Common Guardrail Mistakes That Undermine Human Oversight
This page lists recurring mistakes that make human-in-the-loop controls look present while failing under real traffic.
Use it in design reviews and incident retros when an "approved" agent still caused damage.
How to Use This List
- Read by theme when debugging a SEV; read top to bottom when adding HITL to a new agent.
- For each incident, tag the nearest mistake number and link a fix from Human-in-the-Loop Best Practices.
- Treat these as systems failures, not individual operator blame.
- Revisit when approval volume spikes or people start auto-clicking.
Approval Theater (1–5)
-
Rubber-stamp approvals - humans click approve without reading args because volume is impossible.
- Why it happens: Too many low-risk items hit a hard gate; rings are wrong.
- Fix: Raise auto-run for true R0-R1; show final args and risk tags; throttle queues (Privilege Rings).
-
Approve the title, not the payload - UI shows "Send email" while body/recipient differ from the draft the human skimmed earlier.
- Why it happens: Packet omits final args or shows a stale summary.
- Fix: Decision packet binds the exact args (or hash) that will execute (Approval Gate).
-
Timeout equals approve - silence ships the irreversible action.
- Why it happens: Product wants "no blockers."
- Fix: Fail closed or escalate; never auto-approve high-blast tools on timeout.
-
Self-approval for high risk - the requester alone approves refunds or prod deploys.
- Why it happens: Small team speed culture.
- Fix: Separation of duties for R3; dual control above thresholds.
-
Emoji / free-text as the only decision record - "lgtm" in Slack with no
pending_id.- Why it happens: Fast chatops without binding.
- Fix: Authenticated decision API tied to pending ids and audit events.
Scope and Ring Failures (6–10)
-
Prompt-only safety - "never send email without asking" lives only in the system prompt.
- Why it happens: Fast demo path.
- Fix: Enforce in the tool dispatcher before side effects.
-
Kitchen-sink tools at R0 - one mega-tool can read and refund.
- Why it happens: Convenience wrappers.
- Fix: Split capabilities; ring the write path separately.
-
Staging uses prod credentials without prod gates - "it's only staging" still wires live Stripe.
- Why it happens: Shared secrets, rushed tests.
- Fix: Separate keys and the same R2-R3 gates whenever credentials are real.
-
MCP / plugin auto-import as trusted - new servers inherit auto-run.
- Why it happens: Ecosystem enthusiasm.
- Fix: Assign rings before exposure; default deny new tools.
-
Handoffs expand privilege - specialist inherits admin tools through a shared toolkit.
- Why it happens: Multi-agent graphs share one tool registry.
- Fix: Per-role allowlists; never widen rings on handoff silently.
Runtime and Kill Gaps (11–15)
-
No kill switch - only max turns, which a thrashing agent burns completely.
- Why it happens: Stops confused with emergencies.
- Fix: Shared kill flag + operator control (Kill Switches).
-
Kill flag checked too late - boolean flips after the send already started.
- Why it happens: Checks only between model calls, not before tools.
- Fix: Assert alive at tool boundary; cancel in-flight work where possible.
-
In-memory kill on multi-instance deploys - one replica never sees the trip.
- Why it happens: Single-process demo hardened into "prod."
- Fix: Redis/DB/feature-flag backed state.
-
Infinite retries instead of escalation - agent guesses through 404s and policy edges.
- Why it happens: Resilience cargo cult.
- Fix: Stuck detectors and escalation briefs (Escalation Paths).
-
Soft notify used for hard risk - "we'll undo the refund if wrong" when undo does not exist.
- Why it happens: UX prefers speed.
- Fix: Hard gate when undo is false or partial.
Evidence and Ops Failures (16–20)
-
No audit of decisions - cannot prove who approved what args.
- Why it happens: Logging added only for model traces.
- Fix: Structured approval and execute events (Audit Trails).
-
Secrets in approval UIs and logs - tokens pasted into Slack packets.
- Why it happens: Raw arg dumps.
- Fix: Redaction layer; show destinations and amounts, not credentials.
-
Bypass paths around the gate - notebooks, cron, or admin scripts call providers directly.
- Why it happens: Emergency fixes that never expire.
- Fix: One dispatcher; alert on direct credential use outside it.
-
Missing idempotency - double approve or resume sends twice.
- Why it happens: UI retries and webhook at-least-once delivery.
- Fix: Idempotency keys on execute; store completed fingerprints.
-
No ownership of HITL policy - rings and queues drift per squad.
- Why it happens: Agents treated as feature code only.
- Fix: Named owner, review cadence, checklist in Best Practices.
Product and Metrics Failures (21–24)
-
Optimizing only for autonomy rate - success = fewer human touches, even when risk rises.
- Why it happens: Autonomy as a vanity KPI.
- Fix: Track incident rate, approval quality samples, and time-to-kill too.
-
Hiding uncertainty from users - spinner forever instead of escalate/ask.
- Why it happens: Fear of looking incapable.
- Fix: Honest statuses and questions when stuck.
-
Training humans to ignore alerts - pages for every draft.
- Why it happens: Bad ring calibration.
- Fix: Alert on R2-R3 and anomalies only; review false positives weekly.
-
Shipping gates without drills - first kill or dual-control attempt is during an outage.
- Why it happens: Controls untested.
- Fix: Staging game days for approve, reject, kill, and escalate paths.
FAQs
Is this list ordered by severity?
By theme, not strict severity. Rubber stamps, missing dispatcher enforcement, and absent kills usually hurt first in production.
Can demos skip these controls?
Demos can use fake tools. The mistake is promoting demo wiring with real credentials and no gates.
How do we detect rubber-stamping?
Measure median time-on-packet, approve rate near 100%, and sample reviews where args were wrong but approved. Pair with volume per operator.
Are framework human-nodes enough to avoid these mistakes?
No. Frameworks provide pause primitives. Policy, rings, packets, audit, and kill still need product design.
Which mistake correlates most with surprise external damage?
Bypass paths (18), prompt-only safety (6), and timeout-as-approve (3).
How should we use this in a retro?
Pick a mistake number, link the fix page, add a best-practices checkbox owner, and set a verification test.
Do consumer chatbots need the full list?
They need honest escalation, kill/cancel, and gates on any side effects (send, pay, delete). Full dual control may be overkill for personal notes.
What is the fastest high-impact fix?
Put irreversible tools behind a hard gate in one dispatcher and fail closed on timeout.
Related
- Human-in-the-Loop Best Practices - positive checklist
- Privilege Rings: Scoping What an Agent Can Do Without Asking - tier model
- Building an Approval Gate Before Irreversible Actions - gate recipe
- Kill Switches: Stopping a Runaway Agent Mid-Execution - emergency stop
- Audit Trails: Logging Every Agent Action for Later Review - evidence
- Human-in-the-Loop Basics - first patterns
Stack versions: Pins from the category manifest (verify at build): OpenRouter (~315+ models, July 2026 pricing/fees); LangGraph 1.0+; CrewAI 1.14+; Microsoft Agent Framework 1.0; Vercel AI SDK 6; Pydantic AI (latest); LlamaIndex (latest); OpenAI Agents SDK (latest + MCP); MCP (Linux Foundation governance); A2A (HTTP+SSE+JSON-RPC 2.0); Solana
@solana/web3.js+@solana/spl-token.