A practical framework for decision rights, escalation policy, kill switches, and autonomy creep prevention
When teams say “let the agent decide,” they usually mean something narrower than it sounds.
In production, the real questions are: what may the agent decide on its own, what must it escalate, what must be blocked, what does “stop” actually disable, and which scope changes require re-approval before the agent keeps operating. That is a governance problem, not a prompt-writing problem. [evidence:ev_001] [evidence:ev_003]
For a concrete example: if an agent can draft a change but not apply it, the policy is different from an agent that can apply low-risk changes automatically but must escalate anything irreversible. Those are separate decision rights, not one “autonomy” setting. [evidence:ev_003]
If you are responsible for production AI governance, you need a boundary model, not a binary autonomy setting. The rest of this post is a practical way to define that boundary model. [evidence:ev_002] [evidence:ev_003]
[link:link_2cab8a64ab]
[link:link_c504c278ab]
The phrase “more autonomous” sounds useful until you have to turn it into controls.
A staff engineer needs to answer different questions for different actions: can the agent read this data, propose a change, execute the change, or only prepare a recommendation for approval? Can it make a low-risk decision independently but escalate anything irreversible? Can it keep running if the user stops watching the chat surface? These are not the same decision. [evidence:ev_003]
That is why a single autonomy slider is too coarse to govern. It collapses permissions, escalation thresholds, stop conditions, and review requirements into one vague label. In practice, that invites confusion between convenience and authorization. [evidence:ev_001] [evidence:ev_004]
Diagram description: A four-part boundary model showing how agent behavior should be separated into four control actions: decide, escalate, stop, and review. The diagram is meant to make clear that autonomy is not a single knob.
[link:link_297da303f8]
[link:link_6d95429574]
A binary model answers the wrong question.
“Is the agent autonomous?” is less useful than:
Those are distinct controls, and they should not be merged into one policy field. [evidence:ev_003]
[table:coarse-vs-boundary-model]
Table description: Compare a coarse autonomy framing against a boundary-model framing. Suggested columns: policy question, coarse framing answer, boundary-model answer, operational consequence.
| Policy question | Coarse framing | Boundary-model framing |
|---|---|---|
| Can the agent act? | “Yes” or “no” | “On which actions, under which permissions, with which limits?” |
| When must it ask? | “When risky” | “When a threshold, novelty rule, sensitivity rule, or reversibility rule is hit” |
| How do we stop it? | “Disable the UI” | “Revoke tool access, cancel jobs, remove scoped permissions” |
| When do we review? | “Occasionally” | “On tool changes, scope expansion, and policy changes” |
The point is not that every system needs the same policy. The point is that governance gets tractable only when the policy is explicit. That is a proposed framework, not an industry-standard taxonomy. [evidence:ev_004]
Treat autonomy like a permission boundary:
This is the memorable unit. If a policy cannot be described in those four terms, it is probably too vague to operate safely. That is a recommendation, not a universal rule. [evidence:ev_001] [evidence:ev_003]
This is the agent’s independent decision right set.
A good policy does not say “the agent is low autonomy.” It says, concretely, which actions are allowed, under what constraints, and what gets logged when those actions occur. The distinction between read, propose, and execute matters because each one has a different risk profile and different reversibility characteristics. [evidence:ev_003]
For example, a reasonable boundary model might separate:
That separation makes the boundary readable to both engineers and operators, which matters when you are trying to audit behavior later. This is an operational recommendation, not a proven standard. [evidence:ev_001]
[link:link_c504c278ab]
Practical check: if a policy only says “allowed” or “not allowed,” it is probably not specific enough to support production governance.
Escalation is where a lot of “agent autonomy” programs quietly fail.
If you do not define escalation as policy, you will end up with exceptions. And once exceptions become routine, they become the real system. [evidence:ev_003]
Escalation rules usually need to be explicit about:
Those choices are context-specific; there is no universal threshold. Treat any “one size fits all” escalation rule as a warning sign. [evidence:ev_003] [evidence:ev_004]
Diagram description: The same boundary model can also be read as an escalation policy map: threshold exceeded, high-risk or irreversible action, and novel or out-of-scope request all route into escalation rather than execution.
A useful policy question: if no human responds, does the agent continue, retry, or stop? Leaving that undefined creates ambiguity at exactly the point where the system needs deterministic behavior.
A kill switch that only closes the chat window is not a kill switch if the agent still has tool access, background jobs, or scoped credentials. [evidence:ev_003]
That distinction matters because a control that only affects the visible surface can create a false sense of safety. The agent may still be able to act through an execution path that is no longer obvious to the operator. This is a risk-based inference from the boundary model, not a claim about any specific implementation. [evidence:ev_001] [evidence:ev_005]
A real stop mechanism should be able to revoke or disable, depending on system design:
It is also useful to separate pause from revocation. Those are different states operationally. Pause suggests temporary suspension; revocation means the agent should not keep acting until re-approved. [evidence:ev_003]
[link:link_6d95429574]
Policy check: if your incident response playbook only says “disable the bot,” ask what that means in terms of permissions, queues, and background work.
Boundary models drift unless review triggers are explicit.
