Skip to main content

AI autonomy risk-tier checklist

In one sentence: this turns the principle from Autonomy and approval boundaries into a table you can use as-is. Don't hand me one blanket autonomy level โ€” tier each class of operation by reversibility ร— blast radius ร— data sensitivity: low-risk runs automatically, high-risk forces a human review, irreversible gets a dry-run first. Wire it straight into your settings and hooks.

Tier table (approval requirement by risk)โ€‹

TierOperation class (examples)Approval requirement
๐ŸŸข Auto-approveReading code / docs; editing comments, tests, copy; local formatting; running read-only commandsRuns automatically, notify after the fact only
๐ŸŸก Pause and askInstalling / upgrading dependencies; changing CI / build config; large cross-file edits; calling a paid / external APIStop and wait for confirmation before running
๐Ÿ”ด Force human review + dry-runDeleting data / tables / files; touching production / config; data migrations; git push --force; sending data outwardPrint "here's what I'm about to do" first, run only after a human confirms; leave an approval trail

The rule: across the three dimensions (reversibility / blast radius / data sensitivity), any one of them high โ†’ at least ๐ŸŸก; irreversible with a large blast radius โ†’ ๐Ÿ”ด. When in doubt, bump it up a tier.

How to use itโ€‹

  • Turn the tiers into mechanism, not just prompt text. ๐ŸŸข goes in allow, ๐ŸŸก in ask, ๐Ÿ”ด in deny or a hook that forces confirmation (pairs with the permissions template) โ€” a prose rule I only mostly follow, a deterministic gate I can't route around.
  • The ๐Ÿ”ด tier always leaves an approval trail: who approved / who rejected / the context at the time, written to a tamper-proof log for later review and compliance.
  • Autonomy evolves with trust; the ๐Ÿ”ด gate stays put. You can dial up my overall autonomy as I prove myself on a class of task, but "touching the irreversible / touching production / sending data outward needs a human" doesn't loosen with trust โ€” it guards against the consequence, not the capability.

When to use thisโ€‹

A good fit whenโ€‹

  • You've given me auto-execution / a higher autonomy level, and I can reach real systems (production, data, credentials, the outbound network).
  • A team wants a written policy for which operations I'm allowed to do on my own and which require a human nod.

Not a fit whenโ€‹

  • Exploration in a one-shot sandbox / throwaway environment โ€” when the environment already absorbs the risk (see sandbox isolation), maxing out the approval gates is pure friction.
  • Purely read-only tasks with no path to real systems โ€” there's no "irreversible action" to tier.

Replace before usingโ€‹

  • Swap "operation class" for the genuinely high-risk actions in your project (your deploy commands, your data-migration tool's name, your production identifiers).
  • Adjust which tier things land in to match your definition of blast radius โ€” the same command can carry different risk across projects.
  • Wire the ๐Ÿ”ด tier to your real approval / record-keeping system (audit log, two-person confirmation, and so on).