Triaxo Solutions

Triaxo Solutions builds AI-first software, custom platforms, and product engineering for startups and enterprises.

Tool-calling agents with approval gates

Agents that mutate state need explicit human approval, least-privilege tools, and audit logs—especially when connecting to CRM, ERP, or ticketing.

Agents are tempting because they act. That is also why unchecked agents delete records, spam customers, or open tickets in the wrong queue. Production patterns start with what the agent is not allowed to do.

Tools are APIs with teeth

Each tool gets a narrow schema, sandbox credentials, and side-effect class: read-only, draft, or execute. Execute tools require approval tokens issued by a human or policy engine—not the model's enthusiasm.

Approvals should be boring

  • Slack/Teams cards with diff previews before CRM updates.
  • Time-bound approval tokens tied to ticket IDs.
  • Automatic escalation when confidence drops mid-run.
  • Full transcript + tool payload stored for audit.
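The two sections above describe one mechanism: every tool carries a side-effect class, execute-class tools refuse to run without an approval token issued outside the model, the token is time-bound and tied to a ticket ID, and every call (blocked or not) lands in an audit log. The following is an added example of that gateway, not Triaxo's code; the tool names, the CRM stand-in, the HMAC key and the five-minute TTL are constructed for illustration.

```python
"""Approval-gated tool gateway: side-effect classes, HMAC-signed approval tokens
bound to one tool and one ticket, and an audit record for every call."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from enum import Enum
from typing import Any, Callable, Optional


class SideEffect(Enum):
    READ_ONLY = "read_only"  # safe without approval
    DRAFT = "draft"          # produces a proposal, mutates nothing
    EXECUTE = "execute"      # mutates an external system; needs an approval token


# Constructed key for the example. In production it lives with the approval
# service (the human UI or policy engine), never in the model-facing process.
APPROVAL_KEY = b"constructed-demo-key-rotate-me"
TOKEN_TTL_SECONDS = 300


def _sign(body: dict) -> str:
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(APPROVAL_KEY, msg, hashlib.sha256).hexdigest()


def issue_approval(tool: str, ticket_id: str, approver: str,
                   now: Optional[float] = None) -> dict:
    """Called by a human click or a policy engine, never by the model."""
    now = time.time() if now is None else now
    body = {"tool": tool, "ticket_id": ticket_id, "approver": approver,
            "exp": int(now) + TOKEN_TTL_SECONDS}
    body["sig"] = _sign(body)
    return body


def verify_approval(token: dict, tool: str, ticket_id: str,
                    now: Optional[float] = None) -> bool:
    """Valid only for the named tool and ticket, and only until expiry."""
    now = time.time() if now is None else now
    unsigned = {k: v for k, v in token.items() if k != "sig"}
    if not hmac.compare_digest(_sign(unsigned), token.get("sig", "")):
        return False
    return (token["tool"] == tool and token["ticket_id"] == ticket_id
            and now < token["exp"])


@dataclass
class Tool:
    name: str
    side_effect: SideEffect
    schema: set            # allowed argument names; anything else is rejected
    fn: Callable[..., Any]


class ApprovalRequired(Exception):
    pass


@dataclass
class Gateway:
    tools: dict
    audit: list = field(default_factory=list)

    def call(self, name: str, args: dict, ticket_id: str,
             token: Optional[dict] = None, now: Optional[float] = None) -> Any:
        tool = self.tools[name]
        extra = set(args) - tool.schema
        if extra:
            raise ValueError(f"{name}: arguments outside schema: {sorted(extra)}")
        approved_by = None
        if tool.side_effect is SideEffect.EXECUTE:
            if token is None or not verify_approval(token, name, ticket_id, now):
                self.audit.append({"tool": name, "ticket_id": ticket_id,
                                   "args": args, "outcome": "blocked"})
                raise ApprovalRequired(f"{name} on {ticket_id} needs a valid approval token")
            approved_by = token["approver"]
        result = tool.fn(**args)
        self.audit.append({"tool": name, "ticket_id": ticket_id, "args": args,
                           "approved_by": approved_by, "outcome": "ok"})
        return result


# Constructed CRM stand-in so the example runs offline.
CRM = {"acct-42": {"owner": "alice", "tier": "gold"}}


def crm_get(account_id):
    return dict(CRM[account_id])


def crm_draft_update(account_id, fields):
    # Draft class: returns the diff a reviewer would see, changes nothing.
    return {"before": dict(CRM[account_id]), "after": {**CRM[account_id], **fields}}


def crm_update(account_id, fields):
    CRM[account_id].update(fields)
    return dict(CRM[account_id])


def build_gateway() -> Gateway:
    return Gateway(tools={
        "crm_get": Tool("crm_get", SideEffect.READ_ONLY, {"account_id"}, crm_get),
        "crm_draft_update": Tool("crm_draft_update", SideEffect.DRAFT,
                                 {"account_id", "fields"}, crm_draft_update),
        "crm_update": Tool("crm_update", SideEffect.EXECUTE,
                           {"account_id", "fields"}, crm_update),
    })
```

The draft tool is what feeds the Slack/Teams card: the agent can always produce the before/after diff, but the execute tool stays inert until a token for that exact ticket arrives, and a token for a different ticket or an expired one is rejected just like a forged one.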

The best agent is one your ops lead can pause without calling engineering at midnight.

Triaxo AI practice

Rollouts mirror RAG: internal dogfood, shadow mode, limited channels, then expand. Kill switches and per-tenant feature flags prevent one bad prompt from becoming a company-wide incident.

Agents combine the worst of automation risk with the best of LLM flexibility. Production systems assume the model will eventually attempt something unsafe—design for that day, not for demo day.

Policy layer above the model

Separate policy engines (who may approve, daily limits, forbidden fields) from prompt engineering. Policies should be testable without invoking the LLM—unit tests on rules, not vibes.
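A policy engine that is testable without the LLM is just rules over data. As an added example (not Triaxo's code), the engine below carries the three rule kinds the paragraph names, approver roles per tool, daily execution limits and forbidden fields, and evaluates a proposed action with no model in the loop; the roles, limits and field names are constructed.

```python
"""Policy layer evaluated independently of the model: who may approve which
tool, how many executions per day, and which fields the agent may never touch."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    approvers: dict          # tool -> set of roles allowed to approve it
    daily_limits: dict       # tool -> max executions per calendar day
    forbidden_fields: dict   # tool -> set of fields the agent may never write


@dataclass
class ProposedAction:
    tool: str
    fields: dict
    approver_role: Optional[str]


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


class PolicyEngine:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.daily_counts = Counter()   # (tool, day) -> executions so far

    def evaluate(self, action: ProposedAction, day: str) -> Decision:
        """Pure rule check; the list of reasons is what the ops card shows."""
        reasons = []
        forbidden = set(action.fields) & self.policy.forbidden_fields.get(action.tool, set())
        if forbidden:
            reasons.append(f"touches forbidden fields {sorted(forbidden)}")
        if action.approver_role not in self.policy.approvers.get(action.tool, set()):
            reasons.append(f"role {action.approver_role!r} may not approve {action.tool}")
        limit = self.policy.daily_limits.get(action.tool)
        if limit is not None and self.daily_counts[(action.tool, day)] >= limit:
            reasons.append(f"daily limit {limit} reached for {action.tool}")
        return Decision(allowed=not reasons, reasons=reasons)

    def record(self, action: ProposedAction, day: str) -> None:
        """Call after an approved action actually executed."""
        self.daily_counts[(action.tool, day)] += 1


# Constructed policy for the example.
CONSTRUCTED_POLICY = Policy(
    approvers={"crm_update": {"ops_lead", "account_manager"}, "send_email": {"ops_lead"}},
    daily_limits={"crm_update": 2, "send_email": 50},
    forbidden_fields={"crm_update": {"billing_account", "credit_limit"}},
)
```

Because `evaluate` takes plain data and returns plain data, the rules get ordinary unit tests: feed an action that touches `credit_limit` and assert the denial, without a prompt, a model call or a network round trip.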

Simulation before scale

Replay historical tickets through the agent in read-only mode. Compare proposed actions to what humans actually did. Measure false positives (unnecessary escalations) and false negatives (unsafe auto-actions).
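The replay described above, as an added example that is not part of Triaxo's material: historical tickets are pushed through the planner in read-only mode, each proposed action is compared with what the human did, and the run is scored for false positives (the agent escalated where a human safely acted) and false negatives (the agent would have auto-run an unsafe action the human did not take). The tickets, the keyword planner and the unsafe-action set are constructed stand-ins.

```python
"""Shadow-mode replay of historical tickets against the agent's planner.
Nothing is executed; proposals are only compared with the recorded human action."""
from dataclasses import dataclass
from typing import Callable, List

# Constructed: actions the business treats as unsafe to auto-run.
UNSAFE_ACTIONS = {"delete_record", "refund", "close_account"}


@dataclass
class Ticket:
    ticket_id: str
    text: str
    human_action: str   # what the human actually did, from the historical log


@dataclass
class ReplayMetrics:
    agreed: int = 0
    false_positives: int = 0      # agent escalated, human safely acted
    false_negatives: int = 0      # agent proposed an unsafe action the human did not take
    other_disagreements: int = 0  # safe action, but not the one the human chose

    def rates(self):
        total = self.agreed + self.false_positives + self.false_negatives + self.other_disagreements
        return (self.false_positives / total, self.false_negatives / total) if total else (0.0, 0.0)


def toy_planner(text: str) -> str:
    """Constructed stand-in for the LLM planner: returns an action or 'escalate'."""
    t = text.lower()
    if "refund" in t:
        return "refund"
    if "cancel" in t:
        return "close_account"
    if "address" in t:
        return "update_address"
    return "escalate"


def replay(tickets: List[Ticket], planner: Callable[[str], str] = toy_planner) -> ReplayMetrics:
    m = ReplayMetrics()
    for tk in tickets:
        proposed = planner(tk.text)   # read-only: the proposal is never executed
        if proposed == tk.human_action:
            m.agreed += 1
        elif proposed == "escalate":
            m.false_positives += 1
        elif proposed in UNSAFE_ACTIONS:
            m.false_negatives += 1
        else:
            m.other_disagreements += 1
    return m


# Constructed history; the human_action column is the ground truth.
CONSTRUCTED_HISTORY = [
    Ticket("T-100", "Please update my shipping address", "update_address"),
    Ticket("T-101", "I want a refund for order 5", "escalate"),       # human escalated, agent would refund
    Ticket("T-102", "Change the address on file", "update_address"),
    Ticket("T-103", "Is my order shipped yet?", "reply_status"),      # human replied, agent escalates
    Ticket("T-104", "Cancel my account now", "close_account"),
]
```

The false-negative count is the number that gates promotion out of shadow mode: a single unsafe auto-action the humans would not have taken is a policy gap to close before the execute tools are enabled on a live channel.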

Multi-agent is not free parallelism

Orchestrating multiple agents increases cost and failure modes. Start single-agent with a small tool surface. Add specialization only when evals prove a single planner cannot meet SLA.

  • Budget tokens and wall-clock time per session.
  • Circuit breakers when external APIs degrade.
  • Customer-visible disclosure when AI drafted an action.
  • Post-incident reviews that update tools and prompts, not blame individuals.
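The first two bullets above are the run-time guard rails of the list. As an added example (not Triaxo's code), the classes below implement a per-session budget on tokens and wall-clock time, and a circuit breaker that stops calling an external API after repeated failures and probes it again only after a cooldown; the thresholds are constructed, and time is passed in explicitly so the behaviour is deterministic.

```python
"""Per-session budgets and a circuit breaker around degraded external APIs."""
from dataclasses import dataclass
from typing import Callable, Optional


class BudgetExceeded(Exception):
    pass


class CircuitOpen(Exception):
    pass


@dataclass
class SessionBudget:
    max_tokens: int
    max_seconds: float
    started_at: float
    tokens_used: int = 0

    def charge(self, tokens: int, now: float) -> None:
        """Debit one model call; raise once either budget is blown."""
        self.tokens_used += tokens
        if self.tokens_used > self.max_tokens:
            raise BudgetExceeded(f"token budget {self.max_tokens} exceeded")
        if now - self.started_at > self.max_seconds:
            raise BudgetExceeded(f"wall-clock budget {self.max_seconds}s exceeded")


@dataclass
class CircuitBreaker:
    failure_threshold: int
    cooldown_seconds: float
    failures: int = 0
    opened_at: Optional[float] = None

    def state(self, now: float) -> str:
        if self.opened_at is None:
            return "closed"
        if now - self.opened_at >= self.cooldown_seconds:
            return "half_open"   # let one probe call through
        return "open"

    def call(self, fn: Callable[[], object], now: float):
        st = self.state(now)
        if st == "open":
            raise CircuitOpen("external API degraded; skipping call")
        try:
            result = fn()
        except Exception:
            self.failures += 1
            # Open on the threshold, or immediately if the half-open probe failed.
            if self.failures >= self.failure_threshold or st == "half_open":
                self.opened_at = now
            raise
        self.failures = 0      # success closes the circuit again
        self.opened_at = None
        return result
```

When the breaker is open the agent should fall back to escalation rather than retrying, so a degraded ticketing API produces a visible queue of pending approvals instead of a burst of half-applied actions.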

We document agent runbooks alongside code: escalation paths, kill switches, and which business owner signs off on expanded tool access.
