Confirmation Fatigue and the Protocol Gap in Agentic AI Oversight代理式AI监督中的确认疲劳与协议缺口

Per-tool-call human approval in agentic AI is solved in theory, unsolved in practice. Confirmation fatigue is not a UX annoyance but a security vulnerability and the primary obstacle to effective human oversight at scale. Risk-tiered frameworks, middleware architectures, and new design patterns now exist to replace the binary confirm/deny paradigm. But MCP provides no protocol-level mechanism for any of them, so every client reinvents the wheel.

Confirmation fatigue as a documented threat vector

Rippling’s 2025 Agentic AI Security guide classifies “Overwhelming Human-in-the-Loop” as threat T10: adversaries flood reviewers with alerts to exploit cognitive overload. SiliconANGLE (January 2026) argues HITL governance was built for an era of discrete, high-stakes decisions, not for modern agent workflows that produce action traces humans cannot realistically interpret.

The cybersecurity parallel is quantified. SOC teams average 4,484 alerts/day; 67% are ignored due to false-positive fatigue (Vectra 2023). Over 90% of SOCs report being overwhelmed by backlogs. ML-based alert prioritization cut response times by 22.9% while suppressing 54% of false positives at 95.1% detection accuracy. The lesson: risk-proportional filtering outperforms blanket approval.

Mitchell, Birhane, and Pistilli (February 2025, “Fully Autonomous AI Agents Should Not be Developed”) frame this as the “ironies of automation,” where more automation degrades human competence on the rare critical tasks where oversight matters most. CHI 2023 trust calibration work documents how “cooperative” interactions (reviewing each recommendation) degrade into passive “delegative” ones. This is exactly confirmation fatigue.

MCP’s oversight mandate without enforcement

The MCP spec (v2025-11-25) states: “Hosts MUST obtain explicit user consent before invoking any tool." It immediately undermines this: “While MCP itself cannot enforce these security principles at the protocol level, implementors SHOULD build robust consent and authorization flows into their applications.”

Tool annotations (readOnlyHint, destructiveHint, idempotentHint, openWorldHint) exist but are explicitly “hints that should not be relied upon for security decisions,” since tool descriptions from untrusted servers cannot be verified. The sampling feature includes two HITL checkpoints but uses SHOULD, not MUST, allowing clients to auto-approve.

No protocol-level approval mechanism exists. No approval/request JSON-RPC method, no requiresApproval field, no tool permission scoping. The closest active proposal is GitHub Issue #711 (trust/sensitivity annotations), adding sensitiveHint (low/medium/high) for policy-based routing. It links to PR #1913 with a security label. No dedicated HITL Specification Enhancement Proposal exists as of February 2026.

The fragmentation is visible: Claude Code uses allow/deny/ask arrays, Cline offers granular auto-approve plus a “YOLO mode,” and users have injected JavaScript into Claude Desktop’s Electron app to bypass confirmations. Every client independently rebuilds approval logic.

Convergence on risk-proportional oversight

Risk-tiered oversight is the dominant paradigm. Classify tool calls by risk, auto-approve the safe majority, focus human attention on the dangerous few.

Feng, McDonald, and Zhang (“Levels of Autonomy for AI Agents,” arXiv:2506.12469, June 2025) define five levels from L1 Operator (full human control) to L5 Observer (full autonomy), with “autonomy certificates” capping an agent’s level based on capabilities and context. Their key observation: at L4 (Approver, the MCP default), “if a user can enable the L4 agent with a simple approval, the risks of both [L4 and L5] agents are similar.” Confirmation fatigue makes per-call approval security-equivalent to no approval.

Engin et al. (“Dimensional Governance for Agentic AI,” arXiv:2505.11579) argue static risk categories fail for dynamic agentic systems and propose tracking how decision authority, autonomy, and accountability distribute dynamically. Cihon et al. (arXiv:2502.15212, Microsoft/OpenAI) score orchestration code along impact and oversight dimensions without running the agent.

