| UI or UX | UI + UX - Anti-pattern for agentic side effects executed before human authorization | UI + UX - Runtime checkpoint that pauses AI or automation until an eligible human authorizes the next step | UI + UX - Pre-execution preview of an AI agent's proposed multi-step plan, tools, data access, and expected outputs | UI + UX - Live execution trace for an AI agent or automation run after work has started | UI + UX - Inspectable disclosure of AI agent tool calls, inputs, outputs, permissions, and side effects | UI + UX - Pre-execution review of high-impact actions that may affect money, access, production systems, legal status, customers, external recipients, or safety |
| --- | --- | --- | --- | --- | --- | --- |
| UI guidance | Do not show an agent as merely thinking, drafting, or preparing when it has already sent, changed, purchased, deployed, revoked, deleted, or externally committed something. | Render a human approval gate as a paused automation checkpoint with the proposed action, tool or workflow step, triggering rule, risk level, payload snapshot, requester or agent, approver eligibility, timeout, and explicit approve, reject, edit, cancel, or bypass controls. | Render agent plan preview as a pre-run plan with objective, ordered steps, planned tools, data sources, permissions, assumptions, dependencies, approval gates, expected outputs, and controls to edit, approve, run, save, or cancel. | Render an agent progress trace as a live, ordered run timeline with run ID, plan version, current step, queued steps, active tool or task, elapsed time, last event time, step status, blocked gates, retry state, and final outcome. | Render tool-use visibility as an inspectable tool-call surface with tool name, purpose, input summary, output summary, permission scope, data source, side-effect risk, status, timestamps, and redaction state. | Render dangerous-action review as a pre-execution checkpoint that names the armed action, actor, target, scope, affected systems, external effects, risk reason, evidence, freshness, permissions, alternatives, and exact outcome of Run, Cancel, Edit, or Escalate. |
| UX guidance | Protect users from surprise agent side effects by separating proposed work from executed work, pausing risky steps, and requiring authorization that is valid only for the displayed payload. | Use human approval gate when automation is ready to act but policy, risk, confidence, cost, access, publication, deployment, customer impact, or legal consequence requires a human decision before execution continues. | Use agent plan preview when users need to understand and shape what an AI agent will do before it starts calling tools, changing records, sending messages, spending budget, or making external side effects. | Use agent progress trace when an AI agent or automation has started multi-step work and users need to monitor progress, intervene on stalls or gates, understand partial completion, and know whether the reviewed plan is still being followed. | Use tool-use visibility when users need to understand, verify, approve, debug, or audit how an AI agent used tools, data, or integrations during a run. | Use dangerous-action review when an action is not necessarily destructive but can create high-impact consequences such as sending money, changing access, executing production commands, contacting customers, publishing content, filing a legal response, or letting an agent use a privileged tool. |
| Good UI | A support agent pauses before issuing a refund, shows customer, order, amount, policy source, approver role, and Approve refund, Edit amount, Reject, and Stop run controls. | An AI support agent pauses before issuing a refund, shows the proposed amount, customer, policy match, confidence, source grounding, approver role, timeout, Approve refund, Edit amount, Reject, and Stop run controls. | A sales assistant previews a six-step account-research plan with CRM lookup, web search, draft email, approval gate before send, estimated sources, and editable recipient scope. | An account research agent trace shows Run A-204, reviewed plan P-18, completed CRM lookup, active policy search, queued draft email, approval gate pending before send, elapsed time, and a View tool details control. | A research agent shows Knowledge search, Web search, and CRM lookup tool cards with purpose, input summary, source scope, output summary, status, and redacted raw request details. | A production console shows Restart payment workers, affected region, open incidents, customer impact, rollback owner, evidence links, change window, dry-run result, and Run restart only after the reviewer checks the risk inventory. |
| Bad UI | A chat message says I handled it and reveals the agent already issued a refund without any review screen. | A banner says Human approval needed but does not show the tool call, payload, approver, timeout, or resume consequence. | The UI says I have a plan and immediately starts executing without showing steps, tools, data access, or external side effects. | A spinner says Working on it while an agent calls several tools with no step identity, elapsed time, blocked state, or recovery path. | A trace says Using tools but never names the tool, input, source, output, permission, or side effect. | A privileged tool button says Continue and immediately sends a customer email, changes access, and updates billing without showing the payload or external recipients. |
| Good UX | A manager sees the agent is armed to change account access, edits the target group, approves the revised payload, and the run resumes only that step. | A billing lead opens the paused refund gate, sees that the amount is under policy but source grounding is partial, edits the refund to the verified amount, approves, and the agent resumes only that step. | A manager removes the Send email step, narrows the data source to approved knowledge, approves the remaining plan, and sees execution start from the revised version. | A user watches the active step move from searching policies to drafting the email, opens the blocked permission item, grants access, and sees the run continue from the same step. | A user opens the active CRM lookup, sees it is read-only, verifies the account ID, and continues watching the run. | A release manager sees that a deploy action affects production EU, has a stale smoke test, cancels execution, refreshes checks, and then runs the action with an audit record. |
| Bad UX | A user asks an agent to research an account and later discovers it changed the opportunity stage. | A human approves a stale agent action from email and the agent applies it to a different customer state. | Users approve a plan that says Research account but the agent also updates the opportunity stage. | Users cannot tell whether the agent is stuck, waiting for approval, or finished because all states use the same animated progress label. | Users cannot tell whether the agent searched the web, read private files, or changed customer data. | A user approves a notification from email after the underlying payload changed, and the system executes against a different customer. |
| Best fit | An AI agent or automation can create side effects that affect customers, money, access, production systems, legal status, public content, sensitive data, or external recipients. | An AI agent, workflow, deployment, or automation is ready to perform a high-impact step and must pause for human authorization. | An AI agent or automation can show a proposed multi-step plan before execution. | An agent or automation run has started and spans multiple steps, tools, gates, or side effects. | An AI agent or automation calls tools, functions, APIs, retrieval systems, commands, or integrations. | A user, agent, automation, or admin tool is about to execute a high-impact action that can affect money, access, production systems, legal/compliance state, customers, external recipients, sensitive data, or safety. |
| Avoid when | The agent can only perform read-only retrieval and cannot affect external systems or user-visible state. | The action has already happened and users only need an audit log. | The system cannot generate a reliable plan before execution. | Execution has not started and users need to inspect or edit a proposed plan. | The system cannot reliably identify tool calls, inputs, outputs, status, permissions, or side effects. | The risk is narrowly permanent deletion or loss of a named object; use destructive action confirmation. |
| Required state | Read-only step allowed state with no external side effect. | Paused gate state with proposed action, payload snapshot, reason for gate, and run context. | Draft plan state with objective, ordered steps, planned tools, and expected output. | Run started state tied to run ID, plan version, objective, and user who started the run. | Pending tool call state with tool name, purpose, requested permission, and side-effect risk. | Armed action state with verb, target, payload, actor, source, and exact execution boundary. |
| Accessibility burden | Expose whether a step is proposed, armed for approval, running, completed, rejected, cancelled, bypassed, or rolled back as text. | Expose gate status, proposed action, target, payload summary, risk, approver rule, timeout, and current run state as text. | Expose objective, plan version, step order, step status, tool, data access, side effect, and expected output as text. | Expose trace status, run ID, current step, elapsed time, blocked state, final outcome, and details availability as text. | Expose tool name, status, permission, risk, input summary, output summary, and redaction reason as text. | Use headings and labels that name the action and target before risk details. |
| Common misuse | Treating Run agent as permission to execute every hidden side-effect step. | Showing Approve without the exact action, payload, target, risk, or resume consequence. | Showing a vague plan summary while hiding planned tool calls, data access, and side effects. | Using one spinner or vague Thinking label for a multi-step agent run. | Showing a vague Using tools label without names, inputs, outputs, or permissions. | Using vague Are you sure, Continue, or Proceed copy without naming the dangerous operation. |
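
The table requires authorization that is "valid only for the displayed payload" and lists approving a stale action from email as a failure. The sketch below is an added example, not code from the original page, showing one way a backend can enforce that at the gate. All function names, the signing key, and the field layout are hypothetical.

```python
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent to the UI
_consumed = set()  # approval MACs already used; one approval resumes one step


def payload_digest(payload: dict) -> str:
    """Digest of the canonical payload snapshot the approver was shown."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def _mac(fields: dict) -> str:
    msg = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_approval(run_id, step_id, payload, approver, now, ttl=300) -> dict:
    """Called when an eligible human clicks Approve on the displayed payload."""
    fields = {
        "run_id": run_id,
        "step_id": step_id,
        "approver": approver,
        "digest": payload_digest(payload),
        "expires_at": now + ttl,  # gate timeout
    }
    return {**fields, "mac": _mac(fields)}


def authorize_execution(approval, run_id, step_id, payload, now):
    """Gate check run immediately before the side effect; returns (ok, reason)."""
    fields = {k: v for k, v in approval.items() if k != "mac"}
    if not hmac.compare_digest(approval.get("mac", ""), _mac(fields)):
        return False, "tampered"
    if approval["mac"] in _consumed:
        return False, "already-used"
    if now > approval["expires_at"]:
        return False, "expired"
    if (approval["run_id"], approval["step_id"]) != (run_id, step_id):
        return False, "wrong-step"
    if approval["digest"] != payload_digest(payload):
        return False, "payload-changed"  # agent state drifted after review
    _consumed.add(approval["mac"])
    return True, "ok"
```

The digest is computed over the payload the agent is about to send, at execution time, so an approval clicked from an old notification fails with `payload-changed` and the gate re-renders the current payload for review.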