Risk-Tiered Action Autonomy
also known as Maker-Checker Agent Boundary, Segregation-of-Duties Action Gate, Four-Eyes Action Release
Set an agent's permitted action class by the financial materiality of the action, letting it read and draft freely while requiring a different human principal to release material postings, payments, or filings.
Context
An agent operates inside a financial system of record — an ERP, accounting suite, treasury, or payments platform — where actions range from harmless reads to irreversible movements of money. Regulators and internal controls already require that the person who initiates a financial transaction is not the person who approves it, and that material postings leave an audit trail. The agent is fast and tireless at the low-risk end of this range and genuinely dangerous at the high-risk end, and the same model produces both kinds of action.
Problem
Treating autonomy as a single switch forces a bad choice: granted wholesale, the agent can post journals, release payments, or file returns on its own, collapsing the segregation of duties that controls depend on; withheld wholesale, every trivial reconciliation waits on a human and the agent is not worth running. A single global approval step does not help either, because it makes a human rubber-stamp thousands of low-risk drafts while giving a high-value payment the same shallow glance. Worse, if the human approver is the same identity that launched the agent, the four-eyes control exists only on paper.
Forces
- Low-risk, high-volume actions are where the agent pays for itself, and gating them all on a human destroys that value.
- High-risk, low-volume actions are where an error is expensive or irreversible, and skipping a human is unacceptable.
- Segregation of duties requires that the approver be a different principal from the initiator, which a single-operator agent setup quietly violates.
- Materiality is the dimension regulators and auditors reason about, but it is not the same as token cost or model confidence.
- Approval fatigue makes a uniform gate worse than useless: reviewers stop reading when most of what they see is trivial.
Example
A finance team runs an agent in its ERP to clear the accounts-payable backlog. The agent reads ledgers and reconciles freely; it codes and stages invoices as drafts with full logging; but any payment above a set amount, any new payee, or any cross-border transfer is held as a draft on an approval queue. A controller — signed in as a different user than the analyst who started the agent — reviews only those held items and releases them. Every release records who initiated, who approved, the tier the action landed in, and the rule that put it there, so an auditor can later confirm that no material payment moved without two distinct people.
Solution
Therefore:
Define a small set of risk tiers over the action surface, keyed on materiality rather than on cost or model confidence: for example read and analyse freely, draft and stage with full logging, and hold-for-release for anything that moves money or alters the books above a threshold. Classify every proposed action into a tier before it executes, using deterministic rules — amount thresholds, account sensitivity, counterparty, jurisdiction — rather than the model's own judgement of its risk. Actions in the autonomous tiers run and are logged; actions in the release tier are written as drafts and placed on a queue that only a human can clear. Bind that release step to a different identity than the one that initiated the agent run, so the maker (agent plus its operator) and the checker (the approver) are structurally separate. Record initiator, approver, tier, and the rule that set the tier in an immutable trail so the control is auditable after the fact.
What this pattern forbids. The agent must not execute any action classified into the release tier without an explicit clearance from a human principal whose identity differs from the initiator of the agent run; it must not select or downgrade its own risk tier; and a material action whose tier cannot be determined must be held rather than executed.
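A minimal sketch of the classifier and release gate described above, added here as an illustration and not taken from any particular product. The action kinds, field names, threshold, home jurisdiction and the `Gate` class are all assumptions, and the hash-chained list stands in for a real immutable audit store.

```python
import hashlib
import json
from dataclasses import dataclass, field

READ, STAGE, HOLD = "read", "stage", "hold"
THRESHOLD, HOME = 10_000, "GB"  # constructed materiality threshold and home jurisdiction
AUTONOMOUS = {"read": (READ, "read-only"), "draft_invoice": (STAGE, "staged-draft")}

def classify(action, known_payees):
    """Deterministic (tier, rule) from action fields; the model's view of risk is never an input."""
    kind, amount = action.get("kind"), action.get("amount")
    if kind in AUTONOMOUS:
        return AUTONOMOUS[kind]
    if kind != "payment" or not isinstance(amount, (int, float)) or amount <= 0:
        return HOLD, "tier-undetermined"      # fail closed: unknown means held
    if action.get("payee") not in known_payees:
        return HOLD, "new-payee"
    if action.get("country") != HOME:
        return HOLD, "cross-border"
    if amount > THRESHOLD:
        return HOLD, "amount-above-threshold"
    return STAGE, "payment-below-threshold"   # assumed: small domestic payments run, fully logged

@dataclass
class Gate:
    initiator: str                  # authenticated identity that launched the agent run
    known_payees: set
    queue: dict = field(default_factory=dict)
    trail: list = field(default_factory=list)

    def _log(self, **entry):
        entry["prev"] = self.trail[-1]["hash"] if self.trail else ""  # chain to previous record
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.trail.append(entry)

    def propose(self, action_id, action):
        tier, rule = classify(action, self.known_payees)
        if tier == HOLD:
            self.queue[action_id] = rule      # written as a draft; only release() clears it
        status = "held" if tier == HOLD else "executed"
        self._log(id=action_id, tier=tier, rule=rule, initiator=self.initiator, approver=None, status=status)
        return status

    def release(self, action_id, approver):
        if approver == self.initiator:        # four-eyes: the checker must be a different principal
            raise PermissionError("approver must differ from initiator")
        rule = self.queue.pop(action_id)      # KeyError if nothing is held under this id
        self._log(id=action_id, tier=HOLD, rule=rule, initiator=self.initiator, approver=approver, status="released")
        return "released"
```

In a deployment the `approver` value would come from the authenticated session of the person clearing the queue, never from anything the agent supplies.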
And the patterns that stand alongside it, or against it —
- alternative-to: Cost-Aware Action Delegation ★ — Classify every agent action by risk/cost and route each tier to a different approval policy, bounding the autonomy surface per-action instead of by one global flag.
- complements: Autonomy Slider ★ — Expose agent autonomy as a continuous adjustable parameter so the same codebase can span scripted assistant to fully autonomous worker without re-architecting.
- complements: Progressive Delegation ★ — Stage the human-to-agent handoff over time: the agent starts producing drafts a human always reviews; its autonomy expands action-by-action as measured trust accrues.
- complements: Approval Queue ★★ — Queue agent-proposed actions for asynchronous human review while the agent continues other work.
- complements: Human-in-the-Loop ★★ — Require explicit human approval at defined points before the agent performs an action.
- complements: Session-Scoped Payment Authorization · — Bound an agent's autonomous spending by having it open a payment session with a pre-approved cap, stream many micropayments inside that session, and settle once on close, instead of seeking approval for every transaction.
- complements: Policy-as-Code Gate ★ — Evaluate every proposed agent action against externally-managed machine-readable policies before dispatch, so compliance authorship lives outside the prompt and outside the agent code.
- complements: Compensating Action ★★ — Pair every irreversible-looking agent action with a compensating action that can undo or counteract it.
- complements: Tenant-Scoped Tool Binding ★ — Bind every tool call and retrieval to the active tenant in code at the execution layer, so a multi-tenant agent can never be talked into reading or writing another tenant's data.
- complements: Canonical-Entity Grounding ★ — Require the agent to resolve every business identifier it uses — SKU, account, supplier, customer — through an authoritative lookup against the system of record, rather than emitting the identifier from the model's parametric memory.
- complements: Mandatory Red-Flag Escalation ★★ — Maintain a deterministic set of high-risk triggers so that on any match the agent immediately aborts its workflow and hands off to a human, without weighing whether to escalate.
- complements: Semantic-Layer Query Guardrail ★ — Route natural-language data questions through a curated semantic layer so the model selects and parameterises vetted metrics and dimensions instead of free-authoring raw SQL against production data.
- complements: Reversibility-Aware Action Filter · — Insert a standing filter between the policy and the environment that estimates each proposed action's reversibility and re-samples the policy until a reversible action is chosen.
- complements: Determinism-Tiered Replay Gate · — Classify an agent into a reproducibility tier by re-running identical inputs, require the strictest decision-determinism tier for regulated decisions, and gate deployment and validation-sample size on the measured tier.