidence":"high","id":"publish-step-up","kind":"comparison","section":"Publish","sourceLabels":["F5 step-up authentication","LoginRadius separation of duties","Passage step-up authentication"],"statement":"Publish or release actions should require fresh step-up presence and diff-aware review instead of relying on the same delegated authority used for routine runtime work."},{"chartTitles":[],"confidence":"high","id":"renewal-is-first-class","kind":"comparison","section":"Renew","sourceLabels":["AI Runtime Security multi-agent controls","Cloudflare human-in-the-loop best practices","ServiceNow approvals and delegation"],"statement":"Recurring unattended systems need a dedicated renewal ceremony with expiring-soon visibility, revocation, and explicit scope renewal rather than silent standing authority."},{"chartTitles":["Which control surface should dominate each workflow stage"],"confidence":"high","id":"resume-is-new-risk","kind":"finding","section":"Resume","sourceLabels":["Cloudflare human-in-the-loop best practices","Oracle delegate versus reassign","ServiceNow approvals and delegation"],"statement":"Resume is a distinct governance edge because recovery can combine stale delegation, pending approvals, and changed operator context."},{"chartTitles":["Which control surface should dominate each workflow stage"],"confidence":"high","id":"create-stage-explicit-approval","kind":"finding","section":"Create","sourceLabels":["Cloudflare human-in-the-loop best practices","Microsoft Copilot multistage approvals"],"statement":"Workflow creation is the right place to capture explicit intent around budget, capabilities, recurrence, and private-data scope."}],"reportDefinitionEntries":[{"category":"dataset_window","label":"March 2026"},{"category":"domain_hint","label":"docs.cdp.coinbase.com"},{"category":"domain_hint","label":"docs.stripe.com"},{"category":"domain_hint","label":"modelcontextprotocol.io"},{"category":"domain_hint","label":"temporal.rest"},{"category":"prompt_guidance","label":"End with concrete recommendations for stage-aware approval, runtime leash checks, and renewal UX."},{"category":"prompt_guidance","label":"Explain the difference between one-time approval and continuing human leash authority instead of treating them as synonyms."},{"category":"prompt_guidance","label":"Make the report useful to teams deciding when to require passkey step-up, when to rely on time-bounded delegation, and when to pause automatically."},{"category":"prompt_guidance","label":"Prioritize operator tradeoffs around denial reasons, renewal design, scope enforcement, and surprise avoidance."},{"category":"prompt_guidance","label":"Structure the report by workflow stage: create, run, resume, renew, and publish or release."},{"category":"research_prompt","label":"Produce a citation-heavy memo on human approval, delegation windows, and leash enforcement in agent systems. :: sonar-deep-research"},{"category":"search_query","label":"Collect guidance on resume, recovery, and reapproval in long-running systems. :: workflow resume reapproval recovery step up authorization long running jobs operator approval"},{"category":"search_query","label":"Find evidence on recurring automation, delegation expiry, and renewal controls. :: subscription automation delegation expiry renewal controls runtime scope checks agent systems"},{"category":"search_query","label":"Ground owner-level or destructive actions in stronger authentication patterns. :: passkey step up auth owner actions publish release workflow governance authorization"},{"category":"search_query","label":"Map how authority changes across workflow creation, execution, and publication. :: agent workflow human approval authority by stage create run resume publish delegation windows renewal"}],"reportMethodology":["Anchored the report in official workflow and identity documentation from Microsoft, Cloudflare, Oracle, and Passage, with dates stated as of March 22, 2026.","Used one Perplexity deep-research run plus four focused search queries to map approval stages, resume behavior, renewal controls, and step-up authentication patterns.","Separated approval, delegated runtime authority, resume, renewal, and publish into distinct operator decisions instead of collapsing them into one generic authorization model.","Preferred explicit denial reasons, operator tradeoffs, and unattended-subscription controls over abstract governance language."],"reportPublishedAt":"2026-03-23T00:00:00.000Z","reportSources":[{"kind":"ecosystem","label":"AI Runtime Security multi-agent controls","note":"Useful guardrail framing for no-privilege-escalation, scope inheritance, and delegation depth.","url":"https://airuntimesecurity.io/core/multi-agent-controls"},{"kind":"ecosystem","label":"Cerbos authorization in workflows","note":"Application-level view of why authorization needs to persist across workflow state transitions.","url":"https://www.cerbos.dev/blog/authorization-in-workflows"},{"kind":"official","label":"Cloudflare human-in-the-loop best practices","note":"Workflow pause, approval, timeout, and escalation model for long-running agent systems.","url":"https://developers.cloudflare.com/agents/concepts/human-in-the-loop"},{"kind":"ecosystem","label":"Customizable runtime enforcement for LLM agents","note":"Research framing for hard and soft runtime constraints in long-running agent execution.","url":"https://arxiv.org/html/2503.18666v1"},{"kind":"ecosystem","label":"LoginRadius separation of duties","note":"Workflow-stage identity and separation-of-duties framing for governed agent execution.","url":"https://www.loginradius.com/blog/engineering/separation-of-duties-ai-agent-workflows"},{"kind":"official","label":"Microsoft AG-UI human-in-the-loop","note":"Official guide for human approval checkpoints inside agent workflows.","url":"https://learn.microsoft.com/en-us/agent-framework/integrations/ag-ui/human-in-the-loop"},{"kind":"official","label":"Microsoft Copilot multistage approvals","note":"Official multistage and AI approval documentation useful for stage-aware creation controls.","url":"https://learn.microsoft.com/en-us/microsoft-copilot-studio/flows-advanced-approvals"},{"kind":"official","label":"Oracle delegate versus reassign","note":"Useful distinction between temporary delegation and true ownership transfer.","url":"https://docs.oracle.com/en/cloud/saas/supply-chain-and-manufacturing/25c/faipr/what-s-the-difference-between-reassign-and-delegate.html"},{"kind":"official","label":"Passage step-up authentication","note":"Reference for requiring fresh user presence on sensitive actions even inside an active session.","url":"https://docs.passage.id/flex/step-up"},{"kind":"ecosystem","label":"ServiceNow approvals and delegation","note":"Operational discussion of delegated approval behavior and managed approval state.","url":"https://www.servicenow.com/community/servicenow-ai-platform-blog/approvals-and-delegation/ba-p/2283510"}],"reportSummary":"A category report on how human approval, delegation windows, renewal, and runtime leash enforcement should work in serious agent systems.","reportTitle":"Agent Approvals and Human Leashes, 2026","reportUpdatedAt":"2026-03-23T00:00:00.000Z","slug":"agent-approvals-and-human-leashes-2026","source":{"jobId":null,"kind":"seed","refreshDraftId":null},"sourceCount":10,"status":"published","updatedAt":"2026-05-04T00:15:42.146Z"}]}