Every team that ships agents to production hits the same wall, and it isn't technical. The prototype works. The demo lands. Then someone from risk or compliance asks a simple question — if this agent refunds the wrong customer $40,000, who approved that? — and the project stalls for a quarter.
We spent most of last year interviewing the people who say no. Risk officers at two payment companies, a compliance lead at a healthcare network, the internal-controls team at a public SaaS company. Their objection was never 'agents are scary.' It was specific and reasonable: existing approval mechanisms assume a human is the actor. When the actor is software, the accountability chain has a hole in it exactly where the money moves.
Why post-hoc review fails
The first thing most teams try is logging plus periodic review: let the agent act, write everything down, have a human sample the log weekly. Risk teams reject this almost immediately, and they're right to. A refund that shouldn't have happened is not undone by noticing it on Thursday. Post-hoc review converts prevention into forensics, and forensics doesn't satisfy a control objective that says unauthorized transactions must not occur.
The second attempt is usually the opposite extreme: route every agent action through a human queue. This fails on economics. If a person must click a button for each of the 14,000 actions an agent takes in a day, you haven't deployed an agent — you've built a very expensive suggestion engine, and the humans rubber-stamp within a week anyway. Blanket approval is indistinguishable from no approval.
The shape that works: policy-triggered approval
What got risk teams to yes was narrower and stricter than either extreme. Approvals in govern.sh are a policy verdict, not a workflow bolted on top. A policy evaluates every action at the Policy Enforcement Point, and one of its possible verdicts — alongside allow and deny — is hold. A held action is suspended before execution, an approval request is created, and the action proceeds only when a named human with the right role signs off.
- Thresholds live in policy, versioned and reviewable: refunds over $500, any write to a production database, any new payee.
- The approver sees the full context — agent identity, the exact call, the policy that triggered the hold, and the agent's recent history — not a bare 'approve?' prompt.
- Approvals happen where the team already is. A Slack message with the decision embedded resolves in a median of 94 seconds across our customers.
- Every approval or rejection becomes a signed receipt in the same hash chain as the action itself. The question 'who approved this?' has a cryptographic answer.
The moment we could show that an approval is a signed record chained to the action it authorized — not a Slack thread someone screenshots — our internal-controls team stopped treating the agent program as an exception and started treating it as a control.
The detail that mattered most: escalation defaults
One design decision came up in every risk conversation: what happens when nobody responds. Systems that auto-approve on timeout are an immediate rejection — that's an unauthorized-transaction path wearing a costume. govern.sh holds default to deny. If no approver acts within the policy's window, the action is refused, the agent receives a structured denial it can plan around, and the expiry itself is receipted.
Deny-by-default sounds like it would frustrate operations, but in practice it does the opposite. Because the failure mode is safe, risk teams agree to much more generous allow-scopes everywhere else. Teams that adopted hold policies ended up granting their agents broader autonomous authority than teams that tried to negotiate blanket allowances up front.
What the numbers look like
Across workspaces using approvals in production, roughly 1.2% of agent actions trigger a hold. Of those, 89% are approved, most within two minutes. That ratio is the whole story: humans review the actions where their judgment changes the outcome, and nothing else. The agent runs at machine speed 98.8% of the time, and the remaining 1.2% is exactly the slice a control framework cares about.
If your agent project is stuck in review, the fix probably isn't a better model or a longer security questionnaire. It's giving your risk team a verdict they can own. Put hold in the policy language, make timeouts fail closed, and sign the approval into the audit chain — then ask them again.