Every agent product eventually has the same conversation: who is allowed to click "yes"?
The simplest answer is a single per-action prompt. The user gets a popup, the popup says "the agent wants to do X", the user clicks yes or no, the run continues. That model breaks down fast in real operations. Three reasons come up over and over:
The user cannot evaluate every action. A long-running research or coding agent can produce hundreds of low-risk actions and a handful of side effects. Either the user approves everything in bulk (no real safety) or they get fatigued and rubber-stamp the rest.
The same action has different blast radius in different contexts. "Send a message" might be safe in a sandbox and dangerous against a real customer. The runtime usually knows which; the user usually does not.
The interesting failures are not at the prompt boundary. They are at the edges: retries, recoveries, fallbacks, escalations. A single confirm button has no opinion about what happens between the prompt and the side effect.