The failure mode is familiar: a team starts with a narrow agent, then adds a new tool, expands data access, widens the action scope, or changes policy logic. If those changes do not trigger a formal review, the agent’s effective autonomy expands silently. That is autonomy creep. [evidence:ev_003] [evidence:ev_005]
A review policy should require re-approval when any of the following changes:
Logging should make those changes visible in review, not just in incident response. [evidence:ev_005]
[table:autonomy-creep-triggers]
Table description: List common scope-change triggers and the required action. Suggested columns: trigger, why it matters, required response, owner.
| Trigger | Why it matters | Required response |
|---|---|---|
| New tool added | Expands what the agent can do | Re-approve decision rights |
| Data scope expanded | Raises sensitivity and privacy risk | Re-check escalation and logging |
| Action scope widened | Changes the agent’s authority | Reassess stop conditions |
| Policy changed | Can alter behavior without code changes | Re-review the boundary model |
| Permissions changed | Can silently increase reach | Re-approve before deployment |
Periodic boundary audits are part of governance, not a nice-to-have. I would treat cadence as a policy decision, not a universal recommendation. [evidence:ev_005] [evidence:ev_001]
If you are preparing a production rollout, the safest next step is not “add more autonomy.” It is to write the boundary policy in operational terms.
Use this checklist:
[link:link_225e10b561]
[link:link_297da303f8]
Implementation note: the schema, control plane, and logging mechanism will vary by stack. This post is intentionally vendor-neutral and does not claim a specific implementation pattern is universal. [evidence:ev_005]
If you later have operational data, validate the boundary model by inspecting behavior against policy rather than assuming that the agent “usually behaves.”
Useful signals include:
The goal is not to prove the model is “safe” in some absolute sense. The goal is to see whether the policy is actually being enforced, whether the stop path is real, and whether scope changes are visible before they become incidents. That is an inference from the governance problem described above, not a measured result. [evidence:ev_001] [evidence:ev_003]
[link:link_0926a602bc]
Validation question: when the agent does something unexpected, can you tell whether it violated decision rights, exceeded an escalation threshold, bypassed the stop path, or silently accumulated new scope?
There are simpler ways to talk about autonomy. They are attractive because they are easy to explain.
A binary toggle is easy to understand, but it is too coarse for governance. It cannot express different decision rights for different actions. It also tends to hide the real policy behind a single label. [evidence:ev_004]
Ad hoc escalation is flexible, but it becomes inconsistent quickly. If approval happens only through exceptions, the system’s real policy becomes tribal knowledge instead of design. [evidence:ev_003]
A UI-only stop button is convenient, but incomplete. If execution paths remain active, the agent has not really been stopped. [evidence:ev_003]
Letting scope expand without re-approval is operationally easy and governance-hostile. It creates autonomy creep by default. [evidence:ev_005]
[table:tradeoff-comparison]
Table description: Compare four approaches: binary toggle, ad hoc escalation, UI-only stop, and boundary-model governance. Suggested columns: what it simplifies, what it hides, and likely failure mode.
| Approach | What it simplifies | What it hides | Likely failure mode |
|---|---|---|---|
| Binary toggle | Easy yes/no framing | Different permissions by action | Coarse governance |
| Ad hoc escalation | Fast operator workaround | Real policy definition | Hidden exceptions |
| UI-only stop | Simple user interaction | Background execution paths | False sense of control |
| No-review expansion | Fast rollout | Scope drift | Autonomy creep |
The boundary model costs more up front. It requires more policy work, more review, and more coordination between product, platform, and governance. But it buys you something the simpler models do not: clearer ownership, auditable decisions, more reliable stops, and fewer surprises when behavior changes. That tradeoff is reasoned analysis, not measured evidence. [evidence:ev_001] [evidence:ev_003] [evidence:ev_004]
[link:link_6c6344e3aa]
If you need a lightweight template for a review meeting, ask these four questions for every agent:
If the team cannot answer those questions concretely, the autonomy model is not ready yet.
That is the useful mental model here: treat autonomy like a permission boundary. Decide, escalate, stop, review. [evidence:ev_001] [evidence:ev_003]
The mistake is treating agent autonomy like a toggle.
In production, autonomy should be governed as a boundary model: decide what the agent may do, escalate what it may not decide alone, stop behavior by revoking the right permissions, and review scope changes before they become silent expansion. [evidence:ev_001] [evidence:ev_003]
If you adopt one phrase from this post, make it this: treat autonomy like a permission boundary. Then make the boundary explicit enough that engineers, operators, and reviewers can all see it. [evidence:ev_001] [evidence:ev_002]
[link:link_6d95429574]
Final checklist:
Copy this:
Don’t copy this:
Founder & CEO
DevOps and platform engineering overlap, but they do not solve the same bottleneck. Use DevOps to clarify ownership and feedback loops. Use platform engineering to reduce cognitive load through self-service. The hard part is diagnosing which problem you actually have.
Human review should be a control, not a default layer. Use a simple taxonomy to decide which AI workflow steps stay automated, which escalate, and which should stop until a human with real authority takes over.
Agent workflows can look fine while the plan, tool use, or policy path regresses. This guide shows how to build an eval harness around scenarios, golden tasks, tool traces, and acceptance thresholds—and keep it current as the workflow changes.
A practical framework for bringing cloud economics into architecture review without turning it into a finance gate: name the dominant cost driver, surface hidden spend, and make reliability-vs-spend tradeoffs explicit.