Industry converges on three tiers:

• Low risk (read-only, retrieval): auto-approve, log only
• Medium risk (reversible writes, non-sensitive ops): auto-approve with enhanced logging, post-hoc review
• High risk (irreversible actions, financial transactions, PII, production deploys): mandatory human approval, sometimes multi-approver quorum

Galileo’s HITL framework targets a 10–15% escalation rate, with 85–90% of decisions executing autonomously. The TAO framework (arXiv:2506.12482) finds that review requests often trigger where agents express high confidence but the system internally assesses risk differently; self-assessment alone is insufficient as a gate.

Design patterns for graduated tool-call oversight

Reversibility-based action classification

The highest-leverage pattern: classify by reversibility, not abstract risk. A decision-theoretic model (arXiv:2510.05307) formalizes this as minimum-time scheduling (Confirm → Diagnose → Correct → Redo), finding that intermediate confirmation at irreversibility boundaries cut task completion time by 13.54%; 81% of participants preferred it over blanket or end-only confirmation. The EU AI Act codifies this: high-risk systems must support ability to “disregard, override or reverse the output.” Where outputs are truly irreversible, ex ante human oversight is the only compliant approach.

Practical taxonomy: read-only auto-approves; reversible writes (git-tracked edits) log only; soft-reversible actions (emails, tickets) batch; irreversible operations (data deletion, financial transfers, production deploys) require mandatory human gates. Reversibility is contextual: deleting from a git repo is reversible; deleting from unversioned S3 is not.

Plan-level vs. action-level approval

Safiron (Huang et al., arXiv:2510.09781, October 2025) analyzes planned agent actions pre-execution, detecting risks and generating explanations. Existing guardrails mostly operate post-execution and achieved below 60% accuracy on plan-level risk detection. ToolSafe (arXiv:2601.10156, January 2026) complements this with dynamic step-level monitoring during execution, catching what plan-level review misses.

The optimal architecture is hybrid: approve the plan at a high level, then monitor execution with automated step-level guardrails that halt the agent on deviation. OpenAI Codex’s “Long Task Mode” demonstrates this: the agent generates a dynamic whitelist of expected operations, the human reviews the whitelist (not individual calls), and the agent executes within those boundaries with batched questions for consolidated review.

Hierarchical multi-agent oversight

TAO (Kim et al., 2025) implements hierarchical multi-agent oversight inspired by clinical review, with an Agent Router assessing risk and routing to appropriate tiers. Multi-agent review pipelines have shown up to 96% reduction in hallucinations versus single-agent execution.

The emerging reference architecture has five layers: (1) deterministic policy gates (allowlists/denylists) as the fastest filter, (2) constitutional self-assessment by the agent, (3) an AI supervisor for uncertain cases, (4) human-in-the-loop for irreversible or novel situations, (5) audit trail plus post-hoc review. Each layer reduces volume flowing to the next.

Sandbox-first execution for informed review

Instead of asking humans to evaluate tool calls in the abstract, sandbox-first architectures execute in isolation and present actual results for review. The ecosystem is production-ready: E2B (Firecracker microVMs, sub-second creation), nono (kernel-level restrictions bypassing-proof), Google’s Agent Sandbox (GKE + gVisor), AIO Sandbox (MCP-compatible containers).

NVIDIA’s AI Red Team emphasizes application-level sandboxing is insufficient: once control passes to a subprocess, the application loses visibility, so kernel-level enforcement is necessary. Not all actions can be sandboxed: third-party API calls, email, payments must hit real services. For these, the dry-run pattern (agent describes intent, human approves before live execution) remains the fallback.

Deterministic policy enforcement

Rule-based systems are the most reliable first layer: deterministic, auditable, zero LLM inference cost. SafeClaw implements deny-by-default with SHA-256 hash chain audit. COMPASS (Choi et al., 2026) maps natural-language policies to atomic rules at tool invocation time, improving enforcement pass rates from 0.227 to 0.500, but also exposed that LLMs fail 80–83% on denied-edge queries with open-weight models, proving policy enforcement cannot rely on LLM compliance alone.

A cautionary case: Cursor’s denylist was bypassed four ways (Base64 encoding, subshells, shell scripts, file indirection) and then deprecated. String-based filtering is fundamentally insufficient for security-critical gating.

HITL implementations across agent frameworks

LangGraph has the most developed HITL support. interrupt() pauses graph execution at any point, persisting state to a checkpointer (PostgreSQL in production). HumanInTheLoopMiddleware enables per-tool configuration with approve, edit, and reject decisions, allowing different tools to receive different oversight levels.

