The approve button is not an AI safety plan

This matters because AI agents are no longer only answering questions. OpenAI's workspace agents can run in the cloud, work on schedules, connect to team tools, draft follow-ups, and ask for approval when needed. Google's June Gemini update put computer use directly into Gemini 3.5 Flash, so developers can build agents that see and act across browser, mobile, and desktop environments.

Those are normal work surfaces. Sales notes. Spreadsheets. tickets. browser forms. internal tools. The more an assistant can actually do, the less useful it is to interrupt the human for every tiny move. A permission popup on step 37 of 92 is not oversight. It is a tiny compliance costume.

The better question is where the consequence changes. Reading a file is not the same as sending an email. Drafting a refund note is not the same as issuing the refund. Opening a vendor page is not the same as approving a purchase. If the product treats all of those as equal clicks, users will eventually treat them as equal too.

Google says Gemini 3.5 Flash's computer-use capability includes targeted adversarial training for prompt injection, plus optional enterprise safeguards that can require explicit user confirmation for sensitive or irreversible actions and automatically stop tasks when indirect prompt injection is identified. That is more serious than a blanket ask-before-everything model.

But even that only works if the product explains why this moment is different. A useful confirmation does not say, in effect, 'do you approve the next mystery click?' It says what is about to change, who is affected, what evidence the agent used, and what happens if the human says no.

Otherwise the confirmation becomes another inbox. People already have too many places asking for one more tiny decision. The agent is supposed to remove busywork, not turn busywork into a row of buttons.

Anthropic's paper makes a clean distinction that product teams should steal: effective oversight is not approving every action. It is being in a position to intervene when it matters. That is a much harder design problem than adding an approval modal.

It means the user needs a live summary they can trust, not a transcript dump. They need a stop control that works mid-run. They need risk markers that are tied to real consequences. They need an after-action note that says what changed, what failed, what was skipped, and what still needs a person.

The dry version of this is auditing. The human version is simpler: if an AI assistant touches your work while you are in a meeting, can you understand the result in 30 seconds afterward without replaying the whole run? If not, the agent did not give you time back. It borrowed time from later.

Start with one repeated job that already wastes time: a weekly report, a lead-research packet, a support-account summary, a document cleanup pass. Do not start with 'use my whole computer.' That is not a pilot. That is a haunted house tour.

Define three consequence levels before the first run. Low: read, summarize, organize, draft. Medium: change a shared document, create a ticket, message a teammate. High: send outside the company, spend money, change customer/account state, delete, publish, or touch regulated data. The approval rule should follow the level, not the model's confidence voice.

Then measure the ugly stuff: how often the agent paused at the right moment, how often it asked for pointless approval, how long the human spent checking, how many changes had to be reversed, and whether anyone affected by the work could understand what happened. If the checking pile grows, pause the rollout. It is not saving time yet.

Noah Park would still try it, because some work really is dumb enough to hand off. His version would start with five boring runs and one artifact at the end: what the agent changed, what it left alone, and where it stopped. If the artifact is harder to review than doing the task, kill the pilot.

Priya Rao would ask who pays for a bad approval. A manager clicking yes on an internal summary is one thing. A customer, patient, student, or worker getting the wrong outcome is another. Her rule: the person affected by the action should be able to see the result, appeal it, and know whether a human actually reviewed the consequential part.

I am with both of them, annoyingly. Use the agents. Just stop pretending a tired person's thumb is a governance system. The product earns trust when it makes the right parts visible and the boring parts vanish. Most approval buttons do the opposite.