Human in the loop
From review to staged autonomy
Autonomy should be earned with evidence, expanded in bounded steps, and removable when conditions change.
Before you start
Why this matters
A team manually reviews every AI-generated ticket label. After a month, 99% are correct. Should the system label every ticket automatically tomorrow? Not yet. The average may hide poor performance on rare languages, new products, or security incidents. Staged autonomy asks which slice is proven safe, how failures will be detected, and how the team can retreat.
1Learn the idea
Read
Start in shadow mode
In shadow mode, the AI makes proposals but does not control the real action. People follow the existing process while the team compares AI proposals with actual decisions and outcomes.
Shadow mode helps answer:
- Does the system receive the same information available in production?
- Which case types are easy or difficult?
- Are policy thresholds implemented correctly?
- What errors would have caused real harm?
- Are latency and cost acceptable?
It does not reveal everything. Users may behave differently once automation affects them, and reviewers may make mistakes too. Compare against outcomes and expert adjudication, not only agreement with historical decisions.
Read
Move from recommendation to bounded action
A common autonomy ladder is:
- Observe: collect examples; no proposals shown.
- Recommend: show suggestions; people decide.
- Approve: AI prepares actions; people approve each one.
- Automate a safe slice: AI acts only inside strict limits.
- Expand with monitoring: add case types gradually.
- Supervised autonomy: people handle alerts, samples, and exceptions.
Each step needs entry and exit criteria. “The demo looked good” is not an entry criterion. Use measured quality, adequate test coverage, operational readiness, and clear ownership.
The safe slice should be defined in business terms: “English password-reset tickets for verified accounts with no security flags,” not “cases where confidence is above 0.9.” Business constraints are easier to audit and remain meaningful if the model changes.
Read
Use more than model confidence
Confidence can be one signal, but routing should combine:
- action impact and reversibility;
- policy eligibility;
- completeness and consistency of source data;
- whether the input resembles evaluated cases;
- model or rule uncertainty;
- anomaly and abuse signals;
- current system health.
A model may be confidently wrong on an unfamiliar case. A low-confidence classification may still be harmless if the action only adds an internal tag. Risk is a property of the system and action, not a single model score.
Calibrate thresholds using real validation data. If items scored “90%” are correct only 70% of the time, the number is misleading. Recheck calibration after model, prompt, or data changes.
Read
Define promotion criteria
Before increasing autonomy, write measurable requirements. For example:
- at least 5,000 representative cases evaluated;
- no critical policy violations in the evaluation set;
- error rate below an agreed threshold for every important subgroup;
- rollback tested in a production-like environment;
- alerts reach an on-call owner;
- review queue remains within its service level;
- incident and customer-remediation procedures are documented.
Do not rely only on a global accuracy target. A system can reach 98% overall while failing half of a small but important category. Report results by action type, risk tier, language, market, and other relevant slices.
Read
Add canaries and limits
When a safe slice is ready, expose it gradually. A canary may automate five percent of eligible traffic while the rest follows the reviewed process.
Add hard limits:
- maximum amount per action and per day;
- allowed tools and destinations;
- rate limits;
- permitted customer or case segments;
- maximum consecutive failures;
- automatic pause when monitoring data is missing.
Compare canary outcomes with the control group. Expansion should be a deliberate decision, not an automatic schedule that continues despite warning signs.
Read
Know when to step backward
Autonomy is reversible. Define rollback triggers before launch:
- critical policy or privacy violation;
- error rate above threshold;
- unusual override or complaint rate;
- source-data outage or drift;
- model, prompt, or tool change without validation;
- queue or monitoring failure;
- an incident whose cause is not understood.
Rollback may mean returning to approval mode, narrowing the eligible slice, disabling a tool, or stopping the workflow. Practice the switch. A rollback plan that takes hours of emergency coding is not a reliable control.
Avoid treating rollback as failure. It is evidence that the control system worked. The failure would be continuing harmful automation because the team feels committed to the launch.
Read
Human roles change with autonomy
As direct approvals decrease, people move toward supervision, exception handling, policy design, and quality review. They need different training and interfaces.
Supervisors should understand what the system can do, what alerts mean, and how to pause it. Keep enough real review work for people to maintain judgment; total removal from routine cases can make rare escalations harder to assess.
Plan staffing for peaks and incidents. If the automated branch pauses, can the human process handle the returned volume? An autonomy design that has no fallback capacity may turn a safety pause into an outage.