Human-in-the-Loop & AI Governance
Approval gates, fail-closed permission engines, and privacy tiers that keep humans in command of agent actions.
Executive summary
Agents earn autonomy one permission at a time. Axis Bridge systems put a human decision in front of anything consequential — with approval queues that pause the agent at zero token cost, policies that fail closed when unconfigured, and privacy enforcement at the server, never at the model's discretion.
What this capability means
The question that decides whether an organization can actually deploy agents is not “how smart is the model” — it is “what happens when the model wants to do something it shouldn’t.” Axis Bridge treats that as a systems-engineering problem, not a prompting problem: permissions live in version-controlled policy, approvals are a first-class queue with an audit trail, and the default answer everywhere is no until a human or an explicit rule says yes.
The same philosophy runs from infrastructure (agent workstations that cannot type a password without a pend) to product (a messaging assistant that never sends a word without sign-off).
Maturity ladder
- 01
Basic — Review before send
● demonstratedAI drafts, a human approves, edits, or skips before anything leaves the system.
Inbound message → AI draft → Human approve / edit / skip → Send - 02
Intermediate — Policy-gated actions
● demonstratedEvery agent action is classified allow / ask / deny against version-controlled policy; asks pend in a queue until a human decides.
Agent action → Permission engine → Ask → approval queue → Human decision → Execute - 03
Advanced — Fail-closed governance
● demonstratedNo evaluable policy means every action denies. Unanswered approvals expire to deny. Privacy tiers are enforced at a guarded doorway so restricted content never reaches the model at all.
Request → Tier check at doorway → Policy match → Audit row → Allow / deny
Evidence
- Live communications loop — WhatsApp messages intercepted, AI-drafted, and approved via Telegram (Send / Edit / Skip / On-Behalf / Redraft) before any reply is sent. me-inc-os-api + me-inc-os-wa-personal (in daily use)
- Permission engine classifying every computer-use and shell action from git-tracked policy, hot-reloaded, deny-by-default for credential fields — and fail-closed when no policy evaluates. core-workstation v0.19 / docs/PERMISSION_POLICY.md
- Approval queue that pauses the agent at zero token cost; Telegram push and dashboard approvals race, first decision wins; unanswered asks remind then hard-deny at 30 minutes. core-workstation v0.20 approval queue
- Privacy tiers enforced at the knowledge doorway — content above a client's tier never leaves the database, so a cloud model never gets the chance to "be good." me-inc-os-knowledge / PLAN.md §5
- Multi-tenant group resolution that fails closed — a message from an unrecognized group maps to no client and gets no data. whatsapp-concierge / ARCHITECTURE.md
- Human review queues for conflicts the system cannot safely decide. me-inc-os-knowledge review_items; project-manager review queue