Skip to content
C
Agentic flows

The approval checkpoint

A pause-for-human-signoff, named and scoped.

8 min

The blast radius of an agent action is usually invisible until it happens. Emails go out. Calendars update. Files move. Most products ask for a single "approve all" or "cancel all" on a plan that may contain both a read and an irreversible send. Approval checkpoints break that apart: every action is its own decision, with its own risk tag.

"Don't approve the agent. Approve each action, with its blast radius visible."
The pattern

Action-level toggles with risk tags.

The plan renders as a list of actions, each with verb + target + risk chip (low / review / high risk). A checkbox beside each. Defaults are on for low-risk, off for anything irreversible. A single "run approved" button executes only the checked set.

Anything marked "irreversible" or "visible to many" is forced to off by default. Users have to explicitly opt in. Friction here is the feature.

Plan with granular approvals
High-risk actions default off; reversible ones default on
Agent proposes · 2 of 4 approved
ReadQ2 memo + 3 sources
Low
Writedraft-v1.md (new)
Low
Emaillaunch-team@ (12 recipients)
irreversible
High risk
Post#design-review
visible to 40 people
Review

Don't approve the agent. Approve each action, with its blast radius visible.

The why

All-or-nothing approval collapses to yes.

If the only options are "approve everything" or "cancel everything," users default to approve. The friction of canceling a long plan is too high. That's how products end up sending the wrong email to the wrong list. The checkpoint pattern restores consent by making each risk its own decision.

Three moves

Details that make approval legible.

  • Name the blast radius. Not "Post to channel." Say "Post to #design-review · visible to 40 people." Scale is context users need.
  • Risk chips. Three tiers. Low (default on), review (default on but visible), high (default off). Three tiers carry most cases cleanly.
  • Running count. "Run approved (2)" — the button reflects the current state so the user can't approve blindly.
The trap

Checkpoint fatigue.

If every tiny read action gets a checkbox, users stop reading them. The defense dissolves into click-through theater. The solution isn't to drop checkpoints — it's to calibrate: default cheap things on, save the real friction for actions that deserve it.

Failure modes

What this pattern gets wrong when it gets wrong.

Runaway agent
An agent that loops, spends, or edits past the user's intent with no visible cap.
Confidence theater
Language or typography that performs certainty beyond what the model actually has.
Seen in the wild

Three shipping variants worth copying.

  • A named checkpoint card: 'about to spend $12'
  • A 'remember this answer for the rest of the run' toggle
  • A configurable rule: auto-approve when cost is under $X