“The AI asks before doing anything risky” is a promise every agent product makes. The question that separates them: what happens if the AI doesn’t ask?
If the answer is “it would be violating its instructions,” you have a policy. If the answer is “it can’t — the action physically fails without a human-signed token,” you have an architecture. Waveguide is the second kind.
The four tiers
Every action the agent can take — every provider path in the egress proxy, every tool from an MCP server — is classified into a risk tier before the agent can ever use it:
- T0 — Reads. Campaign insights, email search, calendar free/busy, ledger queries. These run freely. An agent that can’t read without asking is useless.
- T1 — Low-risk writes. Drafting an email, storing a lead, saving a creative asset. These run and are logged. Reversible, internal, low blast radius.
- T2 — External actions. Sending an email, posting to social, changing an ad budget. These are gated: they require either your one-tap approval or a standing policy you explicitly wrote (“always allow budget increases under $50/day”).
- T3 — Irreversible or financial. Spending money, deleting data, anything you can’t take back. These always require a human. There is no policy override, no autonomy level, no configuration that removes this gate.
Where the enforcement lives
The tier check happens in the egress proxy — the single network door out of the agent’s sandbox — not in the model’s instructions. When a T2 or T3 request arrives, the proxy demands a signed, single-use approval token. Only the control plane can mint one, and it only does so when a human clicks Approve — in Slack, Telegram, email, or the dashboard.
The token is single-use and expires in 15 minutes. An unanswered approval lapses safely: the default is always “nothing happens.”
Respecting your attention
An approval system that pings you forty times a day trains you to click Approve without reading — which defeats the whole point. So Waveguide budgets its interruptions:
- Standing policies let you stop being asked about categories of action you’ve decided to trust.
- An interrupt budget (a handful of pings per day) forces the agent to batch non-urgent decisions into your daily brief instead of interrupting.
- One card, one decision. Every approval states what, why, and the projected effect — readable in five seconds.
Tainted input forces the gate
One more wrinkle: untrusted content. Email bodies, webpages, and webhook payloads are quarantined and typed before they can influence anything. If tainted data flows into a risky action, that action is forced through approval with a visible warning — even if a standing policy would normally allow it. A malicious email can’t talk the agent into a quiet budget change; the worst it can do is generate a question for you.
The complete model is in the approvals docs and on the security page.