A human approval workflow for AI agents should require an exact proposal, named reviewer, bounded permission, execution receipt, and independent verification before consequential marketing actions become final. Reading data or drafting a recommendation must not silently grant authority to change spend, publish, contact customers, delete records, set prices, decide eligibility, or make promises.
Separate assistance from authority
AI can summarize a campaign, classify search terms, draft an article, prepare a reply, or recommend a budget change. Those are assistance tasks. The risk changes when the system can perform the live action.
Define three permission levels:
- Read: inspect approved sources.
- Draft or propose: create a non-live output for review.
- Execute: change a live system through an authorized route.
Grant each workflow the lowest level it needs. A reporting assistant does not need write access to Google Ads. A content researcher does not need permission to deploy the website.
Classify actions by consequence
The NIST AI Risk Management Framework calls for governance, testing, evaluation, monitoring, and oversight appropriate to context and risk. It does not dictate one marketing approval matrix, but it supports a practical rule: higher-consequence errors need stronger control.
Create an approval matrix:
| Action | Typical consequence | Minimum control |
|---|---|---|
| Internal summary | Low and reversible | Source links and spot review |
| Draft ad or article | Non-live but reputational if used | Editorial review before execution |
| Publish public content | Customer-facing | Exact-body approval and live verification |
| Change spend or targeting | Financial and market impact | Account owner approval with old and new settings |
| Send outreach | Customer and compliance impact | Approved audience, message, consent rule, and suppression check |
| Delete or overwrite data | Durable loss | Explicit confirmation, backup, and rollback |
| Decide price, eligibility, or safety | High customer consequence | Responsible human decision, not autonomous approval |
Adjust the matrix for the business and industry. Do not label every action low-risk simply because it is common.
Require a complete proposal packet
An approver should receive:
- The exact action or content.
- The affected account, campaign, page, audience, customer, or record.
- Source evidence and retrieval time.
- The reason for the change.
- Expected business outcome.
- Known uncertainty and potential harm.
- The permission required.
- The verification test.
- The rollback or repair plan.
Avoid vague requests such as “Approve optimization.” The reviewer should see that the system proposes increasing a named budget, excluding a named search term, publishing an exact article, or sending a specific message to a defined audience.
Bind approval to an exact version
Store a hash, version, or immutable identifier for the approved payload. If the content, budget, location, audience, or destination changes materially after approval, require review again.
Record who approved it, when, under which policy, and for which scope. “The team approved this campaign” is not enough when nobody can reproduce the settings.
For broader account and data control, use Fruitful Local’s marketing ownership checklist.
Execute through one authorized route
The system that owns the action should perform it. Publishing belongs to the Website or platform workflow. Spend changes belong to the ad account. Messages belong to the approved email, SMS, or CRM provider.
Use narrow credentials and roles. Keep production and testing separate. Where possible, use idempotency so a retry cannot create duplicate posts, messages, or campaigns.
The execution receipt should include the approved version, provider response, affected resource, time, and identity used. Do not treat a generated sentence saying “done” as an action receipt.
Verify independently
After execution, read from the live system:
- Open the public URL.
- Read back the campaign budget and location settings.
- Confirm the post appears on the intended profile.
- Verify the message entered the correct provider queue once.
- Confirm the record was updated without losing the original.
Compare the live result with the approved payload. Record pass, fail, or partial. A successful request can still land on the wrong resource, remain pending, be rejected by policy, or display differently.
Fruitful Local’s human review and AI security guide explains why verification belongs in a separate state: self-confirmation by the same model is weak evidence.
Design failure and rollback first
Before scheduling automation, answer:
- What failure can be detected automatically?
- What should stop immediately?
- Who receives the alert?
- Which action is safe to retry?
- How is the previous state restored?
- What customer communication is required?
- Which records must be preserved for investigation?
Examples include pausing a campaign with broken conversion tracking, removing a mispublished page through the Website owner, canceling an unsent message queue, or restoring a previous configuration from a recorded snapshot.
Do not automate rollback blindly when reversal can cause a second harm. Some failures need a person to choose the safest repair.
Avoid approval theater
Human review is ineffective when the reviewer lacks time, source access, authority, or a clear standard. It also fails when the interface encourages approving dozens of opaque changes at once.
Make reviews small and decision-specific. Show differences. Highlight unsupported claims, spend impact, audience size, and irreversible effects. Allow reject, request changes, and narrow scope—not only approve.
Track correction patterns. If reviewers repeatedly fix the same issue, improve the source data, prompt, rule, or workflow. Do not use the human as a permanent patch for a poorly bounded system.
Use lighter controls for low-risk work
Not every internal draft needs executive approval. Define classes of preapproved work, such as formatting a report or creating a non-live summary from a known source. Even then, keep provenance and monitoring.
Escalate when inputs are missing, the model’s confidence is low, sensitive data appears, a policy boundary is triggered, or the requested action exceeds the workflow’s scope.
A minimum approval checklist
Before approving, confirm:
- The source and affected resource are correct.
- The proposal remains within the business’s services, market, and policy.
- Material claims are supported.
- Spend, audience, destination, and timing are visible.
- Customer data and consent rules are respected.
- The action is reversible or has an accepted repair path.
- The verifier and owner are named.
AI can help prepare the packet and flag missing fields. The decision owner remains accountable for consequential action.
A safe AI agent is not one that never makes mistakes. It is one whose permissions, evidence, approvals, actions, failures, and verification are visible enough for the business to control.