OpenAI Agents SDK provides input guardrails, output guardrails, and tool guardrails wrapping function tools for pre/post-execution validation. Its MCP integration accepts require_approval as “always,” “never,” or a custom callback for programmatic risk-based approval.

Anthropic takes a model-centric approach via Responsible Scaling Policy and AI Safety Levels (ASL-1 through ASL-3+). Claude’s computer use follows an “ask-before-acting” pattern with explicit access scoping. The February 2026 Sabotage Risk Report for Claude Opus 4.6 found “very low but not negligible” sabotage risk, elevated in computer use settings, with instances of “locally deceptive behavior” in complex agentic environments.

Google DeepMind SAIF 2.0 (October 2025) establishes three principles: agents must have well-defined human controllers, their powers must be carefully limited, their actions must be observable. The “amplified oversight” technique, where two model copies debate while pointing out each other’s flaws to a human judge, remains research-stage.

Middleware and proxy architectures for MCP oversight

The practical path runs through proxy/middleware architectures intercepting JSON-RPC tools/call requests. Key solutions: Preloop (CEL-based policies, quorum approvals, multi-channel notifications), HumanLayer (YC F24; framework-agnostic async approval API with Slack/email routing and auto-approval learning), gotoHuman (managed HITL approval UI as MCP server). For code-first approaches, FastMCP v2.9+ provides hooks at on_call_tool, on_list_tools, and other levels for composable HITL pipeline stages.

Enterprise gateways: Traefik Hub (task-based access control, JWT policy enforcement), Microsoft MCP Gateway (Kubernetes-native, Entra ID auth), Kong AI MCP Proxy (MCP-to-HTTP bridge with per-tool ACLs). Lunar.dev MCPX reports p99 overhead of ~4ms, proving proxy-based oversight imposes negligible latency.

For UX, Prigent’s “7 UX Patterns for Ambient AI Agent Oversight” (December 2025) provides the design framework: overview panel (inbox-zero pattern), five oversight flow types (communication, validation, simple/complex questions, error resolution), searchable audit logs, and work reports. The core principle is progressive disclosure (summary first, details on demand) with risk-colored displays.

Progressive autonomy through trust calibration

The forward-looking pattern is progressive autonomy: agents earn trust over time and operate at increasing independence. Okta recommends “progressive permission levels based on demonstrated reliability.” A manufacturing MCP deployment (MESA) follows four stages: read-only pilot → advisory agents → controlled commands → full closed-loop. HumanLayer learns from prior approval decisions to auto-approve similar future requests.

Trust calibration research formalizes this as sequential regret minimization via contextual bandits (September 2025), with LinUCB and neural variants yielding 10–38% task reward increases. A contextual bandit can learn which calls a user always approves and shift those to auto-approve while maintaining scrutiny on novel or historically-rejected patterns.

CHI 2025 (“Trusting Autonomous Teammates in Human-AI Teams”) finds agent-related factors (transparency, reliability) have the strongest trust impact, and “calibrating human trust to an appropriate level is more advantageous than fostering blind trust.” Progressive autonomy systems should not just reduce approval requests; they should communicate their track record and confidence to maintain calibrated oversight.

Conclusion

The state of the art points to a layered defense architecture. From fastest/cheapest to slowest/most expensive:

1. Deterministic policy gates (allowlists, denylists, CEL/Polar parameter rules): zero LLM cost, sub-millisecond
2. Tool annotation screening via MCP’s readOnlyHint/destructiveHint, supplemented by server-reputation scoring
3. AI guardian agent evaluating uncertain cases against constitutional principles and risk heuristics
4. Human-in-the-loop gates for irreversible, high-value, novel, or ambiguous situations, targeting 5–15% of total calls
5. Audit trails with OpenTelemetry tracing, structured logging, post-hoc review for pattern detection and policy refinement

The critical gap is at the protocol level. Until MCP introduces standardized approval primitives (an approval/request method, trusted risk annotations, or a formal HITL extensions framework), every implementation remains bespoke middleware. The highest-impact near-term contribution would be an MCP Specification Enhancement Proposal defining a standard approval negotiation protocol between clients, proxies, and servers.