Approval Systems for Coding Agents and Human Sign-Off
What matters first
Section titled “What matters first”Coding agents need approval systems because “can edit code” is not one risk class. Reading a repo, proposing a diff, updating tests, changing CI config, and touching production infrastructure are different actions and should not share the same approval path.
The right approval system is risk-based, not tool-based.
The simplest healthy model
Section titled “The simplest healthy model”Split actions into at least four classes:
- read-only exploration,
- bounded code changes,
- workflow or infrastructure changes,
- production-impacting or security-sensitive changes.
Each class should have a different approval expectation.
Approval matrix
Section titled “Approval matrix”Use a matrix instead of one global permission toggle:
| Agent action | Default approval posture | Required evidence |
|---|---|---|
| Read files, search code, summarize issues | Auto-allow in approved repositories | Activity log and source references |
| Propose a patch in a bounded scope | Allow draft, require review before merge | Diff, tests run, files touched, known risks |
| Modify tests or docs only | Allow draft, review can be lighter | Clear scope and proof that production code was not changed |
| Change dependencies, build scripts, or CI | Require explicit approval before change and before merge | Reason, blast radius, rollback path |
| Touch auth, payments, secrets, infra, or deployment | Require strong approval and senior review | Security review, test evidence, rollback plan |
| Execute external tools or network actions | Require policy-based allowlist | Tool purpose, data exposure, logs |
The matrix should be visible to engineers. If reviewers cannot explain why an action needed approval, the policy will be ignored or over-applied.
What should usually be auto-allowed
Section titled “What should usually be auto-allowed”Low-risk actions can often proceed without per-step human approval:
- repo search,
- file reading,
- test discovery,
- diff analysis,
- and local reasoning over code.
These actions create context, not change.
What should usually require review before merge
Section titled “What should usually require review before merge”Most code-writing activity belongs here:
- bounded implementation,
- test updates,
- documentation edits,
- refactors in a known scope.
The agent can draft the work, but a human should still own the merge decision.
The merge decision matters because coding agents can be locally convincing and globally wrong. A patch may pass the narrow test it added while breaking product assumptions, security boundaries, or operational conventions that are not encoded in tests.
What should require stronger approval
Section titled “What should require stronger approval”These usually need stricter gates:
- dependency changes,
- CI/CD modifications,
- secrets or credentials handling,
- infra or deployment changes,
- or edits to security-sensitive code paths.
This is where coding-agent leverage can quickly turn into operational risk.
Strong approval should not mean “ask a human every time and hope.” It should define:
- who can approve the action;
- what evidence must be attached;
- whether the agent can continue after approval or must stop for review;
- how the action is logged;
- what rollback or cleanup path exists.
That makes approval auditable instead of performative.
The wrong approval model
Section titled “The wrong approval model”The wrong model is one binary rule:
- either “the agent is trusted” or
- “the agent is never trusted.”
Both are weak. One removes discipline; the other removes leverage. A graded approval model is the healthier operating system.
Implementation checklist
Section titled “Implementation checklist”Your coding-agent approval system is probably healthy when:
- action classes are defined by risk;
- read, write, merge, and deploy boundaries are separated;
- the human reviewer remains accountable for consequential changes;
- verification requirements scale with risk class;
- and the team can explain why a given agent action did or did not need approval.
Failure modes to test
Section titled “Failure modes to test”Before standardizing the approval model, test it against realistic failures:
- the agent wants to edit files outside the assigned scope;
- the agent adds or upgrades a dependency;
- the agent changes a CI workflow to make tests pass;
- the agent encounters a secret or
.envfile; - the agent needs network access to fetch docs or packages;
- the agent proposes a migration or irreversible data operation;
- the agent produces a large diff that reviewers cannot inspect quickly.
If the approval system does not define what happens in those cases, it is not ready for high-agency coding work.
What to log for governance
Section titled “What to log for governance”A useful audit trail should include:
- task request and repository scope;
- files read and files changed;
- tools invoked;
- approvals requested and granted;
- tests or checks run;
- unresolved risks named by the agent or reviewer;
- final merge decision.
The purpose is not bureaucracy. The purpose is to make coding-agent work inspectable when something breaks later.