Skip to main content
This guide helps you identify when an agent carries meaningful risk — financial, regulatory, reputational, or irreversibility — and apply the right guardrails before letting it run autonomously.

Risk Classification

Before configuring guardrails, score your agent against the five risk dimensions below. The highest single dimension determines the overall risk tier.

Risk dimensions

Tier definitions and required guardrails

Guardrail Patterns

HITL approval on high-risk branches

Add a Human-in-the-Loop approval step before any action that scores Medium or above. The approval request should give the reviewer enough context to decide without opening another system.
See Designing Human-in-the-Loop Workflows for choosing the right approval shape and setting escalation chains.

Hard caps

Limit the blast radius of a runaway run by setting explicit caps in your AOP.
Use the Runs list to verify cap behavior during testing before removing gates.

Allow and deny lists

Restrict write operations to approved targets. Any action outside the list requires a HITL approval step. Email domain allowlist:
Account allowlist for financial actions:

Idempotency checks

Prevent duplicate actions when a run retries or runs more than once.
Idempotency checks are especially important for financial writes, external API calls, and email sends where duplicates cause downstream problems.

Shadow mode before enabling writes

For new high-risk agents, run the agent in read-only mode first. Observe what it would have done, then enable write access once the outputs look correct.
After reviewing a week of shadow-mode outputs with no surprises, remove the SHADOW MODE instruction and enable the write connections.

Two-person AOP review for Critical agents

For Critical-tier agents, require a second team member to review the AOP before any change goes live. In practice this means:

Builder drafts the revision

The Builder drafts and saves the updated AOP revision.

Reviewer inspects and tests

A Manager or Administrator opens the agent, reviews the diff, and runs a test run.

Reviewer promotes the change

Only after the reviewer is satisfied does the Manager update the live revision.
Team roles and permissions defines who can create revisions versus who can promote changes on agents owned by others.

Time-window restrictions

Limit autonomous write operations to business hours to ensure a human can respond quickly to anomalies.

Detection and Response

Anomaly signals to monitor

Review run outputs regularly for these patterns, especially in the first two weeks after a new agent goes live: The Runs list and Team Insights show duration, action counts, and run history. Use these to spot unusual patterns.

Kill switch: pausing an agent

If something is going wrong, you can stop an agent immediately:
Revoking the connection is the fastest way to stop a write-heavy agent when you are not sure whether an active Run has already done damage.
Disable a schedule:

Open the agent

Open the agent.

Go to the Schedule settings

Go to Agent Settings > Schedule.

Toggle the schedule off

Toggle the schedule off. The agent stops running automatically. Runs already running continue to completion.
Disable a trigger:

Open the agent

Open the agent.

Go to the Triggers settings

Go to Agent Settings > Triggers.

Disable the trigger

Disable the trigger. No new runs start from that trigger.
Revoke a connection:

Open the Connections page

Go to the Connections page.

Find the connection

Find the connection used by the agent.

Disconnect it

Disconnect it. The agent will fail immediately if it tries to use this connection, which prevents further writes to that system.

Rollback via Agent Versions

If an AOP change caused the problem, revert to the previous working version:

Open the agent

Open the agent.

Open the revision selector

Click the revision selector in the builder toolbar.

Select the last known-good revision

Select the last known-good revision.

Resume running the reverted AOP

The agent now runs the reverted AOP on the next trigger or manual start.
See Agent Versions for details on how versioning works.

Communication template

When you pause a high-risk agent, notify stakeholders immediately. Waiting for a full post-mortem before communicating increases risk.

Worked Example: Purchase Order Processing

The Purchase Order Processing tutorial covers the basic flow. Here is how to apply the full risk classification and guardrail set before enabling it in production.

Risk classification

Overall tier: Critical (highest single dimension score)

Guardrails applied

HITL gates:
Hard cap:
Vendor allowlist:
Idempotency check:
Shadow mode (first two weeks): Enable the agent with all connections in read-only mode. Add the SHADOW MODE instruction to the AOP. Review the weekly run outputs with the procurement lead before enabling write access. Time window:
Two-person review: A Manager reviewed and approved the AOP before the agent was promoted to live.

Designing Human-in-the-Loop Workflows

Risk tiers, approval shapes, escalation chains, and ramping toward autonomy

Agent Versions

How to review and revert to a previous AOP version

Roles and Permissions

Who can create, edit, and promote agent revisions

Security & Privacy

Platform-level security controls, SOC 2, and data handling

Purchase Order Processing

Full tutorial showing threshold-based approval routing

Expense Report Approval

Full tutorial showing HITL approval with dollar thresholds