Autonomy without control is a liability. Control on every action is a copilot with extra steps. The entire value of an agent that runs a function — rather than one that assists a person — lives in the space between those two failures, and finding it is a governance problem, not a model problem. This is how Harnyss puts a human in the loop exactly where the risk is, and keeps them out of it everywhere else.
The two ways to get this wrong
Set the controls too tight and every action waits for sign-off. The agent is blocked longer than it works; the queue of pending approvals becomes its own full-time job; you have rebuilt a copilot and added latency. The function isn't operating — it's idling, waiting for a human who is now the bottleneck they were trying to remove.
Set them too loose and agents act on things they shouldn't have: an external email sent without a read, a record changed outside what anyone expected. Most of these aren't catastrophic. They don't have to be. Software that acts on your behalf runs entirely on trust, and trust doesn't survive many surprises.
The instinct is to find a dial between the two and turn it to the right spot. That's the wrong mental model. There is no single right spot, because not all actions carry the same risk.
Autonomy is a tier, not a toggle
In Harnyss, every agent and every workflow runs inside an autonomy tier you set, from fully supervised to fully autonomous. The distinction that matters: a tier is a hard architectural limit enforced by the harness, not a preference the agent is trusted to respect. A preference gets rationalized away the moment the model's reasoning wanders or a prompt pulls it somewhere unexpected. An architectural limit can't be — the agent cannot take an action its tier doesn't permit, regardless of what it talks itself into.
Underneath the tier sits the agent's mandate: a defined scope it cannot exceed. The autonomy tier governs how freely it acts within that scope. The mandate governs what the scope is at all. Neither is advisory.
Where the gates go
You place approval gates on the action types with real blast radius — the ones that reach outside the company or are hard to undo: publishing content, sending outbound email, updating CRM records, moving money. The agent does all the work leading up to the gated action — the research, the drafting, the scoring, the sequencing — and then pauses. It surfaces the action with the context you need to decide, waits for your sign-off, and resumes. Everything below the line — internal, reversible, routine — runs without interrupting you.
In the Workflow Builder these gates are hard, not advisory. Every branch of a workflow can require approval, and no workflow can exceed the mandate you defined for it. An approval gate isn't an escalation the agent might choose to raise if it feels uncertain — it's a wall in the execution path. The work stops there until a human moves it.
Trust is earned per agent, over time
You decide how much trust each agent earns. Start one supervised, with tight gates. Watch what it produces. As good work accumulates inside a narrow boundary, widen the autonomy — fewer gates, higher tier — and keep the full record of what it did available to review. If something drifts, suspend it, resume it, or roll it back.
This is how you'd manage a capable new hire: close supervision first, more rope as judgment proves out. The difference is that here the supervision is structural and the record is complete, so "earning trust" is something you can actually see rather than something you assume.
The point is that the job changes
Approval flows look like a settings screen. They're actually the interface of a new job. When the function operates and the person governs, governing concretely means three things: setting each agent's mandate, setting its autonomy per decision, and clearing the handful of approvals that reach you. Tune the gates too conservatively and you've kept your old operator job, now with a backlog. Tune them too permissively and you've quietly taken on exposure you didn't choose. Tune them well and your attention lands only on the decisions that genuinely need a human.
An approval gate is where you keep your hands on the wheel. The skill is knowing how few you need. For how this fits into the rest of the runtime, see how it works; for the bigger shift it's part of, the self-operating company.