Waveguide

Blog  ·  June 21, 2026  ·  2 min read

Approvals by construction: how T0–T3 risk tiers work

security product

“The AI asks before doing anything risky” is a promise every agent product makes. The question that separates them: what happens if the AI doesn’t ask?

If the answer is “it would be violating its instructions,” you have a policy. If the answer is “it can’t — the action physically fails without a human-signed token,” you have an architecture. Waveguide is the second kind.

The four tiers

Every action the agent can take — every provider path in the egress proxy, every tool from an MCP server — is classified into a risk tier before the agent can ever use it:

  • T0 — Reads. Campaign insights, email search, calendar free/busy, ledger queries. These run freely. An agent that can’t read without asking is useless.
  • T1 — Low-risk writes. Drafting an email, storing a lead, saving a creative asset. These run and are logged. Reversible, internal, low blast radius.
  • T2 — External actions. Sending an email, posting to social, changing an ad budget. These are gated: they require either your one-tap approval or a standing policy you explicitly wrote (“always allow budget increases under $50/day”).
  • T3 — Irreversible or financial. Spending money, deleting data, anything you can’t take back. These always require a human. There is no policy override, no autonomy level, no configuration that removes this gate.

Where the enforcement lives

The tier check happens in the egress proxy — the single network door out of the agent’s sandbox — not in the model’s instructions. When a T2 or T3 request arrives, the proxy demands a signed, single-use approval token. Only the control plane can mint one, and it only does so when a human clicks Approve — in Slack, Telegram, email, or the dashboard.

The token is single-use and expires in 15 minutes. An unanswered approval lapses safely: the default is always “nothing happens.”

Respecting your attention

An approval system that pings you forty times a day trains you to click Approve without reading — which defeats the whole point. So Waveguide budgets its interruptions:

  • Standing policies let you stop being asked about categories of action you’ve decided to trust.
  • An interrupt budget (a handful of pings per day) forces the agent to batch non-urgent decisions into your daily brief instead of interrupting.
  • One card, one decision. Every approval states what, why, and the projected effect — readable in five seconds.

Tainted input forces the gate

One more wrinkle: untrusted content. Email bodies, webpages, and webhook payloads are quarantined and typed before they can influence anything. If tainted data flows into a risky action, that action is forced through approval with a visible warning — even if a standing policy would normally allow it. A malicious email can’t talk the agent into a quiet budget change; the worst it can do is generate a question for you.

The complete model is in the approvals docs and on the security page.